Legal clarity in the cloud

Cloud computing offers substantial benefits, but the legal sector should be aware of potential dangers, as Michael Cross reports

Drayson Law describes itself as a new kind of law firm. The IT contract law specialist’s Solihull headquarters are in an innovation centre managed by the University of Warwick Science Park. “Most of our clients are software firms,” says founder Charles Drayson, who is happy when his neighbours drop by for advice on startups. “It works the other way, too – when we have a technical issue, I’m able to walk up the corridor and find someone to fix it.”

Not surprisingly, the firm is at the leading edge of IT. Its client files have been paperless for seven years and, when it upgraded its practice management system, it turned to a cloud-based system from Canadian-based company Clio.

Cloud is a buzz-phrase for providing computing as a service over the internet, rather than as boxes of hardware and software. At its most extreme, users have no idea where their data is stored and processed. This poses obvious compliance problems for lawyers which, along with the sector’s innate conservatism, explains why cloud services such as Google Docs have not taken off in the legal world.

However, despite ongoing reservations, including vulnerability to snooping by intelligence agencies, regulators are giving a cautious green light to working in the cloud. Earlier this month, the Law Society of England and Wales issued a practice note on the subject, following its Scottish counterpart and the Solicitors Regulation Authority.

For Mr Drayson, security and flexibility are compelling advantages. “Cloud does away with the need for you to have your own secure server. In a small firm, it is surprisingly difficult to keep it to the level of security that is needed,” he says. Flexibility means not having to pay for functions, such as conveyancing and personal injury, neither of which is of interest to his specialist firm.

But you do not have to be an IT specialist to see the possibilities. When high-profile QC Michael Mansfield set up his new chambers, based in serviced offices in Chancery Lane, his team did not want to run its own IT infrastructure. Instead, it picked a hosted chambers management system from UK supplier Advanced Legal. It was implemented in eight days over the Christmas break.

Martin Parker, consultant and chief clerk at Mansfield Chambers, says the system enables “more flexibility and access without having wardrobes full of servers and cabling”. Barristers log on remotely to a hosted environment shared by two office-based clerks. “Michael’s at the Hillsborough inquest, but he can do exactly what he needs to do without coming back to the office.”

While Mr Drayson and Mr Mansfield are using aspects of cloud technology, this does not mean they are posting client data into the ether and hoping for the best. This perception has been hanging over cloud systems, especially since the Snowden revelations of eavesdropping by the US National Security Agency. The Law Society warned this month that, when selecting a cloud service, lawyers should “have regard to the possibility of lawful access by a foreign law enforcement or intelligence agency”.

However, this is not the only potential problem. In its practice note the Law Society warns that the processing of sensitive data on a third-party server or application has implications for both professional conduct and regulatory compliance. One ambiguity is whether the cloud provider is a data processor or a data controller under the Data Protection Act. Service contracts also need to ensure access to data where required by legal regulators and what happens to data at the end of the agreement.

Despite the worries, the use of cloud-based technology seems certain to spread in this most technologically conservative sector

IT specialist Sam de Silva, partner at law firm Penningtons Manches and chairman of the Law Society’s technology and law reference group, says that suppliers have not always been transparent. He warns of “cloud-washing” – the tendency to give unchecked assurances.

Firms need to be especially wary of “click wrap” standard terms and conditions, which may well not apply to the legal sector. For example, the terms and conditions may prohibit the processing of defamatory or obscene content – a problem for law firms handling cases in this area. “It’s a judgment call for law firms,” Mr de Silva says. “But you need at least to review the agreement and understand the risks.”

Andrew Joint, partner at London firm Kemp Little, says the very novelty of the cloud poses difficulties. “There is still zero to very little relevant case law and legislation,” he says. One uncertainty is what happens when a relationship breaks down. Could the service provider exercise a lien – the right to retain possession – over digital data in the same way it could over tangible property?

Mr Joint points out that in the recent decision in Your Response Limited v Datastream Business Media Limited, the Court of Appeal noted that resolution may need the intervention of Parliament. The Law Society advises firms to consider removing contractual provisions permitting the provider the right to exercise lien.

As for steps to reduce the risk of what the Law Society calls “lawful access by a foreign law enforcement or intelligence agency”, the main advice is to ensure you know in which jurisdiction the system is hosted. In Clio’s case this is in Ireland, though Mr Drayson stresses: “Just because a server is in the EU does not get you completely off the hook, you need to look at how it is run.”

Mr de Silva agrees. “The only absolutely sure way to stop interception is not doing anything by electronic means,” he says.

Despite these worries, the use of cloud-based technology seems certain to spread in this most technologically conservative sector. Mr Drayson enthuses about the ease with which cloud-based systems can be rolled out and the fact that they can be tried out without a big capital investment. He also says the market has matured substantially. “Suppliers are getting better at saying we understand you have a data protection concern,” he says.

Of course, in our connected world, this advice is only as good as the weakest link. The Law Society’s practice note warns that the very ease and attractiveness of “free” services could set another trap. The risk is that staff at any level may circumvent carefully designed procurement policies by signing up to “free” services which generate income by processing data from users.

“They can pose serious data protection, client confidentiality and information security risks. Everyone in your practice should be alerted to these risks and be made aware of the need to follow your formal approvals process,” the Law Society says.

Used properly, the cloud is a liberating force for lawyers – but it also turns everyone into a compliance officer.