Security in the cloud: is your client’s data secure?

What are the concerns surrounding the safety of lawyers’ data?

The concept of confidentiality is at the core of the solicitor-client relationship and protected as a concept in law and also through regulatory controls. This is dependent on lawyers’ data being secure. The challenge that many lawyers now face is the need to reconcile the safety of data, and the connection of this with confidentiality duties, with modern storage and communication methods which are increasingly computer-based rather than paper-based. The use of electronic solutions means that there are a number of third parties with access to lawyers’ data, and this increases risks to both the lawyers and their clients that data will not be secure or may become subject to the right of seizure from government agencies.

What are the particular concerns surrounding lawyers’ data posed by the rise of cloud computing and increased electronic transfer?

Cloud computing and electronic transfer methods place increased pressure on solicitors in respect of their duty to keep client matters confidential. The Solicitors Regulation Authority (SRA) is a risk-based regulator and has identified high impact risks in its Risk Regulatory Index and Risk Outlook documentation.

Outsourcing and the use of cloud computing and cloud providers were identified as high-level risks in the SRA Risk Outlook of Autumn 2013. While these are not prohibited activities, the SRA has said that it will expect law firms to manage the challenges that this creates in respect of the protection of client confidentiality.

The regulator published a regulatory guide, “Silver linings: Cloud computing, law firms and risk” in November 2013 to assist lawyers.

Suggestions for good practice include undertaking due diligence exercises on the service provider both before a contract is agreed and during the period of the agreement. In addition the SRA Code of Conduct specifies that the firm must enter into a contractual agreement with the provider to enable the SRA access to this third party to inspect data if necessary.

The cloud system must also comply with the Data Protection Act 1998 so that, for example, there must be a written contract between the law firm and the provider and restrictions on sending data outside the European Economic Area must be observed. This is crucial—not only does breach of legislation have an impact on lawyers in terms of their relationship with the SRA, they also must understand that some jurisdictions have surveillance and other laws which would place confidential information at risk of disclosure.

How do other jurisdictions fare in their protection of lawyers’ data?

The CCBE report looks at the extent to which lawyers’ data throughout Europe is (in its words) “susceptible to governmental access, and the rules and conditions surrounding such access”. The report notes that there are “very strong similarities” in how countries treat the regulation of the protection of data. In particular, the CCBE says that, in most countries, the “universal value of the protection of lawyers’ data” is recognised.

According to the report: “In some jurisdictions, however, this protection is viewed, however, as being a defence counsel privilege. These countries also provide for generic rules for lawyers acting outside the scope of a defence counsel, based on the human right of privacy. Furthermore, in most countries, there is specific legal protection for wider professional secrets, which also serves to cover lawyers acting outside the capacity of defence counsel. In other jurisdictions, the conceptual starting point is a general legal professional privilege which covers all communications relating to all legal advice between lawyer and client, of which criminal defence work or (for example) advice on a corporate merger, would be regarded as particular instances of the general principle”.

Are there particular areas of concern in relation to the safety of data?

The SRA’s style of regulation is risk-based so that risks must be identified and managed by regulated individuals and entities. Risks relating to data security have been identified so that breach of confidentiality is seen as a “risk level 1” event or, in other words, a risk which is likely to have a detrimental effect on the client concerned. The SRA Handbook contains an outcome requiring that firms must have effective systems and controls in place to identify risks to confidentiality and to mitigate those risks.

On-site storage of confidential information is increasingly being replaced by off-site solutions and also through cloud providers. The risk is that a third party may create an environment in which client confidentiality is placed at risk. The SRA has produced Risk Guidance to explain how it considers firms can manage this effectively.

Particular risks arise where a disreputable outsource provider is used, data is not stored safely with suitable encryption standards, and where storage in off-site jurisdictions places the data at risk of seizure etc. Regardless of the methods of storage used, the responsibility for the safety of the data and compliance with duties owed to the clients remains with the lawyer.

How do you see this area developing? Are reforms in the pipeline?

In terms of the lawyers’ relationship with the SRA, the developments of electronic communications and storage continue to be seen as a risk to regulatory compliance which must be managed. The SRA will expect to see that law firms have identified potential risks and can demonstrate an appropriate response, including initial assessment, agreement on appropriate safety measures, and ongoing monitoring of both the provider and the law relating to data storage. In turn, it seems highly likely that the SRA will continue to monitor developments and assess its regulatory response to ensure that appropriately drafted requirements protect consumers of legal services.

By Tracey Calvert, Director at Oakalls Consultancy (Interviewed by Jon Robins).

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.

First published on Lexis®PSL.
