As law firms began to test the waters of cloud computing earlier this decade by cautiously using hosted platforms for storing data, they rightfully focused on making sure they were working with properly certified data centers. These are the facilities that take responsibility for delivering 24/7 access to a law firm’s most sensitive information, so it is crucial that they use state-of-the-art data security controls and comply with the highest industry standards.
For example, savvy law firms took care to entrust their information only to data centers that could produce: Service Organization Control (SOC) 1 certification of the controls in their environment that may be relevant to financial reporting; SOC 2 certification, which provides an independent assessment of system security; International Organization for Standardization (ISO) 27001 certification for information security management; and ISO 9001 certification, which demonstrates the ability to meet customer specifications and comply with regulatory requirements.
We have now reached the tipping point in cloud adoption, with the number of lawyers using cloud platforms jumping to 52 percent last year, according to the 2017 ABA Legal Technology Survey. The question is not whether or not the migration to the cloud is going to happen for your law firm; the question is whether or not you are prepared to manage this migration effectively and work with the right service providers to execute it with minimal disruption and maximum risk management.
Likewise, the conversation about certifications needs to evolve to the next level. Certifications are valuable and important, but they are table stakes in today’s technology world. It is time to look beyond those data center certifications and focus on building a culture of ongoing compliance with your move to the cloud.
The Culture of Compliance
Many law firms have already discovered the hard way that “Security” does not equal “Compliance” in the context of their on-premises networks, with the consequences of data breaches leaving an unfortunate trail in disparate locations such as New York and Panama. Similarly, no matter how carefully selected and well-certified your data centers may be, what truly protects your clients and minimizes information risk is day-to-day compliance.
The most common mistake that law firms make in this regard is the presumption that they offloaded the burden of worrying about data compliance issues when they decided to outsource the function of data storage and management to a services provider. Of course, it is certainly true that — at some point — you must trust your provider to do what they do best. But at the same time, you simply cannot abdicate your responsibility to your firm and your clients to oversee the proper management of their data.
For example, law firms must work with their services provider to make sure the access controls in place are appropriate and well documented. Many of these services are “DIY,” and you are still responsible for configuring and setting them up correctly to meet your needs. You need to be confident that the provider is fulfilling its obligation to be a good custodian of all client data and respecting international data privacy regulations. You must monitor how they securely facilitate online collaboration when data is retrieved from the cloud by lawyers and clients, and even how they manage data disposition when that is required.
Here are three specific areas where law firms can work alongside their managed services provider to build an ongoing culture of compliance:
1. Hosting. With managed hosting services, your provider hosts your servers, operating system, network, storage and databases. This allows the firm to reduce capital expenditures and fill IT skills gaps in your organization. If you choose to assign this hosting role to a third party, they need to be aligned with you on both strategic objectives and tactical execution of compliance requirements. Because many of these services tend to be of the DIY variety, make sure the controls you would like to have in place can be implemented in conjunction with your provider — or, at a minimum, that they can assist you in designing them.
2. IT Operations. Many law firms are under rising pressure to do more with less: deliver applications to lawyers faster, stay ahead of information security threats and cut expenses, all at the same time. Some of these firms choose to transfer some or all of the day-to-day operational aspects of their IT infrastructure to a solutions provider with the scale and expertise to deliver these services. Working with a managed services provider to outsource some IT functions can produce great results, but it is essential to ensure the provider aligns with your business needs, as well as your compliance and security requirements. Synergies in these areas are very important.
3. Migration. Regardless of how much time and energy is focused on planning a move to the cloud, there can be serious compliance risks if your firm neglects to oversee the migration itself. Proper migration reduces the risk of an error that can trigger downtime and significant business disruption, so it is important to partner with your provider in the selection of the right tools and technologies that will aid the migration. At the center of this work should be strict adherence to your compliance strategy.
Common industry standards such as ISO 27001 and SOC 2 matter because they provide third-party validation that your data is being hosted in secure, highly available and certified data centers. But these certifications should be the beginning — not the end — of your search for a trusted provider of cloud services.
It is essential to find a technology and services partner that is aligned with your perspective, then work closely with that provider to make sure that you are functioning as a team to build a culture of ongoing compliance and security. An important starting point is to select a company that understands a law firm’s unique needs as a provider of legal services so you can have confidence they know the industry landscape and nuances that law firms must navigate when it comes to managing client data.