Five questions lawyers should ask cloud technology vendors

In today’s legal landscape, success requires more than just exceptional legal work. Sharp lawyers must also find ways to enhance productivity, minimise expenses, and serve clients from anywhere. While adopting cloud-based legal technology can support these goals, not all providers are created equal – and lawyers have to ascertain which vendors are up to standard.

If you’re thinking of introducing (or changing) cloud technology at your firm, it’s prudent first to assess potential vendors. While it may be obvious to evaluate business factors like a provider’s history, funding, and stability, it’s equally important to query things like the level of security and reliability they offer. But what risks should you be alert to, and what do you need from potential vendors to make an informed decision? Consider these questions to help guide your assessment.

1. What are their terms of service and confidentiality policies?

As a solicitor, it’s essential – and it’s your legal and ethical responsibility – to protect and ensure client confidentiality when it comes to cybersecurity. As such, your first assessments when considering any potential cloud provider should be whether they have clear and accessible:

• terms of service and privacy policies;
• lawyer and client confidentiality policies (specifically, do they recognise and agree to abide by the duties of confidentiality?);
• contractual obligations to notify you of any demands for client information – with time for you to intervene.

Key questions:

• What uptime does the vendor guarantee as part of their service level agreement?
• Is there an initial setup fee? Are there additional usage or bandwidth fees?
• Is there a cap or limitation on the cloud provider’s ability of service, such as bandwidth caps or storage limits?
• Do they explicitly recognise your ownership of any intellectual property?

2. What is the plan for data backup and business continuity?

Disasters (both natural and manmade) do, unfortunately, happen. While using cloud-based technology can help mitigate the risk of losing data if a physical disaster (such as a fire or flood) happens at your office, providers must have a plan to protect your data and ensure business continuity.

Key questions:

• What are their documented procedures for business continuity and disaster recovery? Have they been tested?
• Are there regular backups that are tested for validity? Are they encrypted?
• How – and how easily – could you retrieve your data from the provider if needed?
• Can you maintain a local backup of your data?
• If you retrieve data, is it in a usable, non-proprietary format?

3. What security measures do they maintain?

Security is critical for your firm – on all fronts. Take time to investigate and understand exactly what reasonable security measures the cloud provider offers.

Key questions:

• What controls to prevent unauthorised access or disclosure of information (including penetration testing) have they implemented?
• What features (such as two-factor authentication, IP monitoring, strong password requirements, role-based access control) does the provider offer for user authentication and to prevent unauthorised access?
• What are their data protection policies? Do they employ encryption at rest and in transit?
• How regularly (and is it ad hoc, annually, or on some other schedule?) is the provider’s security audited? Will they allow you to obtain copies of any security audits performed?
• What support and/or remedies will the vendor provide in the event of data breaches and service availability failures?

4. What is the provider’s geolocation?

A key advantage of using fully cloud-based software is that it lets you go mobile and not be tied to on-premise servers at your office – but you still must think about where the provider is physically located. A true cloud-based provider should be capable of maintaining multiple geographical locations to ensure data safety and residency requirements.

Key questions:

• Where are the cloud provider’s servers located?
• Do they have multiple storage locations?
• If so, how often are these synced?
• Can they provide a means to satisfy any applicable data residency requirements?

5. What are the policies for termination of services?

If, in the future, you decide to terminate your use of a cloud-computing technology service, you need to know what happens next. Are there, for example, any additional costs or penalties that your firm would incur for terminating the service? What would happen to your data and information?

Key questions:

• Will your information be returned/deleted by the cloud provider on termination?
• Can your data be sanitised from the cloud provider in the event of termination?

Conclusion

By thoroughly investigating a potential service provider’s policies and asking smart questions, you’ll be in a better position to evaluate their value to your firm. To help further, here is a handy Cloud Computing Due Diligence Checklist with some of the questions I outlined in this article, and more.