The United States Law Week

INSIGHT: Three Capabilities Law Firms Should Demand from Their Cloud Service Providers

July 15, 2019, 8:01 AM

Despite the cloud’s cost, agility, and other benefits, many law firms took a “wait-and-see” approach until relatively recently, concerned that cloud-based document management, billing, and other solutions would not provide the same level of data security and service levels as on-premises solutions.

These concerns are rapidly evaporating as the cloud and the technologies that underpin it become better understood and more widely deployed. The ABA’s most recent Legal Technology Survey found that more than half of respondents are using cloud-based services in some form. Commonly cited reasons included the cloud’s ability to provide ubiquitous access from any location, low cost of entry, and predictable monthly expense.

These are certainly all good things. But does it mean that any cloud-based system should be greeted with open arms by law firms? Not necessarily. As law firms begin replacing their on-premises document management systems and other solutions with cloud-based solutions, they should ensure that they aren’t swapping one set of problems for another by selecting cloud solutions that might create new compliance, security, or performance related problems down the road.

If you’re considering a cloud-based system, you should ask some questions. Will it allow you to meet GDPR and other data privacy regulatory requirements? Can you be sure that client data won’t be vulnerable to a blind subpoena? Will the cloud actually deliver maximum performance right from the get-go—or will it require you to purchase costly hardware, such as WAN accelerators or MPLS lines, to achieve optimal results?

Below are three things any law firm will want to look at and be very clear on before moving forward with any cloud-based system.

Geographic Location Matters

When it comes to regulations around how data is handled and stored, few have garnered more press in recent years than GDPR. One of the most vexing aspects for firms is GDPR’s requirement that data stay within a specific geographical jurisdiction at all times.

Firms that do not comply with this requirement risk a hefty fine from the EU. More than that, firms risk violating the outside counsel guidelines that their clients have given them regarding how data needs to be handled—never a particularly clever move from a business retention or business development standpoint. Existing and potential clients alike want to know that firms are taking the privacy of their data seriously.

Accordingly, firms should make sure that any cloud-based system provides geo-isolation capabilities where not only is the data stored in one specific geographic location, but all services performed on that customer data—from encryption and optical character recognition (OCR), to document preview and other services—are as well. This way, the data never leaves the jurisdiction it’s supposed to be in, no matter what action is being taken on the data.

Who Holds the Key? Don’t Be Vulnerable to a Blind Subpoena

Increasingly, clients have more on their mind than making sure their sensitive and confidential data is properly domiciled: they also want to make sure their data isn’t vulnerable to a blind subpoena. With a blind subpoena a government agency could compel a cloud vendor to turn over a customer’s data without the knowledge or approval of the customer.

This is why customer managed encryption keys (CMEK) are essential in today’s environment. With CMEK, the customer generates an encryption key and manages it with a third-party service provider. This customer key is used to encrypt the data in the vendors cloud. The cloud vendor never needs, receives, or stores a copy of this key.

In this scenario, even if the cloud vendor is compelled to hand over client data to a government agency or investigatory body, the data stays protected because it is encrypted with the customer key and cannot be decrypted without this key.

This design means that the customer has exclusive control of their key and thus their data. Because of the added layer of protection this provides for customer data, choosing a cloud service that utilizes CMEK should be a top priority for law firms.

Avoid Performance ‘Gotchas’

Another equally important factor for law firms to consider is performance.

Many is the law firm that has signed on the dotted line for a new cloud service, only to find that the speedy performance they were promised can only be fully realized by purchasing some expensive extras for their organization’s infrastructure.

Typically, this might be a WAN accelerator, which optimizes bandwidth across a wide-area network, or a dedicated MPLS line between locations which—in addition to being very costly—can take weeks to install. In the meantime, you’ll have an office of grumpy lawyers and legal professionals wondering why the new cloud service is so sluggish.

The lesson? Try before you buy. In addition to asking the vendor whether the performance of the cloud will be fine with their existing setup, law firms should test the performance ahead of time. In many cases, cloud vendors will offer a set of performance testing tools that can be used across geographies so that firms can validate what kind of performance they can expect from the service once they go live. If the vendor isn’t keen to offer this testing, proceed with caution.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

About the Author

Dan Dosen is general manager, Cloud Services at iManage, which transforms how professionals in legal, accounting and financial services get work done by combining artificial intelligence, security, and risk mitigation with market leading document and email management. Dosen is responsible for the commercial aspects of the iManage cloud including customer on-boarding, security-compliance and cloud roadmap.

To read more articles log in. To learn more about a subscription click here.