Due diligence is key when adopting cloud, says Databarracks

SRA needs to look north in light of growing cloud adoption.

  • Friday, 16th August 2013 Posted 11 years ago in by Phil Alsop

The Solicitors Regulation Authority's (SRA) apparent reluctance to provide guidance on new technologies means law firms currently searching for a cloud service provider (CSP) need to take it upon themselves to carry out comprehensive due diligence and in-depth reviews says Peter Groucutt, Managing Director of Databarracks.


A recent report from Databarracks, in collaboration with Frank Jennings, Commercial and Cloud lawyer at DMH Stallard LLP and Chair of the Cloud Industry Forum Code of Practice Board, identified the key challenges and benefits to law firms embracing cloud services. The report highlighted legitimate concerns regarding the SRA’s lack of proactivity in this area, especially in comparison with their counterparts.


Groucutt states that such an approach will only serve to hinder the legal sector during a time when guidance is most needed: “As more and more firms look to embrace cloud services, they will look to the SRA for direction.


"Naturally, as with any new technology, firms will have questions regarding the services available and there may be a lack of understanding as to which path to take when migrating to the cloud, especially in terms of data security. If the SRA continues to remain inactive in this area, confusion, questions and the potential for mistakes will only increase.


“The report showed that senior IT personnel at a range of firms were surprised by the lack of direction given by the SRA for cloud services, considering how concerned it is with data security and client confidentiality. There was debate as to whether the SRA would get more involved at some point or if its commitment to outcomes-focused regulation (OFR) would keep it from giving any meaningful advice.


"Looking across the border, the Law Society of Scotland has acted to address the growth of cloud adoption by developing a guide which does offer practical advice around the risks associated with cloud computing and how these services are best suited to the legal industry.”


Groucutt continues: "While these steps might seem basic, they are certainly effective. A small amount of guidance has a big impact in a field like cloud computing. The SRA should look to follow suit, working with CSPs in order to provide guidance to those considering migration.


"In the meantime, firms actively looking to move to cloud services should carry out full due diligence checks when identifying a potential CSP. Comprehensive SLA’s should be agreed and specific data security and compliance concerns should be addressed at the outset.


Groucutt concluded: "As a starting point, firms should look to the accreditations of the CSP to determine their credibility. Ensuring that providers are compliant to standards such as ISO 27001 for information security, should give some reassurance. Also looking at general cloud industry standards such as the Cloud Industry Forum’s (CIF) Code of Practice, which seeks to assure end-users receive high quality services by providing certification to credible suppliers, will serve as a useful guide to law firms until the SRA decides to act.”