According to a recent report by Forrester, the cloud computing market is anticipated to grow at a rate of 18.5 per cent a year.
As technology develops at an exponential rate, the changes within the legal sector continue to accelerate. As this occurs, we’re seeing a bigger gap between providers and informed clients. And we’re seeing a number of clients making uneducated decisions.
Data is fast becoming the primary currency for cloud providers, and knowing how yours (and more specifically your clients') is being looked after and protected covers a number of topics, particularly:
- Data Sovereignty
- The Privacy Act
- Data Breach Insurance.
1. What is Data Sovereignty?
Data sovereignty is the concept that information which has been converted and stored in digital form is subject to the laws of the country in which it is located.
The concern is that when Australian data is stored overseas, it is subject to international laws that may be less stringent (or potentially more so) than the laws at home that safeguard individual and corporate privacy.
With that in mind, there are questions you should ask when making the final decision around where your data should be kept. This applies whether you are considering hosted cloud environments as your primary solution or something as simple as your offsite backups.
What you need to know
It’s important to understand the different concepts of offsite data storage and whether your data is stored in public or private domain environments.
Essentially, public cloud services, like Amazon and Azure, are shared resources owned and operated by third-party providers. Their servers are housed in multiple locations, potentially including both on-shore and off-shore sites.
Private cloud is infrastructure and resources shared privately with a group of dedicated customers. It allows more flexibility in terms of control and security, generally with set locations and the ability to tailor requirements specifically to your needs.
When determining the security of your data and your ability to access it, the 3 main categories of questions you should consider are:
- Where is my data being stored?
- How can I physically access my data if required?
- Is my data being backed up, and where to?
2. The Privacy Act
As a lawyer, you’re in possession of incredibly confidential information. With the proposed changes to the Privacy Act, it is essential to have a complete understanding of your obligations.
According to the National Privacy Principles (NPP), a business is obligated to “take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure.”
Although, to a certain degree, this indemnifies organisations that are currently storing information abroad with a reputable company, the Office of the Australian Information Commissioner (OAIC) is reviewing these policies and enforcing stricter regulations on organisations that are storing sensitive personal information, especially those relating to medical details. For more information, visit OAIC’s website.
What you need to know
When you consider your obligations and the fact that the responsibility and accountability ultimately lie with you as the law firm, you can probe a little further into a few key questions:
1. Where is my data being stored?
Once a decision is made around public vs private, it is essential you know where your data is being stored. Our recommendation is to ask for some written, documented proof, as well as ensuring it is included within your Service Level Agreement. This ensures the provider is held accountable.
2. How can I physically access my data if required?
You need to ask a number of questions to understand the process in order to obtain your data. The questions below are a good start:
- Should the hosting provider become insolvent, what is the process to access your data?
- Does the provider have a plan in escrow that can be acted upon?
- What levels of physical security does your provider currently have in place to protect your data?
- Is it housed in a Data Centre?
- Does it have redundant power?
- Are there security measures like swipe cards, pin codes and locks on your server?
- Should you leave your provider, can you get your data back without financial penalty (in the form of data migration costs)?
3. Is my data being backed up, and where to?
Most reputable organisations will have their own business continuity strategy to ensure they can provide continuous service as a hosted provider.
You need to understand this and determine whether it is kept within the same state, within the nation or off-shore.
Retention is also relevant. How long backups are kept is an important topic. There are many additional extras like file-level backup, image-level copies, full replication and redundancy, increased retention and optional iterations.
3. Data Breach Insurance
By now, most organisations would have heard about Cyber Insurance and the benefits it provides firms in this current digital age.
Seeing that no solution on the market is 100% guaranteed, insurance is becoming a crucial aspect to provide some additional assurance to law firms. Apart from the general cybercrime insurance, you can also include Privacy Breach and Expense Cover to that policy.
This is an additional level of security should your data be breached or accessed from another country, for whatever reason. Most reputable insurance providers will include that as a standard cover on the policy, but it is essential to specify that with your broker.
The bigger picture
Considering all of the above, as well as a bigger concern that the US can play their “Trump” card at any given time, I feel the more sensible approach is to engage a local private cloud provider that can ensure your data is stored and backed up locally.
Alternatively, you could always leave your data in house, but be careful that the cleaner doesn’t pull out the plug to vacuum the floor.
About Zahn Nel & Mathew Williamson
Zahn and Mathew are both Directors of CT Group Solutions, which provides premium managed services and secure private cloud hosting to the legal services sector. They have extensive experience in working with professional services firms, both locally and internationally.