In the last few years, many law firms and legal teams have turned to the cloud to support new ways of working. In fact, research shows that when it comes to facilitating virtual working, 40 per cent of law firms in 2022 used cloud-based tools, up from only 3 per cent in 2020. At the same time, over 60 per cent of larger law firms migrated their document management systems to the cloud in 2022.
The benefits of the cloud are clear — lawyers can work and collaborate remotely in the cloud, meaning firms and legal departments become more productive and efficient. However, amid all the advantages, organisations must also ensure they remain secure and compliant. A security breach or failure to meet compliance regulations can carry significant financial penalties and reputational repercussions.
Brace for more data privacy regulation
The need for compliance is being driven by people becoming more aware of how their personal information is managed and stored. Gartner has predicted that by the end of 2023, modern privacy laws will cover the personal information of 75 per cent of the world’s population.
Because global standards for data privacy and security are changing and expanding, law firms will need to pay close attention to which regulations are relevant to their clientele to ensure the privacy and security needs of their clients’ data can be met. In some cases, it may be necessary to geographically segment data storage to ensure compliance. Organisations should also consider investing in technology such as robust authentication, data loss prevention (DLP), ethical walls and encryption.
Making the right choice
The good news is that cloud providers do some of the heavy lifting when it comes to ensuring privacy, security and compliance. In fact, a law firm or legal team can actually “inherit” the embedded security and compliance controls that already exist within a vendor’s application infrastructure.
Therefore, when selecting a cloud service provider, confirm whether your chosen vendor has been audited or certified against one or more of the following standards and regulations. This provides independent validation that the provider has implemented the audited security controls. Some of the most widely accepted standards include the following:
- The General Data Protection Regulation (GDPR) regulates how companies protect EU citizens’ personal data and has become the benchmark privacy law for many countries. Although GDPR has become an international standard for protecting personal privacy, there is currently no direct “certification” for GDPR compliance. However, ISO 27701 is a separate certification that parallels many GDPR requirements (see below).
- ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within the context of the organisation. ISO 27001 certification is one of the most widely recognized security standards.
- ISO 27017 provides guidance on the information security aspects of cloud computing and cloud services as well as additional implementation guidance for relevant controls specified in wider ISO guidance.
- ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with ISO privacy principles for the public cloud computing environment.
- ISO 27701 is a privacy certification extension to ISO/IEC 27001 designed to enhance the existing ISMS with additional requirements in order to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS). As noted above, the controls in ISO 27701 parallel many of the requirements in the EU’s General Data Protection Regulation (GDPR), so certification against the ISO 27701 controls can be used to independently demonstrate compliance with GDPR.
- Service Organisation Controls (SOC) is a U.S.-based standard that outlines the controls a provider must adhere to for some or all of the Trust Principles of security, availability, processing integrity, confidentiality and privacy. An independent SOC 2 audit report helps companies to establish trust and confidence in their service delivery processes and controls.
- The EU Model Clauses are standardised contractual clauses used in agreements between service providers and their customers to ensure that any personal data leaving the European Economic Area will be transferred in compliance with EU data protection laws and meet GDPR requirements.
Let the cloud provider do the heavy lifting
Today’s cybersecurity and privacy requirements are complex and evolving — and it can be tough to keep up with them. By choosing cloud solutions from vendors that have undergone audits and certification reviews to validate compliance with recognised security and privacy standards, law firms and legal departments can rest assured that their operational and client data is in safe and capable hands.
David Hansen is vice-president of compliance at NetDocuments.