The Law Society has published a practice note on the use of cloud computing services in law firms, warning firms that they could break the Data Protection Act, including by storing data in foreign clouds.
The guidance is "responding to the increasing use of cloud storage as an alternative to traditional IT provision and the associated security risks involved", said the Law Society.
The practice note is aimed at all solicitors, practice managers or law firm IT staff using or planning to use cloud services.
Sam De Silva, chair of the Law Society’s Technology and Law Reference Group, and a member of the EU Commission’s Expert Group on Cloud Computing, welcomed the new guidance for lawyers.
“While cloud computing has a number of advantages for businesses, such as reducing costs and increasing storage, it carries risk which firms must consider when engaging with a third party to handle sensitive information.”
He said: “Anyone involved with the collection and storage of personal data must comply with the Data Protection Act, and law practices are also subject to professional conduct obligations to maintain client confidentiality and properly manage their practices.”
In addition to the risks and benefits of cloud computing, the practice note covers areas such as lawful access to data by foreign law enforcement or intelligence agencies, as well as service levels and the right to sue the cloud provider for damages or to terminate the contract.
It also covers inadvertent breaches of cloud providers' “acceptable use policies”, where defamatory material needs to be held in the cloud when a law firm is acting for a client defending a defamation claim.
The Law Society is advising firms to ensure their prospective cloud service has been subjected to a "full risk and compliance analysis" before proceeding.
A practice note from the Law Society is not intended to be the only standard of good practice that solicitors should follow. Solicitors are not required to follow practice notes, but the intent in issuing them is to make it easier for legal practitioners to account for their actions to oversight bodies.