By Milton L. Petersen, published on November 9, 2011, in Small Business Computing.
This guest article is an interview with Milton L. Petersen of Hunter, Maclean, Exley & Dunn, P.C.. who advises law firms on successful cloud computing implementation practices and other legal IT matters.
This article is the seventh in a series. Other articles in this series: “Attorney discusses IT outsourcing”, “Does the billable hour negate IT’s value?”, “Legal IT statistics”, “IT gives law firms an edge”, “Legal IT easier than you think” and “Legal IT and cloud success stories”
Why have some law firms embraced cloud computing, while others have not?
Law firms are not typically the first adapt to new technologies. They have ethical responsibilities to keep client data confidential. Some attorneys feel that moving to the cloud may be a violation of that ethical code.
On the other hand, without basic technologies – such as email – attorneys understand that they simply won’t keep up in today’s business world. Furthermore, most cloud providers can provide better security measures than in-house IT teams.
Firms must do their due-diligence on cloud providers and check certifications and reporting procedures (such as SAS 70 auditing and SOC -Service Organization Control – Reports) that hold them to strict obligations of confidentiality. Alternatively, the firm can hire a third-party to assess the cloud computing provider.
What are some “must-haves” that firms should ask of a cloud computing provider?
Email control policies. There are quite a few, but let’s start with email – a technological necessity today. While most firms don’t have encrypted email capabilities, I believe law firms should not resort to public email, such as Gmail or Hotmail. Since firms must save their email communications, they should make certain that emails can be archived in an efficient and secure matter – without having to deal with additional “storage charges.”
Firms should make sure they have control over the information. The cloud provider should never destroy the electronic documents or emails. In discovery, firms should have the ability to obtain the necessary information from their cloud provider(s). Ask about the vendor’s “data retention policy”.
Breach notifications: Many states have security breach notification laws. Law firms would do well to ask a prospective cloud provider if/when their systems have ever been breached and to what extent. Some providers are only required to report data breaches once it reaches a certain level. Request to be notified of future breaches as well.
Obviously, law firms need to be very careful in using any social networking tools or services, especially with regard to ensuring that client confidential information is not disclosed, even indirectly (for example, by describing something in such a way that a client’s identity could be inferred, even if not directly disclosed).
In general, firms should already have internal policies and procedures in place. Use them to drive your cloud computing implementation plan.