Authorities including the UK Information Commissioner, the Solicitors Regulation Authority (SRA) and the Council of Bars and Law Societies of Europe (CCBE) are establishing requirements which are conflicting with the main foundation of cloud computing and in many cases making it impossible to implement

1. Securing data in the cloud: A challenge for UK Law Firms

2. ii SECURING DATA IN THE CLOUD: A CHALLENEGE FOR UK LAW FIRMS
Securing data in the cloud: A challenge for UK Law Firms
According to Gartner, cloud computing is a style of computing in which scalable
and elastic IT enabled capabilities are provided ‘as a service’ to external customers
using internet technologies. Law firms around the world are embracing cloud
computing to take advantage of the economies of scale and reduce the operations
and maintenance cost of IT infrastructures. The cloud is no longer an emerging
technology, with around a third of lawyers using cloud-based services*, it is
an essential one for business. However, there are serious concerns about data
protection in the cloud as highlighted in the UK Data Protection Act and in the SRA
Risk Outlook.
The facts
Cloud computing is a business strategy, not just an IT optimisation strategy. A recent Harvard
study** found that 70 percent of businesses have adopted cloud computing, 71 percent expect
cloud to reduce complexity in their business and 74 percent say cloud has provided competitive
advantage. Law firms are quickly catching up and realising these benefits with adoption figures in
the legal sector growing each year.
Cloud computing is introducing new risks:
The typical enterprise perimeter is eroding making the physical location of data irrelevant
Sovereignty is not only about the physical location of the data, it’s also about the
nationality of the physical location controller
There is a changing notion of insider threats
End user devices are more diverse and less controllable (e.g. BYOD, guest’s devices)
Information consolidation leads to high value targets
Government surveillance and organised crime sponsored attacks; your adversaries are
much stronger than you!
Stealth attacks mean that businesses are often not even aware of an attack
Hacking incidents jumped significantly around the time cloud computing was introduced
as highlighted in the graph across

3. iii
Governments are enforcing data privacy regulations, including the UK Data Protection
Act (DPA) 1998, to protect against the risks of cloud computing. In many countries,
government surveillance may already be impacting privacy.
The challenge
Authorities including the UK Information Commissioner, the Solicitors Regulation Authority
(SRA) and the Council of Bars and Law Societies of Europe (CCBE) are establishing
requirements which are conflicting with the main foundation of cloud computing and in
many cases making it impossible to implement.
The UK Data Protection Act (DPA) 1998 governs how private data is to be processed.
Looking more closely at the DPA:
The DPA applies to personal data that is processed
The DPA defines personal data as “data which relates to a living individual who
can be identified from that data . . .”
The DPA requirements state that any contract with a third party must comply with
the same security obligations as if it was implemented and operating on premises
It doesn’t matter who performs your data processing, you will continue to have full
liability for unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data
The DPA requires that personal data “shall not be transferred to any country or
territory outside the European Economic Area (EEA)”
SECURING DATA IN THE CLOUD: A CHALLENEGE FOR UK LAW FIRMS

4. vi SECURING DATA IN THE CLOUD: A CHALLENGE FOR UK LAW FIRMS
Additional requirements from the UK
Information Commissioner (ICO), SRA Risk
Outlook 2014/2015 and the CCBE specify:
The ICO recommends that cloud
customers negotiate with the cloud provider,
through the contractual terms and conditions,
to ensure compliance with the DPA. However,
cloud providers offer standard, non-negotiable
terms - take it or leave it - without opportunity
for negotiation. In most cases, cloud customers
are in no position to negotiate the terms of
their contract with the service provider
The primary cloud provider contract
should include appropriate assurances that the
security of each sub-cloud provider involved
in the processing of cloud customer’s data will
comply with security requirements set out by
the primary cloud provider
Using primary cloud provider services
from outside the UK:
- The primary cloud provider should be
able to explain when data will be transferred to
the different locations
- The location of each sub-cloud
provider involved in the processing of the
data should also be available from the primary
cloud provider, with details of the security
arrangements in place
ICO and SRA guidance state that the
most effective way to assess security measures
used by a primary cloud provider would be to
inspect their premises
These requirements conflict with the main
foundation of cloud computing. In summary,
law firms are expected to:
1) Assure that cloud providers‘ security practice
adhere to the same as the cloud customer
2) Control where the physical location of the
data is stored and processed
3) Know who owns the physical location
Before moving on to the proposition, it’s
important to note that cloud computing is
based on a layered service model (including
software, platform and infrastructure as a
service providers) and cloud providers often
have a global infrastructure. If this complex
structure means that data is moved across
multiple players in the cloud and across
international boundaries, how can we utilise
cloud computing?
The proposition
Although law firms should be concerned
about using cloud computing in light of recent
regulations, it’s not impossible. To capture
some of the challenges, and offer alternative
solutions, the ICO published a document titled
‘Anonymisation: managing data protection risk
code of practice’. However, the challenge of
finding a cost-effective universal way to adhere
to the ICO recommendations and move forward
with cloud computing still remains.
Firms can utilise global cloud computing to
grow the business whilst being compliant with
the data protection laws in respect of data
privacy and residency. By changing the way
data is secured and adopting a new security
paradigm, it is possible to take advantage of
the cloud. Firms should no longer only protect
the perimeter of the organization but focus
on anonymising the data from the point of
creation and throughout its lifecycle.
By masking data from the point of creation,
it will never travel through the cloud as
meaningful data. Benefits of anonymising data
in the system means your firm will be able to
deploy any cloud with no restriction and still
be fully compliant within all laws, regulation
and directives. The data in the cloud is NOT
“personal data”. In addition, firms can use the
cloud to improve their competitive edge, be
more client focused and address some of the
risks listed in SRA’s Risk Outlook 2014/15.
The key is to focus on what matters most, your
data.
SOURCE:
*2013 ABA Legal Technology Survey Report
**Harvard Business Review Analytic Services of 527
HBR readers in large and mid-size organisations.

5. To find out more about how CloudMask and SIM can
protect your information, extend your security or privacy
policies, and enable secure collaboration across your
supply chain visit www.cloudmask.com or
contact info@cloudmask.com.
Copyright© CloudMask