Cloud Computing and Compliance
“The cloud” is one of those buzzwords that seems to dominate any discussion of technology now. The cloud is a catch-all term for computer services and data storage via the web. Before you ditch the hardware and dive into the cloud, make sure you have covered your compliance questions. As a law firm you must comply with the Solicitors Regulation Authority’s (SRA) Code of Conduct, outcomes-focused regulation (OFR), and your quality kite marks such as Lexcel.
Below is an overview of how the cloud affects both OFR and Lexcel, together with some key questions to ask before moving to the cloud.
Outcomes Focused Regulation has brought a new approach to mitigating risk and there can be few risks as serious as your business grinding to a halt in the wake of an IT failure. Ensuring that your firm meets compliance for business continuity and disaster recovery, a key feature of a cloud service, is no longer a matter of ticking a box.
Of the ten principles outlined in the SRA Handbook, Principles 5, 8 and 10 are all impacted by a move to the cloud, as these relate to: services to clients, risk management and protection of assets. As a compliant law firm you are required to:
- Provide robust systems that can handle the pressures of shifting workloads and demands;
- Deliver a cast iron guarantee to your clients that they won’t be affected by IT down time or mini-disasters (such as extreme weather) preventing your staff getting into work;
- Deliver failsafe systems for the handling of money and assets.
Q) What specifics do I need to take into consideration?
A) Chapter 7 of the Code of Conduct, outcome 7.10, states the requirements that must be met for outsourcing any functions which are critical to the provision of legal services. You must ensure that:
- Your outsourced solution does not adversely affect your ability to comply with, or the SRA’s ability to monitor your compliance with, your obligations in the Handbook. Far from adversely affecting your ability to comply, a cloud solution supports compliance.
- The SRA – or its agents – can inspect the records of, or enter the premises of, any outsourced provider. Consider which cloud supplier you use – this is where international suppliers may not provide the best solution, as they may be accountable to international regulation on data disclosure that conflicts with these requirements.
- Your outsourced solution does not alter your obligations to your clients. Far from adversely affecting your obligation to clients, a cloud solution can underpin and guarantee delivery of that obligation. With Cloud, an internet connection is all you need to access all your data and applications, removing the risk of downtime through local disruption and disaster, and guaranteeing a continuous level of service to clients.
- The outsourced solution does not interfere with your ability to remain authorised. When considering a Cloud supplier, look for one with experience in the legal sector. Ask them to explain the infrastructure of their proposed data centre, specifics about the owner, its capacity, disaster recovery failsafe and security. With the correct due diligence, Cloud not only helps you avoid breaching the Code, it can support you with compliance.
Q) How will I know if I meet my OFR commitment?
A) The Code sets out a series of ‘indicative behaviours’ which will help. These include:
- Safekeeping of documents and assets entrusted to the firm. Cloud helps reduce the need for physical copies of files and greatly lessens the risk of them falling into the wrong hands.
- Controlling budgets, expenditure and cash flow. Cloud offers the ability for firms to better manage their systems through centralised data and applications and a ‘single version of the truth’ when it comes to management information.
- Identifying and monitoring financial, operational and business continuity risks – including complaints, credit risks, claims under legislation, IT failures and damage to offices. Cloud can give the compliance officer an overview of the firm’s activities, enabling them to anticipate and identify risk, and act quickly upon any potential breach.
- Having a business continuity plan to ensure that there is the minimum interruption to clients’ business in the event of absences or emergencies. This is where Cloud comes into its own; an internet connection is all that’s required for a member of staff to access all their normal desktop applications and data anytime and anywhere, delivering an unbroken service to clients.
There are also specific requirements for firms seeking quality kitemarks, such as the Law Society’s Legal Practice Quality Mark (Lexcel). Lexcel accredited practices undergo independent assessment every year to ensure they meet required standards of excellence in areas such as client care, case management and risk management.
Q) What does Lexcel require from a Cloud solution?
A) Lexcel requires that practices will have a policy in relation to any outsourced activity, which must include:
- Details of all outsourced activities
- Procedures to check the quality of outsourced work
- Steps to ensure providers have taken appropriate precautions to ensure information will be protected
- A list of all providers of services
- The person responsible for the policy
- A procedure for an annual review of the policy, to verify it is in effective operation across the practice
Make sure you build these into the service level agreement with your Cloud provider.
Q) What are the Business Continuity requirements from Lexcel?
A) Lexcel requires that practices will have a business continuity plan, which must include:
- An evaluation of potential risks and the likelihood of their impact
- Ways to reduce, avoid and transfer the risks
- Key people relevant to the implementation of the plan
- The person responsible for the plan
- A procedure to test the plan annually, to verify that it would be effective in the event of a business interruption
Review your risk management plans at the point of engaging a Cloud solution, so as to include the benefits of Cloud-based disaster recovery and business continuity.
Q) What are the IT Plan requirements from Lexcel?
A) Lexcel requires that practices will have an information communication technology (IT) plan, which must include:
- The application of all IT facilities within the practice
- The role of IT in facilitating services for clients
- The person responsible for the plan
- A procedure for an annual review of the plan, to verify it is in effective operation across the practice
Download the booklet from Converge TS to view a template IT plan.
For a FREE copy of our “Cloud and Compliance – Your IT Questions answered” booklet, Email: firstname.lastname@example.org