Professional Obligation of Law Firms when Considering Cloud Services

By Biren Shukla, CEO, LevelCloud

We have all heard about cloud computing and its benefits. But how does a law firm ensure that it is meeting its professional obligations and asking the right questions of its cloud provider? Not all cloud providers are created equal. This article is a modest attempt to make the decision easier for law firms that are considering the cloud as an alternative to on-premise server upgrades.

According to Forbes, by 2014 businesses in the United States will spend more than $13 billion on cloud computing and managed hosting services. The legal industry has always been at the forefront and has embraced at least some form of cloud computing, such as cloud-based spam filtering or email encryption. However, when a firm decides to change its information technology business model by working with a cloud service provider (CSP) to host all of its data, it is paramount that the firm is well equipped to ask the right questions of its CSP.

As per my latest research, close to 13 states, including California, have formally approved cloud computing and have published opinions on it. The California Bar opinion is summarized as follows: "The Committee states that a lawyer must take the appropriate steps to ensure that technology use 'does not subject confidential client information to an undue risk of unauthorized disclosure' and must 'monitor the efficacy of such steps' on an ongoing basis."

Reading several state bar opinions on cloud computing, it is clear that the ultimate responsibility for ensuring the privacy and security of the data resides with the firm purchasing the cloud services. While many of the physical, technical, and administrative safeguards are handled by the cloud service provider, the firm still retains responsibility for a significant portion of these safeguards.

While the underlying technology that powers the cloud is not that different from what most firms use today in their on-premise server environments, what changes is the actual location where the data is stored. In other words, you still need a server to run your applications and hard drives to store your data. Instead of your server room, the data resides in a highly secure datacenter, within a secure cage. The common perception is: if I cannot see the server hosting my data, then I am not in control, it cannot be secure, and therefore our firm is not comfortable adopting the cloud. On the contrary, there is a tremendous amount of innovation around cloud security, drawing plenty of investment from private equity. Today, cloud providers are able to offer many types of security solutions, such as two-factor authentication, email and data encryption, file auditing, and more. You do not have to use all of the security that is available in the marketplace, but ensure that your firm has taken significant precautions to fulfill its professional obligations.

Furthermore, competition from leading providers like Amazon, Microsoft, and Google is forcing everyone to innovate and create cloud offerings that provide higher uptime, increased security, and customization to meet each industry's compliance requirements.

The matrix below will help firms focus on the right areas and appropriate questions when selecting a cloud provider for managed cloud hosting. This is a partial list. A complete checklist is available upon request by emailing

Law Firm Obligations and Questions for Cloud Provider, with Comments and Clarifications

Security and Risk Management

| Law Firm Obligations and Questions for Cloud Provider | Comments and Clarifications |
|---|---|
| Review the Service Level Agreement (SLA) | Your data belongs to you and should not be claimed by the CSP. |
| Review the privacy and confidentiality agreement | Make sure you have this in the agreement. |
| Check whether the cloud provider has had any security breaches | Educate yourself and be comfortable with the severity of the breach, if any. |
| Check to make sure your application is cloud ready | Most applications are cloud ready, but it is always good to check with the application vendor. |
| How sensitive is the data being placed in the cloud? | Ensure that your data is not sold for profit. |
| Is your data stored at a third party separate from the cloud provider? | This helps if the cloud provider ceases to exist. |
| Can you maintain a local copy of your backup? | It is always helpful to have a local copy for the ultimate peace of mind. |
| Who is responsible for the security of your data? | A data security plan should address firewalls, encryption, password protection, and physical security. |
| Make sure that your firm's privacy policy is consistent with the contemplated cloud service | Review your privacy policy and make changes as necessary to incorporate the cloud service. |
| Find out where the CSP's servers are located. Who has access to the data? Does the CSP have multiple storage locations? | A cloud provider should have its servers in a Tier 3 or Tier 4 datacenter and have at least two datacenters in geographically separate locations. |
| Can your data reside outside the United States? | This varies from firm to firm, but typically the data is sensitive enough that it should not leave the United States. |
| Be sure to check the certifications of the datacenter | At a minimum, a datacenter should have SSAE 16 SOC 2 compliance and should be able to furnish the report. There are further compliance requirements, such as PCI and HIPAA, depending on the industry. |
| Make sure there is some type of encryption of data | Encryption can be applied while data is in transit and while data is at rest (stored). |
| Make sure that the provider is taking reasonable steps to ensure the confidentiality and privilege of your clients' information | Technologies such as secure authentication, encryption, and auditing are used to ensure data is sufficiently protected. |

Due Diligence

| Law Firm Obligations and Questions for Cloud Provider | Comments and Clarifications |
|---|---|
| Review the roles and responsibilities of your cloud provider after moving to the cloud | The cloud provider should, at a minimum, maintain your systems 24/7 and provide help desk services. |
| Effects of termination of service | Make sure there is a standard protocol that is followed to transfer data back to the firm. |
| What if the cloud provider cannot meet its performance and reliability promises? | |

IT Considerations

| Law Firm Obligations and Questions for Cloud Provider | Comments and Clarifications |
|---|---|
| Does the cloud application integrate with your office systems? | Make sure that you ask your cloud provider to research this. |
| Make sure you discuss RPO and RTO with your provider | RPO (Recovery Point Objective): how far back can you go to recover your data? Typically, it ranges from seven days to months. RTO (Recovery Time Objective): how quickly can you be back up and running after a disaster? Typically, it ranges from 4 hours to 24 hours. |
| What is your cloud provider's uptime history? | Typically, cloud providers offer at least a three or four nines (99.9% or 99.99%) uptime guarantee. |
| What type of notifications will be given for maintenance or outages? | There should be a process to quickly notify users during an outage or ahead of scheduled maintenance. |
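The RPO, RTO and uptime figures in the matrix above become much easier to hold a provider to once a firm can measure them against its own records. The following Python example is added here for that purpose; it is not LevelCloud's or the article's code, and the backup log format, the timestamps, the restore-drill durations and the outage minutes are all constructed for illustration. It computes the RPO actually achieved from a backup history (the widest gap between successful backups), checks restore drills against an RTO, and converts an uptime percentage into the downtime a guarantee actually permits.

```python
# Added example (not LevelCloud's or the article's code): turn the matrix's
# RPO, RTO and uptime figures into checks a firm can run against its own
# records. The log format, timestamps and durations below are constructed.
from datetime import datetime

# Constructed backup log: ISO timestamp, job status, size in GB.
# The 2014-03-03 job failed, so the recoverable window doubles around it.
BACKUP_LOG = """\
2014-03-01T02:00:00 OK 52
2014-03-02T02:00:00 OK 53
2014-03-03T02:00:00 FAILED 0
2014-03-04T02:00:00 OK 55
2014-03-05T02:00:00 OK 55
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_backup_log(text):
    """Return a list of (timestamp, succeeded) pairs from the constructed log."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, _size_gb = line.split()
        entries.append((datetime.strptime(ts, TS_FORMAT), status == "OK"))
    return entries


def achieved_rpo_hours(log_text, now_iso):
    """Worst-case data loss, in hours: the largest gap between successful
    backups, including the gap from the last good backup to `now_iso`.
    Failed jobs are ignored, which is exactly what makes them widen the window."""
    now = datetime.strptime(now_iso, TS_FORMAT)
    good = sorted(ts for ts, ok in parse_backup_log(log_text) if ok)
    if not good:
        return None  # no restorable copy at all
    gaps = [b - a for a, b in zip(good, good[1:])]
    gaps.append(now - good[-1])
    return max(gaps).total_seconds() / 3600


def rpo_met(log_text, now_iso, objective_hours):
    """True when the worst gap in the backup history is within the agreed RPO."""
    worst = achieved_rpo_hours(log_text, now_iso)
    return worst is not None and worst <= objective_hours


def rto_met(restore_drill_hours, objective_hours):
    """True when every recorded restore drill finished within the agreed RTO.
    An RTO that has never been exercised is treated as unmet."""
    return bool(restore_drill_hours) and max(restore_drill_hours) <= objective_hours


def allowed_downtime_minutes(uptime_pct, period_days=30):
    """Downtime budget implied by an uptime guarantee over a period (default: a 30-day month)."""
    return period_days * 24 * 60 * (1 - uptime_pct / 100)


def sla_met(outage_minutes, uptime_pct, period_days=30):
    """True when the recorded outages stay within the uptime guarantee."""
    return sum(outage_minutes) <= allowed_downtime_minutes(uptime_pct, period_days)


if __name__ == "__main__":
    now = "2014-03-05T12:00:00"
    print("achieved RPO (hours):", achieved_rpo_hours(BACKUP_LOG, now))
    print("24h RPO met:", rpo_met(BACKUP_LOG, now, 24))
    print("restore drills of 3.5h and 6h within an 8h RTO:", rto_met([3.5, 6], 8))
    print("downtime allowed at 99.99% per 30 days (min):", allowed_downtime_minutes(99.99))
    print("5 min of outages within 99.99%:", sla_met([3, 2], 99.99))
```

The failed nightly job is the case worth noticing: because only successful backups count, the single failure on 3 March stretches the recoverable window to 48 hours, so a 24-hour RPO is missed even though a job "runs" every night. The uptime arithmetic shows why the exact figure in the guarantee matters: 99.9% permits roughly 43 minutes of outage in a 30-day month, 99.99% roughly 4 minutes.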



LevelCloud is a cloud hosting provider for ProLaw. We can host your entire network and all of its applications and deliver them to you securely and cost effectively on any mobile device, such as iPads and Android tablets. We also provide value-added services like managed IT services, email archiving, spam filtering, Exchange hosting and various other services to offer you a turn-key cloud solution for a fixed monthly cost.

Thomson Reuters Elite Headquarters
800 Corporate Pointe, Suite 150, Culver City, CA 90230
© 2014 Thomson Reuters