Cloud Computing Due Diligence: A Checklist for Law Firms

Every day, forward-thinking law firms eliminate onsite servers and move their legal practice applications and data to the Cloud. Those that have not yet moved have cloud computing on their radar, because it is hard to ignore. The benefits of cloud computing for law firms include:

  • A private Cloud is a proven, trusted, and secure solution for an Internet-connected practice
  • The ability to work productively anywhere in the world, on any device
  • Significant cost reduction through elimination of onsite servers and related IT expenses

In fact, there are numerous competitive business advantages cloud computing affords your practice, with little to no change to the way your practice operates.

However, there are a number of serious issues to consider before selecting a cloud service provider. The legal profession has unique security, ethical, and compliance requirements to factor into the selection of a cloud provider. Law firms also have specialized software and mobility considerations that few cloud service providers are equipped to handle. Many cloud service providers—including otherwise capable and reputable providers—simply do not understand the legal practice and issues surrounding privileged client information, nor do they have experience working with legal-specific software.

The consequences of choosing the wrong provider can be devastating to a law firm. Generally, the major risks a law firm assumes when moving to an ill-suited cloud service provider fall into two categories:

Security-related Risks

  • Exposure of confidential client data
  • Violation of lawyer-client privilege
  • Breach of ethical obligations
  • Damage to firm's reputation

Productivity-related Risks

  • Stability issues and downtime
  • Workflow interruption
  • Lack of support for legal software
  • Lack of integration with peripherals

This article outlines the most important requirements that your current (or prospective) cloud service provider must meet to minimize your risk when moving to the cloud. These requirements reduce the risk of both security breaches and downtime or system/workflow interruptions.

Established and Reputable Provider

New cloud service providers are popping up every day. Small local IT firms are rebranding themselves as cloud providers to attempt to avoid losing clients. It is imperative you ensure that your selected provider is established and reputable. Make certain business and legal authorities such as the Inc. 5000 list, the American Bar Association, and one or more state bar associations have recognized them. A high-risk provider is one that is unknown to the larger legal technology community or only known in a single city or region. Risks include slow response times, inexperienced technical support, system downtime, or worse, the provider simply going out of business.

Exclusive Legal Focus

Numerous cloud service providers offer services to any business or industry. While they may be technically proficient, they typically do not have the experience to understand lawyers' ethical obligations and compliance requirements, and they likely will not have deep experience in legal software used by law firms. Therefore, you should narrow your list to cloud service providers that exclusively service the legal industry. Some generalist cloud service providers may even claim to specialize in legal, though upon closer review, you will often find that legal is just one of many industries they serve.

Your selected cloud service provider should have at least 100 law firms in their client list, and they should have no problem sharing with you a rich, diverse list of references.

Cloud-first Company

In recent years, many companies not in the business of cloud computing have lost market share to the Cloud, and they have often reacted by spinning up a cloud offering. This group includes software companies, local IT companies, and telecom/telephone companies. These companies are desperately trying to stay relevant or stem the loss of business to the Cloud. They almost certainly lack an independent perspective, the infrastructure, and software acumen to provide a reliable, dependable, and secure cloud platform.

Data Stored in the U.S.

Every bar association agrees that all client and confidential data should be stored within the continental United States. Surprisingly, the locality of where your data is stored is ambiguous or simply not defined by many cloud service providers. Microsoft’s own Office 365 states that your data may be stored or backed up to countries outside the U.S. This is one more reason to use a cloud service provider that is legal-centric and only services the legal industry. If your firm’s data is stored or backed up to a country outside of the U.S., it can create a host of potential ethical issues.

Data Ownership

Do not assume that data you store in the Cloud belongs exclusively to you, even if the provider is well known and reputable. For example, in 2012, Google Drive came under fire for claiming the rights to anything a user uploaded, in perpetuity. Once you decide to use a cloud provider, make certain that the fine print includes unambiguous, perpetual ownership of any data you store on their Cloud.

Legal Software Support

There are plenty of companies willing to host your legal software. But generalist cloud service providers simply cannot be relied upon to provide best practices to support your practice management, document management, and billing/accounting software. The cloud service provider you select should not merely host the software your firm relies upon, it should also provide first-call support for your applications and apply security and application patches and updates as necessary, so that you can focus on practicing law. Ideally, your cloud service provider will have a strong working relationship with major legal software publishers so they have rapid access to the software companies’ teams when necessary.

Backups and Disaster Recovery

Make certain you understand your cloud service provider's backup and disaster recovery system. A dependable, robust provider will have at least two independent systems for backup and recovery. The backup strategy should include a file-and-folder backup (so you and your staff can quickly recover deleted files) and a bare-metal recovery system (so the provider can perform a complete system restore in the event of a disaster). Ideally, the cloud service provider has an option to synchronize your data in the Cloud back to a server or device at your site. This incremental layer of security gives you additional backup protection and a viable alternative should your Internet connectivity go offline for an extended period.

Infrastructure and Data Center

Verify the provider has a best-in-class data center and server infrastructure. This ensures both data security and reliability. Considerations include:

  • SSAE16 audited
    Also called Statement on Standards for Attestation Engagements 16, SSAE16 is a regulation created by the Auditing Standards Board (ASB) for defining and updating how service companies report on compliance controls. Demand evidence that the data center is SSAE16 audited annually.
  • World-class data center
    Ensure the data center has standard top-tier provisions, including multiple upstream Internet providers; redundant power sources, including backup generators; fire and flood prevention systems; 24x7 closed-circuit video surveillance; and physical access restrictions.
  • Equipment ownership
    Ensure the provider actually owns the server equipment. Some smaller cloud service providers (especially local IT companies) simply rent servers or space from large public cloud providers such as Microsoft Azure or Amazon Web Services. This creates a significant problem as it complicates data ownership and seriously limits the cloud service provider's ability to control and support the infrastructure, making them essentially intermediaries.

The ideal cloud service provider will offer to give you a tour of their data center facilities.

Additional Considerations

Be wary of conflicts of interest. Beware of a cloud provider whose core business is selling its own proprietary legal software, as there will likely be a conflict if you use and host other software applications.

Clearly understand what the provider will do if served a subpoena. Read the service contract carefully and question the process that occurs in the event of a subpoena of data and records. Confirm that your service provider will notify you if your records have been requested, or if they receive any request for information pertaining to your firm. Many cloud service providers, especially those without legal experience, are unprepared, and have no formal process for dealing with a subpoena.


Cloud service providers are springing up daily. Some are big and some are small, which makes it harder to know where to start. As a law firm, your stakes are high. If you narrow your search to cloud-first, legal-first companies, and systematically analyze potential providers against this checklist, you can be confident you will find a solution with minimal risk, so you can add value to your firm and practice better.


Uptime Legal Systems

Uptime Legal Systems is a leading provider of cloud services to the legal industry. Uptime provides a complete Law Office in the Cloud™ to hundreds of law firms around the world. Services include hosted practice management, cloud-based document & email management, legal-grade email, cloud-based phone service and managed IT for law firms.

Thomson Reuters Elite Headquarters
800 Corporate Pointe, Suite 150, Culver City, CA 90230
© 2015 Thomson Reuters