Security and Regulatory Compliance
Demonstrating security and compliance with regulatory requirements is critically important to law firms. Selecting the correct partner to deliver your technology platform will help you meet these requirements.
Law firms are under increasing pressure from their clients to demonstrate that they can effectively manage and control confidential information. For example, an increasingly common client requirement is evidence, through compliance with ISO 27001, that the firm can control and audit who has access to client-specific data. These trends, together with the risk and compliance principles set out by the SRA in its Code of Conduct, present a significant challenge to the systems and processes within a law firm. It is extremely difficult for law firms to meet these challenges through traditional approaches to delivering technology: the investment and expertise required to own, manage and maintain the infrastructure and processes that support these requirements are beyond the capabilities of all but the largest firms.
So what options are available to law firms in the face of this issue? VESK for Legal delivers high-quality IT services by leveraging economies of scale that are not achievable by most law firms. These quality levels encompass:
- compliance with critical industry standards,
- enhanced security,
- improved access to applications and content; and
- guaranteed high-quality service levels.
While the investment required to meet these quality levels is out of reach of the vast majority of internal legal IT departments, it is delivered as standard with VESK for Legal solutions.
VESK for Legal provides a higher standard of physical and electronic information security than most law firms can achieve by storing data on premises or in a co-location facility. VESK:
- Offers the highest levels of physical data centre security.
- Complies with the terms of the Data Protection Act 1998. These terms require a written contract between user and provider and restrict the transfer of data out of the European Economic Area (“EEA”). Potential users must familiarise themselves with the requirements of the Eighth Principle of the Act before committing to a provider.
- Uses a private cloud, or a private area of a hybrid cloud, for each client organisation's confidential material, so that one firm's data is kept separate from another's.
- Automatically encrypts all documents, using keys that are not known to the provider.
- Hosts data only in data centres located in EEA countries or in countries whose data protection laws offer equivalent or greater protection, and guarantees that data will not be held in jurisdictions that do not offer such protection.
A key point to remember when considering cloud is that not all cloud providers are created equal: their approaches to security, and the levels of protection they consequently offer against internal and external threats, differ widely. Security must therefore be firmly at the centre of any strategy and procurement process for delivering your technology platform.
When selecting the appropriate method to deliver your infrastructure you should consider the following questions:
- how data is stored (e.g. how secure separation of client data is achieved);
- whether you can be sure that any personal data will only be processed in accordance with your instructions (e.g. that it will be deleted on request);
- what the approach is to the back-up and mirroring of data, and to datacentre and network resilience;
- what the approach is to disaster recovery;
- what forms of encryption are used for data at rest and in transit;
- whether multi-factor authentication is supported;
- what data leak prevention (DLP) methods are employed;
- whether you need to demonstrate any relevant industry accreditations, such as ISO 27001:2005;
- what security measures you require, and whether you have a security plan;
- how security breaches will be monitored and reported;
- how breaches will be responded to, and how future breaches will be prevented; and
- whether you will have sight of regular security audit reports or other evidence of a strong security track record.
The cloud doesn’t change the way that security is addressed. Just as with on-premises solutions, there are specialised vendors who support each layer of security in the cloud; VESK for Legal manages these layers for you. Law firms are concerned about data breaches, and so is VESK for Legal.
It is also worth remembering that law firms are not specialists in data security, and will not have the expertise or financial resources to apply the latest security standards that a business whose primary role is maintaining the integrity of the data it hosts for its customers will have. Using VESK for Legal ensures that you automatically stay up to date with the latest security measures. Technology evolves, and these improvements include better ways to keep data secure. Because data security is the core of VESK for Legal's business, and so many customers rely on it for best-in-class security, we are required to keep up with the latest advancements in technology in order to address these requirements.
The SRA and Legal Services Act
The regulatory and legal environments of different jurisdictions do present real issues that need to be understood, interpreted and addressed by any firm considering a move to the cloud.
VESK for Legal will help you ensure that you fulfil the requirements of the SRA in the following areas:
Dealing with the SRA
Principle 7 of the SRA Handbook requires solicitors to comply with their legal and regulatory obligations and to deal with their regulator in an open, timely and co-operative manner. Firms will in part comply with the Principle by achieving Outcome 7.10 of the SRA Code of Conduct, the purpose of which is to ensure that they have appropriate terms in their agreement with the provider allowing the SRA to access the information stored. The systems and processes VESK for Legal employs make information more readily accessible than information managed by internal resources. We will ensure that our agreement with you includes binding terms requiring us to deliver data, in a usable form, to the SRA on demand.
Outcome 4.1 of the SRA’s Code of Conduct requires firms to keep the affairs of clients confidential. Indicative Behaviour 4.3 describes one way of evidencing compliance with this outcome: being satisfied that the provider has taken all appropriate steps to ensure that clients’ confidential information will be protected.
Using VESK for Legal includes having the appropriate agreements and processes in place to ensure that the processes and systems that maintain confidentiality are appropriately managed and understood. These agreements will take into account the local laws of the jurisdictions in which you operate.
Loss of data control
To minimise the risk of breaching Principles 4 and 5, VESK for Legal will ensure that you have the right to get your data back in a usable format on demand, and that you retain full ownership of the information stored. We will also ensure that you have clear sight of:
- the frequency of data back-ups; and
- the continuity and portability of the data should you wish to switch to another provider.
Service interruptions and downtime can put firms at risk under Principle 5 of the SRA Handbook and Outcome 1.2, which requires them to provide services to clients in a manner which protects their interests in their matter. VESK for Legal guarantees 99.9% uptime and has had zero downtime for the last three years.
The SRA recognises that cloud computing can provide benefits for law firms and their clients.
Many industry commentators cite privacy and data protection as the most significant risks of cloud computing solutions, particularly where personal information relating to individuals (‘personal data’) is stored in the cloud.
Under the Data Protection Act 1998 (DPA), data controllers must ensure that personal data is processed with “appropriate technical and organisational measures” in place to prevent unauthorised or unlawful processing and accidental loss, destruction or damage. Under the Eighth Principle of the DPA, a cloud customer is also prevented from transferring that data outside the European Economic Area (EEA) unless the destination country and the circumstances of the transfer provide an adequate level of protection for the data. The European Commission recognises a list of non-EEA countries deemed to meet these requirements, and maintains the “Safe Harbour” framework to which US-based companies can sign up. Therefore, in order for the cloud customer to exert ‘control’ over the processing of the personal data it places in the cloud, it needs to know who is processing its data and where the processing is taking place. (Note that the DPA 1998 has since been superseded by the Data Protection Act 2018 and the UK GDPR, and the Safe Harbour decision was invalidated by the Court of Justice of the EU in 2015; the underlying question of who processes the data, and where, is unchanged.)
Working with VESK for Legal you will be able to satisfy your clients that their data is:
- stored in specified locations that comply with DPA requirements;
- managed to the highest levels of security;
- fully encrypted.
A 2013 study of organisations in Europe and the US that had moved to the cloud found that 94% had experienced security benefits that they did not previously have with their on-premises solutions, and 91% said that the security of their organisation had been positively impacted by cloud adoption. In the same survey, 60% of organisations not using the cloud cited concerns about data security as a barrier to adoption.