Fine print in the clouds

What to look for in a provider’s service-level agreements

Lawyers who want to use the cloud to meet their computing needs find themselves whipsawed. Cloud service providers promise up-to-date systems, great features and manageable IT costs. But questions stemming from professional responsibilities, such as privacy and confidentiality, can curb any lawyer’s enthusiasm for the cloud.

Robert Percival doesn’t think this situation will last much longer. “Regulatory bodies in each Canadian province, and in other jurisdictions, like the U.K. and Scotland, are starting to realize that law firms, especially small law firms and solo practitioners, are turning to the cloud,” says the Toronto-based partner and national co-chair of the technology business law group for Norton Rose Canada.

Following Percival’s reasoning, legal industry regulators will create standards that cloud providers must meet for their services to be used by lawyers. In doing so, they take the guesswork out of whether a service will keep a lawyer onside with regulators. Cloud providers could evaluate their services against these standards, then market themselves to lawyers.

In the absence of such standards, lawyers can find the answers to the questions they need to ask in a cloud service provider’s service level agreements (SLAs), the commercial software version of end-user licence agreements (EULAs). Here’s an overview of what lawyers need to look for in cloud service provider SLAs.

Few lawyers have the time, inclination or knowledge to perform security audits of cloud providers, so they rely on warranties instead. “If a cloud provider says, ‘We’re providing a service and we give you no warranties whatsoever, with respect to the security we provide or against loss of data or corruption of data or disclosure of data,’ that’s a red flag,” says Mark Hayes, managing director of Toronto-based firm Heydary Hayes PC.

Chris Bennett does not like limitation of liability. “Even if they take steps to protect your data, they’ll say: ‘Our maximum liability to you is three months of services.’ You don’t get much protection, if you get sued,” says the Vancouver-based Davis LLP intellectual property lawyer.

Check where the data is stored. “Let’s say your data ends up stored in a backup file somewhere in France,” says Percival. “If client data is in a jurisdiction that is subject to French law, what does that do to your own professional obligations?”

Hayes advises: “If you have very sensitive information that might interest law enforcement, you will probably be very careful about storing that anywhere outside the law firm.” He adds that Canadian authorities have just as much power to appropriate data as do Americans under the U.S. Patriot Act.

Bennett finds that privacy and confidentiality clauses are often combined. “Some service providers don’t even mention privacy at all. We’re always adding a privacy clause.”

On-premise systems bring with them the assumption that the licensee owns the data and the software system being used, but that assumption isn’t always safe in the cloud. “You want to be clear that you own your data and that the cloud service provider cannot use your data for any other purpose than to deliver the service to you,” says Jack Newton, president and CEO of Vancouver-based cloud practice management system vendor Themis Solutions Inc. “Virtually all paid services make this explicitly clear.

“If you’re not paying for a product, you’re the product being sold,” he adds.

“Ensure the cloud provider notifies you, the account owner, if a subpoena is served on the cloud provider for your data,” says Newton. “This allows you to intervene, in court if necessary, to object to that subpoena.”

Data “should be encrypted, both during transmission and at end-point storage,” says Martin Kratz, Calgary-based head of Bennett Jones’ intellectual property practice.

Firms must also learn of any data breaches a service provider might suffer. “You need to know about it so you can carry out your responsibilities,” says Kratz.

Providers need to maintain redundant systems, consisting of “hot backups,” so a law practice stays operational even if the service provider’s primary data centre becomes unavailable.

If a firm ends its relationship with a cloud vendor, successful transfer of firm and client data must be part of the exit scenario. The provider must delete your data when you leave the service, checking redundant servers and backups as well as main systems.

“Support during that [exit] process is very important,” says Kratz. “It’s a point when a cloud service provider isn’t happy with a customer who’s now leaving.”

If a service provider’s SLA doesn’t meet important criteria, lawyers can try to negotiate terms in the SLA. “Some will negotiate on their agreements, others won’t,” says Hayes. “It depends on the particular provider and the size of your needs. How much you pay them is probably directly related to the amount of flexibility they have in their contractual relationship with you.”

This article was originally published by Lawyers Weekly Magazine.
