The legal considerations of cloud computing

It's a misconception to think that all law firms are stuck in the technological dark ages.

I work for a law firm, in a sector of the economy that is often regarded as stuffy and old fashioned. Sometimes this stereotype is justified, but it's a misconception to think that all law firms are stuck in the technological dark ages.

Field Fisher Waterhouse is about to use cloud computing to improve the way it delivers IT services to lawyers. But in addition to the usual technical issues, there are some legal aspects that require careful consideration.

The legal industry handles highly confidential information on behalf of clients, and the time-critical nature of the business requires extremely high service levels. Over the years the firm has developed a set of specialised applications to help to achieve this.

There is a wide spectrum of 'cloud' solutions available, from pure software-as-a-service (SaaS), delivering software applications to your desktop, to infrastructure-as-a-service (IaaS), providing a hardware platform in the cloud from which to deliver your own applications. Both are cloud solutions because they are externally managed, rapidly scalable solutions with the service provider taking the responsibility for providing the service.

The first consideration is your required level of 'customisation'. SaaS solutions offer highly efficient, but generally standardised applications. So if like us, you require a high degree of customisation in your applications, this will be difficult to achieve with a pure SaaS solution. Also, most organisations have some degree of integration across their applications which will be harder to deliver through standard cloud applications.

And what about information security? With increased regulation on data privacy in the UK (eg the Data Protection Act, Privacy and Electronic Communications Regulations, etc) and information security (Official Secrets Act, Computer Misuse Act), organisations like Field Fisher Waterhouse are very concerned about the security of their information. You might think that specialist service providers will offer better security than you can achieve, but the frequency of security incidents reported in the press suggests otherwise. You need to explore this very carefully because the damage to an organisation's reputation caused by a breach will still fall to that organisation, not the service provider, and could exceed any penalty imposed by the Information Commissioner.

You must also consider location carefully. Information physically hosted in the EU is controlled under EU regulations. You can extend these regulations beyond EU territory through 'safe harbour' arrangements. However, it can still be subjected to 'local' regulations. Examples include the US Patriot Act, which was established to protect the US from acts of terrorism following the 2001 9/11 attacks. In essence it allows the US government to obtain any information stored on US territory (including those in 'safe harbours') or any other jurisdiction when managed by a US-headquartered organisation. And the owner of that information (you) cannot be informed. The risk is obviously quite small, but it could be important.

And what about contractual arrangements? You will select a service provider that can deliver the service levels you require, but that is all worthless without a very detailed contract supported by a service level agreement, with appropriate termination clauses for poor performance. If you do consider termination, ease of migration to another service provider is critical.

Given all of this, it is hardly surprising that the legal industry is somewhat cautious of cloud computing, particularly in its purest form. Field Fisher Waterhouse is one of Europe's leading IT law firms advising some of the biggest organisations in this field. Having considered carefully, it is implementing a virtualised IaaS solution, providing a scalable platform on which it will manage its own business-critical applications, with the option of SaaS solutions for non-critical applications.

Its full roadmap also includes desktop virtualisation, to provide a totally flexible and scalable method of delivering IT services to lawyers, wherever they need to work.

Paul Heywood is IT director at Field Fisher Waterhouse LLP

Read more on IT outsourcing