Cloud computing

Who should read this practice note?

What's the issue?

Overview of cloud computing

Whilst the terms ‘cloud’ and ‘cloud computing’ have become much more familiar to lawyers in the last few years, there can still be some confusion about definitions and acronyms.

In this practice note we focus on the basic concept of a ‘web-based software service or solution’.

In practical terms, you can understand cloud computing as software or services that can be accessed and used over the internet using a browser (or, commonly now, a mobile app), where the software itself is not installed locally on the computer or phone being used by the lawyer accessing the service.

Your data are also processed and stored on remote servers rather than on local computers and hard drives. Cloud applications might also be referred to as ‘web services’ or ‘hosted services’.

Cloud services might be hosted by a third party (most commonly Amazon or Microsoft) or, more commonly in the legal profession, by a provider running its services on Amazon, Microsoft, or another cloud data centre provider. It’s also possible, though unlikely, that a law firm could host and provide its own private cloud services.

Examples of cloud computing

Cloud computing examples:

• in the commercial and business world include Salesforce.com, BaseCamp, Microsoft Office 365, LinkedIn and Slack
• for individuals include Dropbox, Gmail, and Evernote
• specifically for legal practices include services, such as Clio, Rocket Matter, NetDocuments

Types of cloud service

Cloud services can generally be classified into three types:

• infrastructure as a service (IaaS): basic infrastructure (eg servers in a data centre) on which users can load their own applications. IaaS providers include AWS, Microsoft, Google, Rackspace, CenturyLink, IBM SoftLayer, Fujitsu, NTT and VMware
• platform as a service (PaaS): a development platform which customers can use to develop and run their own applications. PaaS providers include AWS, Microsoft Azure, Google App Engine, Salesforce, SAP HANNA and IBM Cloud
• software as a service (SaaS): ready-made applications like word processing, customer relationship management, data storage or email. Larger SaaS providers include Microsoft (Office 365), Google (G Suite), Adobe (editing and design), Dropbox (storage), Salesforce (CRM), Intuit (finance and tax), LogeMeIn (comms and conferencing), SAP (ERP) and Workday (HR)

As the cloud develops and new services proliferate, it is now common to speak of XaaS (“Anything as a Service”). In addition to SaaS, examples include AIaaS (Artificial Intelligence), BPaaS (Business Process) and DaaS (as Data or Device).

Deployment models

Cloud services can be deployed in different ways:

• a public cloud is the most common deployment type. A public cloud service provider offers cloud based services to external customers
• a private cloud is owned and deployed by an organisation for its own exclusive use. Private clouds can potentially offer you greater security and knowledge of where your data is being held, but costs will be higher and there may be limited scalability
• hybrid clouds integrate private networks or data centres with a public cloud so that the latter can act as a backup to provide additional capacity to meet exceptional demand
• finally, community clouds are established by organisations who have a common requirement for certain standards of service, particular software or levels of security. For example, a group of law firms could establish a community cloud

A variety of more detailed and informal definitions and descriptions of cloud computing – including an outline of the public, private and hybrid deployment models - can be found under Further Information below.

Defining cloud computing from a regulatory perspective

In most cloud computing scenarios, data, including personal data, is processed on a third-party server or application. This is significant from a professional conduct and regulatory compliance perspective.

If personal data is being processed by the cloud service provider, the GDPR and the Data Protection Act 2018, including its security provisions need to be complied with (see section four).

Practices are also subject to professional conduct obligations to maintain client confidentiality, properly manage their practices and facilitate Solicitors Regulation Authority (SRA) access to data (see section five).

Benefits

• Improved backup/disaster recovery
• Flexibility
• Increased storage capacity
• Increased data handling capacity
• Reduced infrastructure costs
• Avoiding frequent updates to software
• Reduced internal IT staff costs

Risks

• Security, data confidentiality and location of data
• Service reliability and stability
• Lack of control over customisation and integration
• Service response time, and enforcing service level agreements (SLAs)
• Speed and bandwidth
• Danger of supplier lock-in
• Difficulty of achieving executive buy-in

Analysing risks and benefits

Some issues, like information security, can potentially be a risk or a benefit to your firm, depending on several factors.

You should understand prospective cloud service offerings fully, to make sure that they:

• meet your business requirements
• are procured under a robust business case
• have been subjected to a full risk and compliance analysis

If you do not have relevant expertise in-house, you should obtain independent expert advice.

Understanding roles and responsibilities

From a law firm’s perspective, one of the significant areas of risk involved with cloud computing is associated with the division of activities and responsibilities between the cloud service provider and the law firm.

A clear understanding of what activities are within the scope of the service (“in-scope”) provides an opportunity for the law firm and/or the cloud service provider to fill the gap (perhaps with an additional service) and reduce the risk of customer satisfaction issues.

One way to assess gaps is to review the capabilities required by the appropriate cloud service model (SaaS, PaaS or IaaS).

You also need to understand the growing trend of cloud service providers utilising business partners and/or value-added resellers (VARs) to sell their cloud services.

A VARs often offers its own ‘agreement’, which is mostly a ‘wrapper’ around the cloud service provider’s contact which adds a layer of contractual complexity that needs to be navigated.

You should take time to examine and compare what is in the VAR’s agreement versus what is in the cloud service provider’s contract to make sure that:

• the VAR agreement does not weaken the commitments of the cloud service provider
• you’re fully aware of the VAR’s role in notifications, communication, incident reporting, correction of billing errors, collection of service credits, etc

In most but not all of these reseller agreements, the VAR or business partner is largely acting as an agent for one cloud service provider, or as an integrator or broker for selecting cloud services, but with such a model there is a risk of introducing additional delays or finger-pointing.

Your existing data protection policies

The starting point for evaluating cloud services should be your practice's existing data protection, information security and business continuity management frameworks and policies.

Your data protection and information security leads should be involved from the outset.

You may want to ensure that the cloud service provider complies with your applicable policies. A practical difficulty is that the cloud service provider may find it difficult on a public cloud model to accept obligations to comply with policy requirements of particular customers.

However, as cloud provision becomes more extensive and cloud service providers offer more services that comply with particular sector specific regulatory requirements, market practice is emerging around the cloud service provider agreeing to comply with law firm policies provided before contract start and/or the cloud service provider accepting new or certain changes to law firm policies on a chargeable basis through change control.

Data protection considerations

The GDPR and the Data Protection Act 2018 (collectively referred to in the remainder of this practice note as ‘Data Protection Law’) changed personal data regulation with significant consequences for cloud computing.

Deployments that simply process non-personal data, for example, some knowledge management tools, are not covered by the Data Protection Act. But the law uses a broad definition for 'personal data', so you should look carefully at the Information Commissioner’s Office's guidance on determining what constitutes personal data.

Where Data Protection Law is relevant (which will almost always be the case where the service covered by the cloud contract touches personal data anywhere in the EU/UK) key considerations include the following.

Do you need to prepare a data protection impact assessment (“DIPA”)?

You should consider at an early stage whether to prepare a DPIA for the cloud service and if so (whether required under Data Protection Law or as good practice) to prepare it side by side with negotiating the contract.

Is the cloud service provider a data controller or data processor?

Data Protection Law sets out different rules depending on an entity’s role as controller or processor of personal data. In summary the controller determines the purpose and means (the ‘why’ and ‘how’) of the processing, and has responsibilities arising directly under Data Protection Law. The processor processes personal data on behalf and on the instructions of the controller and is generally indirectly subject to Data Protection Law in this context through the controller’s duty to have written terms in place with the processor.

Reaching a view as to respective roles may be difficult as:

• the boundaries between controller and processor can become blurred
• the same cloud service provider can be a processor for some activities (e.g. SaaS provider) and a controller for others (e.g. consulting services)
• if both are controllers, the law firm and the cloud service provider may be separate controllers for some activities but joint controllers (where different duties arise) for others

If the cloud service provider is a data controller, what contract terms will need to be included?

Data Protection Law requires no specific or prescriptive terms but as mentioned above, Data Protection Law will apply directly to the cloud service provider. Whilst no clauses are mandated to be included in the cloud contract you should consider including the following:

• each of the law firm and cloud service provider accepting an obligation to the other to comply with Data Protection Law
• each party accepting an obligation to cooperate with and assist the other on Data Protection Law-related matters
• an express obligation on the cloud service provider to take appropriate technical and organisational measures for the security of personal data

If the cloud service provider is a data processor, what contract terms will need to be included?

Data Protection Law is very prescriptive in the scenario and the contract will need to meet the specific terms set out in Article 28(3) of the GDPR (see section 4.3).

Will personal data be transferred from the UK/EU?

Articles 44 to 50 GDPR cover transfers of personal data to countries outside the EU. Generally, for any third country where the EU has not taken an ‘adequacy’ decision on the privacy laws of that country, data exports are permitted only:

• where the entities have entered into Binding Corporate Rules (“BCRs”) regarding personal data
• (in the case of transfer to the US) where Privacy Shield arrangements apply; or
• where the parties have entered into the relevant EU Commission’s model standard contractual clauses (controller to controller or controller to processor)

Where the cloud service provider is a data processor and personal data is to be processed outside the adequacy, BCR or Privacy Shield regimes, effectively two sets of controller to processor clauses will need to be included in the cloud contract: (1) those prescribed by Article 28; and (2) the standard contractual clauses (controller to processor).

Where the cloud service provider is a data controller and adequacy, BCR or Privacy Shield arrangements do not apply, the standard clauses (controller to controller) will be needed.

What is the liability position for breach of data protection obligations?

Liability under the GDPR can be significant and explain to an extent why discussions around the liability limitation clause in cloud contracts have become more contentious after the implementation of Data Protection Laws.

Market practice in cloud contracts is starting to develop in relation to this issue where breach of the cloud service provider’s data protection, information security and confidentiality duties are removed from the general liability cap and dealt with separately, with either unlimited liability (rare but possible), a higher cap or indemnification, which may also cover fines and the costs of regulatory action.

Overview of mandatory clauses to be included in a cloud computing contract where the cloud service provider is a processor

As mentioned above, Article 28(3) of the GDPR prescribes the provisions which must be included in a contract between a controller and a processor. The contract at a minimum, must contain the following operational details:

• the subject matter, duration, nature and purpose of the data processing
• the type of personal data being processed
• the categories of data subjects whose personal data is being processed

The contract must also include the following clauses:

• that the cloud service provider will only process personal data received from the law firm on documented instructions of the law firm (unless required by law to process personal data without such instructions)
• that the cloud service provider ensures that any person(s) processing personal data is subject to a duty of confidentiality
• that the cloud service provider takes all measures required pursuant to Article 32 GDPR (Security of Processing) including but not limited to implementing appropriate technical and organisational measures to protect personal data received from the law firm
• that the cloud service provider obtains either a prior specific authorisation or general written authorisation for any sub-processors the cloud service provider may engage to process the personal data received from the law firm. The cloud service provider must further ensure that where it has a general written authorisation to engage sub-processors, the law firm has the opportunity to object in advance to each individual sub-processor to be appointed by the cloud service provider
• that any sub-processors engaged by the cloud service provider are subject to the same data protection obligations as the cloud service provider and that the cloud service provider remains directly liable to the law firm for the performance of a sub-processor’s data protection obligations
• that the cloud service provider assists the law firm by appropriate technical and organisational measures to respond to data subject rights’ requests under Data Protection Law
• that the cloud service provider assists the law firm to ensure compliance with obligations under the GDPR in relation to security of data processing (Article 32 of the GDPR), notification of data breaches (Articles 33 and 34 of the GDPR) and data protection impact assessments (Article 35 and 36 of the GDPR)
• that, at the expiry or termination of the contract and on the law firm’s instruction, the cloud service provider deletes or returns the personal data received from the law firm
• that the cloud service provider makes available to the law firm all information necessary to demonstrate compliance with Article 28 of the GDPR and that the cloud service provider allows for and contributes to audits conducted by the law firm or a third party on the law firm’s behalf

Information security

Security controls of course apply to both on-premises systems and cloud computing. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different information security risks to an organisation than traditional IT solutions.

You’ll need to consider how to evidence assurance that the cloud service provider will be able to perform its information security commitments. This is done typically through a combination of warranted responses to your RFP (Request for Proposal), contractual commitments and evidence of third party standards certification, perhaps with independent testing for more critical aspects.

The most widely recognized international standard for information security compliance is ISO/IEC 27001 which includes national variants and well developed certification regimes. ISO has also standards specific to cloud computing:

• ISO/IEC 27017 – code of practice for information security controls based on ISO/IEC 27002 for cloud services
• ISO/IEC 27018 – code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, which specifically address cloud service security and privacy considerations and builds upon ISO/IEC 27001
• ISO/IEC 27036-4 – information security for supplier relationships - Part 4: Guidelines for security of cloud services

There are also codes of conduct relating to the handling of personal data in cloud services, for example the EU Cloud Code of Conduct.

Confidentiality and disclosure

Standard 2.5 of the SRA Code (2019) for firms require you identify, monitor and manage all material risks to your business, including those which may arise from your connected practices.

Standard 6.3 of the SRA Code (2019) for firms states that you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents.

Standard 6.4 of the SRA Code (2019) for firms requires any individual acting for a client to make the client aware of all information to the matter of which the individual has knowledge. 

These standards reinforce your obligations in respect of transparency, data protection and information security but they also go further in that they do not just apply to personal data.

Access to outsourced data by the SRA

Standard 2.3 of the SRA Code (2019) for firms requires you ensure that relevant information, which is held by you, or by third parties carrying out functions on your behalf which are critical to the delivery of your legal services, is available for inspection by the SRA.

Standard 2.5 of the SRA Code (2019) for firms requires you identify, monitor and manage all material risks to your business, including those which may arise from your connected practices.

Standard 4.2 of the SRA Code (2019) requires you ensure that the service you provide to clients is competent and delivered in a timely manner, and takes account of your clients attributes, needs and circumstances.

Adopting a third-party cloud computing platform is likely to constitute outsourcing an operational function that is critical to the delivery of your legal activities. It follows that you should seek a contractual terms and conditions from your cloud supplier that would enable you to satisfy the Standards and Regulations as set out in this section and in section 4.2 above.

Lawful access to data

There may be circumstances in which police or intelligence agencies at home or abroad can lawfully obtain access to your data via your cloud service provider.

You should have regard to the possibility of lawful access by a foreign law enforcement or intelligence agency when selecting a cloud service. Select a provider who will offer appropriate contractual commitments and operational practices in relation to managing the risks of your data being subject to such lawful access.

You should also consider a range of other factors that may have a bearing on whether or not you should entrust them with client data.

These include their:

• reputation
• ownership and control (including foreign ownership and control)
• financial stability
• independent certifications

Section six below discusses procurement and contract issues further.

Impact on the law firm’s client relationships

A law firm that uses a cloud service to provide (in turn) a service to its own clients may be bound by certain SLAs.

The law firm should carefully review whether any inconsistencies may arise between the ‘upstream SLA’ (with the cloud service provider) and the ‘downstream SLA’ (with their client). 

An obvious issue would be a higher uptime commitment to its client than the uptime guaranteed by the cloud service provider in the cloud computing contract.

Pre-contract: internal approval

In addition to a review of business requirements, a robust business case and proper risk and compliance analysis (see section 3), you should ensure that you have an internal approvals process which you follow.

There is a risk that staff at any level will circumvent your official procurement and approvals processes, particularly with 'click-wrap' and 'free' services.

'Free' services may involve payment for extras, or generate income from processing data about you. They can pose serious data protection, client confidentiality and information security risks.

Everyone in your practice should be alerted to these risks, and be made aware of the need to follow your formal approvals process.

Pre-contract: scope for negotiation

It may not be possible to negotiate standard terms and conditions as many cloud service providers offer take-it-or-leave-it contracts. In other negotiations, your relative bargaining power will be insufficient.

This may not be a problem, particularly if your intended deployment of cloud services is non-strategic.

However, if you do need to negotiate, then you should be aware that many 'integrators' – sub-contractors re-selling primary cloud services – should have greater bargaining power with cloud service providers. As discussed in section 4.2 it is important to understand the basic relationships in your cloud services supply chain.

Key commercial and legal issues

You should critically question and fully understand any cloud contract you enter into. Some of the matters you may wish to consider include the following:

Liability for service failure

Cloud service providers frequently exclude contractual liability for their customers' direct losses and even more frequently, indirect losses, as a result of service failure.

It may not be possible to re-negotiate these terms. In practice the solution may be to choose a cloud service provider with:

• a good track record
• commitment to remain in the cloud computing market
• a strong reputation to protect

Service levels and service credits

Service levels should be objective, quantifiable, repeatable measures of matters within your cloud service provider's responsibility. You should agree the service levels that are important to your firm.

Service availability is likely to be a key measure for most firms. You should consider various aspects of service availability including:

• point of measurement: availability of service provision or availability at the point of user consumption
• service measurement period: even if a service boasts high availability 24/7, this could translate into relatively high downtime during normal working hours)
• application availability: availability of particular applications may be just as important to you as general availability of a service

Cloud service providers commonly offer service credit if they fail to meet their service level agreement. You should weigh up the relative merits of this regime against damages at common law.

In general, service credit regimes are advantageous to cloud customers and cloud service providers as they offer certainty and keep risk to identifiable and manageable levels.

You should be careful before accepting that service credits are your sole and exclusive remedy. This will limit your right to sue for damages at large or terminate the contract.

Regulation and professional conduct

You should satisfy yourself that the following obligations are, where appropriate, addressed in the terms and conditions you agree with your cloud computing service provider:

• data protection
• client confidentiality
• business continuity
• your other regulatory and professional conduct obligations

You should read and follow our other relevant practice notes, including:

• Outsourcing practice note
• LawTech Practice note

Disengagement and transition

Before entering a cloud computing contract, you should think about what will happen if you need to terminate it or what happens at the natural expiry of the contract.

You should ensure that if you need to migrate services to another cloud service provider, or back to you, it can take place with minimal disruption. In particular, the format of the data transmitted from the cloud service provider to the law firm should be specified in the cloud computing contract and should conform to standard data formats whenever possible, to enable portability to a new service.

The transmission of the data from the cloud service provider to the law firm or a new cloud service provider should use standard packaging and data transfer techniques.

You should therefore define your requirements for exit at an early stage in negotiations, and ensure that the contract provides a clear exit strategy.

You should consider removing contractual provisions permitting the cloud service provider the right to exercise lien over your data and client data.

Other contractual issues

Some of the other contractual matters you may wish to consider include the following.

Jurisdiction and governing law

Cloud service providers and their customers are commonly located in different jurisdictions. Where this is the case, two separate issues need to be considered:

• applicable governing law
• jurisdiction

Governing law relates to the law that governs the contract. Jurisdiction relates to courts of the country which is to resolve any dispute.

In each case, the cloud computing contract may stipulate the choice of law and jurisdiction. However, there may also be separate rules on applicable law and jurisdiction which apply irrespective of provisions in the contract. For example, data protection has its own free-standing rules on applicable law and jurisdiction.

Minimum terms, renewals and notice periods

Cloud computing contracts frequently have a fixed term, which sometimes renews automatically unless terminated. As these contracts require notice of non-renewal within a set period before expiry, you should be careful not to miss the window.

Acceptable use policies

In cloud computing contracts, the customer has an obligation to comply with the cloud service provider's acceptable use policy (AUP). This policy protects the cloud service provider from liability arising out of the conduct of their customers.

The vast majority of policies prohibit a consistent set of activities that cloud service providers consider to be improper or illegal uses of their service.

In most cases, the prohibition of activities referred above may be acceptable. However, in a law firm context, they need to be considered carefully. For example, if a law firm is acting for a client who is defending a defamation claim, materials which are hosted by the cloud service provider could be defamatory (which under most AUPs would mean that the law firm is in breach).

Consequently, you should review the acceptable use policy carefully and seek to revise any restrictions which you may inadvertently breach.

Introduction of harmful code

In the cloud computing environment, the introduction of harmful code like viruses and other malicious code is a potential threat to your systems and data.

You’ll need to rely on the cloud service provider applying sufficient protection against the introduction of harmful code in hosted data and systems as well as via any communication with your local systems.

To manage this risk, you should consider the potential risks posed by harmful code and the relevant obligations that should be imposed on the cloud service provider to ensure that your systems and data are protected.

Change of control and assignment/novation

You should consider the risks associated with another entity obtaining control of your chosen cloud service provider.

Contractual approaches to managing this risk include:

• requiring the cloud service provider to inform you in advance (subject to any listing rules of a relevant stock exchange) of any proposed change in control of the cloud service provider
• having the right to terminate the contract if a change of control has occurred; and/or
• ensuring that any transfer of the cloud service provider's rights and obligations under the contract to another entity (commonly referred to as 'assignment' in the case of rights and 'novation' in relation to rights and obligations) is subject to your prior written approval

Subcontracting

Understanding the supply chain has already been covered in sections 4.2 and 4.3, but it has consequences beyond data protection compliance. When determining your contractual approach to supply chain risk management, you should also consider:

• Should subcontracting be permitted at all?
• If subcontracting is permitted, should it be permitted in respect of the whole or part of the subject matter of the contract?
• If subcontracting is permitted, on what basis can you withhold your consent?
• Do you have the right to review the terms of the subcontract?

You should also consider the various mechanisms you can use to allocate, manage or transfer the risks associated with subcontracting - for example, by ensuring that the cloud service provider is fully liable for the acts and omissions of its sub-contractors.

Suspension of services

Cloud computing contracts frequently contain a right for the cloud service provider to suspend services at its discretion.

Alternative approaches include:

• not permitting suspension except with prior notice and agreement
• not allowing suspension for any reason other than non-payment, unless prior notice was given, including reasons for suspension
• not allowing suspension without prior written notice of non-payment, with an obligation on the provider to give a final notice, and a commitment to restore services within a certain number of days after payment
• allowing suspension for material breach, but only after reasonable prior notice and good-faith consultation with you

You should always have effective business continuity arrangements in place.

Change of terms at discretion of the cloud service provider

Some cloud computing contracts include clauses allowing the cloud service provider to change the terms of the contract at any time without agreement by the customer. You should consider:

• deleting the right or making the right subject to your agreement to any change, or
• placing an obligation on your cloud service provider to notify you in advance of any changes and give you the right to terminate the contract if you do not agree to the changes

Insurance

It is good practice for you to negotiate a contractual requirement for the cloud service provider to carry sufficient insurance to cover the cloud service provider’s liability under the cloud contract.

Law Society

• Outsourcing practice note
• LawTech Practice note

Other

• Information Commissioner's Office
• National Institute of Standards and Technology