P2P

15 I L T A N E T . O R G Essentials, and client security audits all present hurdles that require a firm's CISO and CTO to be aligned – a vendor having CSA Star assurance may go some way to help. Contractual issues such as responsibility for data breach and data loss, notifications under GDPR and remedies for such issues may be difficult to resolve, especially where a vendor either excludes liability or offers a liability cap relative to the fees paid by the customer: this may not be appropriate for some law firm datasets. In 2019, Capital One suffered a hack of 100m credit card details residing in AWS and was fined $80m. The OCC said in a statement that the fine was "based on the bank's failure to establish effective risk assessment processes" before it moved a major portion of its computer data to a cloud storage system, "and the bank's failure to correct the deficiencies in a timely manner." • Regulatory and jurisdictional issues: how to comply with the breach notification regimes of regulators such as the Solicitors Regulation Authority or the European Union, or ensure that data stays in a particular region? Azure Germany is an isolated instance of Microsoft Azure, designed to help its customers comply with German data privacy regulations, but an international firm will have to think hard about where to locate a document management system. And that's before the data privacy concerns raised by United States v Microsoft Corp., or various government's apparent desires to look at your data via encryption backdoors or malware. • Commercial considerations – whilst an annual fee might be preferable to upfront capex plus maintenance, does the service scale up and down, or only up? Do you have any control over renewals? A subscription that increases 5% per user per annum, at a firm that grows headcount by 5% per annum, will double in cost in nine years whilst the hosting costs go in the other direction. And, where a service can be scaled down, is someone responsible for the occasional review to ensure that the services are still being used, properly sized, and limited to the correct people? • Concentration risk among the "Big Three" CSPs: whilst unlikely, a CSP outage (whether Big Three or intermediary) is possible and may not sit comfortably with the recovery time objectives (RTO) in your business continuity plans. "Credible and reputable Cloud Service Providers both attest and have teams dedicated to meeting and exceeding local/regional requirements. This service is liberating in that it helps firms comply with a notable part of the equation while freeing up people to ensure client specific administrative controls are met and sustained." — Jim McKenna, CIO at Fenwick. "Although our approach is cloud first - particularly for new technologies - we are often challenged by this primarily by ensuring our contractual terms reflect areas such as jurisdictional restrictions and meeting our client requirements in respect of cloud solutions. Having offices in 20+ countries there are many local regulatory differences that we have to align with and this isn't always widely understood by CSPs." — Karen Jacks, CTO at Bird and Bird. ESG Environmental, Social and Governance is in sharp focus in law firms and even more so following the COP26 conference in Glasgow. Can cloud computing help a firm reduce carbon emissions? A firm may be able to reduce energy consumption and air conditioning in its facilities by moving services away from on-premise and IaaS to SaaS cloud services, taking advantage of efficiencies brought about by a scale of operations that cannot be achieved by one firm alone. But if a firm keeps all its infrastructure running to support other applications whilst also taking on SaaS services, there is an overall increase in consumption and emissions, however efficient the SaaS vendor. There may well be potential benefits in this area, but an holistic approach is needed that incorporates minimising data storage and decommissioning old infrastructure. Does your cloud service come with bottomless storage? Aside from the GDPR implications of that, it was reported recently that around 68% of data is never used again after it is created, and that the technology storing it is producing more CO2 than the airline industry. "Regardless of where your data lives, be it in an IT cupboard or a data centre, it's consuming energy and producing emissions. All data has a carbon footprint and

• Cover