Moving to the cloud? 5 legal issues you need to consider

Legal practices are rapidly embracing the efficiency and accessibility of cloud-based technology. Cloud-based CRMs (Customer Relationship Management systems) for legal practices are transforming how firms manage clients, cases, and overall operations.

Whether you are a small firm or your business has recently grown into a large company, you will be responsible for storing and organizing client information, personalized communication, as well as handling highly confidential data.

This is why it is crucial that you adopt an efficient and secure cloud-based CRM. But first you must consider the legal aspects involved in migrating sensitive data to the cloud and how to choose the best cloud-based legal practice CRM.

Philip James, Partner, and Carolyn Butler, Solicitor at Pitmans LLP, have summarized the five legal issues you should address when moving to cloud computing and points to consider when selecting a new vendor.

 

1. Know the Flight Plan (Negotiation and Contract)

Carefully review the terms on which you are intending to contract with your cloud provider. Is the contract open to negotiation or are you expected to contract on the cloud provider’s standard terms? If the former, consider your specific requirements, and ensure your contract:

  • Adequately reflects your requirements in simple language in an easy to follow layout (in other words, don’t bury your specifications across numerous schedules).
  • Clearly delineates the roles and responsibilities of both the cloud provider and your organization.
  • Includes clear metrics or KPIs to verify the performance of your cloud provider.

If you’re stuck with standard terms, scrutinize them to make sure they’re fair and meet your needs. If not, work with your provider to adjust them.

Look at the extent of the remedies available under the contract. The contract will probably contain limitations of liability, so if you are intending to outsource critical internal infrastructure, check whether those limitations adequately reflect the allocation of liability to your cloud provider. Consider the following:

  • What limitation should apply?
  • Are there risks for which liability should or should not be excluded? E.g. does the supplier exclude liability for loss of data (this is not much good if you are outsourcing your CRM database!).

In some cases, damages for breach of contract may not be a sufficient remedy if things go wrong, and you may wish to set out alternative, more appropriate remedies under the contract. Other key issues to look out for in your contract are explored in more detail below. In all cases, always seek specific legal advice if you are unsure about the effect of any element of your contract.

Before negotiating a contract with a cloud provider, the European Network and Information Security Agency’s Information Assurance Framework for Cloud Computing, which sets out questions that an organization should ask a cloud provider, is essential reading.

Furthermore, if you are thinking about switching from Salesforce to Workbooks or simply want to compare our CRMs, it’s definitely worth checking out the differences and the affordable packages we offer that you won’t find with Salesforce.

 

2. First Class, Business Class or Economy Class? (Service Levels)

Service levels need to be agreed upfront, and should be expressed in the service-level agreement in terms that are both clear and measurable, including maximum periods of downtime, the relative importance to the business of different elements of the service, and processes for remedying defaults. While many businesses look to cloud providers as part of their business continuity strategy, it is also necessary to consider what would happen if the cloud provider’s operations become disrupted. How does your cloud provider manage its response to incidents such as natural disasters or security breaches to ensure disruption is kept to a minimum?

Before signing up, ask about extra costs and charges, determine which apply to your business, and budget accordingly. Make sure your contract also addresses future needs—can the provider scale services quickly as your business grows, or support your operations internationally?

Make sure it’s crystal clear what happens if service levels aren’t met (service credits are often the go-to fix). It’s also key for both sides to agree on how to handle things if problems pop up beyond the usual fixes. Disputes can be pricey and time-consuming, so having a solid, easy-to-follow process in place is in everyone’s best interest. This way, you can sort out issues smoothly, keep the business relationship intact, and minimize any disruption.

 

3. Security Checkpoints (Security and Data Protection)

Make sure you know exactly where the security responsibilities lie—what’s on your plate and what’s on your cloud provider’s.

Your cloud provider might not share every detail about their security measures (because revealing too much could weaken their defenses), but they should give you a clear overview. This includes things like how much they rely on data encryption, whether they use anomaly detection systems, how they handle stolen credentials, and the physical security of their data centers. They should also tell you if they meet web standards and what security features they offer, like user authentication and access controls.

Check if your cloud provider guarantees that your resources are fully isolated from others and whether they completely erase all traces of your data before reusing any machines. Get all the info you need to confidently assess their security measures, and don’t forget to lock down any extra protections in your contract if needed.

At Workbooks, information security is at the forefront of our minds, which is why we have extensive measures in place to ensure your data is held securely. Take a look here at some of the ways we implement this.

If your cloud provider plans to outsource or subcontract any of the work they’re doing for you, make sure you know exactly who these third parties are, where they’re located, how they ensure quality, and what security measures they have in place to protect your data. After all, having solid protections in your contract doesn’t mean much if the subcontractor (or ‘subbie’) isn’t held to the same standards. And if you haven’t done your homework on that subbie, you could be leaving yourself exposed.

 

4. Final Destination (Location)

Find out where your cloud provider will physically store your data. Your data should be held in a jurisdiction where an acceptable level of protection is mandated by law. Data protection standards vary from one jurisdiction to another and, although efforts are being made to harmonize the requirements across the EU as a whole, outside of the EU they may be non-existent. Nevertheless, if you are a business based in the UK, and the data in question is being processed in the context of that business, the full extent of the UK rules will most likely apply.

Furthermore, if you are intending to store personal data in the cloud, such as HR records, take note that the transfer of personal data to a country or territory outside of the EEA is prohibited, unless equivalent protection in that country or territory is assured (and in this respect, if it is to be stored outside the EEA, seek specific legal advice on this issue as there are a number of compliance requirements which may need to be dealt with). From a data privacy compliance perspective, it’s always easier to work with a supplier whose data center is located in the UK or Europe. This is preferable to using a supplier with servers in the US or China, especially when compared to a virtual data center where the location of your data is unknown.

It should also be noted that where HR data is concerned, it is likely to contain sensitive personal data. As such, there are a number of more stringent restrictions as to how this type of data can be processed, and specific consents may need to be obtained from the data subjects (i.e. the persons to whom such personal data relates). Ideally, find a cloud provider based in your jurisdiction that can provide assurances that data (and at the bare minimum, personal data) will not be transferred outside of the EEA.

It is important to ensure your contract with your cloud provider clearly states the choice of territorial jurisdiction (that is, the country in which any dispute in relation to the contract will be heard) and the choice of law that the courts will apply in determining any dispute. Ideally, this should be a jurisdiction in which your organization operates. If a dispute arises, and the choice of law and jurisdiction has not been specified, under EU law a defendant may be sued where they live, or where the contractual obligation was performed. The applicable law, however, will be the law with the closest connection to your contract. It is easy to see how this can create problems in a cloud computing environment where there are cloud providers all over the globe eager for your business, and where your data could potentially be stored anywhere in the world, so explicitly state in the contract what’s intended.

 

5. Take a Moment to Find the Nearest Exit (Transitioning)

Although it may seem distant, plan your exit strategy before entering a cloud contract. Care should be taken to ensure the portability of your data, including your metadata. Review your contract to determine what events could trigger a right to terminate the agreement by either you or your cloud provider. Ask what procedures are in place to export your data (in an orderly fashion) if you change cloud providers or in the event that the agreement is terminated. Find out whether those procedures are regularly tested to ensure that they work.

If you need your data in a specific format when it’s handed back to you, make sure you spell that out in your contract as much as possible. Keep in mind, though, that this might come with some extra costs to get everything compatible with your systems. Intellectual property (IP) can be a tricky subject in the cloud, so dig into the IP terms in your agreement to see how data ownership is handled and whether it works for you. If you’re unsure, it’s always wise to get legal advice to make sure you’re fully covered.

After you’ve moved your data, you’ll want assurances from your cloud provider that it will be completely wiped out as soon as possible. But before you sign on the dotted line, check if that’s actually doable. Deleting data can take weeks if it’s stored in multiple places, like on backup tapes, and it might be impossible to erase everything if you’re sharing disk space with other customers. If that doesn’t sit well with you, push your provider to put better processes in place.

NOTE: This note has been prepared to provide general guidance on the benefits as well as some of the risks associated with cloud computing. As such, it should not be relied on. Always seek specific legal advice in relation to your specific circumstances in question.

 

Partner with Workbooks for a New CRM Experience

If you are looking to make the move, or are looking to have total peace of mind in your CRM management, then Workbooks is for you.

At Workbooks, we prioritize our clients’ objectives to provide a CRM solution to power their growth, adaptation, and success. By working with you as a partner, we will customize our CRM technology so that everyone in your business benefits. Based on your needs, with our CRM Managed Service, we can cover different tasks for you. From data cleansing and configuring dashboards, to importing data, and automating tasks — we can carry out all the admin tasks you don’t have time for and provide you consistent CRM support.

Get in touch with us to learn more about the Workbooks CRM platform today.
