Computing Through the Clouds—Does it Compute?

Conducting Business and Law on “The Cloud”—Does it Compute?

Card catalogs, dusty law books and visions of bespectacled librarians updating pocket parts have perpetuated the not-so-secret stereotype of the legal industry’s aversion to technology. However, a December 2010 survey by LexisNexis revealed that lawyers are now quick to embrace new technology with over half identifying themselves as early or cutting-edge adopters. And according to Tom Rump, general manager for CT Summation, CT’s electronic discovery arm, “Although traditionally the legal industry has adopted technology at a measured pace, economic pressures and the risk and increasing costs of litigation are actually forcing law departments to be more aggressive about bringing solutions in-house or revamping.”

Cloud computing is the latest technology revolution sweeping the business world. How will the impact of this new revolution affect the legal industry? As gatekeepers of risk, there may be good reason to take a “measured approach” when adopting new technologies like cloud computing.

In July of 2009, social networking communication surpassed email communication for the first time, moving approximately 800 million users to the cloud, according to the Morgan Stanley Internet Mobile Report, December 2009. Cloud Computing is expected to grow to $121.1 billion in the next several years from $37.8 billion in 2010. Many in the industry now believe we have moved beyond the tipping point where it’s not a matter of if, but when.

According to the National Institute of Standards and Technology (NIST), cloud computing is defined as:

A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Though the term “cloud computing,’’ a metaphor for computing via the Internet, is rather new, the concept is a throwback to the 1960s when computer scientist John McCarthy predicted that “computation may someday be organized as a public utility.”  

When the dot.com bust occurred, Amazon stepped forward as an early adopter of the cloud architecture. With the launch of Amazon Web Service, they improved their computing efficiency by maximizing peak demands and computing power resources. And the race was on.

Cloud computing very simply enables users to access software, business or database applications on demand through the Internet, regardless of their location.

What Are the Advantages?
One of the biggest advantages in cloud computing is reduced cost. With hardware and infrastructure handled by a third-party, there is reduced capital expenditure, IT staffing, maintenance and support costs. Gone are the days where IT personnel spent countless hours installing, upgrading and troubleshooting software issues. Real-time collaboration and increased flexibility, another advantage, increases productivity enabling workers to access documents simultaneously from remote locations. Cloud computing also improves performance, providing scalability to handle peak usage without adding computing power.

With all of this good news, it appears that cloud computing technology is ready to whisk us into the future. And according to a recent study by Microsoft, 58 percent of the general public and 86 percent of business leaders are enthusiastic about the prospects of cloud computing technology.

History, unfortunately, has a tendency to repeat itself. According to Michael Aginsky, CTO of Gibbons P.C., “With respect to the legal industry, cloud adoption is just getting started. The legal industry has been traditionally slow in adopting technology. Though cloud computing has a lot of long-term potential in the legal domain, I think we are still trying to figure out the measures needed to take the much larger applications and slice or dice them in such a way that they can be delivered over the cloud.”

Obstacles to Adoption
What issues might prevent wide adoption of cloud applications in the legal industry? According to the latest 2010 AM Law Tech Survey, Big Law IT budgets are still tight. However, if cost is driving business to the cloud, wouldn’t this provide the proper incentive? Another finding in the survey indicates that almost 90 percent of law firms run a central data center. Of these, however, only a third distribute their computing to offsite data centers.  

So, what are the concerns of remote hosting and offsite computing for the legal industry? Some of the general business issues that companies will confront as they move applications to the cloud include: 

Data Transfer. It is extremely difficult to transfer vast amounts of data either in or out of the cloud regardless of your network connection.

Information Silos. Software, business and database applications that do not communicate to one another are often referred to as information silos. The sheer number of disparate business applications available creates information silos. Though cloud computing will make many more point-of-service applications available, the lack of integration between systems will continue to be an issue for IT departments.

Dependency on Provider. There is a loss of control regarding maintenance, quality assurance and technical innovation. The good news is that the cloud service provider will have to perform or risk customer turnover. The bad news, depending on the service, is that switching costs could be high. 

Lack of Customization. With many providers, what you see is what you get, so true customization is generally not available.

Although these issues will give pause to IT departments in law firms and legal departments, according to Michael Aginsky, CTO of Gibbons P.C., more concern will center on security and governance. “If we are going to host information for multiple clients on a cloud platform, the key issues are, how is the cloud secure; how is client data kept secure; where is the data hosted, not just in terms of the facility but also in which state it is located; and where does the data get backed up? This amounts to knowing where the data is at all times.”

Other issues, on the governance side, include keeping track every time data is accessed, by whom, and for what purpose. “With strict audit requirements and hundreds of attorneys, adoption of cloud technology may be limited,” according to Aginsky. These issues point to a variety of laws that focus on appropriate governance and security that the legal industry will need to address.

Privacy & Security
Privacy and security obligations as they relate to regulatory acts such as Gramm-Leach-Biley, which regulates the safeguard of consumer personal financial information, and Health Insurance Portability and Accountability (HIPPA), which regulates electronic health care transactions, need to be recognized when doing business as a U.S. company.

When safeguarding personal identifiable information such as social security, credit card, driver’s license or other financial data, companies need to use industry-accepted measures to comply with state and federal regulations. Breach notification, as an example, will disclose the breach to affected customers to avoid plaintiff lawsuits and regulatory action. Encryption, another safeguard, is a process that alters data, making it unreadable to outside intruders.

Companies that do business internationally will need to understand data protection laws in Europe, which protect consumer rights through detailed notification. These laws let consumers know how data is collected, used and secured, at a minimum. Europe has also established statutory requirements which outline stringent security as additional measures. Keeping compliant with state, federal and international guidelines for data protection may seem daunting, however, common themes include: breach notification, cloud service provider due diligence, data protection to restrict access and legally binding contracts that protect subscribers.

As interest in cloud computing continues, several groups have entered into a discussion to set guidelines. Brad Smith, vice president and general counsel for Microsoft, is proposing a Cloud Computing Advancement Act that would address privacy and security issues. The NIST has issued recently, Guidelines on Security and Privacy in Public Cloud Computing in a draft version. Also, the Cloud Security Alliance, a non-profit organization with the mission of educating and developing security best practices for cloud computing, has also developed some voluntary guidelines.

International Data Transfer
In addition to European data protection laws, there are also restrictions that prevent the transfer or sharing of data across borders by the European Economic Area (EEA) Member States and other regional countries. To circumvent this problem, providers have developed regional-based co-op clouds that consolidate geography with a designated host country. Still, this is not a global solution, as some agreements only transfer information one way. 

Contract Provisions
When storing personal identifiable information that is outsourced to a cloud provider, there may be contract considerations that affect third-party outsourcing. Also, contracts by providers do not usually differentiate between the types of data managed, whether regulated, as outlined in the Gramm-Leach-Biley, or simple business contact or lead-generation data that is not heavily regulated. 

E- Discovery
When considering the cloud for e-discovery, any automated records management will need to meet the standards for regulatory compliance and integrate well with other applications like document management systems.  To avoid risk there are five requirements for regulatory compliance, as indicated in the February edition of the American Agent and Broker: 

1. Centrally controlled access to document management, which is one of the most essential elements of compliance;

2. Document classification policy management which controls the classification of records to locate data efficiently while providing security;

3. Retention policy management that specifies retention schedules to help keep records for the required amount of time and deletes them when the retention policy requires it;

4. Destruction and disposition policy management that helps track all stages of destruction to show a history of approvals (if required) and adherence to policies; and

5. Legal hold management, which is a function that prevents destruction of documents if they are under litigation hold.
Decisions to move data into the cloud will not be much ado about nothing. The security, operational and legal issues are significant hurdles. Intellectual property and recent consumer data breaches are inspiring a new wave of regulatory measures to protect data. In a recent data breach, Sony Computer Entertainment America reported their PlayStation® Network was invaded by hackers who obtained personal information on 70 million subscribers. As a result the company has had to suspend their services while a security firm conducts a full investigation.

Most IT managers, however, are excited at the prospect of efficient staffing, scalable applications, little maintenance and flexible costs as companies move to cloud computing.  Software as a Service Applications or SaaS models, such as salesforce.com®, are making it more affordable than ever to increase productivity and efficiency in a virtual world.

According to Federal Chief Information Officer Vivek Kundra, the government has 2000 data centers throughout the country. “Of the $80 billion we spend each year, $20 billon of that can actually move to the cloud,” he said, adding that the plan is to shut down 800 data centers by 2015.

Some predict that wholesale transfer to a cloud architecture will never happen. Yet, many business applications will derive great benefit operating in a cloud environment. How the legal industry confronts the latest technology trend and debate will be one to watch.