The new world of remote work has moved attorney-client communications further into the cloud, with growing use of online workspaces, teleconferencing and file sharing.
As this transition accelerates, it's a good time for you, as corporate counsel, to review your policies about how your external law firms use and secure cloud data in these tools.
Here are four things to look for in your outside counsel guidelines for cloud data (with suggested language):
1. Establish a preference for your cloud
There's a crucial difference between communicating by email and communicating in an online workspace: With email, everyone in the conversation ends up with a copy. When the conversation is in the cloud, sometimes the only copy is in the cloud, and it’s either in your firm’s account or yours.
Generally, your default policy should be to use the company’s own cloud services rather than those of the external firm. It’s your company’s data, so your company should be in control of the choices relating to retention, external access and backups, among others. There will be exceptions; your guidelines should call for those to be highlighted and subject to approval.
Of course, your legal providers also need assured access to this information, even after the engagement ends. Your policies (and their engagement letter) should make this clear, too.
Whenever possible, communications and files should be stored in accounts owned and controlled by the client. Client will ensure continuing access for the service provider as appropriate.
2. Maintain an approved vendor list
When a law firm manages your data in the cloud, their vendors become your vendors. You need to make sure those vendors are just as well vetted on security as if you were retaining them directly. For each vendor, it’s also important to understand how you can get the information out of their system if that becomes necessary; some are harder than others.
To manage this process sustainably, work with your own IT team to develop a list of approved cloud services that meet your standards and cover the gamut of places your law firm might need to store information. Include that approved list in your guidelines.
The client will provide and maintain a list of approved third-party services available for use in the engagement. No client data will be stored on other services without the client’s approval.
3. Confirm their cloud policies
When it’s necessary and beneficial to house data on your law firm’s cloud accounts, ensure that these requirements are in place:
Any service storing client data must allow a complete download of communications and shared documents, in a manner suitable for transition to a comparable service.
On termination of the relationship, provider will facilitate the transition of ownership of the account to the client, at the client's expense, if possible.
4. Require regular reporting and access
Your guidelines should call for the firm to report periodically (quarterly, perhaps) on where your client data resides, exactly what’s where, and if and how your team can have direct access.
This doesn’t need to be a huge chore for your firms. It can be a shared spreadsheet which lists the various data locations for each case or project. The important thing is to focus attention on the underlying decisions of where and how the work product is being stored, and to catch exceptions to your approved list.
The provider will provide a report every quarter that includes an inventory of all locations where the client’s data may be stored, confirmation of compliance with these guidelines and an explanation of any exceptions.
Joinder makes this easier
Our platform, Joinder, includes a comprehensive solution for managing your law firm relationships, including keeping counsel guidelines and reporting complete and up to date. Check it out with a free 30-day trial.