Moving from on-premises IT to a colocation data centre can be a significant undertaking for any business, let alone a law firm in which the nature of the work involves highly confidential client data and a need for compliance with various regulatory requirements. Here, we try to ease the burden and simplify the process by highlighting the key things to look for in terms of data centre security for law firms.
As part of the SRA Code of Conduct, law firms must ensure that their clients’ information is kept confidential. In combination with the Data Protection Act (DPA) this also includes protecting against unauthorised access to the data and data loss.
Law firms should therefore look for a provider who can outline all of the controls they have in place to safeguard against a breach. Moreover, since confidentiality is so critical, it’s a good idea to have something in the contract that prevents the provider from disclosing the identity of your firm to other clients who are hosting within the data centre.
A further important consideration for confidentiality is the location of the data centre. The eighth principle of the DPA makes it clear that personal data cannot be sent outside of the European Economic Area without sufficient protection. If it’s necessary for your provider to be outside of the EEA, you should at minimum ensure that it upholds relevant safe harbour agreements set out by the European Commission.
An interruption to your service would not only result in chaos and business disruption, but it can also lead to the violation of regulations within the SRA Handbook. Such regulations require law firms to provide services that protect the interests of their clients (Principle 5 and Outcome 1.2).
You should therefore look for a provider that offers you a high level of protection against downtime. Most data centres use the Uptime Institute’s Tier classification system to describe their resilience levels, but it’s important to read between the lines in this respect (see our previous blog: Why data centre Tier isn’t all that matters). You should also consider the environmental profile of the facility, as well as look for signs of poor management (as most downtime is a result of human error).
Our Manchester colocation facility provides 2(N+N) redundancy, making it one of the most resilient data centres in the UK.
Physical and information security
The protection afforded to your data will depend heavily on your data centre’s physical and information security controls and policies. Looking for a facility that complies with the ISO27001 standard – which describes an information security management system – is a good place to start.
You should also review how bespoke and personalised the provider’s service is. For example, could they implement further measures like separate CCTV monitoring? Additionally, how long do they retain records and how easy is it for you to access them?
A data centre that is flexible and strives to meet your requirements is likely to be a provider that takes security seriously, and one that actually cares about its customers.
Some data centre providers will view their services as nothing more than a business transaction. The best ones, however, will treat it as a partnership where communication and transparency are essential. This is especially critical to the legal sector, where business is fast-paced and updates on everything are essential: even a few minutes of downtime could be catastrophic for clients.
Initial meetings with a provider will reveal how communicative and open they are, but you should enquire about the availability of things like quarterly reports on power and network usage, as well as references from other customers.
A disaster recovery plan for your own firm is essential, but what about your provider? In case disaster strikes, it’s critical that your data centre has a back-up and business continuity plan of its own. It’s best to choose a provider that is independent and neutral enough to have strong links to other data centres that they can then refer you to, based on your security and compliance requirements.
Everything may seem perfect on paper, but before you sign on the dotted line it is absolutely crucial that you review the data centre in person first. Someone from your organisation should visit the site and check over security controls, review relevant documentation and ensure that all of your requirements are being met. Following on from the principles about transparency mentioned above, your provider should be open to site visits and be completely audit-friendly.
In an industry such as law where firms need to meet so many ethical and legal requirements, a considered approach must be taken when choosing a colocation provider. It’s essential that the data centre you choose does not affect your ability to comply with your Handbook obligations. Therefore, at a minimum, your provider should work in partnership with you, have a secure audit-friendly site and be able to protect against any risks to client confidentiality.