August 2, 2018

Last Updated on January 13, 2024

Legal firms are highly dependent on anytime/anywhere access to their systems and data, yet need to keep administrative and operational costs to a minimum. Software-as-a-Service (SaaS), with its browser-based access, minimal upfront cost, and outsourced administration model would seem ideal. Moreover, the specialized software that law firms rely on for billing, case/practice management, document assembly, trial presentation, etc. is now widely available from SaaS vendors.
But because data (documents, notes, contacts, billing information, etc.) is stored and managed in the SaaS vendor’s remote data center(s)—i.e., “in the cloud”—rather than on a firm’s on-site computers, SaaS options pose confidentiality and security-related concerns for law practices.
These data security concerns have come to the fore as law firms are increasingly targeted by cybercriminals, often as a “stepping stone” to their clients. Clients and prospects are more and more likely to scrutinize their legal partner’s cybersecurity posture for that reason. Firms may likewise be subject to fines and sanctions in the event of a data breach, and can suffer devastating reputational damage as well as the loss of major clients.

What Law Firms Should be Asking Their SaaS Vendors

If your law firm is considering one or more SaaS solutions, or is already using SaaS, you need to carefully scrutinize the offering. Here are nine essential data security topics to discuss with SaaS providers:

  1. Is the software designed with security in mind? SaaS providers serving the legal vertical should design their platforms from the ground up with security as a top priority. In particular, because SaaS instances run on shared infrastructure, there must be bombproof separation between different firms’ data. Leading SaaS providers may have attestations or certifications to prove that their software has been subjected to rigorous security testing. You can also engage a third-party like Pivot Point Security to definitively evaluate the security of an offering.
  2. How secure and available is the infrastructure the SaaS offering will run on? Often this involves yet another third-party; a cloud service provider like Amazon or IBM. What security attestations (e.g., ISO 27001, CSA STAR, SOC 2) or independent audits have the infrastructure provider achieved or undergone? What availability levels will you be guaranteed in your contract?
  3. How often will your data be backed up? How and where are backups stored? Who has access to the backups? Are the backups encrypted? Are they stored in multiple geographic locations to safeguard them from natural or political disasters? What is the procedure for recovering data in the event of an outage, hardware failure, human error, etc.? How much data might you potentially lose in a worst-case scenario, and what would the impact be on your firm and its clients?
  4. Is your data encrypted with 256-bit encryption both in transit across the web and at rest (anytime it’s not in use) on third-party infrastructure—including backupsEncryption is a great way to secure sensitive data and can make it less useful to hackers even if it is lost or exfiltrated.
  5. If you cancel your subscription, can you get your data back? What happens to your backups in that event? Can you pull data off the SaaS infrastructure as-needed in a standard format that is compatible with other software? Unfortunately, some SaaS vendors create roadblocks in these areas to keep their customers “locked in.” Be highly wary of any signs this is the case.
  6. Is two-factor or multi-factor authentication an option? Simple username/password authentication is vulnerable to a wide range of attacks and may not offer the robust security a law firm needs.
  7. Does the SaaS provider have appropriate procedures in place to comply with legal requests like court orders or subpoenas? Have they responded successfully and in a timely manner to such requests in the past? Your firm could be held accountable if a SaaS provider is unable or unwilling to comply with court mandates.
  8. Do the vendor’s Terms of Service or other contracts address confidentiality and security? Do the terms meet your needs? If not, is the vendor willing to amend the terms to clarify responsibilities and outcomes?
  9. What is the vendor’s business history? What are their sources of funding? Are they financially stable? Is their market share going up or down? Shaky finances can lead to a variety of problems that threaten security, from cutting back on staff to outsourcing to untrustworthy people to reducing safeguards. Plus, being forced to migrate to a new solution would bring a host of challenges, including security of your data during the transition.

Moving to a particular SaaS solution for your mission-critical services is a decision that requires planning and due diligence. Contact Pivot Point Security if we can support your data security evaluation process in any way. 
For additional information, see the American Bar Association’s “cloud computing for lawyers” page.