The Achilles’ heel of practice management systems: The dangers of a single point of failure
With software moving to the cloud, many organisations providing professional services are embracing modern practice management systems (“PMS”) which now host their clients’ data in the cloud. There are undoubtedly a lot of potential advantages to using these solutions. However, if all of a firm’s data is in the cloud, there is potentially a huge single point of failure. Is enough being done to address this?
In business, a single point of failure (SPoF) is any one problem that can lead to the demise of an entire organisation. Most commercial organisations will probably be able to recover to an extent from losses of their data. Regulated businesses, on the other hand, such as law firms, accountancy firms and firms operating in the financial services sector, are often subject to additional rigorous regulatory requirements to manage and mitigate risks to protect their clients’ data, and to maintain their ability to continue to service their clients should the firm’s business be adversely affected by a number of risks, such as damage to premises, failure of power or connectivity, and so on. Often, the most crucial asset of these organisations is their clients’ data. If their system fails and the data is not retrievable, the consequences of a permanent loss of data could be disastrous. A permanent loss of data would not only lead to their failure as a business, but could be severely damaging to their clients, would potentially open the principals and directors to serious disciplinary action and could expose the organisation to potential breaches of data protection legislation.
A loss of data is, potentially, a greater loss to the client than the organisation going bust.
So, what is the solution?
The solution begins with an acknowledgment of the advantages of using cloud solutions, such as scalability, reliability, evolution of features, resilience, security, release of office space, and less need for in-house expertise and IT resource. Whilst in theory this sounds like great news, in practice each of these needs examining carefully.
Having a good contract for your cloud solution is also an important part of avoiding a single point of failure, but it is not the solution in itself. Contract enforcement is the last resort. What if your supplier goes bust? What if one of their subcontractors goes bust? There is little to be done in terms of enforcing the contract.
In our view, the real solution lies in knowing your supplier and their offering. There is no substitute for proper due diligence on your supplier. Risk analysis and mitigation, and the implementation of contingency plans, are a vital part of any business operation. To reinforce this, they are not only mandated by regulators such as the Solicitors Regulation Authority but are also required by data protection legislation.
Based on our own experience and that of our clients who, like us as a law firm, are reliant on a PMS, we would recommend treating a contract with a single supplier to provide PMS functionality as unacceptable, whatever the contract says, unless:
- You have access to *all* your data, all the time, and you have an up-to-date backup which you are able to access immediately.
- The backup is stored somewhere accessible (and secure) and will still be accessible if your PMS supplier goes bust.
- The backup must either be on premises, or with a cloud service provider operated by someone other than your PMS provider. If it is held in the cloud, it should also be with a different cloud provider from the one used by the PMS provider (in case that provider goes bust), and the data should be stored in a geographically separate location.
- You can understand and process the backup. This means that, if the data is stored in a SQL database (it probably will be), you should have written details of the complete database schema, including what each of the fields is and what it represents, for each table, and the interrelationships between all tables, together with all the passwords and access certificates necessary to query the database.
- You must have all encryption keys necessary to read and process the content of the database.
- Ideally, you should have an actual copy of the PMS software and its environment so that you can install a local copy for processing the data without reference to the original supplier. If you don’t have this, you must have the expertise to know and understand how the data is stored and extracted, and possibly even a relationship with a backup supplier who can quickly ingest and convert the data for use on their own system.
- You may also wish to consider an escrow agreement covering the source code to the PMS so that you have access to the source so you can engage a third-party maintainer to maintain and support the software if necessary.
- The backup does not necessarily have to be real time. How current it has to be will be for your own assessment. A good starting point would be to have a backup at the end of every working day, so that no more than a day’s data would need to be re-entered.
- You must regularly carry out tests to simulate a failure. There is no substitute for simulating a full systems failure.
- All the above must be documented as part of your disaster recovery plan, and you must ensure that all relevant personnel have access to the plan at all times (so storing it in your PMS is probably not sensible)!
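The checks in the list above can be automated as part of a restore drill. The following is an added example, not part of the original article: it audits a restored backup for age, provider separation, and whether the written schema covers every table, column and relationship actually present. The SQLite database, table names, provider labels and manifest format are all constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

def build_sample_backup():
    """Constructed stand-in for a restored PMS backup (in-memory SQLite)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE matters (id INTEGER PRIMARY KEY, title TEXT,
                              client_id INTEGER REFERENCES clients(id));
        CREATE TABLE time_entries (id INTEGER PRIMARY KEY, minutes INTEGER);
    """)
    return db

def audit_backup(db, documented, manifest, now, max_age=timedelta(days=1)):
    """Return drill findings; an empty list means every check passed."""
    findings = []
    if now - manifest["taken_at"] > max_age:
        findings.append("stale backup")
    if manifest["backup_provider"] == manifest["pms_provider"]:
        findings.append("backup held by the PMS provider")
    tables = sorted(r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table'"))
    for table in tables:
        if table not in documented:
            findings.append(f"undocumented table: {table}")
            continue
        doc = documented[table]
        cols = [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')]
        findings += [f"undocumented column: {table}.{c}"
                     for c in cols if c not in doc["columns"]]
        # Foreign keys are the table interrelationships the schema notes must cover.
        for fk in db.execute(f'PRAGMA foreign_key_list("{table}")'):
            link = f"{fk[2]}.{fk[4]}"
            if doc.get("references", {}).get(fk[3]) != link:
                findings.append(f"undocumented relationship: {table}.{fk[3]} -> {link}")
    findings += [f"documented but missing from backup: {t}"
                 for t in sorted(set(documented) - set(tables))]
    return findings

# Constructed written schema and backup manifest; all names are hypothetical.
DOCUMENTED = {
    "clients": {"columns": {"id": "client key", "name": "client name"}},
    "matters": {"columns": {"id": "matter key", "title": "matter title",
                            "client_id": "owning client"}},
    "invoices": {"columns": {"id": "invoice key"}},
}
MANIFEST = {"taken_at": datetime(2024, 1, 1, 18, 0),
            "pms_provider": "provider-a", "backup_provider": "provider-b"}
```

Calling `audit_backup(build_sample_backup(), DOCUMENTED, MANIFEST, now=...)` after each simulated failure gives a list of gaps to close before the documentation is relied on in a real recovery.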
What if your cloud provider refuses to provide you with access to your backup?
In reality, if your cloud service does not, or refuses to, give you the ability to access your own data directly (and understand how to extract it), this would be a major red flag from a compliance perspective, both in terms of data protection legislation and your organisation’s obligations to its regulators such as the SRA, because such a cloud service provider’s PMS would represent a potential single point of failure. If it ceases to provide the services, then that will not only mean that you as an organisation, in all probability, fail as a business, but that the principals or directors will potentially be exposed to extremely serious personal liability. This is clearly a business risk that no prudent law firm should accept.
Therefore, it is important to carry out your due diligence on the provider itself: verifying its financial stability, how well its systems integrate with your other office systems, checking various key aspects of its terms of service, what security it offers to protect the data against damage and loss, how it deals with termination of the service and its consequences and, more importantly, how well it deals with issues around business continuity and backup of data.
If you need any help with a better understanding of the due diligence process before engaging with your supplier, need assistance with devising a due diligence checklist or reviewing your suppliers’ terms of business, please contact us.