For law firms, your clients’ information is your responsibility. Therefore, when clients’ information is outsourced to an IT firm, the number one question every law firm should ask is, “Where is my data stored?”
If it is in New Zealand, that’s great. Your data security will be governed and protected by New Zealand laws, the Privacy Act in particular, and will comply with the Law Society’s ‘Cloud Computing Guidelines for Lawyers’. Any access to your clients’ data is subject to New Zealand due process.
If your data is not stored in New Zealand, you need to know where it is being held. Is it in Singapore, the USA, India or China? The question becomes “what laws is the data subject to?” and then “who can access it without due process?”
Then there are the privacy issues. If you do not know where your data is, or if it is in an overseas jurisdiction, then you need to ask the following questions:
- Is there a privacy law that applies in the country or countries where your data is stored or processed?
- Is the privacy law similar to New Zealand’s privacy law?
- Does the law apply to the cloud provider and to your information?
- How will the cloud provider deal with any requests for information that it receives from government agencies, courts etc.?
- Will the cloud provider notify you if data is lost or stolen, for instance if the provider is hacked?
- Who can you or your clients complain to if there’s a breach of privacy?
So at your next Partners’ meeting, or when you next speak to your IT provider, ask the question “Where is our firm’s data stored?”