Cloud issues

This guideline has been compiled by Mark Heyink, an attorney, notary and conveyancer who specialises in Information Law, for the Law Society of South Africa primarily as a tool to assist attorneys in governance and management of eMail.

By its nature the guideline is general, not exhaustive, and intended as a starting point to guide attorneys in their use of cloud computing. This guideline is not intended and must not be construed as establishing any legal obligation. Neither is the guideline intended, nor must it be construed, as providing legal advice. This guideline is supplementary to the Information Security Guideline and the Protection of Personal Information Guideline published by the Law Society of South Africa which should also be considered in using this Guideline.


  1. INTRODUCTION

    1. The Law Society of South Africa has published guidelines entitled “Information Security Guideline 2011” and “Protection of Personal Information Guideline 2011”. This Guideline is supplementary to those guidelines, which will be referred to and parts of which may need to be read to achieve a greater depth of understanding of the information security and protection of personal information issues which apply to cloud computing. The Guidelines are available on the Law Society of South Africa website at www.lssa.org.za.

    2. Cloud computing comes in a wide variety of forms. Some of these are quite simple and others significantly more complex. So too the legal issues relating to the use of the cloud take on many varying forms and complexity. The purpose of this Guideline is to assist attorneys to navigate some of the typical legal issues which cloud computing may present.

    3. Also addressed, very briefly, are issues raised by the use of tablets and SmartPhones and the Apps provided for use with them, which may be facilitated by servers (in the cloud) outside of South Africa. These devices bring with them wonderful advantages but may present legal problems which may not be fully appreciated.

    4. Over the last 18 months the furious rate of change of technologies in our information revolution has accelerated dramatically with the advent of wonderful new technologies. The law, cumbersome slow beast that it is, has simply fallen further behind in addressing the changes that the novel technologies and practices herald. In the case of cloud computing one of the major advantages is the driving down of the cost of excellent computer facilities and applications that would otherwise be beyond the financial means of the users.

    5. This having been said, the law relating to the governance of information and communications technologies, its management and use, requires due diligence. In the case of attorneys there are also professional obligations that must be considered. The regulation of an attorney’s behaviour to meet these legal requirements and professional obligations relies to a large degree on ensuring that the implications of cloud computing are properly considered and that appropriate agreements are concluded governing an attorney’s use of the technologies.

    6. The issue of discovery generally, and e-discovery more specifically, also raises certain issues which must be considered in determining whether cloud computing is appropriate for the processing of information by attorneys and whether information processed using cloud computing will be readily available for discovery should this become necessary.

    7. This Guideline highlights some of the considerations which attorneys should bring to bear in deciding on the appropriateness of cloud computing within their practices.

  2. WHAT IS CLOUD COMPUTING?

    The aim of this chapter is to:

      • Explain the nature of cloud computing;

      • Alert the reader to advantages that cloud computing may hold; and

      • Alert the reader that there are potential legal risks in adopting cloud computing.

    1. As indicated in the Introduction, cloud computing takes on many forms and while there are definitions that have been developed to describe cloud computing, these typically address the more technical issues and will not be particularly helpful in this Guideline. It may be more helpful to describe some of the services that cloud computing offers and the deployment of these services.

    2. At its broadest level cloud computing is the provision of computing as a service over a network, typically the Internet. These services are usually grouped into the following categories:

      • “Software as a service” which allows for the provision of software over a network rather than software being loaded directly onto a locally available computer;

      • “Platform as a service” which allows for the provision of a computing platform which in turn allows the environment for other software to run on (for example operating systems) over a network rather than being loaded directly onto a locally available computer;

      • “Infrastructure as a service” which allows for the access of a computer infrastructure (for example data storage or processing capability) over a network that is used to complement locally available platform resources.

    3. The deployment of cloud computing may also occur in different ways, which may also affect the legal consequences of using cloud computing. These include:

      • Public Cloud (there is no restriction and any entity or person may access these services);

      • Private Cloud (where access is restricted to a single entity);

      • Community Cloud (where access is available for a community of entities – for example, if the Law Society established services that were available only to members of the various law societies in South Africa and would be accessed remotely by attorneys in a Law Society cloud facility);

      • Hybrid Cloud (in this instance more than one of the cloud computing models referred to above may operate in conjunction with another and provide a level of interactivity which would not be available outside of the hybrid cloud).

    4. Cloud computing is not to be confused with outsourcing, although it may have many similar characteristics. Typically with outsourcing control of the services provided may be exercised by having a single agreement with a service provider. This is not always the case with cloud computing.

    5. What often happens in the case of cloud computing is that entities may establish infrastructure that may be used optimally in certain instances by offering the services to different parties at different times. So it is possible that a particular entity requires significantly more processing capacity at a particular time and that the computers and servers facilitating this capacity are relatively idle at other times. These entities then hire out this unused computing capacity to parties that may require the computing capacity in most cases at a very favourable cost to the third party.  The providers of cloud computing facilities will often take advantage of the low cost computing capacity offered in this manner. However, the computers which provide this capacity may be situate in a myriad of different geographical locations, each of which may be subject to different laws, business practices and government oversight.

    6. The economies of scale that can be achieved through cloud computing services will in most cases significantly drive down the cost of computing. This makes cloud computing an extremely attractive option for the development of an organisation’s computing infrastructure and the ability to acquire computing capacity on demand.

    7. While the cloud computing option holds many attractions, the complications which may occur as a result of the services being provided from disparate geographical locations which are subject to different legal jurisdictions may result in unexpected but significant legal consequences and need to be carefully considered in determining whether cloud computing is an appropriate option.


  3. PROTECTION OF PERSONAL INFORMATION

    The aim of this chapter is to alert attorneys to:

      • Their obligations to protect personal information;

      • Information security obligations that are inherent in protecting personal information; and

      • The restrictions on trans-border flows of personal information.

    1. Privacy is a constitutional right in South Africa. One of the elements of privacy is the protection of personal information (Section 14 of the Constitution).

    2. While not yet enacted it is likely that the Protection of Personal Information Bill will become a feature of our legislation in 2012. The importance of the proposed legislation cannot be under-estimated. It is likely that a considerable amount of information which will be processed by an attorney will be personal information as defined in the PPI Bill (Section 1 of the PPI Bill Sixth Working Draft dated 27 January 2012) and will therefore be subject to the provisions of the Bill, once enacted.

    3. For the purposes of this Guideline the most important aspects of the Bill (which are not likely to be amended in any substantial measure before enactment) are the Conditions for the Lawful Processing of personal information contained in Chapter 3 of the Bill.

    4. In the context of personal information being processed by a third party, the provisions of Sections 19 to 22 of the Bill prescribe the security safeguards which a responsible party and operator need to employ in the processing of personal information. If the attorney, acting as the responsible party, requires the processing of personal information by an operator (in this context the provider of a cloud computing facility), it is prescribed that there must be a written agreement concluded between the attorney and the operator. This agreement must require the operator to establish and maintain measures to ensure the security of the personal information and protect the integrity and confidentiality of information (Section 21(2) of the PPI Bill).

    5. If the operator (provider of cloud computing facilities) is not domiciled within the Republic, the responsible party must take reasonably practicable steps to ensure that the operator complies with the laws, if any, regulating the protection of personal information of the territory in which the operator is domiciled (Section 21(3) of the PPI Bill).

    6. Thus, should an attorney wish to take advantage of cloud computing, where the information to be processed is personal information, it will be necessary for the attorney to conclude an agreement with the provider of the services, aimed at ensuring that appropriate security for the protection of personal information is established and maintained.

    7. One of the issues which needs to be taken into account in these circumstances is that if the principal service provider relies on third parties for the processing of information, the agreement contemplated in 3.6 must also provide appropriate assurances that the principal service provider will enter into written agreements with the providers of services relied on by the principal service provider, providing appropriate back-to-back assurances. In theory this may be possible but where cloud computing models are more complex, the practicality of obtaining the necessary assurances may prove extremely difficult. Nonetheless it must be borne in mind by attorneys who wish to use cloud computing services that where personal information is processed and they are the responsible party, they remain liable to the data subject for any breaches which may occur in the processing of the information regardless of the fact that the compromise is occasioned by the negligence of an operator.

    8. Trans-Border Information Flow
      Also of importance in considering the protection of personal information is Chapter 9 of the Bill which deals with trans-border information flow (Section 77 of the PPI Bill), in particular the provision that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless the recipient is subject to a binding agreement which effectively upholds the principles of reasonable processing of the information or, alternatively, there are adequate laws in place (substantially similar to the provisions contained in the Bill) which afford this protection. If agreements are relied upon by an attorney these must provide for substantially similar Conditions for the Lawful Processing of Personal Information in South Africa and also include a provision preventing the third party from transferring the information to another foreign country.

    9. Processing of Personal Information in Foreign Jurisdictions
      While the issue of jurisdiction is more fully dealt with in Chapter 5, in the context of the Protection of Personal Information, jurisdiction is also important. In this regard the provisions governing agreements to be entered into between responsible parties and operators and trans-border information flows will require careful consideration.

    10. It is beyond the scope of this Guideline to deal with the myriad of jurisdictional issues which relate to the processing of personal information. However, it may be helpful to understand how personal information is dealt with in other jurisdictions and the developments which are occurring in this regard.

    11. The USA does not have a general law of application governing the protection of personal information. Privacy is governed by a proliferation of several sectoral legislative instruments, including without limitation:

      • The Gramm-Leach-Bliley Act, which is also known as the Financial Services Modernisation Act. This Act requires financial institutions, among other things, to protect the non-public personal information of financial consumers from disclosure and addresses important information security issues.
      • The Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) govern the protection of personal health-related information in the USA.
      • Sarbanes-Oxley (“SOX”), among many other things, governs internal controls over financial disclosures and the Federal Information Security Management Act (“FISMA”) governs how federal agencies are required to protect personal information.
      • The Fair Credit Reporting Act (“FCRA”) and Fair and Accurate Credit Transactions Act (“FACTA”) require consumer credit reporting agencies to implement reasonable procedures that are fair and equitable to the consumer with regard to the confidentiality, accuracy, relevancy and proper utilisation of consumer credit, personal insurance, and other personal information.
      • The Children’s Online Privacy Protection Act (“COPPA”) prohibits websites from processing, using or disclosing personal information of a child under the age of 13 without obtaining verifiable consent from the child’s parent.

      In addition to the laws referred to in 3.11 there are several other federal laws which govern the protection of personal information and a plethora of State laws regulating the processing of personal information within specific states in the USA.

    12. One of the reasons that the USA is important in this perspective is the fact that many cloud computing platforms and applications used on tablet and mobile technologies are supported by cloud computing facilities situate in the United States. It should be noted that by the nature of cloud computing, even though the entity might be a USA entity, the support for these devices and applications used on these devices may well be in another jurisdiction. In determining whether these devices may be used for the processing of personal information, care must be taken to establish and properly consider the jurisdiction not only of the entity providing the services but also of the place where the computers that provide the services are situate.

    13. It should be noted that in February of 2012 President Barack Obama introduced the “Consumer Privacy Bill of Rights” to Congress for consideration. In effect this Bill will provide for a general law of application governing the privacy of personal information.

    14. In March 2012 the Federal Trade Commission published a paper entitled “Protecting Consumer Privacy in an Era of Rapid Change – Recommendation for Businesses and Policy Makers”. In essence this report recognises and in many ways supports the concept of a general law of application governing personal information being introduced in the USA.

    15. In the European Union there have also been significant developments. The European Union is a leader in the establishment of the Protection of Personal Information principles globally. In January 2012 the European Commission introduced a regulatory framework which is far broader in application and concept than the directives which are currently in place. While many different issues are considered, the issue of primary importance in so far as jurisdiction is concerned is that previously countries within the European Union were required to legislate in terms of directives made by the European Union. It is contemplated that the new European Regulation will apply to all European countries and govern, among other things, the issues of cross-border transfer of information, policing and enforcement of contraventions of the regulation. This is an important development as it recognises the practical difficulties that have been experienced in the policing and enforcement of legacy legislation between different countries in Europe despite the fact that they are closely bound and related in so many ways.

    16. The development of a law of general application in the USA and the European Union Regulation highlights the increasing importance that is being assigned to privacy by legislators globally. This is well summarised by the remarks of President Obama in his introductory note to the “Consumer Privacy Bill of Rights”. President Obama remarks:

      “One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.”

  4. JURISDICTION

    The aim of this chapter is to highlight issues of jurisdiction and choice of law in implementing cloud computing solutions.

    1. As globalisation increasingly renders our commercial activities borderless the issues of jurisdiction and choice of law have become one of the burning issues in our jurisprudential development globally.

    2. This is all the more the case when we are dealing with something as portable as electronic information. Thus, in processing information using cloud computing solutions, consideration must be given to jurisdictional and choice of law issues which may be important.

    3. In considering cloud computing it is important to ensure that the services, their deployment, both structurally and geographically, and the information security protections employed by a service provider are clearly understood. This should be reflected in the agreement, which in itself may provide important information determining whether the services are appropriate and whether they might lead to potential non-compliance with local legislation or professional obligations.

    4. In instances where the principal service provider relies on sub-contractors, it may be necessary to obtain the necessary assurance and warranties from the principal contractor relating to the sub-contractors.

    5. In considering the use in business of tablets and SmartPhones, which in many cases may have limited processing power and thus rely on cloud computing services to allow users the functionality they desire, consideration needs to be given to where the processing will occur. Likewise the use of Apps, in many but not all cases, will route processing through particular computers and gateways which may have similar considerations.

    6. Where the services are provided from third party jurisdictions, consideration of the law governing those jurisdictions is very important.

    7. A good example would be the United States which has enacted the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001” (“the US Patriot Act”). In response to the events of the 11th September 2001 the US Patriot Act has reduced the procedural hurdles that the USA Law Enforcement Agencies and Government need to overcome to secure access to any information held by organizations within the United States. This would include any information which emanates from a foreign jurisdiction but is processed within the United States. Thus, platforms such as the Blackberry Messaging service (BBM) and iServer-type platforms, serving many of the tablets available today, would be subject to this legislation. In certain instances governments and even companies have prohibited the use of this type of service by their employees for fear that sensitive information may fall into the hands of the United States Government or its law enforcement agencies.

    8. The United States is not alone in efforts to counteract organized crime and terrorism in this manner. Recently the British Government has been considering proposals for similar laws and there are numerous jurisdictions around the world that are reviewing their cyber security status in order to protect both their own resources and access to information which may assist them in these efforts.

    9. From the perspective of an attorney in South Africa the potential risk of the processing of information in third party jurisdictions needs to be considered carefully, taking into account the nature of the information that may be processed, and if the information belongs to a client the risks that this type of processing may hold to the client. It must be borne in mind that whatever legislation may be in place in South Africa, over and above legislation, consideration of the professional duty of confidentiality demands that attorneys ensure that information which may be processed by them in using resources which are not directly under their control is not subject to confidentiality risks.

  5. INFORMATION SECURITY

    The aim of this chapter is to highlight to attorneys their obligation to provide information security and complications which this may present in implementing cloud computing solutions.

    1. In the Information Security Guideline for South African Law Firms published in 2011 (to which the reader is referred for a greater depth of information), attention is drawn to the attorney’s professional duty to implement information security. In this regard it is recognised globally that lawyers have a duty to maintain confidentiality over client communications.

    2. While our obligations as attorneys may place an even greater obligation on us to provide appropriate information security, there is an underlying obligation on all entities processing information (in both manual and electronic forms) to implement reasonable organisational, physical and technical measures to safeguard the information. The legal obligation to provide information security is owed by all stakeholders of the entity and globally is increasingly being regarded as a non-negotiable obligation.

    3. In South Africa the Companies Act requires that directors (and senior executives) perform their functions with the degree of care, skill and diligence that may be reasonably expected of the director having the general knowledge, skill and experience of the director. Further, that the director must properly equip him/herself to fulfil these obligations with the necessary skill. It is suggested that attorneys (even those who are not directors in incorporated practices) take heed of the provisions of the King III Code of Governance Principles for South Africa relating to ICT Governance. One of the obligations which is expressly addressed is the obligation to implement information security.

    4. Information security is not an end in itself and in order to ensure that the information and communications processed by an attorney meet the provisions governing legal requirements for data messages (electronic records and communications), the provisions aimed at facilitating electronic transactions contained in Chapter III of the Electronic Communications and Transactions Act have to be met. A cursory reading of these provisions highlights the fact that they cannot be met without ensuring an appropriate level of information security.

    5. Similarly, certain of the obligations imposed in the Promotion of Access to Information Act, the Consumer Protection Act and the National Credit Act, while information security is not explicitly a requirement in these Acts, cannot be achieved without appropriate information security.

    6. The Protection of Personal Information Bill (once enacted) will be the first legislative instrument in our law which expressly requires the implementation of appropriate information security. This is dealt with more fully in Chapter 4 of this Guideline and in “the Protection of Personal Information for South African Law Firms Guideline” published by the Law Society of South Africa in 2011. Nonetheless it bears repeating that as attorneys the vast majority of the information which we process relating to our clients is personal information and is subject to the provisions of this prospective legislation.

    7. Bearing in mind the obligations which are currently a feature of our law and the potential complexity of the relationships in cloud computing, the difficulty of ensuring that appropriate information security is established and maintained by the service providers and the many parties to whom these services may be sub-contracted is brought into sharp focus.

    8. It should also be borne in mind that considering the professional and ethical requirement of maintaining the confidentiality of client information, this may demand that attorneys introduce security measures which are more stringent than those regarded as “Best Practice”.

  6. TABLETS, MOBILE PHONES AND APPS

    The aim of this chapter is to draw the attorney’s attention to:

      • The use of mobile devices; and

      • The reliance that mobile devices often place on cloud computing solutions.

    1. Over recent years one of the most exciting developments in information and communications technologies has been the advent of tablet computers and the vastly improved facility of mobile phones to process and communicate data. Tablet computers and mobile phones are referred to as mobile devices in this Chapter.

    2. These developments are globally of huge importance as they have exponentially increased the capacity of people around the world to effectively process information and communicate on mobile devices which make information instantaneously available wherever they are. In the South African context the importance of these developments cannot be overstated. It should be remembered that there are slightly less than 7 million PC devices in South Africa whereas there are approximately 40 million mobile devices.

    3. The very nature of mobile devices (much smaller and more compact) dictates that the computing capacity of these devices (while significant) does not allow for the type of processing power that operating platforms typically used in PCs provide. The platforms are for the most part cut-down versions but the development of Apps which run on mobile devices allows users to choose the processing that best suits their needs and to download the Apps onto the mobile devices. Thus, the ability to customise mobile devices provides extremely effective tools for the user in the processing of information.

    4. One of the features of many Apps is that while in certain circumstances they may be utilised in a stand-alone form on a mobile device, in many circumstances they facilitate a link to a server or servers which will allow the mobile device to use processing facilities in that server. Thus in many cases by using the computing services provided on the tablet or mobile device as well as the Apps which may be downloaded to the mobile device, in effect the processing of the information is occurring on computers situate in the cloud.

    5. Thus, while the use of tablet and mobile devices has many important attractions, consideration needs to be given to how these devices may be used in an attorney’s practice to ensure that the potential dangers highlighted in this Guideline do not result in the attorney compromising the security and confidentiality of the information, which is the attorney’s legal and professional duty to protect.

  7. DISCOVERY AND E-DISCOVERY

    The aim of this chapter is to highlight the importance of electronic discovery and issues which an attorney may have to agree with a cloud computing service provider to ensure that it can discharge these obligations.

    1. Attorneys are indebted to Brendon Hughes for his article entitled “The Rise of Electronic Discovery” published in the January/February 2012 De Rebus. This article draws attention to the more important elements of e-discovery and attorneys are referred to this article to gain a greater depth of understanding relating to e-discovery.

    2. In seeking to comply with the obligations which the Uniform Rules of Court and Magistrates’ Court Rules place on litigants to make discovery on oath of all documents relating to any matter in question in litigation and produce such documents for inspection and at trial, all too often the issue of electronic communication is overlooked, or poorly dealt with.

    3. In many instances important and sometimes critical information will be held by attorneys in electronic form only and these electronic communications may never be printed out before the requirement for discovery. As Mr Hughes points out, these documents are subject to the Electronic Communications and Transactions Act and need to be retained in accordance with the provisions of that Act to counter any challenge to the validity of the electronic communications when adduced in evidence.

    4. In instances where this information is processed in the cloud, the obligation to discover the electronic communications and the obligation to ensure that the electronic communication meets the requirements of the Electronic Communications and Transactions Act remains unchanged.

    5. Mr Hughes raises the very important point of the value of meta data. Very often important information relating to the document itself, for instance, when it was created and on what computer it may have been created, when and on what computer it may have been amended, and when it may have been communicated, is retained with the electronic communication. In these circumstances the meta data itself takes on important evidential value. In the 21st century no lawyer should discount the critical evidential value that meta data provides.

    6. Against this background it is clear that when using cloud computing one of the issues that needs to be considered and where appropriate contractually guaranteed, is that the electronic information processed in the cloud will be processed in a manner which meets with the provisions of the Electronic Communications and Transactions Act and that the information can be readily retained for the purposes of discovery should this become necessary. In addition the retention of all appropriate meta data should also be required.

  8. CLOUD COMPUTING AGREEMENTS

    The aim of this chapter is to highlight certain important points relating to agreements which may govern cloud computing and an attorney’s obligations in this regard.

    1. General
      This Chapter is not intended to be an exhaustive review of the nature of cloud computing agreements and provisions which attorneys should address in considering cloud computing. The nature of cloud computing, the proliferation of different cloud computing models and the multitude of parties who may provide services within those models, militate against this. Nonetheless, it may be useful for attorneys to consider the following issues as a checklist in determining whether the cloud computing services are appropriate to the processing of information and particularly personal information in the conduct of their practice.

    2. Transparency
      In considering cloud computing services, the actual model and who will be processing the information should be disclosed and, where necessary, service providers should be contractually bound not to change or use other services outside of the configuration contemplated. This will allow the proper consideration of whether the processing of the information in the cloud is appropriate and provides the necessary protections.

    3. Where providers of cloud computing services are unable to provide an agreement for consideration this should immediately raise an alarm that the provider has not considered potential obligations and liability issues, including without limitation, protection of personal information, information security, access to information by third parties, agreements with sub-contractors, record management, business continuity, termination of the agreement and return of information and choice of law.

    4. Considering the legal issues which this Guideline touches on, any lack of transparency in arrangements with the providers of cloud computing services, however technologically or commercially attractive the services may be, should be treated with great caution.

    5. Jurisdiction and Choice of Law
      The issue of jurisdiction and problems relating to jurisdiction and conflicting laws are dealt with in Chapter 5. From the perspective of potential agreements it must be pointed out that “forum shopping” is not possible in relation to certain of our legislation. Thus, choice of law clauses which may make more lenient regulation of another jurisdiction applicable to the contract will not protect a South African attorney, who will remain subject to the laws of South Africa in so far as South African clients are concerned.

    6. Protection of Information
      Protection of personal information is dealt with in Chapter 3 of this Guideline and needs no further elaboration.

    7. Security is dealt with in Chapter 5 of this Guideline and needs no further elaboration.

    8. Attorney and client confidentiality is dealt with in this Guideline in considering privacy and security but it is worth emphasising the professional duty of lawyers to maintain the confidentiality of client information.

    9. Records management is an important consideration and an attorney must ensure that the records are managed in such a manner that the necessary protections are provided not only relating to unauthorised access but in a manner that would allow the legal requirements for data messages dealt with in Chapter III of the Electronic Communications and Transactions Act to be satisfied. Further, that the attorney has ready access to information as and when it may be required.

    10. Record retention and destruction. Issues of record retention and destruction are particularly important against the background of the legislative requirements which may apply to the information by virtue of South African law, as well as the considerations relating to discovery and electronic discovery which are dealt with in Chapter 7 of this Guideline.

    11. Sub-contractors must be identified, if they are processing personal information, and satisfactory assurances must be provided that there are written agreements in place between the principal service provider and the sub-contractor which satisfy the requirement of the Protection of Personal Information Bill.

    12. Audit arrangements may be appropriate to ensure that the privacy and security contemplated in the provisions protecting the information are properly established and maintained through the term of the agreement.

    13. Performance Management
      Service levels should be agreed and appropriate provisions included in the agreement to allow for the measurement and enforcement of the service levels.

    14. Response times and guarantees of uptime should be part of the service level arrangements.

    15. Business Continuity and Disaster Recovery
      One of the information security obligations of an attorney is to ensure that a client’s information is not compromised by virtue of either the attorney or service providers to the attorney having their business interrupted or going out of business. In the context of electronic information, issues of backup, offsite storage of documentation and disaster recovery arrangements are important. While provisions governing business continuity and disaster recovery should be a feature of any outsourcing arrangements where the attorney may lose direct control of the information, in the context of cloud computing this becomes even more important, considering that there may be different levels of processing. The complexity in this regard will be one of the considerations which must be brought to bear in considering whether cloud computing is appropriate for processing of the particular information.

  9. CONCLUSION

    1. While exploring the advantages of novel technologies and how they may improve the services that we provide to our clients as well as how we may become more competitive in the provision of our services, as with most novel technologies and the application of these technologies, care must be taken to ensure that risks attendant on the use of the technologies can be avoided.

    2. Cloud computing and portable devices, the application of which is supported by cloud computing, bring into sharp focus some of the legal issues which are taxing jurisprudential systems globally. Attorneys are well advised to not discount the huge advantages that evolving technology brings to our profession, which has at its core the processing of information, but equally to consider carefully what risks these novel technologies may hold.

 Copyright
Copyright in this material vests in Mark Heyink. The material may be used by the Law Society of South Africa and Tech4Law under a licence granted by Mark Heyink.
