Mar 13, 2017

A Due Diligence Checklist for Legal Professionals

There are a lot of factors for law firms to consider when selecting a cloud provider.  Not knowing where to start can make the selection process even more difficult.  This post serves as a primer for law firms.

As cloud adoption continues to grow, law firms of all sizes are realizing the benefits of leveraging the cloud.  For most firms, these benefits include:

  • Increased productivity and efficiencies
  • Improved security
  • Meeting compliance requirements
  • Better business resiliency
  • Reducing costs of on-premises servers and IT-related expenses

Most practices also realize the competitive business advantages, as well as an increase in billable hours, that come as a result of adopting the right technology solutions and choosing the right provider.

However, the stakes are high for law firms.  There are several factors to consider when choosing a provider for your firm.  Like many industries, the legal profession has specialized applications and workflow processes that need to be considered.  Legal professionals also have a unique set of ethical, security, and compliance requirements that must be met and maintained at all times.  Choosing a provider that can’t meet these requirements, or simply doesn’t understand the legal profession, can be disastrous to any firm.

Business and Productivity Risks
  • Downtime
  • Workflow disruption
  • Mismanagement of application deployment
  • Lack of industry knowledge
  • Inaccurately capturing billable hours

Security and Compliance Risks
  • Confidential client data leaked
  • Improperly archiving files
  • Insecure data encryption and transfer
  • Violations of attorney-client privilege
  • Fines or penalties for compliance violations

What to Look for in a Cloud Provider

The checklist below addresses some of the critical areas and requirements that should be considered when evaluating cloud providers for any law firm.  These considerations can greatly reduce the risk of downtime, business operational impacts, security incidents, or compliance failures.

1. Data Center(s) and Infrastructure

Ask the provider about the data center(s) and infrastructure they use to deliver their solutions. A good provider will use best-in-class, enterprise-grade hardware (for servers, storage, network equipment, etc.) and only use data centers that meet the highest industry standards. Using the right data center(s) and infrastructure increases uptime and reliability.

Be cautious of providers who use generic or entry-level hardware, as the components in these machines often fail, which leads to downtime while the components are replaced or your environment is migrated to a new host server.

Make certain that the provider actually owns the equipment that is used to deploy your solution. Many providers are simply small, local IT companies who are reselling or white labeling services from a larger provider. This can lead to problems down the road with managing the solution, controlling ownership of your data, and guaranteeing uptime.

Confirm that the data center(s) used by the provider are top tier and suited to deliver proper uptime and reliability. Ask the provider who owns the data center(s). Make sure that there are multiple upstream providers for internet, redundant cooling, redundant power/generator sources, and proper physical security for the facility. Inquire about the frequency of scheduled maintenance windows and the uptime that is guaranteed.

2. Experienced Provider

Over the last few years, the cloud industry has seen significant growth. There are more and more providers offering various ‘cloud’ services every day. Be sure to choose a provider that has the right industry expertise and experience in deploying, managing, and supporting cloud and infrastructure solutions. It’s not uncommon to see small IT companies start rebranding themselves as a ‘cloud provider’ to try to keep up with the industry.

Choose a reputable provider that has the right industry knowledge and expertise. Not doing so can lead to frequent and long windows of downtime, slow response time for support, and poor customer service.

3. Disaster Recovery Capabilities

Verify the provider can provide the right type(s) of backup and disaster recovery options. A good provider will be able to provide you with everything from daily backups of your data to a full ‘hot site’ that your firm can fail over to in the event of a disaster.

Make sure the provider has geo-redundant locations available for your backup and DR, and ask which location is being used to back up your data.

Ensure the provider can meet your Recovery Time Objective (RTO). RTO is the maximum amount of time allowed between an unexpected failure or disaster and the resumption of normal business operation. Basically, it’s ‘how long can you afford to be down’.

4. Legal Industry Experience

Many providers have no experience providing services to the legal industry. Even if they have the technical expertise and knowledge needed to deploy a solution to other industries, it doesn’t guarantee that they can effectively deliver and support that same solution for law firms.

Be sure to choose a provider who understands the nature, and importance, of the work performed by legal professionals. Attorneys have certain ethical and security standards that must be considered at all times. Understanding the business operations of firms including how they track, manage, and bill for services is critical. The right provider will have experience and expertise in providing services to law firms.

5. Application Management

While many providers may be able to deliver a proper infrastructure solution, many lack the expertise in deploying and managing your firm’s applications. What good is the underlying infrastructure if your firm can’t properly access and utilize its billing, practice management, and other critical applications?

Choose a provider that has a strong knowledge of commonly used legal applications as well as how to best deploy and manage those applications. Often, supporting the application(s) is a shared responsibility between the provider, the firm, and potentially a third party. Be certain to understand how much support and management your provider can deliver for your applications.

6. Solution Methodology

It’s important to choose a provider that can look at your firm, including all areas of operations, and provide a holistic solution. This means evaluating your apps, workflow, business operations, and current and future needs, and designing a solution that takes all of these areas into account.

Many providers only offer ‘cookie cutter’ solutions. That is, they only offer a handful of solutions and try to steer the client towards one of those options.

A good provider will take the time to listen and understand your needs, from the top down, and design and deploy a solution that is unique to your firm’s requirements. Choose a provider that can provide ongoing management of the solution once it’s deployed. Ideally, the provider can offer you flexible options to manage, or co-manage, as much or as little of your environment as you desire.

7. Data Center Locations

Small providers will often only operate out of one location. Often, location matters when deploying cloud solutions. Multiple firm locations, Disaster Recovery standards, compliance requirements, application or latency concerns – these are all factors that should be considered when evaluating providers and data center locations.

Make certain you choose a provider with a large footprint of data center locations.

8. Compliance and Security Requirements

Law firms and attorneys are held to strict security and compliance standards. Meeting and maintaining those requirements often requires assistance. Ideally, the provider you choose will not only provide you with an infrastructure solution that is compliant-ready, but they will also help you understand those requirements and ensure that all policy standards, within the firm’s office, are being followed as well.

Ensure that the provider can provide a solution that meets all regulatory compliance standards, specifically SOC, PCI DSS, HIPAA, and Privacy Shield.

Every day, more and more providers are popping up. A lot of these providers are small, inexperienced companies that are simply reselling or white labeling services from a larger provider. This makes the selection process more difficult. It’s important for law firms to perform due diligence when considering providers and solution types.

Begin by narrowing your search to providers who have experience working with the legal industry and who have a holistic approach to deploying and managing technology solutions. Using the criteria in this checklist will help your firm select the right provider and get the solution that meets your requirements.
