The High Cost of Cloud Computing Due Diligence

An ever-increasing body of ethics opinions and reports on the suitability of cloud computing for lawyers aim to provide guidance that may appear deceptively straightforward. Take the following as an example:

Cloud computing is acceptable, but make sure you first undertake an appropriate level of due diligence on your prospective cloud computing provider.

While this doesn’t appear onerous on the surface, the cumulative expense of performing due diligence on multiple cloud providers could prove to be prohibitive for solo- and small-firm lawyers – the very demographic that benefits most directly from cloud computing.

Take the simple task of reviewing privacy policies as an example. A recent article in The Atlantic highlights a Carnegie Mellon study that demonstrated it would take 608 hours – or 76 work days – to simply read the privacy policy of every website visited by a typical Internet user.

The level of due diligence expected of lawyers examining a cloud computing provider goes far beyond simply reviewing a privacy policy. The Law Society of British Columbia’s Report of the Cloud Computing Working Group, for example, lists over 30 items on its recommended due diligence checklist, including:

  • Lawyers are strongly encouraged to read the service provider’s terms of service, service level agreement, privacy policy and security policy. Lawyers must ensure the contract of service adequately addresses concerns regarding protecting clients’ rights and allowing the lawyer to fulfill professional obligations. Ensure the contract provides meaningful remedies.
  • Will the lawyer have continuous access to the source code and software to retrieve records in a comprehensible form? Consider whether there is a source code escrow agreement to facilitate this.
  • What is the service provider’s business structure?
  • A lawyer should compare the cloud services with existing and alternative services to best determine whether the services are appropriate.

A lawyer considering cloud computing doesn’t just have to review the provider’s legal policies, but also needs to establish access to the provider’s source code (a request virtually all cloud computing providers will reject), perform an audit of the cloud provider’s business structure, and conduct an comparative analysis of the cloud provider’s services to alternative offerings, along with the remaining recommended due diligence items.

Similarly, the recent North Carolina State Bar’s 2011 Formal Ethics Opinion 6 makes the following due diligence recommendations:

  • Inclusion in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
  • If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
  • Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.
  • Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.
  • Evaluation of the extent to which the SaaS vendor backs up hosted data.

Again, nothing is unreasonable here, but the time investment required to comply with these recommendations – especially performing an evaluation of the security safeguards of the cloud computing provider – could take several days.

Imagine if the Carnegie Mellon researchers turned their attention to the time investment being requested of lawyers here: rather than reviewing the average website’s 2,500 word privacy policy in 10 minutes, lawyers are instead being asked to perform an in-depth analysis of virtually every aspect of a prospective cloud computing provider. If properly reviewing privacy policies is untenable for the average Internet user, how can an already too-busy lawyer possibly comply with the due diligence guidelines that are being promulgated?

This isn’t to say that due diligence is a bad idea, but rather to point out that pushing this responsibility to the individual lawyer level can place an unreasonable burden on the lawyer’s time. The simple reality is that most lawyers will at best perform a cursory amount of due diligence, despite what is being recommended by their bar association or law society.

What can we do to lessen the burden of cloud computing due diligence? Let me know in the comments, and I’ll follow up with those suggestion as well as some of my own next week.


  1. It’s great to see analytical frameworks for assessing the ethical impact of different technologies being developed by BC and North Carolina. It’s important for lawyers to know what goes in to a proper analysis. But due diligence does mean more work for lawyers, and as you point out, Jack, there is good cause to be concerned that they will perform this analysis only cursorily.
    Since presumably we are talking about a finite number of SaaS providers, offering solutions to a finite number of jurisdictions, is there any reason why the outcome of one competently produced due diligence report for a service done by or on behalf of one lawyer in a given jurisdiction, could not be reasonably relied upon by another lawyer in the same jurisdiction?
    One way to lessen the burden of due diligence in this context would be if a certifying authority (like a law society or professional association) did due diligence on a number of SaaS providers based on a jurisdiction’s rules or guidelines, and then certified that provider.
    Other systems of trust run on due diligence performed by others: internet certificate authorities (such as VeriSign, essential for online banking security, for one thing), organic and kosher certification for foods.
    Would this not work here in Canada? What if the CBA formed a national committee on cloud computing services and offered due diligence assesments?