Last week I wrote on The High Cost of Cloud Computing Due Diligence, and asked readers what thoughts they had on how the burden of cloud computing due diligence could be reduced.
In his post on The Myth of Due Diligence, David Whelan questions the assumption that we should apply stricter due diligence requirements to the cloud than to traditional desktop-based software:
If due diligence is called for – and something is, whether it needs that name or not – then it should apply equally to the wireless routers, operating systems, and locally installed software within law practices. When the concept is applied only to the cloud, it creates the idea that this is somehow a new obligation and, potentially, easier to do with Internet-based systems.
Nate Russell suggests in a comment that one way of addressing the burden of due diligence would be to elevate the task of performing due diligence to a centralized authority:
One way to lessen the burden of due diligence in this context would be if a certifying authority (like a law society or professional association) did due diligence on a number of SaaS providers based on a jurisdiction’s rules or guidelines, and then certified that provider.
Would bar associations and law societies be willing to take this on? For many I imagine the potential liability ramifications would create a lot of inertia for such a project. There would have to be strong demand from the bar association’s or law society’s membership for such an undertaking to get off the ground.
Without the support of an association or other body helping create some economies of scale around the due diligence process, the reality is that most firms, especially solos and small firms, simply won’t undertake the onerous due diligence demands being placed on them. They will do their best to act “reasonably,” as their ethics rules dictate, but they will justifiably question whether it is reasonable to invest tens of hours in screening each and every cloud provider utilized by their law office.