Is the Cloud Safe for Legal AI Tech? "It depends."

As the legal industry continues to embrace the use of artificial intelligence (AI) to improve efficiency and reduce costs, the question of where to host such AI solutions is becoming increasingly important.

While Software-as-a-Service (“SaaS”) offerings in the cloud are a popular choice for many industries, the legal industry has unique requirements that may make it less suitable for AI use. We previously detail where these legal tech requirements come from and what they generally entail, but in this post, we will explore how these requirements impact the choices that organizations make when it comes to “cloud” hosting or “SaaS” solutions.

The Cloud is Just Someone Else’s Computer

First, let’s define what we mean by “the cloud” and “SaaS” this article

The term “cloud” is often used interchangeably with “the Internet,” but in this case, we’ll use it to refer to a specific type of hosting arrangement in which a third-party provider manages one or more computers on behalf of another party. For example, the largest cloud providers today are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), who “rent” out their computing resources to nearly every one of the Fortune 500 companies and millions of smaller businesses around the world.

Fundamentally, the cloud is just someone else’s computer.

The term “SaaS” refers to a specific type of software application that is typically hosted in the cloud by a third-party vendor. In most cases, the software application vendor is not the same party as the cloud provider; instead, the vendor rents computing resources from the cloud provider to host their application. Under this model, the application is typically accessed over the public Internet through a web browser or mobile app.

The SaaS vendor is then responsible for managing the application and its data, while the cloud provider is responsible for managing the underlying computing resources, like hard drives, memory, networking equipment, and the physical data center itself.

In situations like this, compliance with requirements is a shared responsibility between the SaaS vendor and the cloud provider. The SaaS vendor is responsible for managing the application and its data, while the cloud provider is responsible for managing the underlying computing resources. When compliance issues like data residency or data sovereignty arise, the SaaS vendor and the cloud provider must work together to ensure that the application and its data are stored in a compliant manner. A failure on the part of either party could result in a security or compliance failure for the user “downstream.”

Public cloud and SaaS both stand in contrast to traditional on-premises hosting, where the application is installed on servers that are owned and managed by the user. In this case, the application can often be accessed over the public Internet, but it may also be restricted to a private network via VPN or local area network for sensitive matters. In this case, the security and compliance of the application and its data are still shared with the application vendor, but the user has substantially more control and transparency into the details.

From a risk management perspective, both cloud-hosted SaaS and on-premises hosting involve deploying software on a computer and making this software available over a network. The relative advantages and disadvantages of each approach boil down to trade-offs between control, transparency, and convenience, and at the end of the day, the question can typically be reduced to the following:

Are the application vendor and cloud provider managing the application and computing resources in a way that satisfies your requirements as a law firm or legal department?

Requirement Recap

In our previous article, we identified ten common types of requirements that law firms and legal departments typically encounter when evaluating new technology. These requirements include:

1. Rules that relate to data “at rest”
2. Rules that relate to data in transit
3. Rules that relate to data processing
4. Rules that relate to data retention or deletion
5. Rules that relate to business continuity or disaster recovery
6. Rules that authentication or authorization
7. Rules that relate to audit or reporting
8. Rules that relate to personnel
9. Rules that relate to third-party vendors
10. Rules that relate insurance or risk management

Common Solutions

Once you have identified the requirements that apply to your organization, both generally and in the context of specific clients, matters, or projects, you can begin to identify potential solutions. While the specifics may vary based on the requirements you have identified, there are a few common strategies that law firms and legal departments typically use to address these requirements. These include:

1. Standardized Contracting

Standardized contracting is a common strategy for addressing requirements as they relate to technology and data. For example, a law firm or legal department may use standardized contracts to ensure that all third-party vendors are required to comply with specific requirements. This approach can dramatically simplify the process of understanding and addressing requirements, as it typically shifts the burden of compliance to the third-party vendor to comply with the requirements, justify their non-compliance, or negotiate an acceptable alternative.

2. Policies and Procedures

Comprehensive policies and procedures are frequently utilized as a means of addressing how data and technology are to be procured, utilized, and configured. Legal departments and law firms often require personnel to comply with all applicable policies and procedures, but in some instances they may require that vendors comply with them as well. Requiring adherence to your organization’s own policies and procedures helps ensure overall compliance and shifts the burden of determining whether a vendor meets these requirements, as it generally entails self-attestation on the vendor’s part.

The actual implementation of a “pass-through” requirement of policies and procedures to a vendor is frequently achieved through contractual terms; rather than using standardized terms, as discussed in the contracting strategy above, firms may instead refer to compliance with a subset of policies and/or procedures as an obligation of the vendor and include those relevant documents as an exhibit in the contract.

3. Audits and Assessments

Audit rights and/or assessments of vendors are frequently addressed in contracts. If present, these clauses may state that the “buyer"" has the right to audit a vendor to ensure compliance with specific requirements or they may refer to independent third-party assessments of the vendor (such as a SOC 2 audit or ISO 27001 certification) for which documentation may be made available. Many law firms and legal departments may combine these audits with security questionnaires or other forms of due diligence as part of the vendor procurement process.

In some cases, organizations may negotiate the right to engage their own third-party consultants, such as information security specialists, to audit or assess the vendor. This approach can be more effective than standardized contracting or policies and procedures, as it typically allows the law firm or legal department to engage in a more detailed analysis of a vendor’s compliance (although the value of the analysis and/or attestation/certification depends on the quality of the standards and the assessor). However, it can also be more expensive and time-consuming, as it generally requires that internal or external resources be allocated to conduct the audit or assessment; as a result, many firms opt for vendor-provided attestation and certification.

4. Private or Hybrid Cloud Hosting

For larger law firms and legal departments, it is almost inevitable that global laws and rules will create conflicts between the requirements that apply to different clients, matters, or projects. For such organizations, it is often necessary to use a private or hybrid cloud hosting solution to address these conflicts. For example, many organizations combine technology like VMWare virtualization on their own physical servers with cloud hosting solutions like Amazon Web Services (AWS) or Microsoft Azure. This approach can be effective, as it allows organizations create retain control over data and processing while still taking advantage of the convenience and scalability of AWS or Azure.

The primary downside of this approach is that many smaller legal technology vendors do not support private or hybrid cloud hosting, as they may only offer public cloud “Software as a Service” (SaaS) solutions. As a result, larger, more global organizations are often forced to exclude such SaaS-only vendors from more sensitive matters or projects.

The Kelvin Legal Data OS is designed to support such organizations, as it can be deployed on-premise or in a private/hybrid cloud environment, including fully-airgapped environments. You can read more about frequently-asked questions related to Kelvin’s legal and compliance capabilities here.

Conclusion

In conclusion, it is important to remember that there is no “one size fits all” solution for addressing the requirements that apply to your organization. Instead, you must carefully evaluate your organization’s unique requirements as they fit each use case, and then identify the best solution for each use case.

While there are multiple approaches to managing the pros and cons of “cloud” solutions, larger organizations often find that a hybrid approach based on private/hybrid cloud hosting is the most effective way to address the requirements that apply to their organization. However, as the regulatory landscape and economics around AI and the cloud continue to evolve, it is important even for smaller organizations to future-proof their AI technology strategy by ensuring that they have the flexibility to adapt to changing requirements.

---