LCCA Security Standards

Table of Contents

(SECTION I) SCOPE OF STANDARDS
Standard 1. Scope and Purpose

(SECTION II) PHYSICAL AND ENVIRONMENTAL MEASURES
Standard 2. Location of Data
Standard 3. Certifications
Standard 4. Geographic Redundancy

(SECTION III) DATA INTEGRITY MEASURES
Standard 5. Encryption
Standard 6. Testing
Standard 7. Limitations on Third-party Access
Standard 8. Data Retention Policy

(SECTION IV) USERS AND ACCESS CONTROL
Standard 9. End User Authentication
Standard 10. Addition or Suspension of a User
Standard 11. Tracking
Standard 12. Addition or Deletion of Data
Standard 13. Retrieving Data

(SECTION V) SERVICE AGREEMENT
Standard 14. Terms of Service
Standard 15. Privacy Policy
Standard 16. Uptime Guarantee
Standard 17. Confidentiality
Standard 18. Ownership of Data
Standard 19. Demands for Data
Standard 20. Data Breach
Standard 21. Disaster Recovery

(SECTION I) SCOPE OF STANDARDS

Standard 1. Scope and Purpose

Legal Cloud Computing Association (LCCA) is an organization whose purpose is to facilitate adoption of cloud computing technology within the legal profession, consistent with the highest standards of professionalism and ethical and legal obligations.  The organization’s goal is to promote standards and guidelines for cloud computing that are responsive to the needs of the legal profession and to enable lawyers to become aware of the benefits of computing resources through the development and distribution of educational and informational resources.

(SECTION II) PHYSICAL AND ENVIRONMENTAL MEASURES

Standard 2. Location of Data

LCCA SaaS providers should disclose where data housed in their systems is being stored geographically and be able to restrict its movement so that it remains within a particular country.

Standard 3. Certifications

LCCA SaaS providers should host on reputable cloud services that have obtained one of the following certifications or met similar indicia.  All of the certifications listed are used to gain confidence and place trust in a service organization’s systems.

  1. Type 2 SOC 2 certification: A Service Organization Controls (“SOC”) 2 report evaluates an organization’s information systems as they relate to security, availability, processing integrity, confidentiality, and privacy of a system.
  2. ISO 27001 certification: ISO 27001 is an international standard published by the International Standardization Organization (ISO), and it provides a framework for how to manage information security in a company.  The main philosophy of ISO 27001 is based on managing risks: find out where the risks are, and then systematically treat them.
  3. ISO 27018 certification: ISO 27018 is the first international code of practice that focuses on protection of personal data in the cloud.  It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of Personally Identifiable Information (“PII”) which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

Standard 4. Geographic Redundancy

LCCA SaaS providers must have their data centers in multiple geographic locations in the event of a natural disaster.  The impact of an outage at one data center can be minimized by automatic backup and by redundancy provided by additional data centers.

(SECTION III) DATA INTEGRITY MEASURES

Standard 5. Encryption

LCCA SaaS providers should maintain data encryption protocols covering:

  1. data stored at the data center, and
  2. data transmitted to and from the data center.

Strong encryption may protect data from unauthorized access, copying, modification or other attacks on the integrity and security of the data.

Standard 6. Testing

LCCA SaaS providers should disclose if and how frequently data testing and/or ethical hacking services are being performed on their offering.  Some of the testing methods are listed below.

  1. Vulnerability Scans: A vulnerability scan is the process of identifying and quantifying security vulnerabilities in an environment.  It identifies security flaws based on a database of known flaws, tests a system for the occurrence of these flaws, and provides a report of exposures and the associated level of risk for each confirmed vulnerability.
  2. Penetration Testing: Penetration testing is a simulation of an internal or external attack with the intention of gaining unauthorized access to systems and the data stored within the network.
  3. Static Code Reviews: Static analysis code testing provides an understanding of security issues within program code.  It is a systematic review of the software source code without executing the code.  The main objective of this testing is to find errors in the early stages of the development cycle.
  4. Dynamic Code Reviews: Dynamic code analysis relies on studying how the code behaves during execution.  It monitors system memory, functional behavior, response time and overall performance of the system.  The main objective of this testing is to find and fix any defects.

Standard 7. Limitations on Third-Party Access

LCCA SaaS providers should disclose their policies relating to restricting and allowing third-party access to confidential client data by their cloud service provider and its representatives.

Standard 8. Data Retention Policy

LCCA SaaS providers should disclose their data retention policies.  Additionally, the SaaS providers should take reasonable steps to ensure that when data is deleted from the cloud provider’s environment, the cloud provider has measures in place to ensure the data is no longer available to any entity.

(SECTION IV) USERS AND ACCESS CONTROL

Standard 9. End User Authentication

LCCA SaaS providers should provide appropriate authentication protocols based on the needs of their customers.  Examples include multi-factor authentication, strength of password requirements, certificate-based protocols, device authentication.

Standard 10. Addition or Suspension of a User

LCCA SaaS providers should provide admin users the ability to add users and suspend users, as well as to set limitations on users’ access to information.

Standard 11. Tracking

LCCA SaaS providers should enable the ability to generate detailed audit logs of user activities within their services and disclose the time period they keep such logs.

Standard 12. Addition or Deletion of Data

LCCA SaaS providers should enable end users to add and delete data.

Standard 13. Retrieving Data

LCCA SaaS providers should provide functionality that enables users to retrieve data in a usable, non-proprietary format, and to restore inadvertently deleted data within a reasonable period of time.

(SECTION V) SERVICE AGREEMENT

Standard 14. Terms of Service

LCCA SaaS providers should present clear and understandable Terms of Service.  The Service Agreement should define the LCCA SaaS provider’s performance obligations with clear terms and definitions, demonstrate how performance is measured, and state what enforcement mechanisms are in place to ensure the terms are being met.

Standard 15. Privacy Policy

LCCA SaaS providers should provide a clear and accessible Privacy Policy.  The Privacy Policy should disclose how information supplied to the service is housed, protected, shared, manipulated, or disposed of.  In general, all user information entered into a SaaS application should be treated as confidential, private information that cannot be used by the SaaS provider for any purposes other than support of system integrity and usability objectives.  Furthermore, the SaaS provider should only be permitted to view a user’s private information with that user’s explicit consent.

Standard 16. Uptime Guarantee

LCCA SaaS providers should clearly state their uptime guarantee and the metrics upon which it is based.  Uptime is the amount of time that a server has stayed up and running.  The guarantee must clearly state how uptime is defined and what compensation is due if the uptime promise is not met.

Standard 17. Confidentiality

LCCA SaaS providers should include terms to abide by the duties of confidentiality in the Privacy Policy, thereby ensuring that the online data storage provider has an enforceable obligation to preserve the confidentiality and security of user data.

Standard 18. Ownership of Data

LCCA SaaS providers should provide an explicit recognition of the user’s ownership of the data.  It should be clearly stated that the provider cannot acquire any rights or licenses, including intellectual property rights, to the user’s data.

Standard 19. Demands for Data

LCCA SaaS providers must notify users of demands for their information by third parties as soon as possible, unless the provider is specifically prohibited from doing so by law.

Standard 20. Data Breach

LCCA SaaS providers must notify users of a data breach.  The SaaS provider’s policy covering the time and method of notification should be clearly stated, as well as its standard policies and practices for responding to data breaches.

Standard 21. Disaster Recovery

LCCA SaaS providers have an obligation to maintain accurate, up-to-date and regularly tested recovery and continuity plans for use in the event of a natural disaster or business disruption.
