(SECTION II) PHYSICAL AND ENVIRONMENTAL MEASURES
Standard 2. Location of Data
Standard 3. Certifications
Standard 4. Geographic Redundancy
(SECTION III) DATA INTEGRITY MEASURES
Standard 5. Encryption
Standard 6. Testing
Standard 7. Limitations on Third-party Access
Standard 8. Data Retention Policy
(SECTION V) TERMS OF SERVICE AND PRIVACY POLICY
Standard 14. Terms of Service
Standard 15. Privacy Policy
Standard 16. Uptime Guarantee
Standard 17. Confidentiality
Standard 18. Ownership of Data
Standard 19. Demands for Data
Standard 20. Data Breach
Standard 21. Disaster Recovery
Legal Cloud Computing Association (LCCA) is an organization whose purpose is to facilitate adoption of cloud computing technology within the legal profession, consistent with the highest standards of professionalism and ethical and legal obligations. The organization’s goal is to promote standards and guidelines for cloud computing that are responsive to the needs of the legal profession and to enable lawyers to become aware of the benefits of computing resources through the development and distribution of educational and informational resources.
LCCA SaaS providers should disclose where data housed in their systems is being stored geographically and be able to restrict its movement so that it remains within a particular country.
LCCA SaaS providers should host on reputable cloud services that have obtained one of the following certifications or met similar indicia. All of the certifications listed are used to gain confidence and place trust in a service organization’s systems.
LCCA SaaS providers must have their data centers in multiple geographic locations to withstand a natural disaster. The impact of an outage at one data center can be minimized by automatic backup and by redundancy provided by additional data centers.
LCCA SaaS providers should maintain data encryption protocols covering:
Strong encryption may protect data from unauthorized access, copying, modification, or other attacks on the integrity and security of the data.
LCCA SaaS providers should disclose if and how frequently data testing and/or ethical hacking services are being performed on their offering. Some of the testing methods are listed below.
LCCA SaaS providers should disclose their policies on restricting and allowing third-party access to confidential client data by their cloud service provider and its representatives.
LCCA SaaS providers should disclose their data retention policies. Additionally, the SaaS providers should take reasonable steps to ensure that when data is deleted from the cloud provider’s environment, the cloud provider has measures in place to ensure the data is no longer available to any entity.
LCCA SaaS providers should provide appropriate authentication protocols based on the needs of their customers. Examples include multi-factor authentication, password strength requirements, certificate-based protocols, and device authentication.
LCCA SaaS providers should give administrative users the ability to add and suspend users, as well as to place limits on users' access to information.
LCCA SaaS providers should be able to generate detailed audit logs of user activity within their services and should disclose how long they retain such logs.
LCCA SaaS providers should enable the end user to have the ability to add and delete data.
LCCA SaaS providers should provide functionality that lets users retrieve their data in a usable, non-proprietary format and restore inadvertently deleted data within a reasonable period of time.
LCCA SaaS providers should present clear and understandable Terms of Service. The Service Agreement should define the provider's performance obligations with clear terms and definitions, show how performance is measured, and state what enforcement mechanisms are in place to ensure the terms are met.
LCCA SaaS providers should provide a clear and accessible Privacy Policy. The Privacy Policy should disclose how information supplied to the service is housed, protected, shared, manipulated, or disposed of. In general, all user information entered into a SaaS application should be treated as confidential, private information that cannot be used by the SaaS provider for any purpose other than supporting system integrity and usability objectives. Furthermore, the SaaS provider should only be permitted to view any of a user's private information with that user's explicit consent.
LCCA SaaS providers should clearly state their uptime guarantee and the metrics on which it is based. Uptime is the amount of time that a server has stayed up and running. The guarantee must clearly state how uptime is defined and what compensation is due if the uptime promise is not met.
LCCA SaaS providers should include terms in the Privacy Policy committing them to the duties of confidentiality, thereby ensuring that the online data storage provider has an enforceable obligation to preserve the confidentiality and security of user data.
LCCA SaaS providers should provide an explicit recognition of the user's ownership of the data. It should be clearly stated that the provider cannot acquire any rights or licenses, including intellectual property rights, to the users' data.
LCCA SaaS providers must notify users of third-party demands for their information as soon as possible, unless the provider is specifically prohibited from doing so by law.
LCCA SaaS providers must notify users of a data breach. The SaaS provider's policy covering the time and method of notification should be clearly stated, as should its standard policies and practices for responding to data breaches.
LCCA SaaS providers have an obligation to maintain accurate, up-to-date, and regularly tested recovery and continuity plans for use in the event of a natural disaster or business disruption.