The myth refuses to die

Many lawyers instinctively prefer local, on-prem systems over the cloud. That instinct is understandable. A server in the office can feel more tangible, more controllable, and somehow safer.

It is often paired with another misconception: law firms are not allowed to use the cloud.

That is not what the Law Society says.

In its Guidance Note 3.4.1 on cloud computing, the Law Society says something quite clear: provided the relevant issues are properly addressed, it has no objection to the use of cloud services. (Amusingly, if you look closely at the link above, the PDF itself is hosted on Amazon Web Services, the pioneer of cloud services.)

That is an important distinction.

The guidance is not saying, “never use the cloud”. It is saying: understand the risks, choose your provider carefully, and put the right contractual and operational safeguards in place.

That matters because the real comparison is often not just about what is allowed. It is about what is cheaper, easier to maintain, easier to change.

Why the guidance sees value in the cloud

It is also fairly direct about the benefits.

Lawyers can work remotely from anywhere with an internet connection. Firms can reduce document-management costs. Because many cloud services are sold on a subscription basis, the cost is spread out rather than paid upfront in one large lump. For smaller firms, cloud services can make it easier to handle large volumes of documents even when support staff and office space are limited.

Furthermore, the guidance says cloud services may provide a level of IT security that meets or exceeds on-premises solutions. It even notes that, depending on a firm’s current practices, “storing documents on the cloud could be more secure than storing them on internal servers or as hardcopies”.

That warning matters. Many lawyers still assume that “local server” means safer and “cloud” means risky. But the guidance specifically cautions lawyers “not to overestimate the risk of unfamiliar technologies and underestimate the risk of existing methods of work”.

The box in the office

Recently, a lawyer told me about his firm’s local server setup.

It had been set up by an external IT provider at a pretty price. But when it was first installed, it had apparently been placed in a cabinet with poor airflow and inadequate heat dissipation.

People came into the office one morning and smelled burnt plastic.

It turned out that the setup had no offsite backup at all. If it had failed, the firm could have lost a very large amount of data.

That story stuck with me because it captures something lawyers often overlook: running your own infrastructure is not just a compliance question. It is an operational one.

Someone has to set it up, maintain it, back it up, and think about hardware failure, fire, theft, access control, recovery, and continuity.

In many small and mid-sized firms, that “someone” is a contractor, an office manager, or simply a setup that nobody has revisited in years.

To be fair, lawyers get into legal practice to practise law, not to become amateur infrastructure engineers. IT resilience is often not what they are most worried about, until the day it becomes the only thing that matters.

The Law Society guidance also makes this point indirectly when it says physical documents and documents stored on internal servers may be lost through theft or fire, and that cloud backups could be a lifesaver in such situations.

If your server is sitting in one office, then your resilience may be sitting in one office too.

What about ransomware?

This is usually the point where someone says: yes, but what about ransomware?

That is a fair concern. But ransomware is not a problem unique to the cloud. It is a backup, recovery, and resilience problem.

If a firm has proper backups and tested recovery procedures, ransomware is far less existential because the data can be restored. If it does not, then “we are on-prem” is not much comfort.

Public reporting on a 2024 ransomware incident affecting a Singapore law firm does not clearly disclose whether the affected system was cloud-hosted or on-premises. But one widely reported clue was the incident involved an ESXi virtualisation platform, which usually points to a self-managed virtual server environment rather than a pure cloud-native SaaS setup like Microsoft 365, OneDrive, or the products we build at Northbridge Lab.

So I would be careful about treating ransomware as an argument against the cloud.

The real cost of staying physical

Some lawyers still pine for the days when everything was simpler and all documents were physical. However, this has its own costs.

One managing partner told me he pays about $5,000 a month in warehouse fees just to store physical files.

That is before you count the time spent retrieving documents, moving boxes around, scanning old files, or dealing with the fact that paper is not searchable.

Lawyers already know file retention is part of the job. It does not mean the files have to stay in paper form.

The Law Society’s Practice Direction 3.12.1 on Storage and Destruction of Documents says that, as a general rule, firms should retain closed files for at least 6 years after the matter is wholly completed, then review whether longer retention is appropriate. For conveyancing files, it gives the same 6-year period from completion of the transaction.

It also makes two practical points relevant to digitisation: a shorter storage period may be agreed with the client if considered carefully, and original documents should not be destroyed without the owner’s prior consent.

Separately, the Law Society’s cloud guidance points to section 70E of the Legal Profession Act as an example of a 5-year retention obligation in the anti-money laundering context, read together with the Legal Profession (Prevention of Money Laundering and Financing of Terrorism) Rules 2015 and the Legal Profession Act, section 70E.

But the broader commercial point remains: if you are required to retain documents, it does not follow that you should retain them in the least searchable, least flexible, and most operationally expensive format.

Who do you trust to run it?

At some point, this becomes a question of trust.

Do you trust a small Singapore IT vendor to run the server in your office, or do you trust Microsoft and AWS to run the underlying infrastructure?

If you build on AWS or Microsoft properly, you are building on infrastructure run by trillion-dollar companies that harden their systems against sophisticated, nation-state level attacks, including nation-state level threats.

Of course, that does not mean everything built on the cloud is secure. Many so-called cloud incidents are really configuration failures by the developer: exposed storage, bad permissions, weak key management, poor monitoring.

That is exactly the distinction that matters. I previously worked on data policy in the Prime Minister’s Office. A big part of the job was encouraging government agencies to move to the cloud because even the Singapore government recognised the security and cost advantages of doing so.

The issue is not whether something is in “the cloud”. The issue is whether the people setting it up actually know what they are doing.

This is what I tell my clients: if my house burns down, the software should continue to run, and you should not lose your data.

Where the upside begins

The real prize is not just cutting costs. It is what happens once the files are digital.

Cloud and digitisation are the prelude. AI is where the real upside is.

Once documents are scanned, stored, and searchable, the practice starts to change. You can work from anywhere. Your team can find things quickly. And AI can read the material, extract from it, and turn piles of paper into something you can actually work with.

That is not just efficiency. It is unlocking new capability. Documents that were previously trapped in a file room become searchable, analysable, and usable.

That is why I think cloud, digitisation, and AI are mutually reinforcing.

That is also why our own software is cloud-first. The basic idea is simple: scan in your documents, store them properly, and let software extract and structure the information so it becomes genuinely usable.

Share

What comes next

The legal industry has already lived through several major technology shifts: first the PC, then email, then the cloud.

Now it is AI.

In a sense, none of this is new. Legal practice today would be completely different without word processing, email, or even Zoom. Each shift raises the baseline expectation for competent practice. We are only at the beginning of the same shift in the AI era.

But that is the thing about rising baselines: you do not really get to opt out.

That is why I do not think this is just a story about storage, or compliance, or where the server sits. I am interested in helping firms take the next step in how legal work gets done.

With the advent of AI, the question is no longer whether law firms are allowed to use the cloud. It is whether they can afford not to.