Data centers are doing their part to stem COVID-19 spread by implementing no-entry policies to limit exposure to the contagious virus. Those efforts can leave law firms without direct access to their data. But observers say their data is likely still far safer than if it were hosted at a firm's office.

Starting March 23, international data center Equinix announced its no-entry policies for its U.K., Spain, France, Germany and Italy locations. Visitors, customers, customers' contractors and non-critical Equinix employees and vendors are barred from accessing its offices for anything other than critical and essential work. Only clients with "special permissions" and government-issued critical infrastructure status will be allowed to schedule a visit for "critical and essential work," which the data center didn't define in its blog post.

Equinix pointed to its remote management, installation and troubleshooting support service as a tool clients can use while its no-entry policy, outside of Asia-Pacific, is effective "until further notice."

Steve Cairns, chief technology officer of legal outsource services provider Exigent, argued law firms are better off leveraging data centers with restrictive access. 

"By preventing access I think it happens to add another layer of protection," he said. "In fact, in some ways you may feel it's a safer environment because you don't have other companies allowing their staff in that may breach data."

To be sure, most data centers already limited who could access their buildings and where, noted Cairns and Bell Nunnally & Martin partner Jared Hays.

"Even in normal times, there's really mostly restrictive access," said Hays, whose real estate practice includes transactions involving data centers. He noted most data centers require several levels of approval and security checks, visitor badges and escorted walks to the final destination.

Still, a new no-entry policy should be checked against the client's contract and local statutes regarding limiting access, Hays added.

"There could be liability for a provider in these types of restrictions. I think it's important from the provider's perspective that they word their policies carefully and try to limit the amount they are restricting access to what is only necessary," he said.

While legal rights may vary per jurisdiction and contract, Hays said clients' data doesn't face heightened risk when data centers limit client access. Many cyber risk surveillance and mitigation tools are available to data center employees remotely, he noted.

However, new restrictions and rearranged schedules could eventually lead to malfunctions, Hays warned.

"Where I would be concerned [is] when we are having to delay preventive maintenance and delay inspections. If we are not checking, our hardware might have problems down the road." He added, "If you put that stuff off too long, the risk of electrical and mechanical failure increases because it's not supposed to operate so long without that maintenance."

Still, Cairns argued data centers further restricting access, and encouraging non-critical clients to leverage a portal to remotely assist them, is a practice that will likely outlive any stay-at-home mandate.

"Like Amazon Web Services, the security, fire prevention and air conditioning, we give you a view into it with a portal," he said. "Data centers see that as a model going forward that moves the needle a little more."

However, some law firms may struggle with letting go of the access.

"If you are still old school thinking and you think your IT should manage everything in that building those should be the companies that are worried because you may have to relinquish some of that control," Cairns said.