Many businesses have harnessed cloud computing to improve the way they manage and deliver computing resources. The benefits of cloud computing include cost effectiveness, scalability and accessibility. However, since cloud computing services are provided through a shared pool of computing resources, which often includes the storage and processing of data in third-party data centres, the cloud computing model has inherent risks related to service uptime, records retention, and data privacy and security. Lawyers should approach cloud computing with caution because of these risks, the highly confidential information they hold on behalf of their clients, and their professional responsibilities.
This article sets out some of the cloud computing requirements that lawyers must comply with in BC and issues that lawyers should consider and address before using cloud computing services. Many of the guidelines and best practices set out below are also useful for businesses and professionals outside of the legal industry. Although the BC working group report has been out for some time, the other provinces have so far not chosen to emulate the BC approach. They have instead tended to rely on pre-existing duties of confidentiality rather than attempting to formalize specific rules for cloud services. The BC approach is also relatively restrictive as compared with other jurisdictions which, thus far, have taken a more liberal approach towards regulating the use of cloud services in the legal profession.
Law Society of British Columbia Rules
In 2012, The Law Society of British Columbia (the “LSBC”) published the Report of the Cloud Computing Working Group (the “Report”), an analysis of issues with respect to cloud computing for the legal industry.The Report emphasizes that it is incumbent on lawyers to ensure their use of technology, including cloud services, complies with their professional responsibilities, a point echoed in the recommendations and requirements published by the law societies of other Canadian jurisdictions.
The Report makes recommendations with respect to what to consider before engaging a cloud service provider in order to ensure compliance with lawyers’ professional responsibilities. The Report includes:
- a caution that lawyers’ professional liability insurance in BC will not cover losses suffered by a lawyer or a client as a result of the lawyer’s use of technology, such as losses suffered as a result of a data breach;
- due diligence guidelines for engaging cloud service providers;
- recommendations for a checklist of items to consider before entering into an agreement with a cloud service provider and transferring data;  and
- recommendations for changes to the LSBC rules (the “LSBC Rules”).
The recommended changes to the LSBC Rules were adopted following the release of the Report. The changes bring the engagement of cloud service providers by lawyers within the contemplation of the LSBC Rules.
One of the significant changes to the LSBC Rules relates to records and the security of records. These rules do not distinguish between physical paper storage providers and cloud-based electronic storage providers. A lawyer using either or both must be able to produce printed or electronic records in a comprehensible format on demand and must not alter, without the written consent of the Executive Director, records which they have been required to produce. Lawyers must also ensure that they retain custody and control of their records and ensure that ownership of the records does not pass to another party.In addition, lawyers are responsible for protecting their records and the information therein by making reasonable security arrangements to avoid data losses or breaches. The rules also include a notice requirement, under which a lawyer must notify the Executive Director immediately of all relevant circumstances if the lawyer believes: (a) he or she has lost custody or control of his or her records; (b) records have been accessed improperly; or (c) records have not been destroyed completely and permanently by a third party according to the lawyer’s instructions.
Further, a lawyer is responsible for ensuring that his or her written agreement with a storage provider is consistent with the lawyer’s responsibilities and that his or her storage provider maintains records securely. For instance, the storage provider must not: (a) access records except as necessary to provide service to the lawyer; (b) allow unauthorized access to the records; or (c) fail to destroy records completely and permanently on instructions from the lawyer. The rules also stipulate that the Executive Committee may declare, by resolution, that an entity is not a permitted storage provider and thereby prohibit lawyers in BC from maintaining records of any kind with that entity. As of the date of this post, the LSBC has yet to exercise this authority.
Cloud Computing Checklist
The Law Society of BC developed a practical cloud computing checklist (the “Checklist”) that includes many best practices for dealing with personal information. The purpose of the Checklist is to assist lawyers in evaluating whether a particular service provider satisfies the Law Society of BC’s requirements.
The Checklist encourages potential cloud service users to consider, among other things:
- use of a private cloud, which is designed to offer the same features and benefits of public cloud systems without some of the typical cloud computing concerns such as data control, security, and regulatory compliance;
- encryption of data using a 3rd party encryption product and the compatibility of the 3rd party product with the cloud provider’s product and services;
- data security and responsibility for specific aspects of security, including firewall, encryption, password protection and physical security;
- regulatory requirements, including statutory privacy requirements, retention periods indicated in the LSBC Rules, the ability to produce documents with respect to a LSBC investigation in the form and time prescribed, and the retention of custody over client data;
- adequacy of remedies in the event of data breaches, data loss, indemnification obligations, and service availability failures;
- the cloud provider’s breach notification obligations;
- termination of the services agreement with the cloud provider, specifically as it relates to issues including cost, service level failures (bandwidth, reliability, etc.), data availability after termination, and transition services;
- technical considerations, including compatibility with existing systems, uptime, redundancies, bandwidth requirements, security measures, and technical support service availability; and
- the track record of the cloud services provider (such as uptime, security, support service level, etc).
The above is neither an exhaustive list of applicable considerations nor a complete summary of the Checklist.
In addition to the Checklist, the due diligence guidelines included in the Report (the “Guidelines”) also set out considerations for lawyers contemplating the use of cloud services. The Guidelines encourage lawyers to enter cloud service arrangements with service providers cautiously and thoughtfully. Readers are encouraged to review both the Checklist and the Guidelines before entering into an agreement with a cloud service provider.
In addition to the Checklist, Guidelines and relevant provisions in the amended LSBC Rules, BC lawyers and law firms considering adopting any cloud products (or any other technology products involving access, collection, use, or disclosure of personal information) must ensure that their use of such products complies with privacy legislation applicable to the data under consideration. For instance, a BC lawyer or law firm acting for a BC public body may not be able to engage cloud providers that store information outside of Canada because BC public bodies must ensure that personal information under their control (including personal information under the public body’s control but in the custody of a service provider, such as a law firm) is only stored in and accessed from inside Canada, subject to certain limited exceptions, pursuant to BC’s Freedom of Information and Protection of Privacy Act. Other privacy legislation that applies in BC includes BC’sPersonal Information Protection Act which governs personal information in the private sector and the federalPersonal Information Protection and Electronic Documents Act (to the extent that it applies to federal works, undertakings or businesses that operate in BC).
In Canada, there are a growing number of law firms that are becoming more comfortable with cloud computing technologies. In fact, some mid-sized law firms have moved to cloud solutions. For example, one mid-sized Mississauga law firm consulted with the Law Society of Upper Canada about moving their entire computer system to a cloud service provider and the Law Society of Upper Canada granted approval.
On the international front, a large international firm with offices and over a thousand employees in each of the UK and Australia is currently using cloud solutions for email and CRM data. In the US, many states expressly permit the use of cloud services by lawyers. The use of cloud services by lawyers is also permitted in the UK and Australia.
However, the LSBC rules for use of cloud services are generally more restrictive then the relatively liberal approach taken in other jurisdictions. Therefore, these developments may not be reflective of trends in the legal profession’s use of cloud services in the BC.
The advantages of using cloud computing must be weighed against the potential risks. Although some risks can be managed by engaging a reliable cloud service provider, lawyers must remember that the security of their records remains their responsibility. A lawyer’s use of any cloud computing services should be governed by an agreement that ensures compliance with their professional responsibilities and applicable legislation.