Cloud based computing and Canadian Law: What matters for lawyers
Lawyers are pretty interested in privacy matters. In fact, many lawyers are experts in the area of privacy. That’s why as practice management service providers in the cloud, we get so many questions about privacy and security as it relates to the use of cloud-based applications.
As with any other business these days, totally abstaining from the cloud is not an option. Such an approach would put a legal practice at a severe disadvantage in comparison to competitors. The cloud just has too much to offer in terms of cost, convenience and capability. The legal profession’s response then, from both the various legal societies across the nation and the individual legal firms within each jurisdiction, has been to review Canadian law with respect to privacy, set some guidelines for use and carry out due diligence when it comes to selecting specific online services.
The legal framework in Canada, at least for the private sector, is The Personal Information Protection and Electronic Documents Act (PIPEDA) and the 2015 follow up, the Digital Privacy Act, which amends PIPEDA to introduce mandatory data breach notification requirements. Alberta, British Columbia and Quebec have their own private sector privacy laws that are “substantially similar” to PIPEDA but in terms of cloud usage where data is crossing Provincial boundaries, both the provincial law and PIPEDA apply. There is a good summary of the provisions within PIPEDA and the Digital Privacy Act here
Whatever system you’re using for practice management is certainly subject to the personal data protection obligations set out by PIPEDA. Accordingly, the provider is required to implement safeguards that are appropriate based on the sensitivity of the data. These kinds of safeguards should include physical, technical and administrative controls to prevent loss of the data, unauthorized access to it, or its modification or disclosure.
When our clients or prospective clients ask us about these privacy issues, this is what they have in mind.
Regardless of what service provider you are thinking about, you will want to carry out some due diligence. In particular, you will want to ensure that the service provider and technology they use support your professional obligations and are in compliance with your Law Society’s regulatory processes. As an example, when we were designing the uLawPractice service offer we relied upon guidelines issued by the Legal Society of British Columbia, who at the time appeared to be the thought leaders in this topic. You can and should download their cloud computing checklist and due diligence guidelines here.
We get a lot of questions, and they all have to do with remote data storage, security of records, custody or control of records, records retention and authorized access. Here is our reply:
Remote Data Storage
Remote data storage and processing are not new phenomena, as lawyers have been using record storage service companies for some time: warehousing boxes of hard copy documents, mainframe computing technology and email transfers across third-party systems are common examples.
Many issues will be the same when it comes to records stored in a warehouse and records stored on third-party servers: the issue is trust and security. The key difference in the case of networked computing is that once records are networked the risks change, and accordingly the steps taken to avoid a breach are different. Your practice management service provider should automatically encrypt all data in motion between your access device (mobile or fixed) and their servers. The level of encryption should be the same as what Canadian banks use to protect their customers’ financial data. For a Canadian practice, the server location should be in Canada to preserve data sovereignty.
Security of Records
We are defining security here as the protection of data from accidental or malicious modification, destruction or disclosure. To make it clear, every organization, no matter how security conscious, is at some risk. There is no guaranteed defense against every conceivable accident or malicious act affecting an organization’s information assets. In signing up for a practice management service, you, the client, share in the responsibility of protecting your information. The most prevalent causes of security breaches have been user errors: insecure passwords (“1234” or “password”, for example), improper password management (sticky notes under the keyboard), unattended logged-on access terminals and use of public WiFi facilities. Your service provider’s share in the responsibility of securing your information is as follows:
- The service provider provides the capability for the client to determine what type of data is accessible by what type of user within the client organization. For example, the lawyer may choose to limit what an admin staff member or accountant can see and do in the system.
- The application encrypts the data when it is in transit.
- The service provider firewalls the server infrastructure, filtering not only on access credentials but also on the location of the access request and the frequency of requests. If the access request were coming from Europe or Asia, access should be denied unless the client has told the provider in advance that for a period of time access requests from particular locations should be honoured. Likewise, if the pattern of access requests is such that they could be machine created (a distributed denial of service attack, for example), these requests can be turned aside without disrupting legitimate service requests.
- Client data should be stored in more than one place at the same time. The service provider should automatically run incremental backups on the hour (incremental in that data changed in the past hour is backed up, such that in the event of a total crash a maximum of 1 hour of transactions would be lost). The service should also run a full backup (all data, changed or not) once every 24 hours.
- Redundancy: multiple servers should be in play at all times. The traffic load is balanced among these servers. In the event of a server failure, or even a decline in server performance, service is automatically picked up by other synchronously operating servers in the architecture. System availability of typical cloud-based services is far better than what is normally achieved by private in-house systems. You would want a service designed to allow no more than 15 minutes per year of planned outage. Actual performance is typically better than this and your service provider should be able to show you the operational data. If there is to be a planned maintenance outage, clients should be notified in advance, with the outage scheduled for a typically low traffic period: Sunday midnight to 3:00PM Eastern Standard Time, for example.
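The location and frequency filtering described in the firewall item above can be sketched as follows. This is an added example, not the provider's own code: the class, the thresholds and the sample requests are hypothetical, and the country of each request is assumed to have been resolved upstream (for instance by a GeoIP lookup).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

HOME_COUNTRY = "CA"             # assumption: the practice normally connects from Canada
MAX_REQUESTS = 20               # assumption: more than this per window looks machine-made
WINDOW = timedelta(seconds=10)  # assumption: sliding window for the frequency check

class AccessFilter:
    def __init__(self):
        self.exceptions = {}               # client -> [(country, start, end)]
        self.recent = defaultdict(deque)   # source IP -> timestamps of recent requests

    def allow_travel(self, client, country, start, end):
        """Record a client's advance notice that a location is valid for a period."""
        self.exceptions.setdefault(client, []).append((country, start, end))

    def decide(self, client, src_ip, country, now):
        """Return 'allow', 'allow:exception', 'deny:rate' or 'deny:location'."""
        q = self.recent[src_ip]
        q.append(now)
        while q and now - q[0] > WINDOW:   # drop timestamps that left the window
            q.popleft()
        if len(q) > MAX_REQUESTS:          # a flood is turned aside whatever its origin
            return "deny:rate"
        if country == HOME_COUNTRY:
            return "allow"
        for exc_country, start, end in self.exceptions.get(client, ()):
            if exc_country == country and start <= now <= end:
                return "allow:exception"   # pre-authorised, and still inside the period
        return "deny:location"

def demo():
    # Constructed sample requests; the IPs come from documentation address ranges.
    f = AccessFilter()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    f.allow_travel("firm-a", "FR", t0, t0 + timedelta(days=7))
    results = [
        f.decide("firm-a", "203.0.113.5", "CA", t0),                        # home country
        f.decide("firm-a", "198.51.100.7", "FR", t0 + timedelta(days=1)),   # inside period
        f.decide("firm-a", "198.51.100.7", "FR", t0 + timedelta(days=8)),   # period expired
        f.decide("firm-b", "198.51.100.9", "FR", t0 + timedelta(days=1)),   # no notice given
    ]
    burst = [f.decide("firm-a", "203.0.113.66", "CA",
                      t0 + timedelta(milliseconds=100 * i)) for i in range(25)]
    return results, burst
```

The expired-exception case matters in practice: a travel window that is never closed quietly turns into a permanent hole in the location rule.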
Custody or control of records
- The fact that records are stored with a third party does not necessarily mean that the lawyer has lost custody of them. It really depends on what the third party is able to do with the records and what their responsibilities are. The terms of service will be outlined on the service provider’s website. A private computing cloud can actually better support the concept of custody by the lawyer than a public cloud such as various web-based email services where the storage is commingled with other records. However, the fact that the safekeeping, care, protection and preservation of client data rests with your service provider during the provision of service does imply that you and the service provider jointly have data custody.
- Your service provider should clearly state in their privacy policy that the client owns his data.
Records Retention
- Lawyers have record retention obligations. Some of these are driven by limitation periods, which will mean that different files have to be retained for different periods of time. Our understanding is that a lawyer may have retention obligations of 10 years with respect to trust records. As long as you are using the uLawPractice service we will retain your data. Should you terminate your service, you are responsible for downloading your data and for retaining, maintaining and securing it in any way you see fit. We give you 30 days to complete this and will extend the period on your request. When your data is downloaded, it will be in a file format recognizable to you (.csv) and you will not require the uLawPractice application to read the data. Once you confirm to Superfluid Software Inc that you have your data we will wipe the files and no one, not even our own staff, will be able to retrieve the wiped files.
Authorized Access
- The client determines who has access to his data. Your service provider would not normally see your data unless you have authorized him to do so, in a tutorial or troubleshooting situation, for example, where he is sharing screens with you.
- A cloud-based service to the legal firm can have serious implications for regulatory bodies. If the Law Society requires access to a lawyer’s data held by the cloud service, the Law Society would require the lawyer to provide the access credentials and navigational instructions necessary to locate the records in question. Unless compelled to do so by law, your service provider would not provide access to client records without the client’s express permission.
So as you can likely tell, security in the cloud is particularly important in the realm of practice management and legal accounting. We focus on delivering affordable digital tools to lawyers in order to automate, assist and revolutionize these processes in the world of 21st-Century computing. Security in the cloud is highly important, and we take it seriously.
We suggest you try out a free 30 day trial of our audit-proofing software suite.