Standard
A lawyer who uses Cloud Computing services for storing, processing, retrieving or transmitting client data must ensure that reasonable care is taken so that the data is at all times secure and accessible. The service provider and the technology used must support the lawyer’s professional obligations, including compliance with the Nova Scotia Barristers’ Society’s regulatory processes [1], and must comply with applicable privacy legislation, such as the federal Personal Information Protection and Electronic Documents Act (PIPEDA) [2].
NOTES
1 Nova Scotia Barristers’ Society, Code of Professional Conduct, Halifax: Nova Scotia Barristers’ Society, 2012: rule 3.1-2 “Competence”; rule 3.3-1 “Confidential Information”; rule 3.5-1 “Preservation of Client’s Property”; and section 7.1 “Responsibility to the Society and the Profession Generally”.
2 Personal Information Protection and Electronic Documents Act, SC 2000, c 5.
PRACTICE NOTES
Introduction
Cloud Computing, or Software as a Service (“SaaS”), has become ubiquitous in practice. Practice management software, email, file storage – many of these tools rely on cloud computing technologies. “Cloud Computing” means the delivery of computing services – including servers, storage, databases, networking, software, analytics, and intelligence – over the Internet.
The benefits of Cloud Computing include lower upfront costs, reduced need for in-house expertise, and ease of use. However, Cloud Computing does raise significant questions about confidentiality, security, and control of client data stored and processed outside of the traditional brick and mortar law firm.
The question is no longer whether Cloud Computing should be permitted, but what is required of the practitioner who uses this technology.
Jurisdiction
Cloud services involve data storage which is outside of the de facto control of the lawyer responsible for the data. A cloud server will likely be located in a jurisdiction other than the province of Nova Scotia. This brings a risk that the data may not have the same level of legal protection that it would in our jurisdiction. In fact, the data might be backed up on servers all over the world, making the task of due diligence regarding security and confidentiality onerous.
The other side of the jurisdictional problem is that foreign governments may have legislative power of search and seizure that will affect the risk of breach of confidentiality. The USA Patriot Act is an example.
The third issue arising in this context is the Law Society’s ability to enforce an order for the disclosure of a lawyer’s records when those records are stored in another jurisdiction. There is a difference between data disclosure and access. For example, data can be obtained but not accessed if it is encrypted. Encryption is a process of making data unintelligible to anyone who does not hold the password (or the key it protects): without the password, the data can be obtained but cannot be read, which makes it nearly impossible to access in any meaningful sense.
It is possible for lawyers to mitigate the risk of data being accessed by unauthorized parties by using strong encryption on all data being stored or processed in the cloud, installing software updates regularly and establishing email and internet use policies (including the use of strong passwords) within their offices.
Security
When a lawyer entrusts storage of data to a service provider, they entrust the security of that data to that service provider. This delegation of responsibility to a service provider raises questions of both the adequacy of data security at the time of initial storage and whether the level of security is maintained and updated as technology changes.
When deciding which third-party service to engage, the lawyer may choose to provide the service provider with the NSBS Cloud Computing Checklist for Cloud Service Providers. It contains useful technical questions for the service provider to answer. Their answers will indicate whether or not their service is technically robust and can assist the lawyer in assessing compliance with their obligations.
Records Retention and Management
Cloud Computing service providers are companies just like any other – they may cease operations at any time. It is also possible a service provider will suffer a catastrophic loss of infrastructure resulting in loss of data stored on their servers.
Generally, service providers have terms of service that limit their liability with respect to data loss. It is also unlikely that a large company would be willing to sign an escrow agreement with a small or solo practitioner using their service.
Best practice for a lawyer is to back up any data stored in the cloud on a regular basis, and to test the backup periodically. This will ensure that, in the event data is somehow irretrievable from the cloud, the lawyer will be able to go to their backups to restore access to that information.
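A backup that has never been restored is an untested assumption. The script below is an added illustration of the periodic test described above; it is not NSBS or LIANS material and the file tree it uses is constructed for the example. It records a SHA-256 digest for every file in the live data set (the manifest), then checks a restored copy against that manifest and reports files that are missing, altered or unexpected. Running such a check after each trial restore, and keeping the manifest separately from the cloud copy, turns “we have a backup” into evidence that the backup can actually be used.

```python
"""Backup integrity check: build a SHA-256 manifest of a data set, then verify
a restored copy against it.  Added illustration, not NSBS or LIANS code."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/' separated) to its digest."""
    return {
        str(path.relative_to(root)).replace(os.sep, "/"): file_sha256(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest taken from the live data.

    missing   - in the manifest but absent from the restore
    corrupted - present but with a different digest (truncated, altered)
    extra     - present in the restore but not in the manifest
    """
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {"missing": missing, "corrupted": corrupted, "extra": extra}


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny client-file tree and a restore in which one
    file came back truncated and one did not come back at all."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "matter-0001").mkdir(parents=True)
        (live / "matter-0001" / "retainer.txt").write_bytes(b"retainer agreement (constructed sample)")
        (live / "matter-0001" / "notes.txt").write_bytes(b"file notes (constructed sample)")
        (live / "index.csv").write_bytes(b"matter,client\n0001,sample\n")
        manifest = build_manifest(live)  # keep this with the backup, not only in the cloud

        restored = Path(tmp) / "restored"
        (restored / "matter-0001").mkdir(parents=True)
        (restored / "matter-0001" / "retainer.txt").write_bytes(b"retainer agreement")  # truncated
        (restored / "index.csv").write_bytes(b"matter,client\n0001,sample\n")  # intact
        # notes.txt is deliberately absent from the restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

The report for the constructed restore lists `notes.txt` as missing and `retainer.txt` as corrupted; a restore that is fit to rely on produces three empty lists. The same manifest can be re-run against the live data at any time to confirm that nothing has been silently changed between backups.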
Privacy
PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activities. This includes private sector lawyers and law firms. Lawyers should familiarize themselves with this legislation and satisfy themselves that their obligations have been met, particularly with respect to:
- clients’ consent to store data in the cloud;
- safeguards appropriate to the sensitive nature of the data stored;
- transparency regarding data collection and retention processes;
- scheduled destruction of data; and
- reporting obligations in the event of a breach of security safeguards.
How do I ensure I have exercised the appropriate level of due diligence when it comes to Cloud Computing service providers?
There are practical limitations for engaging in due diligence relating to Cloud Computing service providers. Often service providers are large companies and are unlikely to engage with small or medium organizations to assist them with due diligence. However, there are some steps the practitioner can take to fulfill their professional obligations:
- Have the service provider complete the NSBS Cloud Computing Checklist for Cloud Service Providers. This checklist is optional and is not exhaustive; however, it may help lawyers gauge the level of risk associated with engaging the services of a particular third-party service provider.
- Use the NSBS Annotated Law Practice Cloud Computing Checklist to assess the answers provided by the Cloud Service Provider in the completed NSBS Cloud Computing Checklist for Cloud Service Providers. The annotated version is intended to be used only by the Law Practice/Lawyer; it provides comments explaining the importance of the various questions and outlines instances where a “No” answer may be acceptable based on the nature of the service. Where technical issues may impair the lawyer’s ability to assess the risks of the cloud service from the provider’s answers, it may be advisable to consult a computer security expert or managed service provider, particularly if sensitive data is being stored.
- Read the service provider’s terms of service, service level agreement, privacy policy and security policy. Lawyers must take steps to ensure the confidentiality and privilege of their clients’ information is protected. Clear contractual language should be used to accomplish this objective.
- Try to ascertain where the data is stored / hosted. Consider the political and legal risks associated with data storage in foreign jurisdictions. If the jurisdiction where the data is stored poses a risk or uncertainty, any data being stored in the Cloud should be encrypted or otherwise secured. Regardless of whether or not encryption is used, the lawyer must consider whether they can comply with Nova Scotia and federal laws, such as laws governing the collection of personal information, when using third-party service providers.
- Determine how easy or difficult it is to extract the information. Many companies will have an “export” function where all the data in their system can be removed on request and stored locally by the lawyer. This is an important functionality to ensure the lawyer has control over the data stored in the cloud.
- Determine who owns the data. Confidentiality and privilege are rights that lie with the client. Lawyers must ensure ownership of their clients’ information does not pass to the service provider or a third party.
Due diligence is a continuing obligation. Lawyers should strive to remain current on changes in technology that might affect the initial assessment of whether a service is acceptable. Services, and service providers, may become more or less acceptable in light of technological and business changes.
ADDITIONAL RESOURCES
- PIPEDA
- Office of the Privacy Commissioner of Canada – PIPEDA and your Legal Practice
- Cloud Computing resources – LIANS
- Record Retention Standard – LIANS
- Maintenance and Back up of Electronic Data Standard – LIANS
- Cloud Computing Due Diligence Guidelines, Law Society of British Columbia
- The Basics of Cloud Computing, Law Society of Alberta
- Technology Practice Management Guideline, Law Society of Upper Canada
- LSBC, Sample internet and email use policy
- PracticePro, Managing the security and privacy of electronic data in a law office
- PracticePro, Backup best practices and strategies
- Government of Canada, Get Cyber Safe (resources) – including Get Cyber Safe Guide for Small and Medium Businesses (see Appendix A: Cyber Security Status Self-Assessment)
- LIANS, Data protection
- Law Society of Alberta, Computer/Network Security Checklist
- Data Security Policy, Lawyers Mutual
Approved by Council on June 13, 2015; revised January 26, 2024.