A lawyer who uses Cloud Computing services for storing, processing, and retrieving client data must provide that reasonable care is taken to ensure that the data is at all times secure and accessible. The service provider and the technology used must support the lawyer’s professional obligations, including compliance with the Nova Scotia Barristers’ Society’s regulatory processes.1
1 Nova Scotia Barristers’ Society, Code of Professional Conduct, Halifax: Nova Scotia Barristers’ Society, 2012: rule 3.3-1 “Confidential Information”; rule 3.5-1 “Preservation of Client’s Property”; and section 7.1 “Responsibility to the Society and the Profession Generally”.
Cloud Computing, or Software as a Service (“SaaS”) has become an integral part of commerce throughout the world, and lawyers stand to gain from these opportunities as much as anyone. On the one hand, the outsourcing of data storage and software management can unburden the practitioner from many of the difficulties of traditional technology solutions by reducing upfront costs, reducing the need to engage in-house expertise and allowing greater ease of use. At the same time, the new technologies raise significant questions about confidentiality and security of client data stored outside of the traditional brick and mortar law firm.
It is fair to say that the question is no longer whether Cloud Computing should be permitted, but what limitations and safeguards are appropriate for lawyers in Nova Scotia.
Development of a Standard
Reference needs to be made to the work done by the Law Society of British Columbia in their Report of the Cloud Computing Working Group. This report is an exhaustive work, particularly on the analysis of the issues facing a Law Society, and while the report may be criticized for being overly demanding in its recommendations, a summary of the analysis of that work serves as a guide for the type of considerations which lawyers must make in taking reasonable care in the use of Cloud Computing. The following is an example of a succinct statement of responsibility which is typical of what has been accepted, in this case by the Vermont Bar:
Vermont attorneys may use SaaS systems for storing, processing, and retrieving client property, as long as they take reasonable precautions to ensure the property is secure and accessible. The nature of the precautions depends on the circumstances. The ability to engage in Cloud Computing is not limited by the specific location of the remote server, although some of the factors noted above, including choice of law clauses, and concerns about access to data in the event of a service interruption or an emergency, may be implicated by the location of the storage server and the extent of backup service provided by the vendor.
The Law Society of BC report similarly provides for General Due Diligence Guidelines as follows:
Lawyers must ensure that the service provider and technology they use support the lawyer’s professional obligations, including compliance with the Law Society’s regulatory processes. This may include using contractual language to ensure the service provider will assist the lawyer in complying with Law Society investigations.
The benefits to be derived from cloud computing are fairly straightforward and it can be assumed that members of the NSBS are using, or will be using such services. If reasonable care or reasonable precaution is the standard to which members should be held in doing so, a clear statement of the main issues is essential.
Cloud services by definition involve data storage which is outside of the de facto control of the lawyer responsible for the data. That server could easily be located in a jurisdiction other than the province of Nova Scotia (and likely will be). This brings an inherent risk that the data may not have the same level of legal protection that it would in our jurisdiction. In fact, the data might very well be backed up on servers all over the world, making the task of due diligence regarding security and confidentiality onerous.
The other side of the jurisdictional problem is that foreign governments may have legislative power of search and seizure that will affect the risk of breach of confidentiality. The USA Patriot Act is an example.
The third issue arising in this context is the Law Society’s ability to enforce an order for the disclosure of a lawyer’s records when those records are stored in another jurisdiction.
When a lawyer entrusts storage of data to a service provider, he or she entrusts the security of that data to that service provider. This delegation of responsibility to a service provider raises questions of both the adequacy of data security at the time of initial storage and whether the level of security is maintained and updated as technology changes.
Records Retention and Management
What happens if the service provider goes bankrupt? Will some form of escrow agreement be sufficient to allow the lawyer to get the records back from a trustee in bankruptcy? And even if the data is retrievable, will it be usable without the software now belonging to the trustee? Will it be retrievable within the time frame required by the Bar Society?
Due Diligence Guidelines
With the cloud computing issues in mind and with a practice standard requiring reasonable care, guidelines such as the following (which have been adapted from the Law Society of BC report of the Cloud Computing Working Group) must be considered:
a) Lawyers must take steps to ensure the confidentiality and privilege of their clients’ information is protected. Clear contractual language should be used to accomplish this objective.
b) Lawyers should try to ascertain where the data is stored / hosted. Consider the political and legal risks associated with data storage in foreign jurisdictions. The lawyer must consider whether he or she can comply with Nova Scotia and Federal laws, such as laws governing the collection of personal information, when using third-party service providers.
c) Does the lawyer have the right to approve in advance any transfer of data to another province or country?
d) Who owns the data? Confidentiality and privilege are rights that lie with the client. Lawyers must ensure ownership of their clients’ information does not pass to the service provider or a third party.
e) Who at the service provider will have access to the data and will there be different levels of access? Does the service provider screen its employees?
f) What happens if the service provider goes out of business or has their servers seized or destroyed?
g) If there is a data breach, will the lawyer be notified? How are costs for remedying the breach allocated?
h) On what terms can the service provider cut off the lawyer’s access to the records? What rights do you have in the event of a billing or similar dispute the provider? Do you have the option of having your data held in escrow by a third party, so that it is fully accessible in the event of a dispute? Alternatively can you backup your data locally so that it is accessible to you should you need it?
i) Will the lawyer have continuous access to the source code and software to retrieve records in a comprehensible form? Consider whether there is a source code escrow agreement to facilitate this.
j) How easily can the lawyer migrate data to another provider, or back to desktop applications?
k) What procedural and substantive laws govern the services? What are the implications of this?
l) Does the service provider archive data for the retention lifecycle the lawyer requires?
m) Are there mechanisms to ensure data that is to be destroyed has been destroyed?
o) Ensure that the service provider supports electronic discovery and forensic investigation. A lawyer may need to comply with regulatory investigations, and the litigation disclosure, in a timely manner. It is essential that the services allow a lawyer to meet these obligations.
2. What is the service provider’s reputation? This essentially requires the lawyer to assess the business risk of entrusting records to the service provider. Lawyers should seek out top-quality service providers.
3. What is the service provider’s business structure? Lawyers must understand what sort of entity they are contracting with as this affects risk.
4. Does the service provider sell its customer information or otherwise try and commoditize the data stored on its own servers?
5. Lawyers should strive to keep abreast of changes in technology that might affect the initial assessment of whether a service is acceptable. Services, and service providers, may become more or less acceptable in light of technological and business changes.
6. What security measures does the service provider use to protect data, and is there a means to audit the effectiveness of these measures? How good are the provider’s backup policies and procedures?
7. A lawyer should compare the cloud services with existing and alternative services to best determine whether the services are appropriate.
8. If using a service provider puts the lawyer offside a legal obligation, the lawyer should not use the service. For example, there may be legislative requirements for how certain information is stored/secured.
9. Lawyers should establish a record management system, and document their decisions with respect to choosing a cloud provider. Documenting due diligence decisions may provide important evidence if something goes wrong down the road.
10. Consider the potential benefits of a private cloud for mission critical and sensitive data, along with information that may need to be stored within the jurisdiction.
This is an extensive list of steps to be taken in considering the retention of a service provider and, if one is shopping, the due diligence is multiplied by the number of potential suppliers being considered. Any such list can only serve as a guide as additional questions may be appropriate given the facts of a particular situation. Finally, reasonable care with respect to the use of technology will be subject to change at a rate linked to the change in the technology itself.
- Cloud Computing resources – LIANS
- Record Retention Standard – LIANS
- Maintenance and Back up of Electronic Data Standard – LIANS
- Cloud Computing Checklist, Law Society of British Columbia
- Cloud Computing Due Diligence Guidelines, Law Society of British Columbia
- Report of the Cloud Computing Working Group, Law Society of British Columbia, January 27, 2012
- Technology Practice Management Guideline, Law Society of Upper Canada
- LSBC, Sample internet and email use policy
- PracticePro, Managing the security and privacy of electronic data in a law office
- PracticePro, Backup best practices and strategies
- Government of Canada, Get Cyber Safe (resources) – including Get Cyber Safe Guide for Small and Medium Businesses (see Appendix A: Cyber Security Status Self-Assessment)
- LIANS, Data protection
- Law Society of Alberta, Computer/Network Security Checklist
- Data Security Policy, Lawyers Mutual
Approved by Council on June 13, 2015