First to BC where a committee of the Law Society of British Columbia, under the chairmanship of Gavin Hume, has produced the best and most thoughtful piece on how to practice ethically and effectively using cloud computing. We've referred in the past to helpful work done by the Bar Association in North Carolina and the ABA's 20/20 Commission – see Jack Newton's posts from May and July, as well as Connie's and Omar's take on last week's ABA discussion.
At the Canadian Lawyer, David Paul has a good tip sheet of practical advice on the intelligent use of Google in the practice of law – well worth a close look. Even Slaw readers might pick up a tip or two.
Back to the cloud – to my way of thinking, Gavin's committee has really done us all a service with the clarity and practicality of its analysis.
Recommendation 1: The Law Society should adopt and publish the attached due diligence guidelines for lawyers using third party electronic data storage and processing (see Appendix 1).
Recommendation 2: In order to ensure the Law Society’s regulatory process keeps pace with evolutions in data storage and processing technology, and to ensure the audit process remains robust, the Act and Rules Subcommittee should draft rules that capture the following concepts:
1. Rule 3-68(0.1) should include reference to Rule 3-59 in order to facilitate the Trust Regulation Department auditing and investigation of accounting records;
2. Rule 3-68 should be amended to remove reference to the “chief place of practice” requirement with respect to electronic records, and instead should require that electronic records be made available at the time of request in a format acceptable to the Law Society (the Law Society should publish guidelines as to what the Trust Regulation Department requires as an acceptable format);
3. The general retention period in Rule 3-68(1) should be 10 years from the final accounting transaction;
4. There should be a general rule regarding records in electronic form that gives the Law Society the discretion to accept copies of those electronic records in paper or another form;
5. There should be a general rule regarding records in electronic form that the Law Society has the discretion to require the lawyer to provide the meta data associated with those records;
6. There should be a general rule that requires lawyers to ensure their electronic records are capable of meeting the prevailing electronic discovery standards of a British Columbia superior court;
7. The Act and Rules Subcommittee should determine how to incorporate the following trust rule requirements:
(a) If monthly reconciliations are prepared and stored electronically, the reconciliation must show the date it was completed. Each of the monthly reconciliations must be available with appropriate back up documentation and not overwritten by the system.
(b) If billing records are stored electronically, they must include the creation date as well as any modification dates.
(c) All accounting records must be printable on demand in a comprehensible format (or exported to acceptable electronic format (ie. PDF)) and available for at least 10 years from the final accounting transaction. If the member scans all his supporting documentation such as 3rd party documents like bank statements the full version meaning all the pages front and back even if it is a blank page.
(d) A sufficient “audit trail” must be available and printable on demand in a comprehensible format (this should be a requirement of all accounting software whether it’s in the cloud or a stand-alone program such as ESILAW or PCLAW etc.).
(e) Audit trail transaction reports must be complete, showing all postings into the software with specifically assigned transactions that correspond chronologically with dates etc.
(f) Cash receipts must always be retained in hard copy.
(g) Ability of system to provide creation dates, what changes were made, and how often the documents (i.e. Word, Excel and/or Adobe) were changed. Ensuring that metadata information is not lost when stored on a cloud.
(h) Ability for LSBC to have view only access & printing access to all items stored on cloud (i.e. emails, documents, accounting records) when required. This does not derogate from any rule that allows the Law Society to copy a record or have that record provided on request. The purpose is to allow for a forensic investigation that does not alter the underlying record.
8. There should be a rule that recognizes, in circumstances where the Law Society has had to copy electronic records held by a third party, the Law Society may rely on the copies as best evidence and the onus is on the lawyer to provide a forensic copy of those records if the lawyer wishes to dispute the quality of the evidence.
9. The Act and Rules Subcommittee should consider, as part of future revisions to the Legal Profession Act, amending s. 37 to permit orders for copying or duplication of records, as an alternative to “seizing” records.
Recommendation 3: For the purposes of interpreting Rule 3-68(4), and subject to the other recommendations in this report, if a lawyer ensures through contractual safeguards that custody or control of his or her records does not pass to a third party, the lawyer can use a third party for the storage or processing of those records. If the lawyer is unable to access those records and provide them on demand during an audit or Law Society investigation, however, the lawyer may be found to have lost custody or control of the records, which may lead to disciplinary consequences.
Recommendation 4: In circumstances where the Law Society Rules require a lawyer to either provide the Law Society the lawyer’s records or make copies of the records available to the Law Society, and the lawyer either refuses to comply, or is unable to comply by virtue of having used a service provider that does not make the records available in a timely fashion, the lawyer should be suspended until such time as the lawyer complies with the disclosure requirements under the Law Society Rules. The Act and Rules Subcommittee should consider whether this requires creating a new administrative suspension rule, or proceeding by way of Rule 3-7.1. In circumstances where the lawyer is suspended, the Law Society should consider seeking a court order for a custodianship in order to protect the public and ensure the suspended lawyer’s clients continue to be served.
Recommendation 5: The Law Society should encourage the CBA BC Branch and CLE BC to include as part of future courses on cloud computing (or similar technology), information about the best practices and Law Society Rules.
Recommendation 6: The Ethics Committee should review its ethics opinions regarding the use of third party service providers and update them to address the concerns arising from the use of cloud computing, or similar technology.
Recommendation 7: Law Schools and PLTC should teach students that lawyers have an obligation to ensure their use of technology is consistent with their professional obligations.
Recommendation 8: The Law Society’s Trust Regulation Department, and the Professional Conduct and Investigation Department, when dealing with investigations involving a lawyer who uses cloud computing, should identify circumstances in which the approach proposed in this report is failing to protect the public interest, in the event modifications to the policy and rules are necessary for the Law Society to fulfill its public interest mandate. Because technology will continue to develop, and standards will emerge, it is important to ensure the Law Society keeps pace with these changes, and staff will play an important role in keeping the Benchers apprised of the potential need for amendments to the policies and rules recommended in this report.
Recommendation 9: The Practice Advice group should modify their resources to reflect the recommendations in this report. This may involve creating checklists to better assist lawyers.
Recommendation 10: Because cloud computing is an emerging technology, the Law Society should ascertain whether any lawyers who use cloud computing are willing to have the Trust Assurance Department determine whether their system meets the present requirements, and the investigators determine whether the system meets the requirement for a 4-43 investigation. This would not be for the purpose of endorsing a particular system. It would be for the purpose of identifying any concerns to ensure the Law Society’s auditing program can address cloud computing.
Recommendation 11: Because cloud computing stores records in a manner where the Law Society may not be able to make forensic copies of hard drives, or segregate irrelevant personal information that is stored in the cloud, Rule 4-43 should be amended to make it clear that the process for protecting personal information during investigations is subject to the lawyer using a record keeping system that supports such a process. If lawyers choose to use systems that do not support that process, they do so at their own risk, and the Law Society may end up having to collect or access personal information that is irrelevant to an investigation.
And a very practical due diligence checklist for those considering venturing onto the cloud:
PART A: GENERAL DUE DILIGENCE CHECKLIST
o Lawyers must ensure that the service provider and technology they use support the lawyer’s professional obligations, including compliance with the Law Society’s regulatory processes. This may include using contractual language to ensure the service provider will assist the lawyer in complying with Law Society investigations.
o Lawyers must take steps to ensure the confidentiality and privilege of their clients’ information is protected. Clear contractual language should be used to accomplish this objective.
o Lawyers should try to ascertain where the data is stored/hosted. Consider the political and legal risks associated with data storage in foreign jurisdictions. The lawyer must consider whether he or she can comply with British Columbian and Federal laws, such as laws governing the collection of personal information, when using third party service providers (see Part B).
o Who owns the data? Confidentiality and privilege are rights that lie with the client. Lawyers must ensure ownership of their clients’ information does not pass to the service provider or a third party.
o What happens if the service provider goes out of business or has their servers seized or destroyed?
o On what terms can the service provider cut off the lawyer’s access to the records?
o Will the lawyer have continuous access to the source code and software to retrieve records in a comprehensible form? Consider whether there is a source code escrow agreement to facilitate this.
o How easily can the lawyer migrate data to another provider, or back to desktop applications?
o Who has access to the data and for what purposes?
o What procedural and substantive laws govern the services? What are the implications of this?
o Does the service provider archive data for the retention lifecycle the lawyer requires?
o Are there mechanisms to ensure data that is to be destroyed has been destroyed?
o Ensure the service provider supports electronic discovery and forensic investigation. A lawyer may need to comply with regulatory investigations, and litigation disclosure, in a timely manner. It is essential that the services allow the lawyer to meet these obligations.
o What is the service provider’s reputation? This essentially requires the lawyer to assess the business risk of entrusting records to the service provider. Lawyers should seek out top quality service providers.
o What is the service provider’s business structure? Lawyers must understand what sort of entity they are contracting with as this affects risk.
o Does the service provider sell its customer information or otherwise try and commoditize the data stored on its servers?
o Lawyers should strive to keep abreast of changes in technology that might affect the initial assessment of whether a service is acceptable. Services, and service providers, may become more or less acceptable in light of technological and business changes.
o What security measures does the service provider use to protect data, and is there a means to audit the effectiveness of these measures?
o A lawyer should compare the cloud services with existing and alternative services to best determine whether the services are appropriate.
o If using a service provider puts the lawyer off-side a legal obligation, the lawyer should not use the service. For example, there may be legislative requirements for how certain information is stored/secured.
o Lawyers should establish a record management system, and document their decisions with respect to choosing a cloud provider. Documenting due diligence decisions may provide important evidence if something goes wrong down the road.
o Consider the potential benefits of a private cloud for mission critical and sensitive data, along with information that may need to be stored within the jurisdiction.
With respect to certain trust records, the Trust Regulation Department at the Law Society of British Columbia recommends the following as best practices:
1. All bank reconciliations (for all trust and general bank accounts) should be printed the same date it was completed and stored in hard copy;
2. A full and complete trust ledger should be printed in hard copy at the close of each client file matter and stored in hard copy;
3. A master billings file should always be maintained in hard copy;
4. Have a disaster recovery plan in case the cloud provider shuts down. Regularly back up all files and records in possession of the member. Store backup files in a fire safe, safety deposit box;
5. All Members should print off or export to electronic file (i.e. pdf) all accounting records required by Division 7 Rules on an ongoing basis and store locally;
6. If client files are stored electronically, all key documents supporting transactions and key events on the file must be printable on demand in a comprehensible format (or exported to acceptable electronic format (ie PDF)) and available for at least 10 years from the date of the final accounting transaction.
The Lawyers Insurance Fund notes that there may be data breaches and other risks in using a particular technology, including cloud computing, that may lead to losses by lawyers and clients. These are not risks to which the professional liability insurance policy responds, so lawyers will want to consider the risks and how best to protect themselves as part of their due diligence. Steps that might be taken include:
o A lawyer should obtain informed client consent for the use of the services;
o A lawyer should require the service provider to indemnify the lawyer for any claims the lawyer faces as a result of using the service; and
o A lawyer should consider buying insurance on the commercial market to cover risks such as data breaches.