Did the LSBC Just Kill Cloud Computing for Lawyers in BC?
As a frequent public speaker, I’ve seldom found myself speechless on stage, however, last week I stood in front of an audience of over 200 lawyers in stunned silence for the first time in recent memory. I did so after the Law Society of British Columbia (LSBC) President, Jan Lindsay, boldly pronounced that, in no uncertain terms, BC lawyers are prohibited from using US-based cloud computing providers.
To set the stage, let me rewind to Friday, November 14. I was invited to talk at the CBABC Annual Meeting in Scottsdale, AZ. My topic, “The Security and Ethics of Cloud Computing,” was one I’ve presented on dozens of times at various law society and bar association meetings and conferences across North America.
The primary goal of this talk is to inspire lawyers to embrace technology – in particular cloud technology – not only to make their practices more efficient, ethical and effective, but to deliver superior and differentiated service to their clients. I also spend some time outlining the state of ethics opinions relating to cloud computing, and the due diligence some of those opinions require.
At the conclusion of my presentation, one of the attendees asked if the LSBC has given its blessing to Dropbox as a document storage tool. I replied by citing Appendix 1 of the LSBC Cloud Computing Report and the LSBC Cloud Computing Checklist, both of which provide guidance for BC lawyers looking to undertake due diligence on a cloud provider. “For better or worse, there’s no black-and-white or pre-authorized list of providers from the LSBC, you’ll need to perform your own due diligence and reach your own conclusions about the suitability of a given provider,” I stated.
This is where, from the back of the room, an attendee stood up and stated (roughly, to paraphrase): “I am Jan Lindsay, President of the Law Society of BC. This is black and white: BC lawyers are prohibited from using non-BC-based cloud computing providers, including Google and Dropbox.”
I’m sure I stared back at Ms. Lindsay for ten or twenty seconds, completely dumbfounded by her statement. In my role as President of the Legal Cloud Computing Association and co-founder and CEO of the first cloud-based practice management system, I pride myself of staying abreast of cloud computing developments, especially relating to ethics issues at the Law Society and Bar Association level. Ms. Lindsay’s statement took took me by complete surprise, and left me feeling both embarrassed and disappointed that I’d wasted an hour of my audience’s time.
“Is this a new development?” I asked.
“It is a new ruling as of October 31st,” Ms. Lindsay replied.
On that devastating note, my talk ended. One audience member live-tweeting my talk aptly described Ms. Lindsay’s statement as a “bombshell.” As I left the stage, a dozen or so of the 200+ attendees approached me, deeply concerned by this development. One was a loyal Dropbox user, who heavily relied on its data syncing and backup capabilities to access his practice data from any device. Another was a Clio user, who asked me if she’d have to cancel her subscription to the practice management system she’s been depending on for the last three years (disclosure: I am a co-founder of Clio). Everyone had questions about this new ruling, but I had no answers.
I returned to my hotel room and spent the next two hours poring over the Bencher’s Agenda and Minutes from the October 31st, 2014 meeting I presume Ms. Lindsay had referred to. While the topic of cloud computing is addressed (see pp51-118), the proposed amendments to the Law Society rules appear to make cloud computing more acceptable for BC lawyers by altering Rule 3-59 and 3-68 to accommodate electronic (cloud-based or otherwise) record-keeping, and adding rules 10-4 and 10-5, to offer guidance on the duties a lawyer needs to meet when using cloud services. I could find no reference to the prohibition of non-BC-based cloud providers.
There are several redacted sections of the Bencher’s Agenda and Minutes, so it is possible the ruling Ms. Lindsay referred to is a private ruling. I have asked Ms. Lindsay to provide more information on this new ban on non-BC-based cloud providers, but have yet to receive a reply; I will post an update if or when I receive a response.
If this is indeed the path the LSBC has chosen, it means BC lawyers will be effectively banned from using the cloud:
All web-based e-mail services, including Gmail, Google Apps, Hotmail, Outlook.com, and Yahoo Mail are off-limits.
Cloud-based storage providers like Dropbox and Box are likewise prohibited.
Lawyers cannot use cloud-based practice management systems like Clio, Rocket Matter and MyCase.
Every one of the ABA’s Top 10 Cloud Apps for Lawyers as listed by Bob Ambrogi — Dropbox, Google Docs, iCloud, Evernote, Clio, Bill4Time, RocketMatter, Zoho, Verve and Nextpoint — are verboten.
And make no mistake: no major cloud provider would open a BC-based data center solely to address the LSBC’s requirements — the 10,000 lawyer market in BC simply doesn’t move the needle for companies that have millions of users. This ruling would have the effect of relegating BC lawyers to a pre-cloud technological backwater, which does not serve the public’s interest nor the LSBC’s own principal strategic goal of becoming a “more innovative and effective professional regulatory body.”
Ms. Lindsay is an authoritative voice on behalf of the LSBC, and the broad reaching impact of her statement at the end of my CBABC talk is worthy of documentation, explanation and dialog. If accurate, Ms. Lindsay’s declaration stands to hamper the entire BC legal profession from participating in one of the most important and sweeping technological changes since the advent of the internet. More than that, I find it concerning that such a profoundly impactful decision could be made out of view of the public and the membership that the LSBC is mandated to serve.
My genuine hope is that the alarm expressed above is the result of either misinterpretation or misinformation, however, without benefit of further commentary from Ms. Lindsay and the LSBC, BC’s lawyers are right to be deeply concerned about their technological future.
I really hope BC lawyers will pay more attention to Benchers elections going forward. Between this and the TWU decision, the benchers really do seem stuck in 2001.
I would hope this was a miscommunication. Shall we expand on your list of non-BC cloud tools that would be prohibited? Microsoft Office 365, any iPhone with iOS8+ (pretty much requires iCloud now, no?), Skype, Evernote, almost every extranet or virtual deal room tool on the market, and most tools that utilize internet-based backups.
In fact, since the vast majority of software products are either cloud driven or have a cloud-storage aspect to their service, how about we inquire about a list of cloud tools that DO originate in BC? It would take less time.
I am a 3L student at Thompson Rivers University.
‘Future of Law’ talks have been a key discussion this year after the CBA released their Futures Report in August. I find it incredible that after the CBA recommends innovation in the legal practice and using technology to improve the legal profession, the LSBC may have come in and stonewalled a big part of it.
So many key services use the cloud today. It has allowed the practice of law to become more efficient and cheaper. It has allowed innovation like paperless firms. If this is true, the LSBC is stifling innovation, and it seems like such a ruling indicates a poor understanding of the risks and benefits of cloud computing.
I wrote a blog on this a year ago, but never thought that this would be the outcome. ‘Is your Data Safe on the Cloud? A Lawyer’s Dilemma? http://truhumanrights.com/2013/10/31/is-your-data-safe-on-the-cloud-a-lawyers-dilemma/ “
Hello everyone. I’ll chime in quickly here as a BC Bencher with some knowledge of the Law Society of BC’s requirements regarding cloud computing use by its members.
I’ll leave it to LSBC spokespeople to give the official and full explanation very soon, but basically there is no prohibition as described regarding the use of non-BC-based cloud computing services. There are only guidelines regarding due diligence for privacy and security standards.
So this seems to be the result of some unfortunate misinformation or misinterpretation (a consequence of the mystical desert climate perhaps?).
Based on my review and discussions with other lawyers, the biggest limitation on the adoption of cloud computing in British Columbia actually comes from the requirements under the Freedom of Information and Protection of Privacy Act, RSBC 1996, c.165.
This legislation places strict limits on where personal information and records in the control of public bodies may be located. The result is that firms that represent or work for public bodies are not able to use any hosted solutions (for those files at least). I am hoping that Jan Lindsay’s comment was merely a misunderstanding of applicable law or based on rulings or discussions dealing with law firms that hold records for public bodies.
My sense is that the LSBC’s official channels will resolve this shortly. It does seem to be something of a miscommunication. My bigger concern is that the LSBC’s cloud computing recommendations may be diverging too far from standard practices within BC firms. The Cloud Computing Task Force did some great work, but their recommendations do not easily scale-down to sole practitioners or small firms with little technical sophistication. Most lawyers do not know who hosts their email, let alone whether a data escrow account is properly configured.
This type of confusion certainly does a disservice to Jack and the team at Clio. They are one of our best local success stories and have spent years working with law societies and bar associations to iron-out such uncertainties. I would have hoped that the LSBC would be trying to support Clio rather than putting-up barriers.
I have been asking Clio for some time now to store it’s Canadian users’ data in Canada – I hope this will encourage them to do this now.
For those who are looking for an alternative online storage company, I use a cloud-based storage company based out of Ontario called Sync: [sync.com]
All of their servers are in Canada, and I’m told they will keep them in Canada.
Thank you to Ashley Syer!
Canadian companies *should* store Canadian users’ data in Canada. It may not be cost effective to Clio to start a server farm in BC just for BC lawyers, but I’d hope it would be cost effective to have servers in Canada for Canadian lawyers and paralegals across the country.
For companies that rely on “it’s not cost effective” how can Canadian Law Societies (or their members) expect that it will be cost effective for the company to take into account the requirements of our profession when creating or updating their software. The professional accounting and record-keeping rules vary between US Bar Associations and Canadian Law Societies. If a company does not care about the difference in privacy legislation enough to site a data center here, why should we trust that they’ll get other Canadian legal requirements right?
While Ms. Lindsay’s statement may have been incorrectly over-broad, I’d suggest that there’s an important baby in that bathwater, and it’s a bad idea to hurriedly toss the latter without rescuing it first.
Thanks for your comments, Neil, Jeremy and Ashley. I think the Law Society needs to hear these things more often. And somehow more directly than via Slaw comments.
Jeremy– I’m particularly interested in your views on how the LSBC cloud computing recommendations may be setting up solo and small firm members to fail. Scaling down rules and regulations is so often difficult and poorly executed. If you have the time and inclination, please email me at jmaclaren[at]accessprobono.ca to further share your views.
Cloud computing for lawyers. What a lively topic!! Jack, thank you for following up on this topic right here on slaw so clarifications can be obtained and reported. I am very interested in this topic. I can’t speak for LSBC but I’ll say that the issue of cloud computing is a very lively one at the Quebec Bar.
Law societies would be prudent never to bar the use of particular platforms or technologies absent clear authority to do so. If a statute or regulation prohibits hosting specific information in the cloud (such as the example cited by Neil Mangan above), it is the responsibility of the lawyer to adhere to such prohibitions.
Law societies have a role to play in guiding lawyers to properly use cloud computing. As a minimum and for example, this guidance could include:
– for information not confidential, not subject to the solicitor-client privilege and not subject to any statutory cloud prohibition, what are the minimal computing safeguards that should be adhered to by the lawyer / law firm with regards to cloud computing? (e.g. two-factor authentication for google apps computing?); and
– for confidential information or information subject to the solicitor-client privilege that is not subject to any statutory cloud prohibition, a law society provided cloud computing decision framework to help lawyers decide what levels of technology safeguards are necessary for what type of information.
Cloud computing guidance could also include, for example, the inclusion of standard “cloud computing” terms & conditions in retainer agreements with clients that achieve any or all of the following goals:
– Disclosing what information cannot be stored in the cloud, even with client consent;
– Obtaining the client consent to manage client information in the cloud, if applicable;
– Obtaining the client consent to send and receive information subject to the solicitor-client privilege by email; and
– Informing the client about the security measures and due diligence completed in order to ensure the confidentiality, integrity and availability of client information managed in the cloud.
Sending emails to clients and transferring documents over email is inherently less secure than any half-decent cloud server. Why aren’t law societies saying no to email? Because that would sound insane.
Many smaller firms who rely on Microsoft Small Business Server to provide onsite email, domain authentication and local data storage will have little choice now but to go to the cloud as SBS is no more and the only real migration is to Office 365. There is not much choice unless the smaller firm wants to invest in the full blown Microsoft offerings at a much greater and very prohibitive cost as well as complexity.
Every where I go, lawyers, law firms and IT consultants that I communicate with are all facing this concern/dilemma and the various bar associations have not provided a clear path for anyone. Smaller firms will have no choice but to go to the cloud to be able to maintain their competitive business yet the bodies that govern them are advising against it or at the very least not saying anything at all or are sending out mixed information and many are literally afraid of the outcome.
If it is encrypted at rest and in transit, it is backed up to multiple locations(redundant), there is little to no risk greater than that of paper files sitting in an office anywhere in Canada and it may in fact be safer due to the encryption.
I think all mainstream cloud services are all of the above.
The cloud is not something in the future but is here now and soon will be the only option for many as everything is rapidly moving to an online subscription based system as the only alternative.
Thanks everyone for the great discussion here.
Jamie, I appreciate (and am heartened) by your reply, and hope an official response from the LSBC will be forthcoming.
I will plan on a follow-up post incorporating feedback from the comments in this thread along with a discussion of the response from the LSBC.
Thanks, Jack. I’m happy to help where I can.
Law Society of BC President Jan Lindsay recently issued a statement on this matter via her blog: http://www.lawsociety.bc.ca/newsroom/president.cfm
The main issues are the implications of the patriot act and shared, tenant based public cloud architecture on privacy concerns. Note that other regulatory bodies e.g. OSFI have similar rulings that effectively prohibit cloud adoption by regulated entities.
Cloud providers need to work towards transparency and the regulators must work towards adoption… but we are still years away from the green light