Frequently Asked Questions (And Answers) on BC Lawyers’ Use of Cloud Computing
♫ It’s coming down, it’s coming down, it’s coming down
These clouds could never hope to save us…♫
Lyrics, music and recorded by Thrice.
On Nov. 17, 2014 Jack Newton posted on Slaw: “Did the LSBC Just Kill Cloud Computing for Lawyers in BC?”
To set the record straight, the death of cloud computing for BC lawyers has been greatly exaggerated. In fact, quite the opposite is true. Cloud computing for BC lawyers is alive and well. What the Benchers have recently done is adopt rule changes based on the report and recommendations of the Cloud Computing Working Group.
The amendments address three areas:
- the requirements for electronic data storage and processing;
- producing records in a complaint investigation or forensic audit; and
- third-party storage providers and security.
While these rule changes (principally 10-4 and 10-5 of the Law Society Rules) permit the Executive Committee, by resolution, to declare that a specific entity is not a ‘permitted storage provider’ for the purposes of compliance with this rule, no such entity has been so declared.
Accordingly, I would like to deal with the following questions and issues that have been raised concerning the use of cloud computing resources by BC lawyers:
Q: Is the Law Society of BC against the use of Cloud Computing by Lawyers?
A: The Law Society of BC Benchers have just recently adopted rule changes that were created to give effect to the recommendations in the Cloud Computing Working Group Report (January 2012). To the writer’s understanding, this Report represents one of the leading examinations of the use of cloud computing resources by lawyers by any regulator. Lawyers in BC who wish to use cloud computing resources are referred to the Cloud Computing Checklist for specific guidance of the issues that should be considered before moving data to the cloud. To the writer’s knowledge this Checklist is a leading document and represents one of the first comprehensive overviews of the issues for a lawyer to consider before moving client data into the Cloud. The Report, Recommendations and Checklist highlight that The Law Society of BC has and continues to provide thoughtful leadership to the lawyers of BC on the adoption of new technologies.
Q: What guidance is there for BC lawyers looking to use Cloud Computing?
A: The Cloud Computing Report supports the idea that the Law Society regulates lawyers, not technology. It is up to the lawyer to determine whether it is appropriate to use any particular technology in the circumstances, recognizing that the professional responsibilities of a lawyer will continue. This places cloud computing on an equal basis with regard to a lawyer’s use of services such as: bookkeeping, accounting software, IT consultants or any other provider of services to a lawyer or law firm. As such, the Law Society expects lawyers to engage in due diligence when using any service provider that handles, stores or processes client records, whether those records are in paper form or electronic. The Cloud Computing Checklist is designed to provide a list of considerations for a lawyer contemplating moving data to the cloud. Lastly the Practice Advice Department at the Law Society is available to discuss a lawyer’s use of cloud computing.
Q: Are BC Lawyers prohibited from using US-based Cloud Computing Providers?
A: There is no prohibition against using services in which servers are located outside Canada. However, the lawyer must ensure use of the service complies with any legal limitations on where the records can be stored. Consider, for example, s. 30.1 of the Freedom of Information and Protection of Privacy Act, RSBC 1996, Chapter 165. If the lawyer acts for clients who are prevented from storing data outside of Canada, this will be a very important consideration when thinking about the law firm’s use of cloud resources. The Checklist and the report highlight that lawyers’ obligations to preserve and protect privilege and confidentiality do not disappear; accordingly the checklist provides questions to consider when choosing a service so the lawyer can be satisfied the client’s information is protected. A lawyer should disclose to their clients that they use cloud computing resources and that the client’s data may be stored outside of Canada, preferably by incorporating this into the law firm’s retainer agreement. In the writer’s view, informed client consent is an integral part of responsibly using cloud computing resources by a law firm.
Q: Does the Law Society prohibit the use of non-BC based cloud computing providers such as Google or Dropbox by lawyers?
A: The Law Society neither endorses nor rejects the use of specific products. However, if the Law Society discovers during the course of exercising its regulatory function that lawyers who use certain services are unable to comply with the rules for disclosing records, either because the service provider refuses to assist with the regulatory disclosure or is incapable of providing the records, the Law Society can disapprove the use of that service for lawyers. But at this time, no cloud provider is so prohibited by the Law Society.
Q: What has changed in BC regarding cloud-based computing?
A: In my view, the changes that the Benchers have made to the Law Society Rules are in respect of the regulatory work that the Law Society is mandated to perform in the public interest, and how storing data in the cloud may impact that work.
For example, a lawyer who is required under Rule 3-5 [Investigation of complaints] or 4-43 [Investigation of books and accounts] to produce and permit the copying of files, documents and other records, provide information or attend an interview and answer questions and who fails or refuses to do so is suspended until he or she has complied with the requirement to the satisfaction of the Executive Director (See more at: http://www.lawsociety.bc.ca/page.cfm?cid=982&t=Law-Society-Rules-Part-3-Protection-of-the-Public#3-5-01).
The Law Society must have access to the files, documents and other records of a lawyer under investigation. If those files, documents and other records are stored, either in paper form or electronically, in a way that prevents the Law Society from gaining access to those files, then the rules envision a process by which lawyers who are unable to provide such requested records can be suspended until able to do so.
In particular, Rule 10-4 (4) contains provisions that a lawyer needs to consider when using any cloud provider. They are:
(4) A lawyer must not maintain records, including electronic records, with a storage provider unless the lawyer
(a) retains custody and control of the records,
(b) ensures that ownership of the records does not pass to another party,
(c) is capable of complying with a demand under the Act or these Rules to produce the records and provide access to them,
(d) ensures that the storage provider maintains the records securely without
(i) accessing or copying them except as is necessary to provide the service obtained by the lawyer,
(ii) allowing unauthorized access to or copying or acquisition of the records, or
(iii) failing to destroy the records completely and permanently on instructions from the lawyer, and
(e) enters into a written agreement with the storage provider that is consistent with the lawyer’s obligations under the Act and these Rules.
These are new provisions but the concepts are not new. No lawyer would store records – paper or electronic – with a provider that accessed them or copied them except as necessary to provide the service to the lawyer. No provider would be permitted to gain unauthorized access to the lawyer’s records whether they are in paper or electronic form. Furthermore, when a lawyer destroys records he or she needs to know that these records have been completely and permanently destroyed – regardless if these records are in paper form or electronic. What the Benchers have done is made it clear that these responsibilities apply when records are stored with a cloud provider and that the lawyer must comply with them.
The Law Society has simply updated their Rules to incorporate the potential use of cloud computing by lawyers and the requirement for the Law Society to have access to the records of the lawyer should the need arise, no matter where those records may be stored. Furthermore, the Law Society has confirmed that a lawyer’s responsibilities apply equally no matter how a lawyer chooses to store their records, whether in paper or electronic form.
The LSBC’s cloud computing checklist is designed to ensure lawyers turn their minds to the ability to comply with audits and investigations by the Law Society, while using technology.
Any questions on the use of cloud computing resources by BC lawyers can be directed to the writer at the Practice Advice Department at the Law Society.
With respect, the writer submits that BC lawyers’ use of cloud computing resources has not in fact come down and that indeed, these clouds can in fact save us a great deal of time, energy and resources.
(The writer gratefully acknowledges the assistance of Doug Munro, staff lawyer at the Law Society of British Columbia who, along with the writer, are the authors of BC’s Cloud Computing Checklist, based on the ground-breaking work of the Benchers’ Cloud Computing Working Group.)
This makes for good clarification. It still is obvious that the Law Society could weigh in to prohibit lawyers from using select services, but it seems to clear up the confusion about what decisions have (or have not) already been made with respect to that discretionary power.
Thank you Dave!
Thank you for responding, Mr. Bilinsky. I am grateful we have you to advocate for technology at the LSBC. If we can’t have a list of approved service providers, tables (or short memos) from the LSBC that compare the most popular (and cheapest) service providers based on answers to FAQs might be the next best thing, even if they do go out of date quickly. We can share what we find with other firms, but I don’t like having to find someone with similar needs who had the time to look into it, and all of us repeating work someone else already did.
Lawyers are trained to interpret law, not understand data storage mirroring in cloud service providers. If our law society wishes to regulate this (and they should), we deserve bright line answers.
Within the tech industry there is a growing divide between cloud services that want access to your data and cloud services that do not.
The technical term is “zero knowledge encryption”. Cloud services that utilize this type of encryption offer absolute privacy because the “encryption keys” to access the data remain client-side, and are only available to the end user. This makes it impossible for the service provider (or anyone else) to access the encrypted data stored at rest or in transit.
Consumer-grade cloud services (like the ones recently criticized by the BC Law Society) keep a copy of the encryption keys – giving their employees and automated systems full access to the encrypted data stored on their servers. And buried within the terms of service many of these companies indicate that they actively access, scan and even share the data stored on their servers with third-parties.
Choosing a cloud provider that operates 100% in Canada is a good start in terms of ensuring data is stored within the confines of Canadian legal jurisdiction. However this does not solve the core issue of data privacy.
Who has the encryption keys to your data?
The good news is that data privacy is something we’re all starting to talk about. British Columbia appears to be ahead of the curve in terms of leading this conversation.
And Canadian companies like Sync.com (full disclosure – I work for Sync.com) offer cloud storage with “zero-knowledge encryption” built into the core.
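The difference between provider-held and client-held keys described in the comment above, as an added example that is not part of the original thread or any vendor's code. It is a constructed Node.js model; `Provider`, `seal`, `unseal`, `deriveKey` and the sample memo are hypothetical names and data.

```javascript
// Added illustration: constructed data and hypothetical names throughout.
const nodeCrypto = require("node:crypto");

// Client side: derive a 256-bit key from a passphrase that never leaves the device.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// AES-256-GCM: returns the record that is uploaded (nonce, ciphertext, auth tag).
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Decrypts and verifies; throws if the key is wrong or the record was modified.
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString("utf8");
}

// Toy storage provider: it can only use what it has been given to hold.
class Provider {
  constructor() { this.blobs = new Map(); this.keys = new Map(); }
  put(id, blob, key = null) {
    this.blobs.set(id, blob);
    if (key) this.keys.set(id, key);
  }
  get(id) { return this.blobs.get(id); }
  // What staff, automated scanning or an intruder on the server could read.
  providerRead(id) {
    const key = this.keys.get(id);
    return key ? unseal(key, this.blobs.get(id)) : null;
  }
}

function throwsOn(fn) { try { fn(); return false; } catch { return true; } }

function demo() {
  const memo = "Constructed sample: privileged client memo";
  const provider = new Provider();

  // Model A: the provider generates and keeps the key.
  const serverKey = nodeCrypto.randomBytes(32);
  provider.put("model-a", seal(serverKey, memo), serverKey);

  // Model B: key derived on the client; only the sealed record is uploaded.
  const salt = nodeCrypto.randomBytes(16);
  const clientKey = deriveKey("constructed passphrase", salt);
  provider.put("model-b", seal(clientKey, memo));

  const stored = provider.get("model-b");
  const tampered = { ...stored, ct: Buffer.from(stored.ct) };
  tampered.ct[0] ^= 1; // flip one bit, as a modified record would

  return {
    providerReadsA: provider.providerRead("model-a"),
    providerReadsB: provider.providerRead("model-b"),
    clientReadsB: unseal(clientKey, stored),
    wrongPassphraseFails: throwsOn(() => unseal(deriveKey("guess", salt), stored)),
    tamperDetected: throwsOn(() => unseal(clientKey, tampered)),
  };
}
```

In model B, producing the records on demand depends on the client keeping the passphrase, because the provider holds nothing that can decrypt them.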
I like where this thread is going, and I’m glad Jason joined the fray.
Peter’s comment is right on the bull’s eye. Lawyers need bright line answers. Grace’s point about efficiency is also on the money. Why would we ask the profession, including rank upon rank of solo and small firm lawyers with no expertise in technology, to continuously audit the hundreds of consumer apps, websites and data services that are out there? We have dozens of sample documents, model policies, etc., to ensure retainers are sound, trust reports are proper, client identification is complete, etc. — but these processes are far more familiar to a legally trained individual. A checklist is a good start for technology, but this changes so fast, and it’s not an area lawyers are the least bit comfortable in, on average at least.
Is it not just painfully ironic—frankly—that we are on one hand so phobic of technology that we cannot even agree how to characterize it in terms of a prerequisite of base competency but at the same time seem to think lawyers will follow a diagnostic checklist that really only a network specialist would understand?
Data security is now a recognized domain of public interest. Clients’ secrets are being placed into the cloud and lawyers are accountable to them. The duty is clear. The standard of care, however, is far from self evident. Unless we’re waiting for a major shipwreck, it’s time to build that lighthouse.
Organic and Kosher have certification bodies. Why not have one for data services that would help lawyers, accountants, journalists?
Nate:
Don’t you find it a bit ironic that lawyers hire accountants to advise them since they don’t have training in accounting and finance; they hire consultants and people to help them in marketing, in management, in HR and all the other areas of running a practice, yet for some reason they regard IT as an area that somehow they should be able to master with all its nuances and pitfalls?
Lawyers are trained in the law. Not in technology and certainly not in computer security. Corporations have departments filled with IT people who run their systems and they also turn to other experts for testing and verifying computer security and such.
I submit it is not the role of any regulator to certify any technology. Again that falls outside of their expertise.
It seems to me that you are calling for *someone* to certify that any particular system meets the criteria that lawyers need in order to follow their professional duties.
Well I ask: Should that someone not be the provider of the cloud product itself? We are seeing the rise of lawyer-specific cloud offerings. The needs of lawyers are becoming clearer by the publication of Cloud checklists and such. Why is it not on the cloud provider – who is obviously skilled in their offering – to verify that their product meets the standards of X professional body?
And if lawyers choose to use a non-legal specific cloud product…then isn’t it buyer beware?
Perhaps certification bodies will emerge as a growing discipline. But I don’t see legal regulators morphing into certification bodies.
Regards,
Dave
David’s comment immediately above this comment may answer the question I posed in my earlier column, whether the Rules governing lawyers should require competence in the use of technology. Or are there two different themes: (a) professional responsibility to use technology in a way consistent with professionalism – spelled out by the ABA, implied in Ontario, hinted at – at least – in BC; and (b) ability to design or evaluate technology, which may, as David says, be outsourced as are many other kinds of expertise?
Mr. Bilinsky’s comment assumes that lawyers have access to professional IT consultants who act without special interest… My experience has been the exact opposite, with most IT providers simply peddling the product that produces the most profit for the IT provider.
Why can’t the law society of BC invite submissions from cloud providers to obtain a “certified LSBC cloud compliant” mark?
Or better yet, why isn’t this something that can be done on a National level? I would be happy to sit on such a committee if the variety of law societies could get behind such a proposal.
Nate, I agree. I have struggled to move my small firm forward with technology and it has cost us a lot of money, time and headache, and we are still not “there.” It is like learning Greek without a teacher, then when you ask for help, you are told “here are the standards, written in Greek.” (Substitute Geek for Greek)
To follow up, we have hired IT professionals. They have also been stumped over and over in getting us set up. It may be easy to do this in the larger metro centres (or maybe firms with larger budgets), but it isn’t easy in rural B.C.
One IT firm I contacted, which seemed very competent in technology for law firms (and there don’t seem to be many), said it couldn’t help me because it only served the lower mainland. The one we currently use still has to work with a local IT tech who is not in any way familiar with legal programs and requirements.
Dave,
We all appreciate the wisdom and thought that went into the checklist for cloud computing. I think we all appreciate that BC is ahead of the curve when it comes to thinking about this issue too. And the LSBC is actively praised for having formed a Working Group to tackle these issues head on.
And I actually DO agree with you that it’s ironic a law firm would cough up for an accountant to guard against trust report problems, and at the same time have its members travel with unencrypted flash drives of client data, leave their wifi networks open, or use pet names as passwords—or any number of things that an IT consultant would tell you not to do.
To me that signals the problem, though. That’s not an all-clear. Lawyers are a risky bunch when it comes to IT security. We can agree on that.
But rather than the regulators crying “buyer beware”—which might be a fair response if not for the fact the real victims will be the unsuspecting public—this speaks to the need for proactive intervention on the regulator’s part. The profession is asking for more guidance. Lawyers are having a hard time even getting consultants to help them in non-major centers, and there are other complaints about their independence (see comments above). So we might also agree that the IT consultant sector is not as reliable for providing guidance as the accounting profession.
I say, if the LSBC can’t see a way to do this, let’s bump it to the Federation of Law Societies and team up on the issue of an IT Accreditation for Legal Services.
With respect I don’t think it’s acceptable to say it’s not the regulator’s business, however. If it’s a concern that the public will be compromised because of the actions of ignorant or hapless lawyers, then it is obviously a concern.
A certification of some kind would be more efficient, it would result in a better application of the recommendations of the checklist/2012 Cloud Report, and it would not pass all the cost to the small firm lawyers (who are the most likely to miss something and burn a client down the road). Remember, we’re not asking the Law Society to build and administer a one-stop cloud computing service (although that is one option considered by the Working Group), we are just talking about running the checklist against the services that exist, asking the questions already formulated, tracking the answers, verifying the end user agreements, and reporting the results in a table.
I can accept that the regulators may not have the in-house expertise to run this checklist against every storage provider. Also, the regulators may not want to pay external auditors to do this for them. But if this is true, how can one possibly ask all of the small law firms to do this. We already know this is a blind spot. Right, John Gregory?
Nate,
I can’t agree more… This should be addressed Nationally with a bright line guide/certification for all firms to guide their practice by… in the best interest of lawyers and the public.
Greetings
Well with the greatest of respect, I disagree, at least with regard to those providers who are focusing on the legal market. These legal cloud providers have every incentive to demonstrate that their offerings meet the stated needs of lawyers from a legal, ethical, security and confidentiality standpoint. It is clearly in their best interests as well as their clients’.
In the first instance they should be stepping up to the plate and voluntarily showing (certifying?) that their products meet the test. They know the inner workings of their products best. They can read the Cloud Computing Checklist and other documents and compare their service against what is set out there.
We have the Legal Cloud Computing Association (http://www.legalcloudcomputingassociation.org/?page_id=8). They state on their webpage:
Our Charter
• We provide a unified and consistent voice for vendors in the legal cloud computing market.
• We collaborate and cooperate with Bar Associations and other policy-forming bodies in efforts to form policies and guidelines relating to the use of cloud computing in law practices.
• We define standards and best practices.
If they don’t so certify their products against the established standards, isn’t that cause for concern? I think we should be saying to these members…OK…demonstrate to us that your products meet the grade.
Regards,
Dave