Canadian Privacy Acts - "how they apply to the legal practice using cloud-based computing services"
Lawyers are pretty interested in privacy matters. In fact, most lawyers are experts in the area of privacy. That’s why as practice management service providers in the cloud, we get so many questions about privacy and security as it relates to the use of cloud-based applications.
As with any other business these days, totally abstaining from the cloud is not an option, as such an approach would put a legal practice in a decidedly competitive disadvantage. The cloud just has too much to offer in terms of cost, convenience and capability. The legal profession’s response then, from both the various legal societies across the nation and the individual legal firms within each jurisdiction, has been to review Canadian law with respect to privacy, set some guidelines for use and carry out due diligence when it comes to selecting specific online services.
The legal framework in Canada, at least for the private sector, is The Personal Information Protection and Electronic Documents Act (PIPEDA) and the 2015 follow up, the Digital Privacy Act, which amends PIPEDA to introduce mandatory data breach notification requirements. Alberta, British Columbia and Quebec have their own private sector privacy laws that are “substantially similar” to PIPEDA but in terms of cloud usage where data is crossing Provincial boundaries, both the provincial law and PIPEDA apply. There is a good summary of the provisions within PIPEDA and the Digital Privacy Act
Your practice management system is certainly subject to the personal data protection obligations as set out by PIPEDA and accordingly the service provider must implement safeguards that are appropriate to the sensitivity of the personal data. Safeguards should include physical, technical and administrative controls to prevent loss or unauthorised access to or modification or disclosure of the data. When our clients or prospective clients ask us about these privacy issues concerning our service in particular and cloud use for the storage of legal documents in general, this is what they have in mind.
Regardless of what service provider you are thinking of, you will want to carry out some due diligence. Particularly you will want to ensure that the service provider and technology they use support your professional obligations and are in compliance with your Law Society’s regulatory processes. As an example, when we were designing the uLawPractice service offer, we relied upon guidelines issued by the Legal Society of British Columbia, who at the time were the thought leaders in Canada on this topic. You can download their cloud computing checklist and due diligence guidelines here:
The particular questions we get asked have to do with remote data storage, security of records, custody or control of records, records retention and authorized access. Here is our reply:
Remote Data Storage
Remote data storage and processing are not new phenomena, as lawyers have been using record storage service companies for some time: warehousing boxes of hard copy documents, mainframe computing technology, email transfers across third party systems are common examples. Many issues will be the same when it comes to records stored in a warehouse and records stored on third party servers – the issue is trust and security. The key difference in the case of networked computing is that, once records are networked, the risks change and accordingly the steps taken to avoid a breach are different. Your practice management service provider should automatically encrypt all data in motion to or from your access device (mobile or fixed) and their servers. The level of encryption should be the same as what Canadian banks use to protect their customer’s financial data. For a Canadian practice server location should be in Canada to preserve data sovereignty.
Security of Records
We are defining security here as the protection of data from accidental or malicious modification, destruction or disclosure. To make it clear, every organization, no matter how security conscious, is at some risk. There is no guaranteed defense against every conceivable accident or malicious act affecting an organization’s information assets. In signing up for practice management services you, the client, share in the responsibility of protecting your information. The most prevalent causes of security breaches has been user error: insecure passwords (“1234”, or “password” for example), improper password management (sticky notes under the keyboard), unattended logged on access terminals or use of public WiFi facilities without a VPN.
Your service provider’s share in the responsibility of securing your information is as follows:
- The service provider provides the capability for the client to determine what type of data is accessible by what type of user within the client organization. For example, the lawyer may chose to limit what an admin staff or an accountant can see and do in the system.
- The application encrypts the data when it is in transit.
- The service provider firewalls the server infrastructure both from the point of view of access credentials but also from the point of view of the location of the access request, or frequency of request. If the access request were coming from Europe or Asia for example, access should be denied unless the client has told the provider in advance that for a period of time access requests from particular locations should be honoured. In this way if the pattern of access requests is such that they could be machine created – a distributed denial of service attack – these requests can be turned aside without disrupting legitimate service requests.
- Client data should be stored in more than one place at the same time. The service provider should automatically run incremental backups on the hour (incremental in that data changed in past hour is backed up such that in the event of a total crash a maximum of 1 hour of transactions would be lost.) The service should also run a full backup – all data changed or not – once every 24 hours.
- Redundancy: multiple servers should be in play at all times. The traffic load is balanced among these servers. In the event of a server failure - even a decline in server performance – service is automatically picked up by other synchronously operating servers in the architecture. System availability of typical cloud-based services is far better than what is normally achieved by private in-house systems. You would want a service designed to allow no more that 15 minutes per year of planned outage. Actual performance is typically better than this and your service provider should be able to show you their operational data. If there is to be a planned maintenance outage, clients should be notified in advance with the outage scheduled for a typically low traffic period - Sunday’s midnight to 3:00PM Eastern Standard Time for example.
Custody or control of records
- The fact that records are stored with a third party does not necessarily mean that the lawyer has lost custody of them. It really depends on what the third party is able to do with the records and what their responsibilities are. The terms of service will be outlined on the service provider’s website. A private computing cloud can actually better support the concept of custody by the lawyer than a public cloud such as various web-based email services where the storage is commingled with other records. However, the fact that the safekeeping, care, protection and preservation of client data rests with your service provider during the provision of service does imply that you and the service provider jointly have data custody.
- Lawyers have record retention obligations. Some of these are driven by limitation periods, which will mean that different files have to be retained for different periods of time. Our understanding is that a lawyer may have retention obligations of 10 years with respect to trust records. As long as you are using their the practice management service your service supplier must commit to retaining your data.
- Should you terminate your service, you are responsible to download your data, retain, maintain and secure in anyway you see fit. Most practice management software providers give 30 days to complete this and sometimes will extend the period on your request. When your data is downloaded, it has to be in a file format recognizable to you (for example .csv or PDF) and you should not require the practice management application or solution to read the data. Once you confirm your termination of service, the service provider needs to guarantee that they have wiped your data clean.
- The client determines who has access to his data. Your service provider should not normally see your data unless you have authorized him to do so – in a tutorial or trouble-shooting situation for example where he is sharing screens with the you.
- A cloud-based service to the legal firm can have serious implications for regulatory bodies. If the Law Society requires access to a lawyer’s data held by the cloud service, the Law Society would require the lawyer to provide the access credentials and navigational instructions necessary to locate the records in question. Unless compelled to do so by law, your service provider should not provide access to client records without the client’s expressed permission.
- uLaw White Paper on Power of SOLO
- uLaw webinar on Disbursement
- uLaw Integrated payment options
- uLaw Legal Analytics and its power
Cloud-based computing services have now achieved a level of security, privacy and availability suitable to be applied to high integrity records as might be recorded in a legal practice management system. The costs of such an architectural approach to practice management solutions is in the order of one tenth of the cost of classical in-house hosted software solution.