Last week The Law Society of British Columbia’s Cloud Computing Working Group published online a report with recommendations regarding the use of cloud computing by legal professionals.
The report's recommendations include:
1) Guidelines to help lawyers conduct due diligence in researching technology providers and cloud-based solutions. (The report refers to “third party service providers” which includes cloud computing but is much broader in scope.)
2) Review of potential changes in the Law Society Rules to ensure that its regulatory functions are kept up to date with the changes in technology. (Canadian legal professionals are subject to audits of law office records by their governing body whereas most state bars in the United States do not have this investigatory function.)
3) Methods by which lawyers and law students might be educated to improve understanding of their responsibilities when using technology.
The report advocates that clear guidelines are needed to assist lawyers in making the decision about what type of technology to use and which providers to trust. Here is a brief overview of what the Report recommends. Even if you are not practicing law in Canada, these are good recommendations to consider as you conduct your “due diligence” in researching any tech-related practice management decision.
1) Ensure that contractual safeguards are in place with the technology provider; (A full checklist is provided in the Appendix.)
2) Notify the client of the use of the technology provider and obtain client’s consent in a written retainer;
3) Understand the security measures related to the chosen provider that are associated with storage and processing of data;
4) “…assess the security risks associated with their existing records management systems as well as any new system they intend to use.”;
5) Ensure in contracts with provider that the lawyer retains custody or control of the law office data and that this control does not pass to the third party provider. (Because of the investigative requirements of the Law Society, if the attorney cannot access the data and provide it upon demand, then he or she may be found to have lost custody or control.);
6) Back-ups of data and escrow agreements might not be enough protection without access to the application software to review the data. Get reassurance from the provider that data returned will be in a usable format.
7) Ensure that the provider understands required archiving of law office records and that if the records are returned there is no loss of relational data, such as metadata.
8) Set up succession planning so that there is a custodian of law office data hosted in the cloud who knows how to access the data or whom to contact to wind down the practice. (This is one area where the Working Group decided to monitor for future recommendations.)
9) Three recommendations related to reducing the risk of data breaches:
– Inform clients and obtain consent for the lawyer’s use of the third party provider’s services,
– Require the service provider to “indemnify the lawyer for any claims the lawyer faces as a result of using the service,” and
– Purchase additional insurance that would cover data breaches. (My thought: Would the cost of the extra insurance actually cancel out the cost savings of using cloud computing in the first place? Obviously that might affect the solo practitioner a little more.)
Other interesting take-aways:
– The Working Group recognized that “the Law Society regulates lawyers, not third party providers or their technology.” The Law Society does not have the authority to “compel cloud service providers to provide access to and copies of lawyers’ business records.” In other words, the provider is not an agent of the law firm.
– There is a “chief place of practice” rule that reads very similar to a “bona fide office” that some State Bars have on the books. However, the concern here is with the ability of the Law Society to handle its investigative function if the records of the law firm are not located at the “chief place of practice.” The Report recommends that this requirement be changed to emphasize “on demand” record access in an acceptable format.
– “There are too many variables with respect to security for the Working Group to make a blanket statement as to whether cloud computing is sufficiently secure.”
– “The Working Group did not feel it could assert that cloud computing is more safe or less safe than traditional computing.”
– Some personal information and data related to the individual attorney may be retrievable by the Law Society upon an audit of law office data in a hosted system. “…this is the risk the lawyer bears by choosing to use cloud computing.”
– “Law Schools and PLTC should teach students that lawyers have an obligation to ensure their use of technology is consistent with their professional obligations.”
– A “potential solution” listed in the appendix is interesting. “…the idea of the Law Society operating a cloud service dedicated for lawyers.”
This report is worth reading in full because of the insight into the analysis of the Working Group addressing these issues.