Secure Data Management: Cloud Computing

There are two main concerns firms have: how do I choose the right provider, and does it have to be Canadian?

Do I Have to Choose a Canadian Provider?

At the time of writing, we know of no Canadian law society that prohibits storing client information on cloud servers located in the US. Having said that, there are considerations around privacy (i.e. ensuring compliance with PIPEDA and provincial privacy laws – and other jurisdictions where appropriate) and client confidentiality (i.e. Code of Professional Conduct obligations). With those in mind, it is most often the preference of firms – perhaps a strong preference with good reason – to choose solutions that keep information stored in Canada. You may ask for information from people who want your business and ask your colleagues in other firms, who might be further along in their Cloud projects, what provider they chose and how they found them.

The Law Society of Saskatchewan published an excellent guide, “Cloud Computing Best Practices & Checklist” (November 2023). They advise using providers with Canadian-facing data.

While it is possible to use cloud services provided from areas outside of Canada, it is advisable not to. The law practice is accountable for all client data including data that is transferred and placed with a cloud service provider.

Data transmitted and/or stored outside of Canada can be subject to another jurisdiction’s laws or regulations. For example, the USA Patriot Act permits US law enforcement agencies to require US entities to supply a client’s data if ordered…

As part of PIPEDA data transfer rules, if a client’s data is to be transmitted or stored outside of Canada, the client needs to be informed, be educated on the risks of, and approve of:

  • their personal information being transferred outside of Canada for processing and/or storage.
  • their personal information being subject to the laws of the foreign jurisdiction including their personal data could be taken and read by foreign governments.

Informing and seeking approval from each client could be laborious and time-consuming. There is also a risk that a client may choose to not allow their data to leave Canada resulting in another cloud service solution being required.

Canadian cloud providers have the best knowledge of the country’s privacy laws and are in the best position to securely store client data. Keeping data geographically located in Canada is much simpler, requires less privacy compliance and has a reduced risk of being anonymously provided from other jurisdictions.

There is a requirement to use Canadian data storage if you represent an NS public entity under the Personal Information International Disclosure Act.

If you have EU clients, EU privacy rules come into play (GPDR).

Requirements aside, many lawyers and clients worry about US control and access to sensitive information: e.g., the Patriot Act. You must make your own risk assessment given the nature of the information you hold, your clients, and the risks.

Choosing a Provider

If shopping for a service, compare functionality, to make sure your choice is adequate for your purposes. Some lawyers prefer the enhanced functionality that can come with US-facing data storage. We recommend asking for or trying to negotiate better functionality for Canadian-facing data storage; some lawyers have had success because the providers want your business. Use NSBS’ Cloud Computing Checklist to help evaluate your options.

Some lawyers use different storage for different purposes. One option to get the best functionality, when needed, and Canadian storage, when wise to do so.

Resources

Nova Scotia Barristers’ Society, “Cloud Computing Checklist: Annotated Law practice Version (for use by Law Practices only)” (March 2022). nsbs.org (word document).

Annotated for law practice. This cloud computing checklist is for you to use after receiving the completed checklist (below) from the service provider. It offers commentary on how to interpret the service provider’s answers.

Nova Scotia Barristers’ Society, “Cloud Computing Checklist: Cloud-Based Service Provider Version (for completion by providers)”, (March 2022). Nsbs.org (word document).

This is a non-annotated version intended to be sent directly to a service provider where all 52 questions are requested to be answered as’ Yes’ or ‘No’, with ‘No’ answers requiring an explanation in a comment box.

Paul Saunders, “Cloud Computing Checklist Webinar” (8 December 2021). Nova Scotia Barristers’ Society. Online: webinar. nsbs.org.

Lawyers’ Insurance Association of Nova Scotia, “Cloud Computing”, (n.d.). lians.ca. (This is a list of service providers.)

Ronald D. Davis and Bree Pierce, “Lawyers In A Digital Age: An Emergent Duty Of Technological Competence In Ontario?”, (December 2021). mondaq.com.

Michael Sauber, “The Risky Business of Document Sharing”, (June 2019). JUSTE. oba.org.

Law Society of Alberta, “Software Comparison Chart”, (n.d.). lawsociety.ab.ca. This chart compares preservation options for common legal software.

Teresa Matich, “2023 Law Firm data Security Guide: How to Keep Your Law Firm Secure” (February 2023). Clio. clio.com.

With thanks to our Tech Advisory Group of lawyers.