It was so simple in the old days. The filing system was secured by lock and key. The communication “platforms” were writing a letter, setting up a meeting or speaking on the telephone. Any risk of interception by unauthorized third parties was negligible.
Then technology came along and ruined everything. Technology changed the way lawyers store and access their client data. Only now, in the age of high-profile hacks, are lawyers starting to question where their data goes when it is in transit and where it lives when it is at rest on a server.
The decision for law firms on where to store data is not an easy one, for there are many benefits and risks to take into account. The choices come down to storing data on local hard drives or USB sticks (not recommended), on a shared drive on a network, or somewhere on the cloud.
Using a shared drive on a network is the most secure option, but it does not come cheap. Hosting costs will be significant and a geo-redundant backup server should also be included as part of a disaster recovery plan, effectively doubling the cost.
Using the cloud is cost-effective and convenient but brings risks and benefits in equal measure, as outlined in a 2011 survey by the Law Society of England and Wales. According to this survey, the benefits include: improved backup/disaster recovery; flexibility; increased storage capacity; increased data handling capacity; reduced infrastructure costs; avoiding frequent updates to software; and reduced internal IT staff costs.
The risks identified in the survey include: security, data confidentiality and location of data; service reliability and stability; lack of control over customization and integration; service response time and enforcing service level agreements; speed and bandwidth; danger of supplier lock-in; and difficulty of achieving executive buy-in.
In any event, law firms with a certain profile (or those hoping to attract institutional clients) will eschew cloud services for regulatory reasons or because of client sensitivities. Banks will not generally entertain law firms who store data on the cloud, for security reasons. Public bodies are required by the Freedom of Information and Protection of Privacy Act to ensure that their data is stored and accessed only in Canada.
The issue of data sovereignty is an important one. There may be political or legal risks in storing data in foreign jurisdictions. The risk of storing data in the U.S. was judicially considered in October 2015 by the European Union’s highest court, the Court of Justice of the European Union. The Court torpedoed the European Commission’s “Safe Harbour” scheme for the safe transfer of data to the U.S. on the grounds that the U.S. does not provide an adequate level of protection for data transferred there.
The risks and benefits are left to law firms to weigh. In British Columbia, the Law Society states that it regulates lawyers, not technology. The Benchers adopted the Cloud Computing Due Diligence Guidelines in 2012. The Guidelines are technology-neutral and leave it to lawyers to be satisfied that they have completed sufficient due diligence on the technology they propose to use.
All that said, there is a saying in technology: “if you don’t pay for the product, you are the product.” Therefore, it is abundantly clear that lawyers should never make use of free services like Gmail that admit they use the personal data from email messages.