Speaker Key: PB Phil Brown, DW David Whelan
PB: Hi it’s Phil Brown here and I’m with David Whelan and we’re going to talk about cloud regulations today.
DW: Cloud computing is the technology that seems
to be on everyone’s mind and whether they should use it and if they do
what they have to be thinking about when they adopt it.
PB: So before we launch into the regulations and
whether or not the Law Society has any, let’s talk a bit about the
cloud. What is it?
DW: Well for a long time it was a marketing term
and it allowed computer providers and software providers to say that
they were doing something that was entirely internet based. So if you
logged onto your Google mail or to your Hotmail account you were
working on a cloud system because it was out in the internet cloud,
meaning that it was not locally installed on your computer and it
wasn’t running on a server within your law firm.
PB: So it’s running on someone else’s computer
that technically you would not have control over, possibly in another
DW: Exactly and maybe in another country and maybe
in multiple countries if they spread their services out so they are
available all the time they might have to have coverage in different
continents or at least different countries.
PB: One of the reasons people should be aware of
this is because most lawyers and paralegals are already using the cloud
whether they’re aware of it or not.
DW: In many cases, you’re using it for your
personal life but you may be using it for some aspect of your
professional life as well.
PB: For instance if you’re using Gmail or Hotmail or Sympatico mail, all of those are cloud based delivery.
DW: Yes and if you’re not there’s a good chance
your clients are because they may be receiving e-mail which you sent
from inside the law firm on a web-based e-mail application in their
PB: So one of the things that’s been coming up
often in conversation amongst lawyers and paralegals is, does the Law
Society have any regulations with respect to cloud computing?
DW: The answer is no.
PB: There are no regulations as such. There are Rules of Professional Conduct however, which would apply to cloud computing situations.
DW: They are the same rules that you’ve had all
along and what we found with Bar Associations and other ethics groups
that have looked at this and then come out with formal opinions,
particularly in the United States, is that the expectation for lawyers
and paralegals is that they continue to act reasonably and competently
and follow the rules that they have been provided in the past.
PB: Specifically with respect to Ontario lawyers
and paralegals, rule 3.3 for lawyers and the equivalent rule for
paralegals is that the lawyer or paralegal shall keep all of the
client’s information confidential and that’s in all situations, whether
it’s stored somewhere else or not. The other question that often comes
up is does the Law Society regulate or approve of any particular cloud
DW: There are many cloud providers who would love
to have a Law Society or a regulator sign off on the product that they
provide but the answer is no, the Law Society does not certify or
recommend any particular cloud provider.
PB: In fact not just cloud providers, we don’t
recommend or approve any particular software or vendor or anything. So
one of the fundamental issues here in dealing with cloud computing and
confidentiality is you are trusting client information to someone other
DW: Right and it’s a threshold question. If you
work in a particular area of law where it doesn’t make sense for your
client information to be located on a computer, whether it’s a computer
in your office or someone else’s computer, you need to avoid cloud
computing. And then if you do have client information, you may decide
you have certain information you’re comfortable having in the cloud and
certain information that you aren’t. So it’s not an all or nothing
decision to go into the cloud. Whether you choose to put your to do
list up in the cloud or your e-mail or whether you decide to
synchronize documents that relate to the operations of your law firm
and aren’t client confidential at all or whether you decide to put your
entire practice up in the cloud, the rules that apply will still apply
no matter which type of content you put out there.
PB: So one of the things you have to be aware of
when you’re putting anything in the cloud is the user agreement you have
with this third party. You need to own the information as the lawyer
or the paralegal.
DW: Yes, and it’s important that you have the
ability to get access to that information at any time. So if your cloud
provider has a way for you to export or download the information, you
should be doing so on a regular basis just in case they become
unavailable for whatever reason. And if they don’t have that, then you
should be able to synchronize it down to your computer so you will
always have a copy, whether you have internet access or not.
PB: So within that use agreement there will be
other information that will be very important which includes what
happens if there’s a dispute with you about fees and the cloud
provider? Who is their information being stored with? What happens to
your information if their business goes under? What happens if you
terminate your relationship with them? How long do you have to recover
DW: Those are critical aspects of the relationship
you have with the provider and you should also be aware of how they’re
going to be managing your information while it’s stored on their
system. For example, if I upload files to a file storage site and those
files are encrypted according to that provider then I want to make sure
that they are encrypted until I download and access them and that
their employees can’t access the server from within the organization
and access files that I think are encrypted and therefore protected.
PB: Right and in terms of the encryption, it’s
really just protecting the information on site because an authority
could come along with lawful authority and says “here’s my search
warrant”, they’re going to turn over the encryption keys immediately.
DW: Someone once asked me if the encryption used
on one of the cloud providers I was discussing was enough to block the
National Security Agency, the NSA in the US, from getting access to
it. The reality is probably not – this is the answer to almost any
encryption utility on any cloud service, but we have a reasonable
expectation that you will act competently and so you really have to
approach it from that perspective. What is reasonable? What is
competent for your practice and for your confidential information?
PB: There’s also the option if you’re only using
the cloud to store information, if you’re not using software as a
service or something, you can encrypt the information on your end
before you load it up into the cloud.
DW: Yes and that would prevent anybody from being
able to crack through the egg of encryption that is provided by the
provider from the cloud site because you would have a belt and
suspenders encryption approach.
PB: You mentioned this at the beginning. It’s
really important to give clients the option if you’re using a cloud
service to store their information. It’s important clients know that
and they also have the option possibly to opt out of that if they want.
DW: That’s a great idea and to put that in writing
I think helps everybody to understand where that information is. I’ve
heard of a lawyer who has a drop box folder for each of his clients and
so he is really committed to moving all of his clients out into the
cloud and to have them interact with the cloud because those files are
being synchronized to their computers. I think one of the interesting
things that cloud computing has raised is the idea that we are leaving
confidential information, potential information that talks about the
client matters and maybe client personal information on the web when we
do searches using Google, which is now encrypting, but it does save
search history or when we are sending e-mails and other things that we
might now have thought about in the past.
PB: When we say make client aware of it, it’s a
good idea to put that information in a retainer agreement, which is your
contract with the client so that they know what your policy is with
respect to storing your information and protecting their information as
well as what your policy is in terms of the disruption of that
DW: And that can help them to understand how they
might already be interacting with a cloud or storing information out
there - that although you are protecting it for them, they might be
exposing it and hurting their own interests.
PB: Thanks very much David.
DW: Good seeing you Phil.