by Martin Felsky, PhD, JD, Senior Counsel, Heuristica Discovery Counsel LLP and Special Advisor to the Canadian Judicial Council on Information Technology. 1
“BigLaw may not be able to access [Office]365 for years,” warns the headline.2 Is cloud computing simply too risky for lawyers?
Around the world, private and public sector organizations are moving to the cloud. Typically, motivating factors are low initial investment, predictable operating costs, rapid deployment, scalability and mobile access. Any organization considering a move to the cloud should take into account, among other things, critical considerations of security, data residency, confidentiality, privacy, and information governance. Large cloud service providers with data centres in Canada – such as Microsoft and Amazon – have scooped up government contracts. Both have been qualified by Shared Services Canada to store classified data up to and including “Protected B.”3
Law societies and bar associations in North America today are generally supportive of the concept but leave it to individual lawyers to perform their own due diligence. For example, the Law Society of British Columbia offers a helpful (though somewhat intimidating) cloud computing checklist.4
The main concerns?
- Protecting the confidentiality of client information, especially privileged information
- Protecting sensitive data against foreign government agencies
- Restricting (and auditing) monitoring and access by system administrators
- Incident reporting mechanisms and protocols
- Compliance with privacy legislation
- Keeping data in the jurisdiction
For judges, judicial independence is another big concern. For example, judges should be involved in negotiating cloud provider contract terms, and judges must have meaningful input if not control of security, privacy and access policies as these relate to judicial information. Judicial information must be identified, classified and segregated from court information throughout its lifecycle. Default apps and settings that facilitate file or calendar sharing and social interaction must be customizable to avoid inappropriate access and also to protect the appearance of independence.
Since 2004, courts across the country have been using the Blueprint for the Security of Judicial Information 5 as the standard for implementing security controls to protect judicial independence. Principle 6a states that:
“Judicial Information may not be migrated to the cloud without the consent of the judiciary. As such, the judiciary must be included in negotiations for proposed cloud services including governance, operations, access controls, data location, and other security considerations. The security, privacy and integrity of Judicial Information must be expressly addressed in any service provider agreement. Third party compliance with the Blueprint must be monitored and audited on a regular basis.”
In the case of judges, proposed cloud migrations by respective governments in several jurisdictions prompted the Canadian Judicial Council to strike a Technology Committee in January 2019 with the mandate to recommend guidelines for cloud migration of judicial information. The Committee’s Guidelines were published in both official languages in November 2019 and are available on the Council’s website.6
The Guidelines have been eagerly awaited by a number of courts across the country, since judges generally are looking forward to enjoying the benefits of cloud computing but have wanted to ensure that their concerns about security and independence were taken into account. Some jurisdictions are moving ahead more quickly than other – but it seems likely that in a few short years most Canadian judges will at least be using cloud-based email and file storage services. Modern case management systems, which are in various stages of planning and implementation across the country, are also typically cloud-based.
Another aspect of the Guidelines is more intriguing. One of the recommendations is this: “Using the same cloud service provider would make it easier to migrate to a community cloud for judges in the future.” This is an idea that has gained some traction in the judicial community, though it is by no means a fait accompli. One day we might see judges breaking away from government-administered cloud solutions to their own, judge-managed service, at least for office productivity tools. This would give judges greater independence and control over their own judicial information, while allowing them to seamlessly access court information and collaborate with court-administered resources where appropriate. It would also mean they would contract directly with a cloud service provider rather than through the agency of a government department or court administration.
The fact that governments and the judiciary are moving to the cloud should give comfort to sole practitioners and small firms – in principle, well-managed cloud services are much more secure than servers managed on premises. The challenge for many lawyers looking to the future is that, managing independently, it is difficult to apply checklists and to verify that appropriate controls are in place. Small firms have no bargaining power when it comes to dealing with enterprises such as Google, Amazon or Microsoft. It is very tempting, but risky, to adopt popular services such as Evernote, iCloud, or Dropbox, to handle sensitive law practice information, let alone client data. In some jurisdictions, each lawyer or small firm is expected to individually assess every proposed cloud service provider to ensure that adequate protections are in place. In others, lawyers are restricted to those applications that are approved by the relevant law society, but the approval process can be slow, and the range of options small.
In my view, we can do better to evaluate and endorse cloud services if we act collectively as a profession, taking the burden and risk off the shoulders of solo practitioners and small firms.
The views expressed in this article are those of the author alone and represent neither the views of the Canadian Judicial Council nor those of Heuristica Discovery Counsel LLP.