November, 2020 | Article
Understanding Where The Risk Lies When Law Firms Move To The Cloud
Even before Covid-19, and far more so since it began, Canadian law firms have been looking to move their data and systems into the cloud. This is a good decision. But in the process, what puzzles me is that firms are asking only one question: “Where will my data be stored?”
Now, don’t get me wrong. This is a reasonable enquiry to make. Clients may want their data to be in Canada and the firm may feel more comfortable, or find it more practical, to have its data resident in the same jurisdiction. And of course, as we all know, if data is stored in the USA, under the terms of the US Patriot Act, the US Government is entitled to access it, should it wish to do so.
So, yes, it’s absolutely fine to check, when you look to move into the cloud, where your firm’s data will be held. My issue is simply this: it is an important question to ask, but (and I cannot emphasize this strongly enough) it is not the ONLY question to ask. What actually matters is whether your clients’ data is safe.
The big mistake I’m seeing Canadian law firms make at the moment is that when moving to the cloud they diligently check where their data will be held. And once they’re told it will be in Canada, they accept that as a full and final answer – and they don’t ask anything else!
Where Risk Lies
So what I see happening at the moment is that there’s a particular focus on the US Patriot Act. In fact it’s almost a fixation. Firms are determined to keep their data away from the prying eyes of Uncle Sam. And I get that. However, let’s conduct a reality check. Ask yourself just how likely it is that the CIA actually wants to know what a family law firm in Ontario is doing. I’m not saying it couldn’t ever happen. I’m just saying that the probability is extremely low.
Meanwhile, north of the border, Statistics Canada conducts an annual Canadian Survey of Cyber Security and Cybercrime (CSCSC). In 2017, just over one-fifth (21%) of Canadian businesses reported that their operations were affected by a cyber security incident, despite the fact that they were spending a reported $14 billion to prevent, detect and recover from cyber security incidents. [1]
Worse still, in 2019 a CIRA (Canadian Internet Registration Authority) cybersecurity survey found that 71 per cent of organizations reported at least one cyber-attack that affected the organization in some way. They experienced impacts on time and resources, incurred out-of-pocket expenses, and even paid ransoms. [2]
Even closer to home, the Canadian Bar Association found that 33 per cent of Canadian firms with between 10 and 49 attorneys reported data-related security breaches in the past 12 months. This suggests that a Canadian law firm has a one in three chance of sustaining a data security breach, versus an infinitesimal chance that, through some freakish collision of circumstances, the government of the United States of America may suddenly want to access its data. It’s about really understanding the odds and connecting them to how you manage the risk.
My point is that the balance of risk clearly lies with data security, not with data residency (where the data is physically stored) or with data sovereignty (the jurisdiction within which it’s stored). Data security is the clear and present danger. So firms have to stop fixating on where their data will be held and instead focus on the area where the actual threat exists.
And it’s not just me that thinks so. In fact the Canadian Bar Association doesn’t require data to be held in Canada. But it does expect client data to be handled safely and its confidentiality assured. Moreover, the Law Society of Ontario states in its Rules of Professional Conduct that: “A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship....”[3]
Since there is clear evidence of a significant risk that the firm’s data will be stolen by cybercriminals or otherwise misappropriated, failing to ask about data security provisions is in effect failing to safeguard the integrity of your clients’ information assets. In other words, it is a breach of your Rules of Professional Conduct. So, yes, one question is: “Where will my data be stored?” But the next question has to be: “How are you going to ensure the safety of my data?”
Asking For Credentials
What should firms be looking out for? For one thing, we know that a high proportion of data breaches result from human error or malicious action. So, whoever is looking after your data, you need to ask what employee background checks they run. Firms should ask who will have access to their data, how it is encrypted, and, importantly, what provisions are in place for the firm to recover its data if the cloud provider goes out of business.
Firms should also ask for evidence of the provider’s adoption of recognized ISMS (information security management system) policies and procedures. ISO/IEC 27001 and ISO/IEC 27018 are two well-recognized and highly regarded standards to look for. Going one step further, firms can ask the cloud supplier for evidence of a third-party audit of its ISMS policies and procedures.
In summary, when moving your data out of your premises and into a cloud provider’s facility, a firm must check the provider’s entire ISMS, covering its people, processes and technology as they relate to security and encryption, and ensure that it is working with a certified, regulated organization. Failing to do so is arguably a breach of your Rules of Professional Conduct.
Do not assume your data is safe simply because it is held in Canada! You are exposing your firm to considerable risk if you fail to ensure that the cloud provider you choose is providing adequate data security. Understand that the real risk lies in data security, not data residency, and address that risk.
[1] https://www150.statcan.gc.ca/n1/daily-quotidien/181015/dq181015a-eng.htm
[2] https://www.cira.ca/resources/cybersecurity/report/2019-cira-cybersecurity-survey#key
[3] https://lso.ca/about-lso/legislation-rules/rules-of-professional-conduct/chapter-3#ch3_sec3-confidentiality