The Report of the Cloud Computing Working Group released guidelines on January 27^th, 2012. The guidelines apply to lawyers in British Columbia, Canada. However, it’s a good idea for all lawyers, regardless of the location, to follow the guidelines, which cover the concept of due diligence.

A lawyer is required to perform due diligence when using a third party for data storage. The guidelines are designed to assist lawyers with performing due diligence, as well as assist in determining whether to utilize the cloud. In addition, the guideline also includes a section for privacy considerations.

Part A: General Due Diligence Guidelines

• Lawyers must ensure all third parties support the lawyer’s professional obligations.
• Lawyers are encouraged to read the service provider’s terms of service, SLA, security policy, and privacy policy; ensuring the contract provides meaningful remedies.
• Lawyers must ensure confidentiality of their clients’ information is protected at all times.
• Lawyers should be aware of the data center location, considering the legal risks associated with data storage in the location.
• Lawyers must ensure ownership of their clients’ information. Don’t choose a provider who obtains ownership.
• Discuss the access to the records. When can your provider cut off your access?
• What happens if the provider goes out of business? What about the destruction of servers?
• Who has access to your client information? For what purposes?
• What procedural and substantive laws oversee the services?
• Does the provider archive data for the proper retention period?
• What happens if your provider doesn’t comply with the terms of service, privacy policy, security policy, or SLA?
• Lawyers must research and assess the provider’s reputation.
• What security measures are in place for the protection of data? Does the provider perform audits regularly?
• Lawyers should compare cloud services available to determine the best solution.
• Lawyers should establish a record management system, documenting due diligence decisions.

Part B: Privacy Considerations

Lawyers are required to ensure their use of cloud computing complies with the applicable legislation. When considering cloud computing, understand the obligations of data confidentiality and complying with specific privacy legislations.

It’s also important to be aware of where the data is stored. In addition, lawyers must inform clients’ of the decision to utilize the cloud. There are many obligations regarding the collection, use, and storage of personal information.

In order to maintain client confidentiality and data security, lawyers must consider the following:

• Choose a provider that offers the same level of data protection required in your location.
• Consider where the data is processed and stored, as well as the privacy laws of that location.
• For what purpose is the provider authorized to collect, use, or disclose data?
• Does the provider have written information security policies?
• Are all third-party contracts required to comply with policies and customer agreements?
• Who will you discuss any problems and concerns with?
• Will your data be separated from other customers?
• Does the provider perform data backup tests on a regular basis?
• Does the provider offer results of a third-party audit conducted recently?

Have questions about cloud computing for your law firm in The GTA?  Call CAT-TEC today and book a time to meet with our cloud services experts.  We are here to help you.  Call (416) 840-6560 or drop us an email at {email}.