Cloud Security Myth: Client Data Stored in Canada More Secure

By Daniel Levine

I build and sell legal technology for corporate lawyers and law firms to help them modernize their practice, find efficiencies and better serve their clients.

One of the key attributes of modernizing the tools and software used by law firms is migrating to cloud solutions, which offer greater reliability, features and security vis-a-vis on-premises software solutions. Despite the benefits, I routinely encounter the great myth of cloud technology within the first few minutes of any call, notably “Where is the data stored?” or “Is everything stored in Canada?”

Particularly telling is not that this question is raised at all, but often that it is the first, the only or the paramount cloud-related inquiry. The legal profession should be lauded for investigating before adopting, but in some cases asking the wrong questions can be more harmful than asking no questions, lest the user satisfy him or herself with a false sense of security.

As security experts well know, data residency does not provide any additional material security. In our case, we confirm with our clients that, indeed, all data is stored in data centres in Canada. Our choice to host data in Canada, however, is one part incidental and one part reactionary to market demands, rather than a decision made in furtherance of our security infrastructure.

Lawyers have long been the greatest safeguard of confidential client information. It may be that the data residency demand is a hangover from the lawyer’s traditional role as physical custodian of confidential client information. Alternatively, the misapprehension may relate to the lawyer’s interpretation of vague or altogether absent law society rules and guidelines, or in some bona fide cases, the interpretation of statutory obligations. In other cases, the lawyer may simply be the conduit of his or her own client’s misapprehensions, and in turn, demands on data security. Notably, banks are still quite hesitant to embrace the cloud for many modern enterprise needs for which the cloud is best suited. Whatever the case may be, if security is the underlying premise, then it is a false premise.

Understandably, the minor (but significant) nuances of cloud-based software security go beyond what most lawyers can be expected to fully appreciate. However, much like we expect trusted counsel to guide and educate us through a complex legal deal, it behooves the cloud technology provider to educate the lawyer customer away from falsehoods and myths that could result in serious harm to the integrity and security of client data.

The belief that a law firm’s data is more secure if it is stored in one place over another is perhaps the greatest and most controversial myth of cloud security. And “security” here should be read broadly, but largely to mean that data is available to those that are authorized and unavailable to those that are not.

To be sure, there are rational and legitimate reasons grounded in law why a lawyer may insist on particular requirements of data residency. For example, governing law and choice of forum in the rare case of adjudication, as well as preferring the legal standards for unreasonable search and seizure of one’s own country, are all valid concerns. Network performance, by virtue of more proximate servers, may be another bona fide (though likely immaterial) reason to care about data residency.

In practice, however, the world’s largest cloud infrastructure providers, Amazon, Microsoft and Google, the ones your data is most likely to live on, are all American companies with American choice of law provisions in their terms of service (for North American customers, at least).

Belief in protection from unreasonable search and seizure by state actors or three-letter agencies is, at best, illusory. The unfortunate truth is that data residency will not provide protection against unauthorized access by state actors (there are, of course, other methods of safeguarding cloud data from this form of intrusion, but that is beyond the scope of this article).

Of the many revelations from the leaks of Edward Snowden, one in particular is illustrative. The Five Eyes (FVEY) — the signals intelligence alliance of Canada, the United States, Australia, New Zealand and the U.K. — routinely and knowingly spy on the citizens of States Parties and share that intelligence back to the home country to circumvent domestic laws.

In 2013, a national scandal revealed that the Canadian spy agency, the Canadian Security Intelligence Service (CSIS), engaged the New Zealand government to spy on Canadian citizens. Federal Court Judge Richard Mosley chastised CSIS for “outsourcing” its spying on Canadians and deliberately keeping the government in the dark.

Corporate espionage is no small black-market industry. I would be remiss not to point out that law firms, through the long-standing legal principles of privilege and confidentiality, are often the chief custodians of their clients’ most sensitive and valuable data (holding trillions of dollars’ worth of trade secrets representing the largest global corporations), making them ideal targets not only of malefactors, but of misbehaving state actors as well. The release of classified government documents confirms the long-held belief of the information security industry that data residency provides no material security advantage against state actors either.

Lawyers are not wrong for asking questions about data residency. However, problems arise where the responsible lawyer prefers a domestic cloud vendor on the false premise that his or her client data is more secure than with a foreign provider, where that foreign provider might otherwise provide stronger data safeguards.

As lawyers and law firms continue to modernize their practices and shift to the cloud, the following ought to be kept in mind. All else being equal, domestic data residency requirements may pose no harm, but in a world of immensely varying and inconsistent security standards among vendors, a preference for domestic data residency may in fact put your client’s data at risk. A preference for encryption standards should come before a preference for data residency.

Daniel Levine is an entrepreneur and former litigator. He is co-founder of MinuteBox Inc., a modern and secure cloud-based legal entity management platform. He leads a team that is helping the legal industry modernize and innovate without sacrificing client security or confidentiality.

This article is presented by LexisNexis on behalf of the author. The opinions may not represent the opinions of LexisNexis. This document is for educational purposes only.

 

The Lawyer's Daily
