Asper Review of International Business and Trade Law: Special Edition - Cybersecurity and Law Firms

Abstract

Several years ago, I came across an American Bar Association guide to cybersecurity for lawyers. It occurred to me that there should be a Canadian equivalent. With the help of my student co-authors, we have attempted to do just that by providing and collating expertise on a wide range of matters, some background information about the security issues involved, and information about the legal norms implicated. We do not presume to offer legal advice as counsel about any particular situation, but rather compose a reference work that can help both lawyers and citizens better recognize and manage various cybersecurity issues. The overall perspective embodied in this book is briefly stated in this preface:

A key aspect to our overall approach is that lawyers consider the whole range of professional obligations and legal norms bearing on cybersecurity issues, as opposed to a narrowminded perspective. Client privacy and security are legally protected and morally compelling, but there are trade-offs with other norms – for instance, the ethical duty to serve a client efficiently and effectively. Near-perfect cybersecurity might be achieved by avoiding the use of emails or text messages to contact a client; however, it would then be difficult to communicate on a timely and effective basis with many clients. Furthermore, there may be some added security risks when a lawyer working at home is able to access their office computer remotely but prohibiting such access might then interfere with the lawyer’s ability to serve the client’s needs, especially urgent ones. Security might be enhanced by limiting information to a few key personnel, but if those personnel quit, become ill or die, the organization may find that information becomes inaccessible to itself as well as potential wrongdoers.

Sometimes security norms are in tension with other norms including those under law society rules requiring retention of client files (for purposes such as holding lawyers accountable in case of client complaints). The challenge for a lawyer is to recognize all the applicable norms involved in addressing cybersecurity and use the necessary ingenuity to comply with all of them to every reasonable extent.