I have given a presentation on lawyer use of technology and risks related to confidentiality for over 10 years, twice a year. The audience is lawyers new to Ontario and it’s amazing how consistent the questions and concerns are, year to year. In the past, I’ve posted about my presentation but I find the questions far more interesting to look at.
The paper I’ve been handing out for the last 2 sessions is here. Posts about previous sessions are tagged under confidentiality. In a nutshell, my early sessions – back in the aughts – were focused on specific technologies and products. But over time, a lot of the technology is embedded now and it really comes down to how it is used by the lawyer.
A perennial concern for a lawyer with client confidential information is losing it. We’ve moved from DIY to many devices coming pre-encrypted. If you’re using an Apple iOS device or a recent Samsung device, chances are it’s already turned on.
The concept is still unfamiliar to some people though. One of the most basic questions I get – and plan time around – relates to what encryption does. The biggest challenge seems to be conceptualizing the unwrapping and re-wrapping of your data.
One change I’ve made is to avoid even talking about how a technology works. No-one cares and fewer understand. Lawyers don’t need to understand the ins and outs of encryption any more than they need to understand the tensile strength of toaster elements. They need to understand what it does – and what it doesn’t do.
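The post deliberately stays away from how encryption works. For readers who nonetheless want the "wrapping and unwrapping" picture made concrete, here is a small Python demonstration added for this page; it is not code from the original post or from the Law Society. It uses a toy stand-in for a real cipher (a keystream built from HMAC-SHA256 plus a separate authentication tag, standard library only), an assumed PBKDF2 iteration count, and invented names (`wrap`, `unwrap`, the sample client note). What it shows is the practical point in the text: the wrapped data reveals nothing, the right passphrase unwraps it, a wrong (or lost) passphrase gets you nothing, and tampering is detected. It does nothing for data once it is unwrapped, which is why device lock and access control still matter.

```python
"""Added illustration of what encryption does and does not do.
Toy construction for demonstration only: HMAC-SHA256 counter-mode keystream
plus an HMAC tag, keys stretched from a passphrase with PBKDF2. For real
files rely on the device's built-in encryption or a vetted library."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed value for the demo, not a recommendation


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    # Stretch the passphrase into two 32-byte keys: one drives the keystream,
    # the other authenticates the wrapped blob.
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: concatenate HMAC(key, nonce || counter) blocks until we
    # have enough bytes to mask the data.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def wrap(plaintext: bytes, passphrase: str) -> bytes:
    """'Wrap' the data: output is salt || nonce || ciphertext || tag."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def unwrap(blob: bytes, passphrase: str) -> bytes:
    """'Unwrap' the data; raises ValueError on a wrong passphrase or tampering."""
    if len(blob) < 64:
        raise ValueError("blob too short to be a wrapped record")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    # Check the tag first: a wrong key or a modified byte both fail here, so
    # the caller never sees garbage that looks like a decrypted document.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or data tampered with")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def demo() -> dict:
    """Walk through the four things the post says a lawyer should know."""
    note = b"Client: Jane Doe. Matter: constructed sample for the demo."
    passphrase = "correct horse battery staple"  # stand-in for a manager-generated password
    blob = wrap(note, passphrase)
    result = {
        # 1. The wrapped blob does not expose the client name.
        "plaintext_visible_in_blob": b"Jane Doe" in blob,
        # 2. The right passphrase unwraps the data exactly.
        "roundtrip_ok": unwrap(blob, passphrase) == note,
    }
    # 3. A wrong (or forgotten) passphrase yields nothing, not a partial read.
    try:
        unwrap(blob, "wrong passphrase")
        result["wrong_key_rejected"] = False
    except ValueError:
        result["wrong_key_rejected"] = True
    # 4. Flipping one bit inside the ciphertext is detected, not silently read.
    tampered = blob[:40] + bytes([blob[40] ^ 1]) + blob[41:]
    try:
        unwrap(tampered, passphrase)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The one thing the demo cannot show is the most important caveat from the talk: after `unwrap` returns, the note is ordinary plain bytes again. Encryption protects a lost or stolen device that is locked; it does nothing for an unlocked screen or an account with a weak password.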
The audience for this seminar comes from all over the world, so I’ve tried a variety of analogies. The peanut M&M is an easy one but I think I’m going to go with a wrapped boiled candy in future. It’s something that you can demo rather than just describe or put on a PowerPoint slide.
A core theme is access control. Who can access the information (lawyer, staff, supervised consultants) and how do you limit what, when, and how they can access it. Passwords are key and my entire focus now is:
- use a password manager
- don’t save them in your web browser
- and use a password manager
All of the password generation issues – how many characters, what types of characters, etc. – tend to be mandated by the login process and are managed by the password manager anyway.
One lawyer asked about biometrics. But biometrics aren’t passwords.
My answer was that I didn’t think they were a good alternative to strong unique passwords. Two reasons:
- you only have one retina and one fingerprint (okay, you have 9, but you know what I mean) and if the source maintaining your biometric loses it, it’s lost its value;
- we do not seem to be able to create devices that rely on biometric unlocking that can’t be fooled by ersatz fingerprints and faces and voices.
You shouldn’t be able to unlock anything with just a biometric. If they’re good for anything, they might work as an authentication tool. Instead of using an authenticator app, you’d use your thumbprint.
But if security is improved by reducing friction, and made worse by increasing friction, I don’t see this as a big savings. The time for me to look up a two-factor authentication code from my authenticator app is probably pretty similar to whatever connection I’d have to have between my phone (onto which I’d press my thumb) and the system I’m authenticating against.
Perhaps the most common questions I get asked relate to cloud computing. Yes, I wrote a book on that. You can read it at your local public library. This topic is so old my book is out of print.
The advice around the cloud hasn’t changed. It’s not for everyone but if you don’t have a particular reason to avoid it, there’s no reason not to. The smaller your law firm, and especially if you’re a solo, the more benefit you can get from it.
Don’t use the cloud if your clients don’t want their information in it. Or get different clients. Don’t use the cloud if you have reason to think you’re the target of hostile nation-state actors. Otherwise, using services like Microsoft 365 or Google in the cloud is usually a better option than trying to run your own servers in-house. Many cloud-based software offerings for lawyers are running on Microsoft or Amazon AWS cloud servers that are maintained and protected far better than most solo and small firm servers.
But what about the regulator? Well, there are no rules prohibiting the use of cloud technology. Some jurisdictions may require you to limit where you place your data to a particular jurisdiction (only in Canada, for example) but that tends to be straight up regulatory, not professional conduct.
I think you’ll find it’s the rare lawyer regulator that isn’t using cloud-based technology. Our web site runs on Microsoft’s Azure cloud hosting, for example. You can see what internet-facing sites are using by going to Builtwith.com and typing in the URL of the site.
Here’s the Builtwith result for https://lso.ca:
We have other systems that are externally hosted in cloud or cloud-adjacent environments, including email servers and our online store. The point being, cloud has supplanted a lot of on-premises applications even at highly conservative organizations like regulators.