In this Free Training Friday webinar, hear from our cloud solutions expert on how to move to a Private Cloud, and how Abacus Private Cloud helps you comply with laws like PIPEDA (Personal Information Protection and Electronic Documents Act).
About Free Training Friday: Since the beginning of 2017, we have been holding these free, 30-minute training hosted by our industry-leading experts and innovators who will teach you about AbacusLaw, Amicus Attorney and the Abacus Private Cloud. Since then, we have expanded to also provide free Results CRM and OfficeTools Software trainings. If you would like to request a topic, please email firstname.lastname@example.org.
Hello everyone. Good morning. If you could please just verify that you can not only hear my voice, but see our shared screen. Just go ahead and raise your hand or just drop us a line in the chat pane. That would be fantastic. All right. Who do we got? All right. We have one hand raised. we have two hands raised. Great. Okay. Fantastic.
Well, good morning, good afternoon, where ever you're joining us from. My name is Andrew Perez. I'm online content manager here at AbacusNext. Thanks for signing up for our webinar, Understanding Canadian Data Hosting. Before we get started, just a couple quick housekeeping notes. Please feel free to submit your questions through out the presentation using the chat panel. We're going to go ahead and answer your questions in the order we receive them at the end of the presentation. This presentation will be about 15 to 20 minutes, and we'll tack on another 10 minutes or so Q&A at the end. Without further ado, I'd like to introduce our speaker today, Paul Fihrer. Paul is senior solutions consultant here at AbacusNext and has some great insight into our topic today. Without further ado, I'll hand it over to you Paul.
Thank you. Again, good morning or good afternoon to everybody. Here is the agenda today. We're going to talk a little bit about PIPEDA and high data protection across all provinces. I am going to encompass some of or talk a little bit about the law society and how we can help you with that.
With that, let's talk a little bit about one of my pet peeves and that's some of the acronyms. Obviously, the PIPEDA which is the personal information protection and electronic document act, which actually is what we're going to be talking about here. One of the things I wanted to start off with is there's a lot of misinformation around the Canadian privacy laws and I wanted to actually just take a second and look at this and have you understand that really, while I'm talking about this, all of these roll up into the PIPEDA act. When you're looking at these, all of these are at the provincial level, and these all roll up into the Federal level. I'm going to talk about these. These are just acronyms that exist out there when I'm talking about these at the provincial level, and at the Federal level.
What is PIPEDA? PIPEDA is in its basic form, it governs how you manage or collect data both for private sector and for pubic sector. That's really what it is. How you collect personal information for both public sector and private sector. What's important about that is there are basically five key elements that I need to worry about when it's personal, identifiable, information. I need to collect with consent. I need to limit the purpose. Limit the purpose means it needs to be fore what I am using it for. It needs to be accurate and what that means is that it needs to always be updated. It needs to always be correct. The last one, which actually is extremely important, it needs to be stored securely. Then, on top of all of this, the last line, you can see I'm highlighted there, which I think people mostly sort of underestimate, it is your responsibility to protect that data. Outside of all of this, it is your responsibility to protect that data.
What data are we protecting? That's really, as you can see I'm drilling down into what are we doing here. It's the personal, identifiable information. This is the data that we're actually protecting, things like most people collect things like age, person's name, in context of a law firm you might be collecting, if you're a personal injury law firm, you might be collecting medical records. If you're a litigation firm, you might be collecting employment records. If you are an immigration law, you might be collecting personal information. You can see I have an example to acquire goods and services. Most law firms do goods and services in some context. Really, that's a very broad term, but if you're connecting any kind of personal information, you have to secure that information. Later on, I'll talk about how you can secure that information.
Are all provinces the same? That would be the next logical question. Let's start off at the Federal level, and then talk about at the province, because that's important. One of the things in doing the research for this and clarifying what I understood from PIPEDA is that even though you have to adhere to the provincial acts, it all rolls up into the Federal act. You have to adhere to the provincial act, and you have to adhere to the Federal act. That's what this is saying here, is you first have to adhere to the Federal act, and the provincial actually supersedes the Federal act as well here. That's what it's really saying here.
There are absolutely differences between the provinces and I wanted to highlight that. Quebec, British Columbia, New Brunswick, Nova Scotia and Alberta are the most stringent and I would actually say that British Columbia, or BC and Quebec tend to be have the most rigor around the rules or the act, mostly because they came out with the rule sets or the act first. In fact, British Columbia was the leader in the industry when it came out privacy laws. Most of the provinces and territories tend to follow them. One caveat that you'll see, I've actually put here is, and this is a common thing that I actually hear people talk about, is that oh you can't take data outside of Canada. I'll clarify my understanding. I'm not a lawyer, but this is my understanding of how the acts are is if you are a Federally funded or a Federal organization, if you are in British Columbia, Ne Brunswick or Quebec, you have to keep the data inside of Canada. Typically, I'll hear oh I'm in BC. I have to keep the data in BC. That's actually not true.
If you are a Federal or a provincial organization, you actually have to keep the data in Canada. There are however, some caveats to that. You can actually apply to get a think it's called a writ to actually take the data out for special reasons. Now, we're talking about law firms here. As a private entity, you don't necessarily have to keep the data in, but it is suggested that you keep the data in Canada. That's the big, real difference where people sometimes don't understand. The reality is, that they are more rigorous, and what I mean by more rigorous, we'll talk a little bit about this later, they try and talk about things like security, how the data should be kept, where it should be kept. Those are the type of things that they talk about.
Then the other provinces and territories are very, very almost identically aligned so they've written their acts to almost identically if not exactly the same aligned with PIPEDA. They're exactly the same so they don't differ from an act perspective.
What does the Law Society say? I though that would be relevant to this conversation. What the Law Society says are two pretty much similar things. They either, and I'll just stop here and say that, I didn't look at every single Law Society because I'll be honest. I didn't look at the territories. I look at pretty much most of the provinces. What they say is they either refer to the BC Personal Information Protection Act. If you remember what I said, the Personal Information Protection Act, will roll up into the Federal act. In fact, on the Alberta Law Society, they specifically reference the BC Personal Information Protection Act. These are suggestions. They are not mandates. They will reference where to go to, and what to do. They're actually references. They'll even do that. Or, like Ontario, they will actually say reasonable and responsible expectations. I'm going to tell you what I understand as a reasonable and responsible expectation. Again, I will talk about reasonable and responsible expectations on when I talk about what to do next. Everybody has a different understanding of what I believe reasonable and responsible expectations are.
Let's talk about what would you do next based on what I just talked about. Everything I've just talked about we hear about these things all the time. There's tons of cyber threats out here. When we talk about patient information. I just talked about the fact that you have to keep information secure, the PII for employee client information you have to keep secure. Information is being held for hostage by ransomware. There most data is not encrypted at rest which just means if it's on your server, on your computers, in your office, it is probably not encrypted. Most end users are not techno savvy. Most lawyers by nature are lawyers not technologists. Cyber criminals can use that to their advantage.
You look at this chart here, I talk about reactive approach versus proactive approach. Reactive approach is you having a server on your premise, versus putting that data in a protected environment in the cloud somewhere, in an environment which we call APC or Abacus Private Cloud. If you look at that, I'm only, because I have 15 minutes, going to talk about one small aspect. That was part of the Canadian privacy laws, and that's the security part. How do I secure my data from some of those threats out there? If you look at it, can I secure this data from critical threats on premise? That means 24 hours a day, seven days a week, I have somebody monitoring my data all the time. On a private cloud system, I have that. Do I know that somebody has access to my data, somebody can walk into my office, at 3:00 in the morning, and pick up my server. Do I have key card access, 24 hours a day, 7 days a week? That's physical kind of access. Not just somebody coming in to my server.
If I look at that, and there is a number of things here that I'm brushing over, things like 24/7 monitoring of the system, compliance things like am I doing updates on my servers all the time? Security can be a lot of different things to a lot of different people.
If we look at just security and compliance, there are a lot of things on this list. I'll just pick a few that I've talked about already. A couple of things like encryption, SSAE 16 and SOC 1, SOC 2. These are independent reports done by auditors on a data center to say that you are compliant and that all of your things like your updates are done. You have people, the right people in the center at the right time. They have been validated. They have the right security privileges. PCI compliance, if you are taking credit cards from people. You have the right security, the right encryption. They are stored correctly. If you're taking credit card information, there are mandates by the government that you have to adhere to. All of this is adhered to. All together things that go around that. Security analysis, are you looking at the servers 24 hours a day and maintaining the integrity of the servers so that no one is doing malicious attacks on the servers?
Again, biometric authentication. If somebody does come on premise, they are authenticated not just with a key, not just with a keycard, but with their eyes.
Somebody just asked a question on the chat channel. Typically I actually answer those questions at the end of the presentation but I'm happy to answer right now, because it's actually the next slide. Fortuitous question, Jason. The data center this is a screen shot of the data centers. Our data centers are in Montreal and our primary data center is in Toronto. Perfect timing for a question. Our primary center is in Toronto, and our back up data center is in Montreal today. There you go. The provinces are obviously Ontario and Quebec.
From a data perspective, one of the things that we can provide to you is applications anywhere and any time. What I've been talking about specifically is security, and endpoint network means end to end encryption and compliance. You don't have to worry about any of that data being stolen from end to end, full support 24 hours a day, disaster recovery, and so that you have business continuity. A turn key solutions. Turn key solution meaning one number to call and again, we talked about the data centers being in Toronto. A predictable OPEX model, so from a business model, you know where your value us.
Just from a timing perspective, in conclusion, the slide that's obviously here has to be shared. The key here, now that I've shown you all this, is it is your responsibility to comply with both the provincial and Federal laws and that key statement. It is your responsibility to make sure that you are handling the data. You are securing the data and you know where the data is at all times.
Q & A
How are the data centers in the UK and US related to all the respective province?
They are separate and independent. We have nine data centers in the US and two data centers in the UK. There are separate and distinct laws in the US set forth by the Patriot Act and there are European Union laws. The union laws are completely separate and distinct in the UK. We always have a mirror site like in the UK and Canada that are separate and distinct. For that purpose, we do not mirror data into the US or to the UK due to PIPEDA laws.
What application offering does AbacusNext provide?
We can offer any application from an application perspective - Think of it as a desktop, the Windows desktop that you have on your PC today. If you had Windows with an Office suite, Adobe and any other application that you have, the experience that you have would be exactly the same. All we're doing is delivering that through a remote desk, an encrypted remote desktop to your laptop, your desktop, your tablets and even your phone if you wanted to. Obviously, a phone is a much smaller device. The key here that it is, we are a pure, private cloud, so it is a virtual environment that is yours and yours alone. We are not mixing and matching processes, servers, or anything else. It is your organization's environment.
What are the bandwidth requirements for an organization to drive this encryption remote desktop?
The bandwidth requirement is what we typically refer to as a one to one. For each client, we require a one megabyte up and a one megabyte down. We typically have partners that can help you.
Are you purchasing the application or is it a subscription based? Who owns the application?
We are not just a private cloud provider. We also have our own applications. I'll give you an example of something like Amicus Premium or Abacus, which are both product management solutions. If you have one of those applications inside of Amicus Premium. If you have Amicus Premium, you actually don't license it. We actually give that to you for free. Adobe Reader is a free license, but some of our users use Quick Books, which is licensed - It depends on the application.
Then, on top of that, if we're bringing clients over, if you already have a license. you will not have to re-license it. We will take those licenses and bring them in to the APC environment. It's part of the whole subscription license, including the virtual environment. You're not buying additional licenses to house in there. We will take over your licensing inside of it. We don't charge for the products. We charge for the subscription of the system.
What is the set up transaction fee in the effort to move or import local server applications in the Abacus Cloud?
That's a little bit tougher to answer, simply because it is a client by client, we'd have to look at your specific environment. We do what's called a technical assessment of your specific environment and will provide you with a quote based off our initial assessment.
As I stated earlier, nobody shares any resources. We come in and say, you have this, this and that. You're going to fit this, this, and this. We will customize it specifically for you. I can't give you that specific answer. I'd have to sit down with you and do an actual technical assessment.
What is the process for recovering a file or a backup?
There are two answers to that question. We have built in version control into the application. so If you want to recover a file, you can do it yourself. You can also call us and we can show you how to do it if it's just a file. We conduct daily backups which is why we always have two physical sites for disaster recovery. Additionally, you can pay us to do more for your back ups, including reinforced disaster recovery and more backups, many more times a day. For example, if you want to do four or six hours, every four hours a day for disaster recovery, then you would call us if you wanted us to do a disaster recovery and recover that data; It all depends on what you're trying to do.
What's the estimated charges for a 10 user firm?
To answer that we'd have to conduct a technical assessment. I would encourage you to call in and talk to a sales person. They would actually get somebody like me involved, and I could do a technical assessment then.
Want more Free Training Friday? Register for upcoming webinars here!