Law Society Data Compliance: What Small Firms Must Have in 2025

August 27, 2025 · 6 min read

Law Societies in Ontario, British Columbia, and Alberta have tightened cybersecurity expectations for member firms. Compliance now covers not just trust accounting but also how you store, access, and protect all client data.

What Law Societies now expect

The Law Society of Ontario's practice management guidelines and the Law Society of BC's cybersecurity resources both reference PIPEDA compliance and best practices including: encrypted storage of client data, role-based access controls, documented incident response procedures, and regular staff security training.

These aren't mandatory in the way trust accounting rules are — yet. But regulatory guidance creates a standard of care. A breach that could have been prevented with standard controls, at a firm that ignored available guidance, creates professional liability exposure alongside PIPEDA obligations.

The four technology requirements

  • Encrypted storage. Client files on unencrypted laptops or personal cloud storage (consumer Dropbox, personal Google Drive) are a compliance gap. Use encrypted cloud storage with proper access controls — Clio's document storage, NetDocuments, or ShareFile.
  • Multi-factor authentication. MFA on all cloud accounts is the single highest-impact security control available. Enable it everywhere, without exception.
  • Documented incident response. A one-page plan: who is notified within 24 hours of a suspected breach, how to contain it, and how to assess PIPEDA notification obligations.
  • Regular access reviews. Former staff, students, and contractors should lose access the day they leave. Quarterly access reviews catch lingering accounts before they become incidents.
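
One way to run the quarterly access review and the MFA check from the list above, as an added example that is not code from this post or from any vendor named in it. It assumes the staff roster and the cloud account export are both available as CSV; the column names, addresses, and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions, adapt to your provider's export.
ROSTER_CSV = """email,role,end_date
partner@example-firm.test,lawyer,
clerk@example-firm.test,staff,
student@example-firm.test,articling student,2025-06-30
contractor@example-firm.test,contractor,2025-09-15
"""

ACCOUNTS_CSV = """email,status,mfa_enabled
partner@example-firm.test,active,true
clerk@example-firm.test,active,false
student@example-firm.test,active,true
contractor@example-firm.test,active,true
old-scanner@example-firm.test,active,false
former@example-firm.test,disabled,false
"""

def load_roster(text):
    """Map email -> departure date (None while the person is still with the firm)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        end = row["end_date"].strip()
        roster[row["email"].strip().lower()] = date.fromisoformat(end) if end else None
    return roster

def review_access(roster_text, accounts_text, review_date):
    """Return sorted (email, finding) pairs for every active account that needs action."""
    roster = load_roster(roster_text)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_text)):
        email = row["email"].strip().lower()
        if row["status"].strip().lower() != "active":
            continue  # already disabled, nothing to revoke
        if email not in roster:
            findings.append((email, "active account with no owner on the roster"))
        elif roster[email] is not None and roster[email] <= review_date:
            findings.append((email, f"owner left on {roster[email]}, access not revoked"))
        if row["mfa_enabled"].strip().lower() != "true":
            findings.append((email, "MFA not enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for email, finding in review_access(ROSTER_CSV, ACCOUNTS_CSV, date(2025, 8, 27)):
        print(f"{email}: {finding}")
```

Accounts with no owner on the roster, such as shared or device logins, are flagged separately from departed staff so each can be assigned an owner or disabled.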

PIPEDA on top

PIPEDA applies independently of Law Society rules. Client information collected in the course of legal representation is personal information under PIPEDA. Breaches meeting the "real risk of significant harm" threshold must be reported to the OPC and affected individuals within a reasonable time.

A free Intake Process Audit reviews your data handling practices alongside your intake workflow.
