Law Firm Compliance in British Columbia: Client Confidentiality, Trust Accounting, and IT Security Requirements

This is a reference guide for BC law firms summarising the federal, provincial, and professional regulatory frameworks that shape how client information, trust funds, and case files are handled. Hexafusion is an IT services partner, not a legal advisor or compliance advisory firm. Confirm current obligations with the Law Society of BC and qualified counsel.

Federal regulatory framework

Area | Statute or regulator | IT relevance
Privacy (federal) | PIPEDA, OPC | Applies to cross-border and federally regulated matters; safeguards and breach reporting.
Cybercrime | Criminal Code, ss. 342.1 and 430(1.1) | Unauthorised use of a computer and mischief in relation to computer data.
Anti-spam | CASL | Consent logs for firm newsletters and client communications.
Tax records | Income Tax Act, s. 230, CRA | Six-year retention for books and records.
AML (law society path) | Canada (AG) v. Federation of Law Societies of Canada, 2015 SCC 7 | Confirms law society oversight of client identification for lawyers, not FINTRAC.
Federal courts | Federal Courts Rules, Canada Evidence Act | Electronic records admissibility and e-discovery obligations.

BC provincial framework

Area | Statute or regulator | IT relevance
Privacy (provincial) | BC PIPA, OIPC BC | Private-sector personal information regime.
Employment | BC Employment Standards Act | Payroll, hours, and wage statement records.
Workplace safety | Workers Compensation Act, WorkSafeBC | Office ergonomics, incident records.
Human rights | BC Human Rights Code | Accommodation records and complaint confidentiality.
Corporate | BC Business Corporations Act | Corporate records for the firm itself and client entities.
Consumer protection | Business Practices and Consumer Protection Act | Retainer agreement disclosures.
Premises liability | Occupiers Liability Act | Physical access control, video retention.
Electronic evidence | BC Evidence Act | Electronic record admissibility.

Law firm regulators and statutes

The Law Society of BC (LSBC) regulates lawyers under the Legal Profession Act. The Society's rule book covers everything from client identification to trust accounting to electronic records.

  • Legal Profession Act (BC). Enabling statute for the Law Society of BC.
  • Law Society of BC Rules. The Rules set out client identification and verification obligations and trust accounting obligations in separate Divisions. Confirm current Division and rule numbers directly with the Law Society, as the Rules are amended on an ongoing basis.
  • Code of Professional Conduct for BC. Covers confidentiality, privilege, conflicts, competence, and technology competence, which includes a lawyer's duty to understand the technology they use to deliver services.
  • Canada (AG) v. Federation of Law Societies of Canada, 2015 SCC 7. Supreme Court decision holding that key provisions of the federal proceeds-of-crime regime administered by FINTRAC could not constitutionally be applied to lawyers. Law societies instead enforce parallel rules on client identification and cash handling.
  • No-cash rule. A Law Society rule restricting cash receipts above a prescribed threshold. Confirm the current threshold with the Law Society.
  • Trust accounting obligations. The Rules require separate trust accounts, monthly reconciliations, retained source documents, and annual trust reports. IT systems supporting trust accounting need strong access control, audit trails, and backup integrity.
  • Technology competence. The Code expects lawyers to understand the benefits and risks of technology relevant to their practice, including cloud storage and remote access.

Cross-cutting frameworks

  • PCI DSS for card-based retainer payments.
  • HIPAA where the firm handles US-side protected health information, typically as a business associate under contract with a US covered entity.
  • NIST Cybersecurity Framework and CIS Controls as benchmarks.
  • SOC 2 as a due-diligence artefact for cloud practice management, document management, and e-discovery vendors.
  • Cyber insurance underwriter expectations. Multi-factor authentication, endpoint detection and response, tested backups, phishing training, an incident response plan, and vulnerability patching.

Law firms sit in a particularly exposed position because solicitor-client privilege makes a successful intrusion legally as well as operationally damaging: the firm has to deal with the privilege consequences of the disclosure, not just the technical loss. The Law Society of BC's Code of Professional Conduct builds in a technology competence expectation precisely because the risk surface has moved from paper files in a locked cabinet to cloud document management, mobile devices, and third-party e-discovery platforms. The same controls that cyber insurance underwriters ask for (multi-factor authentication, endpoint detection and response, tested backups, phishing training, a written incident response plan, and vulnerability patching) also demonstrate the reasonable care the professional conduct rules expect and support the safeguards obligations in PIPEDA and BC PIPA, although on their own they do not guarantee compliance with either statute.

How IT controls map to the regulatory stack

  • Retention schedules across practice management, document management, email, and backups, aligned to Law Society of BC file retention expectations.
  • Access logs at the matter level, with ethical wall configurations for conflict management.
  • Encryption at rest and in transit, with full-disk encryption on endpoints and servers and TLS on all remote access.
  • Written breach response plan aligned with PIPEDA Breach of Security Safeguards Regulations and BC PIPA, with privilege considerations documented.
  • Tested backups and disaster recovery with offline or immutable copies protecting trust records.
  • Managed detection and response (MDR), endpoint detection and response (EDR), MFA, and patching across partner, associate, and staff endpoints.
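The matter-level access control and ethical wall point above is the one most often implemented inconsistently, so here is an added illustration of the logic a reviewer expects to see: a default-deny check that evaluates the conflict screen before team membership and records every decision, allowed or denied, in an audit trail. This is example code written for this page, not Hexafusion's code or any practice management product's. All user names, matter identifiers, and team assignments are constructed for the example.

```python
"""Matter-level access check with ethical-wall screening and an audit trail.

Added example for this page, not code from Hexafusion or any practice
management product. Every user, matter, and team below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Matter:
    matter_id: str
    team: frozenset                      # users assigned to the matter team
    screened: frozenset = frozenset()    # users walled off by a conflict screen


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user: str
    matter_id: str
    action: str
    decision: str
    reason: str


class MatterAccessControl:
    """Default-deny authorisation for per-matter document access."""

    def __init__(self, matters):
        self._matters = {m.matter_id: m for m in matters}
        self.audit = []  # every decision, allow or deny, in order

    def check(self, user, matter_id, action="read"):
        matter = self._matters.get(matter_id)
        if matter is None:
            allowed, reason = False, "unknown matter"
        elif user in matter.screened:
            # The wall is evaluated before team membership, so a screened
            # lawyer who is later added to the team is still denied.
            allowed, reason = False, "ethical wall"
        elif user in matter.team:
            allowed, reason = True, "matter team member"
        else:
            allowed, reason = False, "not on matter team"
        self.audit.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, matter_id=matter_id, action=action,
            decision="allow" if allowed else "deny", reason=reason))
        return allowed

    def denied_events(self):
        """Denied attempts are the entries an assessor or regulator asks about."""
        return [e for e in self.audit if e.decision == "deny"]


def build_demo_acl():
    """Constructed matters: M-1001 and M-1002 are opposite sides of one
    dispute, so each side's team is screened from the other's file.
    M-1003 shows the wall overriding team membership for carol."""
    return MatterAccessControl([
        Matter("M-1001", team=frozenset({"alice", "bob"}), screened=frozenset({"carol"})),
        Matter("M-1002", team=frozenset({"carol", "dave"}), screened=frozenset({"alice", "bob"})),
        Matter("M-1003", team=frozenset({"alice", "carol"}), screened=frozenset({"carol"})),
    ])


def run_demo():
    acl = build_demo_acl()
    results = {
        "alice->M-1001": acl.check("alice", "M-1001"),
        "carol->M-1001": acl.check("carol", "M-1001"),
        "dave->M-1001": acl.check("dave", "M-1001"),
        "bob->M-1002": acl.check("bob", "M-1002", action="write"),
        "alice->M-9999": acl.check("alice", "M-9999"),
        "carol->M-1003": acl.check("carol", "M-1003"),
    }
    return results, acl


if __name__ == "__main__":
    results, acl = run_demo()
    for key, allowed in results.items():
        print(f"{key}: {'allow' if allowed else 'deny'}")
    for e in acl.denied_events():
        print(f"{e.timestamp} DENY {e.user} {e.action} {e.matter_id} ({e.reason})")
```

The ordering of the checks is the security-relevant detail: if team membership were tested first, adding a screened lawyer to a matter team by mistake would silently breach the wall. In a real document management system the same decision would be enforced by the platform's permission model, but the audit entries, including the reason for each denial, are what a Law Society review or a privacy commissioner's access-log request actually consumes.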

Two patterns show up repeatedly in BC law firms that handle these controls well. First, they document the current state of their technology environment and match it against a control catalogue (NIST CSF or CIS Controls are common choices) so that gaps become visible rather than hiding inside day-to-day operations. Second, they assign a named owner for each control, typically a managing partner, director of operations, or chief operating officer: one person accountable for MFA coverage, one for backups, one for retention, and so on. That division of ownership is what stops a shared-drive policy document from becoming shelfware. The firms that struggle are usually those that bought a set of tools without tying them to a documented policy, or that documented a policy without ever checking that the tools enforce it.

When the Law Society of BC conducts a compliance audit, the evidence requests typically cover trust accounting records, client identification records, file retention, and the firm's approach to technology and security. When a privacy commissioner opens a file, the requests centre on the privacy management programme, safeguards, breach procedure, and access logs. When an insurer renews cyber cover, they want to see the same controls described in underwriting terms. A firm that has invested in core technical controls can meet all three with the same set of artefacts, which is the argument for treating IT, security, and professional compliance as one programme.

Where Hexafusion fits

Hexafusion operationalizes the IT controls that support BC law firms' professional obligations. That includes practice management and document management infrastructure, Microsoft 365 hardening, encryption and key management, ethical wall configuration, retention tuning, and the written documentation that supports Law Society of BC reviews or insurer questions. Our founder's PCI DSS Internal Security Assessor background means we understand what a third-party reviewer wants to see in an evidence package.

We do not practise law, do not interpret the Code of Professional Conduct, and do not act as counsel. Those roles belong to qualified lawyers and the Law Society of BC's practice advisors. For the law-firm IT service companion to this reference, see our law firm IT support Vancouver page.

Common questions from BC firms at the intake stage include how to handle cloud document management without running into jurisdictional concerns around client data, how to scope privileged access to client files across multiple matter teams, how to build an email retention schedule that does not erase matters before the limitation period expires, and how to run a tabletop exercise that covers a ransomware event without exposing actual client information. Each of these has a technical answer that flows from the same underlying architecture, which is why a firm that builds the architecture once can answer each question quickly rather than improvising each time.

Frequently Asked Questions

Who enforces law firm compliance in BC?
The Law Society of BC regulates lawyers under the Legal Profession Act. OIPC BC enforces BC PIPA. OPC enforces PIPEDA where it applies. Courts handle professional conduct issues that arise in related proceedings.

Does Hexafusion provide legal advice?
No. We are an IT services provider. Legal and compliance interpretation belong to qualified lawyers and the Law Society's practice advisors.

How do IT controls map to law firm compliance rules?
Access controls, encryption, audit logs, retention, tested backups, and documented incident response provide technical evidence for privilege, trust records, and privacy obligations.

How does law firm compliance overlap with cyber insurance?
Insurers require multi-factor authentication, endpoint detection and response, tested backups, phishing training, incident response plans, and vulnerability patching. These controls also support Law Society of BC obligations.

What records must my law firm retain?
The Law Society of BC Rules set retention obligations for client files and trust records. Confirm current periods with the Law Society. Tax and employment records follow federal and BC legislation.

Does FINTRAC apply to BC lawyers?
No, not directly. In Canada (AG) v. Federation of Law Societies of Canada, 2015 SCC 7, the Supreme Court held that key provisions of the federal proceeds-of-crime regime administered by FINTRAC could not constitutionally be applied to lawyers. The Law Society of BC instead enforces parallel client identification and cash-handling rules.

Disclaimer

This reference guide provides general regulatory context for BC-based law firms. It is not legal or compliance advice. Confirm current requirements with the Law Society of BC and qualified counsel. Hexafusion is an IT services provider and does not provide legal advice. Where the statutes above provide for administrative monetary penalties, the maximums are set by statute and change over time; confirm current amounts with the relevant regulator.

Reviewed by Alex Barari, Founder, former PCI DSS Internal Security Assessor (ISA).

Need help with the IT side of compliance?

Request a scoped assessment. We review your technical safeguards against the evidence an assessor, regulator, or insurer expects, and deliver a written report.