Law Society of BC Technology Practice Standard 2026: A Compliance Checklist for Vancouver Law Firms
If you manage technology for a Vancouver law firm in 2026, the Law Society of BC has not issued a single "Technology Practice Standard" document — but the obligations are scattered through the Code of Professional Conduct for British Columbia, the Trust Accounting Rules, and a series of Practice Resource papers from the Law Society's Technology and Practice Standards Committee. Pulled together, they form a coherent set of expectations that every BC law firm needs to meet, regardless of size.
This checklist is the operational version of those obligations. We use it as the discovery framework when we onboard a new Vancouver law firm and as the recurring review framework once a firm is under our managed program. Use it to benchmark where your firm sits today, and to plan the remediation work for the next 30 to 90 days.
Why this matters now, in 2026
Three things have changed in the last 24 months that make this checklist meaningful.
First, the threat landscape. Ransomware groups now specifically target professional services firms because the data is sensitive, the disruption is total, and most firms carry cyber insurance. The Canadian Centre for Cyber Security flagged law firms as a top-five SMB target in their 2025 Threat Bulletin. A 15-person Vancouver firm losing access to its document management system for two weeks is no longer a hypothetical scenario.
Second, the cyber-insurance market. Insurers have hardened underwriting requirements dramatically. Renewal applications now ask explicit questions about MFA enforcement, EDR deployment, backup testing, and documented incident response plans. Firms unable to answer "yes" with evidence are seeing premiums double, deductibles triple, or coverage refused outright.
Third, the Law Society's expectations. The Code of Professional Conduct's commentary on competence (Rule 3.1-2) increasingly references the duty to maintain reasonable understanding of relevant technology. Trust Account audits and Practice Reviews now ask about technology controls, supervision of IT service providers, and incident response procedures — not just paper records.
The 12 controls every Vancouver law firm needs
Below is the checklist we use during a Click One MSP discovery audit. Each item maps to one or more Law Society obligations and to the questions a cyber-insurance underwriter or a Practice Reviewer is likely to ask.
1. Multi-factor authentication on every account
MFA must be enforced on every Microsoft 365 account, every practice management and document management platform login (Clio, NetDocuments, iManage, PCLaw, Soluno), every VPN, and every administrative tool. Partial deployment — "the partners have it" — is not enough. Attackers compromise the receptionist's account because that account can read shared calendars, billing matters, and confidential email threads.
2. Modern endpoint detection and response (EDR)
Traditional antivirus catches a small fraction of modern attacks. Every laptop, desktop, and server in the firm's environment needs EDR with 24/7 SOC monitoring. Our Cybersecurity Services include this as part of the baseline managed plan.
3. Encrypted endpoint storage
BitLocker on Windows, FileVault on macOS — enforced through Intune or Group Policy, not relying on individual users to enable it. A laptop stolen from a Granville Street coffee shop should not become a privileged-data leak.
4. Tested, encrypted, off-site backups
Daily image-based backups of every server and every critical user device, encrypted in transit and at rest, stored in Canadian data centres, and — critically — tested every quarter with an actual restore drill. Untested backups are guesses, not backups.
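A restore drill is only meaningful if it proves the restored data matches what was backed up. The script below is an added illustration of that check, not code from the original post or from any backup vendor: it records a SHA-256 manifest of a constructed sample matter directory, archives it to a plain tar file, restores it to a fresh directory and reports any missing, extra or changed file. The second mode simulates a backup job that silently captured a damaged file, which is exactly the failure an untested backup hides.

```python
"""Restore-drill verification on constructed sample data (added example).

A tar.gz archive stands in for the firm's real backup product; the point is
the before/after manifest comparison, which applies to any backup tool.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def archive_tree(source: Path, archive: Path) -> None:
    """Write the source tree into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_and_verify(archive: Path, restore_to: Path, manifest: dict) -> dict:
    """Restore the archive and compare every file against the manifest taken
    at backup time. 'ok' is True only if nothing is missing, extra or changed."""
    # Use the safe extraction filter where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_to, **kwargs)
    restored = build_manifest(restore_to)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    changed = sorted(k for k in manifest.keys() & restored.keys() if manifest[k] != restored[k])
    return {
        "ok": not (missing or extra or changed),
        "missing": missing,
        "extra": extra,
        "changed": changed,
        "files_checked": len(manifest),
    }


def run_drill(simulate_corruption: bool = False) -> dict:
    """End-to-end drill: create constructed sample files, back up, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "matters"
        (src / "2026-0001").mkdir(parents=True)
        # Constructed sample matter files; not real client data.
        (src / "2026-0001" / "retainer.txt").write_text("constructed sample retainer letter\n")
        (src / "2026-0001" / "notes.txt").write_text("constructed sample file notes\n")

        manifest = build_manifest(src)  # what the firm believes it is backing up
        if simulate_corruption:
            # The backup job silently captures a damaged copy of one file.
            (src / "2026-0001" / "notes.txt").write_bytes(b"\x00" * 8)

        archive = tmp / "nightly.tar.gz"
        archive_tree(src, archive)
        target = tmp / "restore"
        target.mkdir()
        return restore_and_verify(archive, target, manifest)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("corrupted drill:", run_drill(simulate_corruption=True))
```

The manifest must be captured from the live data independently of the backup tool; if the only source of truth is the backup product's own job log, a corrupted capture reports success. Keep the quarterly manifest and the resulting report with the other evidence discussed below under demonstrating compliance.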
5. Document management with audit logging
Every access to a confidential client matter must be logged with user identity, timestamp, and action. Most modern legal DMS platforms support this natively but require explicit configuration and retention policies. Audit logs must be retained for at least seven years.
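Before relying on a DMS audit log as evidence, check that its export actually carries the three required fields on every event and that the retention horizon is computed correctly. The script below is an added example, not the original post's code and not any DMS product's export format: the JSON-lines events are constructed, and the field names (user, ts, action, matter) are an assumed export schema.

```python
"""Validate a DMS audit-log export against the checklist requirement (added example):
every access event names the user, a timestamp and the action, and events are
retained for at least seven years before they may be purged.
"""
import json
from datetime import datetime

RETENTION_YEARS = 7
REQUIRED = ("user", "ts", "action", "matter")  # assumed export schema

# Constructed sample export; the second event has an empty user and the
# fourth has no timestamp, both of which fail the logging requirement.
SAMPLE_EXPORT = """\
{"user": "j.smith@example-firm.test", "ts": "2026-01-12T09:14:02Z", "action": "open", "matter": "2026-0001"}
{"user": "", "ts": "2026-01-12T09:20:44Z", "action": "download", "matter": "2026-0001"}
{"user": "svc-scanner", "ts": "2019-02-03T22:05:10Z", "action": "open", "matter": "2018-0417"}
{"user": "a.lee@example-firm.test", "action": "print", "matter": "2026-0002"}
"""


def _parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing Z is rewritten to +00:00 for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(export: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in export.splitlines() if line.strip()]


def validate_event(event: dict) -> list[str]:
    """Return the problems with one event; an empty list means it is acceptable."""
    problems = [f"missing {field}" for field in REQUIRED if not event.get(field)]
    if event.get("ts"):
        try:
            _parse_ts(event["ts"])
        except ValueError:
            problems.append("timestamp not ISO 8601")
    return problems


def retention_deadline(event: dict) -> datetime:
    """Earliest instant this event may be purged under the seven-year rule."""
    ts = _parse_ts(event["ts"])
    try:
        return ts.replace(year=ts.year + RETENTION_YEARS)
    except ValueError:  # 29 February in the source year
        return ts.replace(year=ts.year + RETENTION_YEARS, day=28)


def review_export(export: str, now_iso: str) -> dict:
    """Summarise an export: event count, invalid events, and how many have
    passed the retention horizon as of now_iso (ISO 8601, e.g. 2026-03-01T00:00:00Z)."""
    now = _parse_ts(now_iso)
    events = parse_events(export)
    invalid = []
    for index, event in enumerate(events):
        problems = validate_event(event)
        if problems:
            invalid.append((index, problems))
    purgeable = sum(1 for e in events if e.get("ts") and retention_deadline(e) <= now)
    return {"events": len(events), "invalid": invalid, "purgeable": purgeable}


if __name__ == "__main__":
    print(review_export(SAMPLE_EXPORT, "2026-03-01T00:00:00Z"))
```

An event with an empty user field is the case to watch for: integrations and scanners often write events under a blank or shared identity, which makes the log useless for establishing who accessed a matter.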
6. Conditional Access and Privileged Identity Management
Microsoft 365 Conditional Access policies that block legacy authentication, require compliant devices, and challenge logins from untrusted locations. Privileged Identity Management for any account with administrative permissions, so admin access is time-bound and approval-gated rather than persistent.
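The two Conditional Access controls that matter most in a small firm are "block legacy authentication for everyone" and "require MFA for everyone on every application", and both are commonly found in report-only state or scoped to a single group. The review script below is an added example, not the original post's code and not a Microsoft tool: the policy dictionaries follow the Microsoft Graph conditionalAccessPolicy shape (state, conditions, grantControls), but the values are constructed for a fictional tenant. A real quarterly review would load the policies from a Graph export instead of the inline sample.

```python
"""Gap review of Conditional Access policies (added example, constructed data).

Policy dicts use the Microsoft Graph conditionalAccessPolicy field names;
the sample tenant below has the legacy-auth block in report-only mode and
MFA scoped to a partners group only, which are the two gaps the checklist names.
"""
import copy

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # the Graph values for legacy protocols

SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # report-only: blocks nothing
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA - partners",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            # Constructed group id placeholder; only the partners are in scope.
            "users": {"includeUsers": [], "includeGroups": ["PLACEHOLDER-PARTNERS-GROUP-ID"],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# The same tenant after week 1 of remediation: enforced, and scoped to all users.
REMEDIATED_POLICIES = copy.deepcopy(SAMPLE_POLICIES)
REMEDIATED_POLICIES[0]["state"] = "enabled"
REMEDIATED_POLICIES[1]["conditions"]["users"]["includeUsers"] = ["All"]
REMEDIATED_POLICIES[1]["conditions"]["users"]["includeGroups"] = []


def _enabled(policy: dict) -> bool:
    return policy.get("state") == "enabled"


def _all_users(policy: dict) -> bool:
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def _all_apps(policy: dict) -> bool:
    return "All" in policy["conditions"]["applications"].get("includeApplications", [])


def _controls(policy: dict) -> set:
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def blocks_legacy_auth(policy: dict) -> bool:
    """True if the policy blocks both legacy client types for all users and apps."""
    client_types = set(policy["conditions"].get("clientAppTypes", []))
    return LEGACY_CLIENT_TYPES <= client_types and _all_users(policy) and _all_apps(policy) \
        and "block" in _controls(policy)


def requires_mfa_all_users(policy: dict) -> bool:
    """True if the policy requires MFA for all users on all cloud apps."""
    return _all_users(policy) and _all_apps(policy) and "mfa" in _controls(policy)


def review_policies(policies: list) -> list[str]:
    """Return findings; an empty list means both baseline controls are enforced."""
    findings = []
    if not any(_enabled(p) and blocks_legacy_auth(p) for p in policies):
        findings.append("no enabled policy blocks legacy authentication for all users")
    if not any(_enabled(p) and requires_mfa_all_users(p) for p in policies):
        findings.append("no enabled policy requires MFA for all users on all apps")
    for p in policies:
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"'{p['displayName']}' is report-only and enforces nothing")
        users = p["conditions"]["users"]
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if _enabled(p) and len(excluded) > 1:
            findings.append(f"'{p['displayName']}' excludes {len(excluded)} users/groups; "
                            "keep exclusions to a single break-glass account")
    return findings


if __name__ == "__main__":
    print("before:", review_policies(SAMPLE_POLICIES))
    print("after:", review_policies(REMEDIATED_POLICIES))
```

The exclusion check is there because an "MFA for all users" policy with half a dozen excluded groups is the same gap as "MFA on the partners only", just harder to see in the portal.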
7. Defender for Office 365 (or equivalent)
Anti-phishing protection, Safe Attachments sandboxing, time-of-click URL checking through Safe Links, and DMARC enforced at "reject" on the firm's domain. Email remains the delivery path for over 90% of attacks. The version of M365 most firms already pay for includes Defender — it just needs to be configured.
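"DMARC at reject" is easy to misread from a DNS record that contains the word reject but is diluted by a pct= rollout value or a weaker subdomain policy. The validator below is an added example, not the original post's code: it parses the tag=value syntax of a DMARC TXT record (RFC 7489) and lists everything that keeps the record short of full enforcement. The three records are constructed for a fictional domain; in practice the record comes from a TXT lookup of _dmarc.<firm domain>.

```python
"""Parse and grade a DMARC TXT record (added example, constructed records)."""

# Constructed sample records for a fictional firm domain; not real DNS data.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.test",
    "partial-rollout": "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@example-firm.test",
    "enforced": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-firm.test; "
                "ruf=mailto:dmarc@example-firm.test",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. Tags are case-insensitive;
    v=DMARC1 must come first and p= must be present, per RFC 7489."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return the findings that keep the record short of 'enforced at reject'.
    An empty list means the record meets the checklist item."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy != "reject":
        findings.append(f"p={policy}: policy is not reject")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomain policy is weaker than reject")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so enforcement cannot be monitored")
    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name}: {assess_dmarc(record) or 'enforced'}")
```

The subdomain check matters for law firms that run separate mail streams (a client portal or e-billing system on a subdomain); sp=none leaves those names open to spoofing even when the root domain is at reject.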
8. Documented written information security policy
A policy stack covering acceptable use, password and authentication, data classification, incident response, retention and destruction, and vendor risk. Tailored to the firm — not generic templates with the firm name pasted on top. Reviewed annually with documented sign-off from the managing partner.
9. Incident response plan with tabletop testing
A one-page IR plan documenting who to call, what to shut down, what to communicate, and to whom — including the cyber-insurance carrier, outside counsel, the Law Society, and clients. Tested annually in a tabletop exercise with the firm's leadership team. Most firms only think about IR after an incident; that is too late.
10. Vendor and third-party risk reviews
Every vendor with access to firm data — IT MSP, document management host, e-discovery vendor, court reporting service, copy centre — needs documented assurance of their security controls. The Law Society duty to supervise extends to external service providers handling client information.
11. Security awareness training and phishing simulations
Every staff member, including partners, paralegals, and administrative staff, completes annual security awareness training and participates in quarterly phishing simulations. Document completion rates and simulation results — these become evidence during audits and insurance renewals.
12. Quarterly Microsoft Secure Score and control review
Microsoft 365 Secure Score is a free, built-in benchmark of how well a tenant is configured. Most firms we audit start in the 30s. After 60 days with us, they are above 80. Track the number quarterly and document the actions taken to improve it.
The five gaps we find in almost every Vancouver law firm we audit
Patterns repeat. Across the dozens of Vancouver firm environments we have audited, these five gaps appear in roughly 80 percent of cases:
- MFA is on, but only on the partners. Associates, paralegals, assistants, and articling students — the accounts that actually read confidential matters all day — do not have it.
- Backups exist, but nobody has ever tested a restore. The first time anyone tries is during a real incident, which is the worst possible time to learn the backups have been silently corrupted for months.
- Admin accounts are used as daily-driver accounts. The IT contractor's everyday email and the M365 Global Admin account are the same account. One phishing click compromises everything.
- No documented incident response plan. When something goes wrong, the firm improvises. Improvisation under pressure costs days of recovery time and dramatically increases the eventual bill.
- End-of-support hardware quietly running in the back. A 2014-era server in a closet, an unsupported Windows 7 device, a firewall whose firmware has not been patched since 2019. None of these would survive a Practice Review or an insurance renewal.
How to demonstrate compliance to a Practice Reviewer or cyber-insurance underwriter
The good news is that demonstrating compliance is more about documentation than about deploying expensive technology. A well-organized firm with a $2,000-per-month managed IT program can present a more credible compliance posture than a firm spending $20,000 a month on tools nobody has documented.
What you want to be able to hand a reviewer in under five minutes:
- A current network and asset inventory (every device, every account, every system)
- Written information security policy stack with annual review evidence
- The firm's most recent Microsoft Secure Score with a trend line over four quarters
- Backup test results from at least the last three quarters
- The latest phishing simulation report and security awareness completion rates
- The incident response plan, with the date of the most recent tabletop exercise
- Vendor risk reviews for the IT MSP, the DMS host, and any other vendor with privileged access
That packet — six to ten pages — is what a documented program looks like. Click One MSP delivers all of it as part of our standard managed plan, refreshed quarterly. Take a look at how it ties to our broader Compliance Services.
A practical 30-day remediation plan
If your firm is starting from a low baseline, the first 30 days are the highest-leverage period. Here is the order we run remediation in for new managed-IT engagements with Vancouver law firms:
Week 1: Deploy modern EDR to every endpoint. Enforce MFA on every account in Microsoft 365 — partners, associates, paralegals, assistants, service accounts. Block legacy authentication. Take a fresh, tested backup and store an immutable copy off-site.
Week 2: Deploy Conditional Access policies. Configure Defender for Office 365 properly. Enforce DMARC at "reject" on the firm domain. Audit and rotate any shared or stale admin credentials. Document the inventory of every device and account.
Week 3: Author the policy stack — acceptable use, authentication, data retention, incident response, vendor risk. Tailor each to the firm's actual operations. Have the managing partner sign off.
Week 4: Roll out security awareness training to every staff member. Run a baseline phishing simulation. Run a tabletop exercise of the incident response plan with the leadership team. Schedule the first quarterly review.
Four weeks of disciplined work closes most of the dangerous exposure. The remaining months are about depth — vulnerability scanning, vendor reviews, deeper compliance documentation, and the cultural shift that turns security from an event into an operational practice.
Where to start this week
If you want a structured assessment of where your firm sits today against this checklist, take our free 2-minute Cybersecurity Assessment. You will get a score from 0 to 100, the top three gaps to address first, and a personalized report emailed to you. No sales call. No commitment.
If you would rather have a real conversation, book a 30-minute strategy call. We will walk through your environment with you and give you an honest answer to the question that matters most: how exposed is the firm today, and what does fixing it actually look like?
Either way, the worst version of this conversation is the one you have with a forensic responder at 2 AM after an incident. Have it now, with a coffee, on your terms.