PIPA BC IT Controls for BC Law Firms: What LSBC and OIPC BC Actually Expect

A regulatory-grade walkthrough of the Personal Information Protection Act of British Columbia (PIPA BC), the Law Society of British Columbia’s 2024 technology-competence commentary, and the IT controls a BC law firm should be able to evidence in a peer review, an insurer questionnaire, or a sophisticated client’s due-diligence ask.

Fusion Computing’s law-firm engagements are tagged to the regulator the firm actually answers to. For a BC firm, that means LSBC and OIPC BC, not the Law Society of Ontario and the federal Privacy Commissioner.

PIPA BC aligned Provincial, not PIPEDA defaults
LSBC tech competence BC Code rule 3.1-2 (March 2024)
CISSP-certified Security leadership
OIPC BC ready Voluntary-reporting playbook in place
Book a Consultation
Vancouver Law Firm IT →

Written for BC law-firm leaders, managing partners, and operations leads with a regulatory diligence problem to solve.

50 Best Managed IT Companies in CanadaBest Managed IT 2025 awardCISSP4.9
MP
Authored by Mike Pearlstein, CISSP, Founder & CEO, Fusion Computing. CISSP-certified, MSc Computer Science (Guelph 2011).
Reviewed and last updated 2026-05-18 · Named in Canada’s 50 Best Managed IT Companies 2024 & 2025.

Why PIPA BC matters more than PIPEDA for a BC law firm

According to BC Laws (2003), the Personal Information Protection Act, SBC 2003, c. 63 was assented to October 23, 2003 and sets the binding private-sector privacy regime for organizations whose commercial activities happen inside BC, displacing PIPEDA for those activities. A BC law firm answering to OIPC BC under PIPA BC is operating against a different regulator and a different breach-notification regime than a Toronto firm under federal PIPEDA.

National privacy guides aimed at Canadian law firms usually default to PIPEDA, the federal Personal Information Protection and Electronic Documents Act administered by the Office of the Privacy Commissioner of Canada (OPC). For a BC-registered law firm advising BC clients on BC matters, that default is the wrong starting point. The relevant statute is the Personal Information Protection Act of British Columbia (PIPA BC), SBC 2003, c. 63, in force since 2004 and administered by the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC).

The practical consequence: the breach-notification mechanics, the privacy commissioner you would actually liaise with, and the rules-of-professional-conduct hooks are all provincial. A BC firm running on a PIPEDA-shaped incident response runbook is documenting against the wrong regulator. Fusion Computing’s BC law-firm engagements are tagged to PIPA BC and OIPC BC by default.

LSBC technology competence: what the March 2024 commentary added

In March 2024 the Law Society of British Columbia amended the BC Code of Professional Conduct to add new commentaries to rule 3.1-2 (Competence), specifically addressing the level of technological competence required of lawyers. The amendment was published in the LSBC’s March 2024 Member’s Manual update and brings the BC Code more closely in line with the Federation of Law Societies’ Model Code, which has carried a comparable technology-competence commentary for several years.

Practical IT controls a BC firm must document for PIPA BC compliance

Documented consent managementWritten record of how the firm obtains, records, and respects client consent to collect, use, and disclose personal information, aligned to PIPA BC’s consent provisions. Engagement letter, intake form, and matter-management workflow all in scope.
Encrypted client communicationsTLS in transit on all firm email, Microsoft Purview Message Encryption available for partner-to-client sensitive transmissions, secure client portal as the default for document exchange instead of unencrypted attachments.
Retention and disposal policyWritten matter-retention schedule consistent with LSBC file-retention guidance and PIPA BC’s requirement to destroy or anonymize personal information when the original purpose is fulfilled. Disposal evidence retained.
Secure remote work postureConditional access blocking unmanaged devices, Entra ID-joined laptops, mandatory MFA on every account, no firm data on personal devices, written acceptable-use policy signed annually.
Vendor and cloud due diligenceWritten due-diligence file for every cloud vendor handling personal information: data residency, sub-processor list, breach-notification commitments, contractual right to audit. Microsoft 365 tenant region documented.
MFA on every privileged accountFIDO2 or authenticator-app MFA on all partner, associate, paralegal, and administrator accounts. No SMS fallback. Conditional access policy enforces MFA on legacy clients and external networks.
Incident response runbook tagged PIPA BCNamed runbook with OIPC BC contact, voluntary-reporting playbook, internal escalation tree, evidence-preservation steps, client-notification template, and timelines. Reviewed annually by the managing partner.
Audit logging and retentionMicrosoft 365 unified audit log retained for at least one year on E3 or longer on E5. SharePoint matter-site access tracked. Mailbox forwarding-rule changes alerted in real time.
Sensitivity labels on matter foldersMicrosoft Purview sensitivity labels applied to SharePoint matter sites, with auto-labelling for documents containing personal-information patterns. Label-aware Copilot retrieval where the firm is using M365 Copilot.
Written AI use policyFirm-approved list of AI tools, prohibition on pasting client information into consumer ChatGPT or similar, sensitivity-label-aware retrieval for tenant-scoped Copilot, partner sign-off required for any new AI vendor.

If your firm needs a BC-specific control map ready for an LSBC trust-account audit or an OIPC inquiry, talk to a BC-aware law-firm IT specialist.

Cross-border data residency under PIPA BC

For a BC law firm using Microsoft 365, the practical answer set is well understood. Microsoft offers Canadian data residency for core M365 workloads (Exchange Online mailboxes, SharePoint Online, OneDrive for Business, Teams chat) at the tenant-region level. A BC firm whose engagement letters commit to Canadian-resident data should select Canada as the tenant data location at sign-up and confirm in writing. Some workloads (telemetry, certain Copilot processing paths, Defender investigation evidence) may still transit US infrastructure, and the firm’s due-diligence file should record what does and does not stay in Canada.

OIPC BC breach notification: voluntary today, expected tomorrow

An important regulatory nuance BC firms get wrong: as of writing, PIPA BC does not currently impose mandatory breach notification on private-sector organizations. That is different from PIPEDA (federally), which has mandatory breach reporting under the “real risk of significant harm” threshold; different from Alberta’s PIPA, which also has mandatory reporting; and different from BC’s public-sector statute (FIPPA), which was amended to add mandatory public-sector breach notification. BC stands as the outlier in the Canadian private-sector privacy landscape on this one specific point.

What this costs for a BC law firm

BC law-firm pricing tracks the national Fusion law-firm pricing model. A solo BC practice with one to three staff typically lands at $500 to $900 per month. Mid-sized firms of 3 to 10 lawyers (including paralegals and clerks) typically land at $1,800 to $3,400 per month. Larger 10 to 25-lawyer Vancouver, Victoria, or Lower-Mainland commercial firms typically land at $4,200 to $7,500 per month. Per-lawyer pricing is uniform across BC; there is no Vancouver-downtown surcharge or Victoria-island uplift.

PIPA BC resources for BC law firms

“Other vendors quoted us PIPEDA controls and called it done. Fusion was the only firm that knew BC Code rule 3.1-2 commentary [4.2] by heart and built our OIPC BC voluntary breach playbook to match. Our litigation team got back to billable work and our managing partner can now answer LSBC audit questions on the phone without calling a consultant.”

Managing Partner, 22-lawyer litigation boutique, Vancouver.

Talk to a BC-aware law-firm IT specialist

Thirty-minute walk-through of your BC firm’s current stack, the PIPA BC and LSBC 3.1-2 controls you should be able to evidence, and what tagging the engagement to BC instead of Ontario actually changes in practice.

Book a Consultation

Frequently asked questions about PIPA BC and law-firm IT

Is PIPA BC the same as PIPEDA?
When does a BC law firm have to report a breach to OIPC BC?
What does the LSBC technology competence commentary actually require?
Can a BC law firm use Microsoft 365 if the data center is in the US?

PIPA BC does not prohibit storing personal information outside Canada (unlike BC’s public-sector statute FIPPA, which was historically much more restrictive). What PIPA BC requires is that the organization make reasonable security arrangements wherever the information sits and be able to answer who has access, where it lives, and why the arrangement is reasonable. Microsoft 365 offers Canadian data residency for core workloads (Exchange Online, SharePoint, OneDrive, Teams chat) at the tenant region level.

A BC firm whose engagement letters commit to Canadian-resident data should select Canada as the tenant data location and confirm in writing. Some workloads (telemetry, certain Copilot processing, Defender investigation) may still transit US infrastructure, and the due-diligence file should record what does and does not stay in Canada.

What are “reasonable security arrangements” under PIPA BC?

None of these is novel; the discipline is having all of them documented, active, and reviewed at the same time.

How does this differ from CPABC’s requirements for BC accountants?

The privacy regime is shared: any BC private-sector organization, whether a law firm or a CPA practice, answers to PIPA BC under OIPC BC, not PIPEDA. What differs is the professional regulator and the rules-of-conduct hooks. BC law firms answer to the Law Society of British Columbia under the BC Code, including the 2024 technology-competence commentaries on rule 3.1-2. BC accounting firms answer to Chartered Professional Accountants of British Columbia (CPABC) under the CPABC Code of Professional Conduct, with the CPA Canada national cybersecurity guidance applying equally. For the BC accounting-firm angle see our Vancouver accounting-firm IT page, which covers the CPABC + PIPA BC stack in parallel detail.

What if a BC firm has offices in Alberta or Ontario too?

Multi-province firms face overlapping regimes. A BC office answers to PIPA BC and LSBC. An Alberta office answers to Alberta’s PIPA (substantially similar to BC’s but with mandatory breach notification) and the Law Society of Alberta. An Ontario office answers to PIPEDA (Ontario has no substantially-similar provincial statute for the private sector) and the Law Society of Ontario. In practice, a multi-province firm typically implements the highest common-denominator control set across all offices, then tags the breach-notification runbook, the rules-of-conduct evidence, and the regulator-contact tree by province.

The IT architecture (Microsoft 365 tenant, identity, conditional access, Purview labels) is usually unified; the compliance overlay is province-specific. Most multi-province firms find this less complex in practice than it sounds on paper.

Updated