The chances are you’ll be using several cloud-based applications at work today, and a significant number of them at home too. As we get under way in 2015, the number of apps that exist in the cloud, and the amount of personal and business data stored there, are only going to increase. Are you and your company aware of the risks this seemingly benign technology could pose?
Businesses and individuals have been drawn to the cloud, spurred on by super-fast broadband connectivity, the almost unstoppable march of the smartphone and tablet and the increasing number of tech and IT service vendors that promote cloud offerings in the mainstream media. On top of that there’s been a huge push during 2014 by big tech vendors and IT service providers such as Apple, Microsoft, Samsung, Blackberry and Google to encourage consumers to store their data in the cloud by default. And that’s without mentioning the increased availability of hardware and software that backs up data directly into ‘personal’ and ‘private’ clouds.
Growth in cloud usage has continued during 2014 as the technology, besides being incredibly convenient, offers a range of cost savings. For businesses this comes down to the fact that the cloud has the ability to bring together applications and software within a pool of centrally located servers and allow access to them from any remote location.
For consumers, it means they don’t necessarily have to buy the top-of-the-range smartphone or tablet with the most memory just because they have a large digital film, music or photo library; they can instead save money, buy a device with less memory and put their media content straight into the cloud. However, just because the number of cloud-based applications has increased and the technology has enjoyed mainstream success during 2014, it doesn’t mean that there aren’t significant risks in using it, particularly for corporate users and particularly at an international level.
Risk 1: International Data Protection Laws
Cloud-based working necessitates placing company data on third party servers in data warehouses that could be located anywhere in the world. This carries a potential risk for companies as they can come into conflict with local laws. Keep in mind that data protection laws and rights are applied in the jurisdiction in which the data is stored, rather than where it is generated, modified or created. The jurisdiction where a cloud provider is physically storing data is an issue of key importance.
This could not be more apparent than in the revelations at the start of 2014 about the US’s National Security Administration (NSA), in which press leaks revealed that the organisation had been gathering and storing metadata from Verizon and nine other US-based Internet companies. Those with responsibility for assessing operational risk within a company would therefore be wise to have a conversation with the IT department, ideally before a cloud service contract is signed, and check the location of all their provider’s servers: hosted data can reside in several locations, because cloud service providers use subcontractors.
Risk 2: US Law & Due Diligence
Be aware that, under the Foreign Corrupt Practices Act (FCPA), businesses are held liable for the conduct of their third parties. This includes agents, consultants and distributors and could, potentially, extend to cloud service providers. As such, it’s extremely important to go through the same due diligence to identify potential fraud and corruption risks when selecting a cloud service provider as you would with any other third party. This should include being able to document the way in which you have carried out a risk assessment of each cloud service provider, and to demonstrate that you can flag them for re-assessment as required.
Further, it could be argued that even if a US company has a server in a foreign country (which could feasibly be deemed a “US server”), that server and the data on it could still be subject to FISA (Foreign Intelligence Surveillance Court) rules and related court orders. Time will tell whether Microsoft’s servers located outside the US will fall into this category, and whether its status as a US company makes the location of its servers irrelevant. This is an important issue for businesses using cloud-based applications powered by US companies.
By their nature, cloud-based applications require companies to place their data on third party servers in data warehouses that could be located in the US (or on servers outside the US that are managed and maintained by US companies). In response to the NSA spying revelations earlier this year, businesses need to think seriously about how and where they store their data. Many business leaders might now be asking whether the ease-of-use and cost-saving benefits of using applications like Google Docs, Apple’s iCloud and Dropbox, or other cloud computing offerings, are worth the risk.
Risk 3: Data Protection vs. Data Disclosure
Adopting a cloud computing strategy across the globe can expose multinationals to contradicting laws in different countries. For example, if a French company (which is subject to French data protection laws) takes out a service contract with a cloud provider that centrally stores its email data in the US, the company makes itself vulnerable to breaking both French and US laws in the event of US litigation or investigation – even if that data was created or modified outside the US or France.
The company may wish to comply with a US discovery request, or government subpoena, but will need to resolve the conflict that this creates with stringent French data protection and other laws which preclude the transmittal of data outside of France. Penalties on both sides can be very high: data protection breaches carry fines in the millions as well as criminal sanctions in some countries, and the failure or inability to respond to US discovery risks penalties or even spoliation fines which can be significantly higher. Keep in mind that the same is true in reverse, i.e. for US companies using a cloud service provider based in France.
Companies using cloud-based solutions should include this data source in their eDiscovery preparation and litigation readiness plan. Even if you know where your data is located, often information in the cloud can be difficult to access, preserve or extract in the right format and in a timely manner. Cloud vendors may have scheduled maintenance or freeze periods which could impact your disclosure exercises. For example, it may be necessary for the provider to make changes to their environment, such as enabling Exchange Litigation Hold on mailboxes or extending deleted item retention policies.
Risk 4: Where Is Your Backup Data?
Find out where your cloud services provider backs up copies of your data (they all make copies of client data to maintain 24/7 access and to offer service level guarantees). Ask for the backups they make of your data to be stored in the same location you specified for your original data and applications. FRA strongly recommends that high-risk data – such as financial, corporate and personnel related data is always housed in its jurisdiction of origin or one that carries similar protections.
Emails are often highly sensitive in EU jurisdictions and carry strong data privacy rights, which makes transmitting or producing them outside of their jurisdiction of origin, not just risky, but potentially illegal. Of particular concern are providers who store data in the US (or in a location where the data can easily be accessed from the US).
The NSA revelations in early 2014 came as a surprise to those who assumed they were protected by the US’s fourth amendment (where there is a reasonable expectation of privacy). However, once information is shared with a third party (i.e., a cloud provider) the expectation of privacy could likely be forfeited. So, if you can’t get a location-based guarantee from your cloud provider, think very carefully about the data and applications you put into a cloud environment, and carry out a full risk assessment.
Businesses may also be starting to legitimately ask whether their regular data back-up and protection policies, which might include making remote back-ups to US-based data centres, could bring them into conflict with ever tightening European data protection laws. I strongly recommend that financial, corporate and personnel related data is always housed in its jurisdiction of origin or one that carries similar protections. In the light of Obama’s speech, it has never been more important for companies to consider this as they assess their data storage, backup and access policies and weigh up how much use to make of cloud-based computing in their daily work.
Risk 5: Fraud In The Cloud…
These days, personal and corporate information is a valuable currency and there are unscrupulous people willing to break the law to get their hands on it and then trade with it. In order to prevent theft or fraudulent activity you should familiarise yourself with your cloud service provider’s own security policies and determine what procedures are in place to control access to the information they hold. In particular, ask your cloud service provider about its policies on passwords, laptop and portable device use by staff, personal software download policies and its tolerance of cyber-slacking.
Get your IT department to check the kind of encryption used by your cloud service provider to transport data. Make sure you build these two points (staff access policies and encryption in transit) into any risk assessment of cloud service providers, as carelessness in either area has the potential to expose the provider to data leakage and information theft, as well as increasing the possibility of malware getting onto their servers. All of which can compromise your company’s data.
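As an added example that is not part of the original article, the following Python script does the kind of transport-encryption check the IT department is being asked for here: it performs a TLS handshake with a provider endpoint, records the protocol version and cipher suite the server actually negotiates, and flags deprecated protocols, weak cipher suites, short keys and the absence of forward secrecy. The thresholds (the deprecated-protocol list, the 128-bit floor and the weak-cipher markers) are assumptions reflecting common current guidance, not anything the article specifies, and the host name is supplied on the command line.

```python
import socket
import ssl
import sys
from dataclasses import dataclass, field

# Assumed policy thresholds (not from the article): protocol versions that should
# not be used to transport business data, and substrings that mark weak cipher suites.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
MIN_SECRET_BITS = 128


@dataclass
class TransportReport:
    host: str
    protocol: str
    cipher: str
    secret_bits: int
    findings: list = field(default_factory=list)


def assess_transport(protocol, cipher, secret_bits):
    """Return the findings for one negotiated TLS session (empty list = acceptable)."""
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher}")
    if secret_bits < MIN_SECRET_BITS:
        findings.append(f"cipher strength {secret_bits} bits is below {MIN_SECRET_BITS}")
    # TLS 1.3 suites are always ephemeral; in TLS 1.2 only (EC)DHE suites give forward secrecy.
    ephemeral = protocol == "TLSv1.3" or cipher.startswith(("ECDHE", "DHE"))
    if not ephemeral:
        findings.append("no forward secrecy (key exchange is not ephemeral DH)")
    return findings


def probe_transport(host, port=443, timeout=5.0):
    """Handshake with the server and report what it actually negotiated.

    The default context verifies the certificate chain and host name and refuses
    anything older than TLS 1.2, so a failed handshake is itself recorded as a finding.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cipher, _, secret_bits = tls.cipher()
                protocol = tls.version()
    except OSError as exc:  # ssl.SSLError (incl. certificate failures) is an OSError
        return TransportReport(host, "none", "none", 0, [f"connection or handshake failed: {exc}"])
    return TransportReport(host, protocol, cipher, secret_bits,
                           assess_transport(protocol, cipher, secret_bits))


if __name__ == "__main__":
    # Hypothetical default target; pass the provider's endpoint as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    report = probe_transport(target)
    print(f"{report.host}: {report.protocol} {report.cipher} ({report.secret_bits}-bit)")
    for finding in report.findings or ["no transport findings"]:
        print(" -", finding)
```

Note that this observes only what the server negotiates with a modern client; it does not enumerate every protocol and suite the server would still accept from an older one, so the result should be read alongside the provider’s documented transport-security policy rather than in place of it.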
Cloud computing provides many benefits, particularly in a time of economic uncertainty, but security, privacy and legal matters must be carefully considered and continuously surveyed. It is likely that, in the not too distant future, companies relying on cloud computing will be subject to litigation along with their cloud service providers. It is, therefore, imperative that they fully understand the legal, security and privacy issues that surround the technology before implementation – and that, once deployed, board members, legal teams and IT departments all work together to stay one step ahead to avoid cyber law headaches as well as potential incidents of fraud and corruption.