Risks of Cloud Computing

Cloud Computing

Australian enterprises have been adopting opportunities arisig from cloud computing where service providers offer data storage opportunities in onshore and offshore jurisdictions through global and/or regional clouds. The term cloud computing refers to delivering hosted services over the internet such as data storage and sharing, web based email services or use of software and hardware through cloud. An useful comprehensive formal definition of cloud computing is provided by the National Institute of Standards and Technology, US Department of Commerce, Special Publication 800-145.  Cloud-based information technology services allow users and communication participants immediate access to documents regardless of their location and decrease costs of data storage and communication substnatially.   

Control by Service Providers

Client information may be held in a cloud computing environment operated by a third party and there is level of control that a servcice provider has over hardware and software that provides cloud services.

It is the fact that information in the cloud is out of the direct physical control of its owner which leaves it potentially vulnerable to unauthorised access or inadvertent disclosure. Moreover, cloud computing often involves a complex supply chain with several cloud providers involved so it maybe difficult to ascertain roles of different providers.

Possession, Custody and Control of Data

When involved in documents disclosure process in court proceedings, question to be determined maybe: what is the extent of the data that the organisation now has in its actual possession, custody or control? When attempting to locate data the subject of a court order for discovery or a subpoena data stored in the cloud may be spread across many jurisdictions and exist in many different formats and it is impossible to undertake forensical interrogation of litigants equipment. Data moved into a cloud would be outside of the direct possession of a cloud user although arguably not out of legal control. It would frequently be stored outside of jurisdiction where a cloud user is located.

Another issue is the uncertainty who owes a document in a cloud – is it a cloud user or service provider.

A cloud user needs to carefully analyse ownership, accessibility and retrieval rights that it holds for data held by a cloud

Confidentiality and Privilege

It seems obvious that taking insufficient steps to maintain confidentiality over documents stored in cloud may result in being held responsible for breach of confidentiality and possibly in some instances a party's claim of privilege being waived. In some instances, it is possible that a cloud host be held as a third party to whom a privileged document is being disclosed.

A cloud user needs to scrutinise the particular confidentiality and security arrangements in place with a cloud service provider.

Data Protection and Security Threats

A cloud service provider usually claims the right to move, store, and process user’s data. It is common that a cloud user maybe unaware of the exact whereabouts or jurisdictional location of its data, whether copies were made and where they may be stored. In addition, there are external (e.g. hackers) and internal (e.g. dishonest employees) security threats cloud users maybe exposed to.

There are several possible applicable jurisdictions for the information: the location of the service provider's headquarters, the location of the servers, the location of the cloud user and other. There is a possibility of concurrent application of various concurrent laws and the powers of governments in several juridictions (e.g. national laws regulating the use and disclosure of data). 

Under Australian privacy laws, personal or other sensitive information collected must remainswithin Australian borders unless consent is obtained from the individual or the National Privacy Principles apply.

Recommendations

Cloud users should carefully consider where a cloud is hosted and by whom, locallity of servers,who has access to data and in which way, methods of back ups and number of servers, security measures, procedure if there is a data breach, indemntities for breach and other. 

Disclaimer: The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.