First off, I’m not an IT expert so the following is what I have gleaned from speaking to people who know about IT and my own experience with researching cloud and on-premises data storage solutions over the past year. However this is a very relevant topic, so I’m not going to shy away from setting out the issues as I see them. Any comments and corrections from IT experts are most welcome.
Cloud/third party data storage could be on the cusp of being adopted wholesale by law firms due to panic caused by the now regular data hacking incidents. Essentially, the thinking is: If I adopt a cloud solution, this will be more secure as my data is looked after by large companies such as Amazon and Microsoft, who most likely employ the best data security experts known to mankind. This view is confirmed by some information published by the Law Society, though their full Practice Note on cloud data storage is well worth reading in full.
Let’s not delay with getting to grips with the issues from a law firm manager’s perspective.
1. Who is actually storing the data?
A perusal through the marketing literature of many third party data storage providers won’t tell you where the data is actually held and who holds it – the word “cloud” is used as an explanation in itself, as if there really is a data depot up there in the heavens that allows our client information to rest in peace eternally, unless we recall it for use.
For example, Tresorit, one of the best known high security data storage providers for business, known for their hacker competitions ($50,000 bounty offered to anyone who successfully accesses their data), use Microsoft Azure datacentres to host their data storage service, though you won’t find this mentioned in their Wikipedia entry.
Likewise, some of the best known legal software providers such as LEAP use a third party to host your data.
2. Do we have a contract with the data storage provider?
Yes surely I do! Hang on, no – actually I have a contract with a software provider who in turn (hopefully) has a contract with the data storage provider, but we don’t know what that says.
What is the issue with this? It means your precious client data is being handled by a party whom you do not have a direct contractual relationship with. This could make remedies or legal action very difficult if anything should go wrong, also it just doesn’t seem great not have a direct contractual relationship with an organisation which handles one of the most (if not the most) important asset you are trusted with. A bit like asking a third party to put your files in their safe, but not bothering to sign a contract with them?
3. Data Protection law
As the data is often held by very large international organisations (such as Amazon or Microsoft) who have a complex network of worldwide data-centres, we need to check that the data is held within the EU and so complies with Principle Eight of the Data Protection Act.
Ultimately we retain responsibility and liability under the Data Protection Act as the data controller – the legal responsibility isn’t transferred to the third party data storage provider – see page 7, para 23 of the ICO’s Cloud Computing Guidance for Organisations.
This means that all of these issues need to be considered carefully before we rush into adopting a data storage solution which is taken care of and hosted by a third party.
Here is where we start to really take on an area in which as non-IT experts we cannot have any certainty. In my view, none of us can rely on internet research, or a cloud software representative’s opinion. Bearing in mind the highly regulated and high risk (of a data breach) environment in which we work, we need a expert IT consultant’s opinion to help inform us specifically which data storage solutions could work best. Some IT experts acknowledge that certain companies are dealing with data that requires more security than that which cloud data storage providers can offer.
One potential issue is that the larger the data storage provider is, the greater the incentive is to hackers to penetrate security and gain access to a huge amount of sensitive and valuable data. Successful cloud data storage hacks are not unknown – here’s a whole list of incidents.
There is much information on the benefits of cloud data storage security over on-premises data security, but some of this is published by private companies who have an interest in selling you a cloud product or solution.
5. Contracts again
So what if we do have a contract directly with the data storage provider and we are satisfied that all points above re location of our data and security are covered? What is our remedy if, god forbid, a data breach does occur?
Unfortunately the contracts I have seen offered to business users by “cloud” providers include a comprehensive limitation of liability clause, which states:
(a) They accept no liability whatsoever for any data loss or breach of any kind, howsoever caused, and;
(b) They do not provide any warranty that their product is fit for any particular purpose, including business use.
For more on this see my previous post on Contracting with the Cloud.
6. Password protection
Access to “cloud” data is often provided through a one-stage password entry process on an online login page, which is accessible to anyone, anywhere. The password may be known by a large number of employees, therefore data could be compromised either through a hacker using sophisticated software to obtain the password, or by employees writing down a password which is then discovered by the wrong person. Would we accept a one-stage password entry system for our online banking?
Passwords can be obtained by hackers through a variety of methods, and once they have your password they could gain unrestricted access to your client and office data. Consider this scenario; a fake login page is projected on a employee’s inadequately protected personal PC which has been hacked, the employee enters the login details believing it to be genuine, the hacker has the password and therefore access to all client data.
Or, what if your login details are obtained by a hacker and published online? Unlikely? Consider the potential effect on law firms of this 68 million username and password leak affecting DropBox users.
With on-premises data storage you could avoid this potential scenario by restricting the ability to access data for persons who are on site at the office only, though this would obviously be less convenient.
7. Is an on-premises solution definitely more high risk?
I am once again out of my depth here, but from my understanding a local solution will not necessarily be more high risk, as it will not rely entirely on your in-house IT expertise. We can adopt firewall and anti-virus software solutions which are independently recognised as being leading security options, and are updated and maintained on a daily basis. Bitdefender’s security software, for example, consistently provides protection against all threats under independent laboratory testing. However this is not the entire security picture – a great security software suite would need to be combined with up to date user and server software that provides the latest in security protection.
Data kidnapping is a growing trend and threat for organisations who hold sensitive data – and cyber criminals know just how much we have to loose from a breach of our obligations. Here’s a summary of the key points:
– We are ultimately responsible for managing this risk from the point of view of our contractual duty to our clients, our DPA legal obligations as data controllers, and our regulatory position.
– In my view we cannot safely “delegate” the management of this risk to a cloud provider without being very thorough in checking out the above issues, and most likely more.
– From what I have learnt, I do not believe that a cloud solution will always be more secure than a On Premises solution.
– We need guidance from IT experts to help us choose the right solution. We can’t rely on marketing information from cloud storage providers and their partners.
– We might need to sacrifice ease of access to avoid some recognised threats that enable hackers to gain access to our data.
And if you have 55 minutes to spare, this video talk by Penetration and Hacking technique expert Kevin Dunn is very informative – he walks us through a large number of means of gaining access to cloud data involving all platforms (Google, Office 365, Citrix) and concludes by saying we should only be holding data on the cloud that we can afford to loose, or have hacked. “There is no cloud”, he says, “it’s just someone else’s computer”.