Whether you are a Luddite or running the bleeding edge of technology, there is one certainty that binds all: we live in an age of near exponential technological advancement and discovery. This is well apparent in the advent and subsequent boom in cloud based computing and storage services. From the late 2000’s cloud based services have transitioned from relatively limited offerings to full data storage, software and IT services enabling businesses of all sizes and industries to conduct all of their computing and data storage in the Cloud.
So what is the “Cloud” really? It seems odd to ask that question in 2017, but cloud computing is still subject to its fair share of misinformation and myth. Simply put, cloud computing is a means of storing and accessing data, software and services over the Internet as opposed to your laptop or PC in your home or a physical server in your office. When one says “Cloud” what you are really saying is “Internet”.
Cloud storage is not one single method or process and there are many permutations, as below:
- Private cloud storage: resources are managed externally from your firm, but in a server that is reserved for your data (e.g. hosting contract);
- Public cloud storage: offered publicly by a provider (e.g. iCloud, Gmail, Google Docs, Dropbox, Microsoft Office 365, etc.) with few administrative controls and access facilitated by any anyone you authorize;
- Community cloud storage: akin to private storage, this model is used to meet the needs of several organizations that wish to collaborate on their resources; or
- Hybrid cloud storage: Generally involves a combination of two or more models (private, public and/or community) of cloud storage, depending on the specific needs of the organization.
In addition to the types of cloud storage available, there are a considerable number of cloud storage service providers in the world. Whether any one service provider is suitable depends on many factors, the most notable being security of data. In this article, the focus is on Cloud storage security and considerations to be made in assessing security.
Where in the world is my data? “Only in Canada” seems to be the preferred refrain. The near universal consensus in cloud based computing discussions among legal writers is that cloud servers and systems located in one’s local jurisdiction or country are strongly recommended. Where data is hosted in a foreign jurisdiction, a firm would need to assess the risks related to the laws governing privacy and security of the data there and the social and political risks of that foreign jurisdiction. The data will be subject to the laws and conditions of that jurisdiction, be it Dublin, Ireland or Changhua County, Taiwan. If the data travels through more than one jurisdiction, the problem of assessing security becomes exponentially more difficult (if the cloud storage provider discloses what jurisdictions those servers are located in), for example, as does the question of whom there has access to that data.
As with any service, cloud storage is governed by a contract with the provider. Read the contract: does it restrict the locations where the data can reside? Does it specify Canada? Does the provider have to ask for consent to transfer data outside Canada? Ideally, the answer should be “yes” for all 3 questions. If there is ability to negotiate, these aspects are important. If not, secure the desirable terms with another provider. Jurisdictional risks can be managed to a great extent with contractual terms.
Lawyers and law firms should be particularly sensitive to data location, given their professional obligations to protect and maintain client privilege and the confidentiality of often critically sensitive data. Data security remains the obligation of the organization that has collected the personal information.
In the recent past, there were few widely available options for hosting servers in Canada offering cloud storage and software services in comparison to the number and scale of data centers in the US, India and UK. In the last few years that has changed for the better. One recent and significant example of increased scale and availability of home jurisdiction servers is Microsoft: as of May 2016, Microsoft now boasts generally available “resident in Canada” servers for its Azure system and Office 360. Microsoft’s data centers are located in Toronto and Quebec City, adding to the fast growing number of providers in Canada with cloud storage and services operating and hosted on Canadian soil.
Who’s data is it, anyway? While there are clear advantages to cloud storage in terms of ease of access, software efficiency, active security and reduced hardware costs, there can be significant disadvantages in the form of risks to the security of data hosted in or transiting in the cloud. For example:
- Data can become inaccessible (or worse, destroyed) if the servers storing the data become unavailable (power failures, breakdowns, etc.). However, those risks are generally inversely proportional to the size of the facility hosting the data: the bigger the facility, the more likely it is to have comprehensive redundancies to maintain service and data integrity.
- Another unpleasant inaccessibility problem arises when the data is withheld by the cloud provider. This can occur for several reasons: failure to pay hosting fees; the contract terms render the data inaccessible at the end of the contract; there are inordinate delays or time limits within which data can be recovered once the contract is over; or there is no express clause confirming the data is yours. Again, the terms of the contract are vital.
- The problem of inaccessibility is compounded by storing and transferring data across multiple servers. This can make it difficult (or even impossible) to comply with legal obligations respecting how personal information is disposed of when no longer necessary for the purposes for which it was gathered or a person revokes consent of its use.
- The use of shared infrastructure can result in data becoming commingled. Lack of segregation may prevent the use of a provider or even the storage of certain critical data in this way.
The provider should be in a position to answer questions about redundancy, data continuity and precisely what occurs at the end of the contract term.
Keep it secret, Keep it safe. Don’t assume that the level of security and encryption procedures a provider uses are suitable for your purposes. Take an active approach to establishing and understanding the security measures and protocols of the provider. You can gain a firm understanding of the provider’s level of security by asking some primary questions:
- How are network and information security risks managed?
- What security tasks are carried out and which type of security incidents are mitigated by the provider?
- What contingencies are in place for natural/other disasters affecting data centers or connections?
- How does the provider ensure their personnel work securely?
- How is physical and logical access to customer data or processes protected?
- How is software security ensured (if you are also using a cloud based software like Office 360 for example)?
- What level of encryption is used? 128 bit? 256? Tokenization?
- Are you able to go to the provider’s location and conduct an inspection?
- Are there redundant back-ups? Consider another method of redundant back-up if not.
Keep in mind that even with the best cloud based security it is incumbent upon you to ensure the access points and equipment connected to the cloud are also secured by sound internal security protocols and robust anti-virus software. Sensible security practices and systems in use at your firm or office need to remain in place and are as critical to keeping that data secure.
Who’s watching the watcher? As users of cloud based services, law firms should conduct a higher level of due diligence on providers to ensure data is being secured and transmitted in compliance with the contract. Adding audit rights to the contract (if not already present) can allow for the audit of the provider’s systems and security from time to time, and help facilitate due diligence where deemed necessary. Audit rights can also require the contract to allow for you or your external auditor/IT consultant to access the provider’s datacenter or premises where the data is located. Your provider should be required to provide you with immediate alerts to any security/data breach so that you can respond to such events as effectively as possible.
Cloud based storage and services have significantly advanced in the past decade. Such services will no doubt be utilized in much greater numbers due to the burgeoning availability of data centers in Canada. Lawyers and law firms whom may have discounted cloud storage in the past are likely to now consider cloud storage as an alternative to traditional internal hardware solutions. With a firm understanding of security, protocols and professional compliance obligations, one should be able to make a prudent and reasonable assessment of any cloud based storage service to determine if it is suitable for your needs.
Devin Mylrea is a Partner with Shea Nerland Calnan LLP in Calgary, where he practices in the Business Law and Commercial Real Estate groups. Devin is also a member of the CBA Alberta Editorial Committee.