Comment: Where is your data and how secure is it?
by Campbell Williams, Group Strategy & Marketing Director, Six Degrees Group www.6dg.co.uk
With David Miranda set to take legal action against the UK over his detention and the seizure of his electronic equipment, data security and surveillance have once more been placed high on the agenda of individuals and businesses alike.
Before the news of Miranda’s nine-hour detention in Heathrow airport, the discussion about data security was focused on the US National Security Agency’s surveillance activities (known as the PRISM programme). Such activities have provided a very public, if still cloudy, manifestation of concerns about the integrity of online information and the jurisdictional issues raised by the increasingly fluid nature of data today. However, in light of the UK’s recent application of Section 7 of the very broad British Terrorism Act, surveillance and data security have never seemed so pertinent an issue to UK citizens and businesses alike.
The questions raised about government surveillance and data integrity have struck a chord for organisations using cloud-based platforms. With organisations using cloud-based platforms to store and share legal documents, often containing sensitive client, case and personal information, it is no wonder jurisdiction and location have become central to their cloud worries.
The recent report from the EU’s Directorate General for Internal Policies (entitled “Fighting cyber crime and protecting privacy in the cloud”, which preceded the PRISM revelations) provided a valuable service by highlighting serious concerns over the safeguarding of cloud-based data from European companies and citizens in a multi-jurisdictional framework.
The report warned that although cloud computing was making data processing global, “jurisdiction still matters. Where the infrastructure underpinning cloud computing (i.e. data centres) is located, and the legal framework that cloud service providers are subject to are key issues”.
Presciently, the report focused on the US, home of many large technology companies and cloud computing providers, and two specific pieces of legislation, the US Patriot Act and the US Foreign Intelligence Surveillance Amendment Act (FISAA) of 2008. The latter has gained some measure of notoriety since the PRISM revelations were first aired, bearing out the report’s concerns that both acts gave rise to conflicts in the relationships between states and companies.
“Major cloud providers are transnational companies subject to conflicts of international public law,” the report stated. “Which law they choose to obey will be governed by the penalties applicable and exigencies of the situation, and in practice the predominant allegiances of the company management.”
It suggested those allegiances were likely to be sorely tested by the scope of FISAA, which authorises the mass-surveillance of foreigners outside US territory whose data is within range of US jurisdiction, including data accessible in US clouds. The pleas by companies such as Google, Facebook, Microsoft and Apple to release details of the NSA’s engagement with them demonstrate all too clearly the tightrope they were walking between their obligation to provide customer confidentiality and the needs of national security.
In the wake of the NSA story, it might be useful for EU-based businesses and citizens to ask whether they should be prepared to gamble the integrity, security and privacy of their data against the loyalties of managers of US-based companies.
These concerns are heightened for legal firms, where security, compliance and privacy are essential components of their business because they are legally obligated to maintain confidentiality at all times and protect their clients’ intellectual property rights. If a legal firm expects to use a cloud service to provide a service or store confidential client information, it should consider how critical that service is to its business and the importance of access to, and security of, client information given its duties to clients and to regulators.
Any concerns in the legal sector over privacy and security in cloud computing are compounded by risk governance, compliance and the need for Lexcel accreditation, particularly involving risk. The good news is that emerging technologies can be harnessed to help practice management achieve Lexcel standards and deliver considerable benefits such as:
• Robust business continuity and better risk management
• Accurate and more detailed client billing
• Clear and effective customer service processes
• Reduced professional indemnity insurance premiums
• Differentiation at client “beauty parades”
• Demonstrable end-to-end duty of care
But the NSA story serves to highlight the potential pitfalls that need to be understood and overcome if law firms are to benefit from emerging technologies such as cloud computing without compromising their activities. For this reason, they need to take particular care over areas such as data protection and professional secrecy, the risks of contracting a third-party service in terms of its security protocols and policies for handling client data, as well as the data disaster recovery and crisis management in place at a prospective provider.
Service level agreements should also be scrutinised in detail to ensure policies are clear regarding issues such as ownership of the data, back-up schedules, data encryption, security breaches, duration of data storage, service failure and data destruction.
One of the best ways for UK law firms that opt for some form of cloud computing to ensure their data is safe is to choose a provider with resilient and diverse cloud platforms based in the UK. Working with a UK-based company gives them the comfort of being able to visit the data centre to see it for themselves and gain an understanding of where their data resides. And until the US authorities change or amend the Patriot Act and FISAA, this is the only way UK legal firms can guarantee their most critical asset stays outside the jurisdiction of the US authorities (or those of any other country).