Geldards: The Cloud & Data Security
Geldards LLP report on:
Cloud Computing – Staying Safe Online & Protecting Data
The recent hacking of celebrity accounts on the Apple iCloud should give one reason to pause and think, but not panic, when it comes to using cloud computing. Cloud computing is mature, and so security breaches are going to be the exception, not the rule.
This e-shot briefly reviews some of the practical and legal protections and issues concerning data security that businesses should consider in making the move to cloud computing.
Definition: “cloud computing” means the provision of computer systems, applications and storage as a service from a remote data centre, offering on-demand, pay-for-use, and flexibility.
There are now many different cloud options available to you, ranging from committing to a vendor’s own multi-tenanted system through to more dedicated physical or virtual environments created just for you. In particular, given the nature of life sciences data, which may include a mixture of regulated and unregulated information, hybrid clouds are being used: a mixture of cloud and in-house infrastructure, with bespoke security and encryption controls and options, and bespoke auditing features, designed to fit the specific requirements of your data. Therefore, you should not assume that there is only one option available to you.
The Apple iCloud incident was not Apple’s fault, despite what the press might make of it. The affected celebrities simply chose easy-to-guess passwords and security answers. Apple’s response has been to offer more advice, more warnings of suspicious account activity, and additional log-in measures such as a one-time code sent to your phone. The practical lesson for anyone with valuable data in a cloud service is therefore to implement very secure log-in credentials and processes.
Picking your supplier
You will struggle to find a cloud provider who will agree to strict liability with respect to data security; and typically a contract will impose a duty to apply reasonable care and skill, or some other standard. Furthermore, you may not always have the budget or expertise to be able to audit your cloud provider’s infrastructure or security measures. Therefore you may need to pick your supplier based on other factors such as reputation, what other customers they have, the quality of security information they provide, and the standards they claim to adhere to.
Plan for the worst
Whatever may be promised, no computer system is water-tight. Any computer system is exposed to undetected bugs, internal fraud, newly invented viruses, and even covert government monitoring. For instance, the recently discovered flaw in the SSL security used to communicate between browser and server could not have been predicted. Therefore, you should always carry out a risk assessment and plan for what you would do in the case of a security breach and loss of data or service, including a risk management strategy.
In reality, unless you have some negotiating power, or an enlightened supplier, your contract is likely to be on their terms, which will be non-negotiable, have a limited service description, and be full of exclusions and limitations on liability, leaving you with little or no obvious claim. Suppliers tend to be prepared to negotiate, particularly for larger more valuable projects, but you will need to argue strongly for what you want. If you just sign the supplier’s standard terms, then you might still find some way of challenging this; for instance the UK courts do not like to enforce total exclusions of liability, and the Unfair Terms in Consumer Contracts Regulations 1999 and Unfair Contract Terms Act 1977 subject certain limits on liability in standard contracts or consumer contracts to a test of reasonableness and fairness. At the very least you should read and understand what you are signing, and a lawyer can assist here. Ideally you would put forward a strong negotiating team, backed by lawyers, to seek improvements to the contract in your favour.
Outside contract, if you are purchasing the service as an individual (or in a partnership) then you may have the protection of personal data protection laws, which will override any contractual terms.
Confidentiality and negligence
More generally, you may have claims under laws relating to confidentiality or negligence, where the law may imply a non-contractual duty of confidence or a duty to take reasonable care. The availability of these may, however, depend on what the contract says.
If you are using a cloud service to process data, then you will need to ensure that the cloud service fits with and enables you to comply with any regulatory obligations you are subject to, including to enable you to demonstrate to your regulators that the cloud service is compliant. For instance, you cannot transfer personal data outside Europe, unless your contract contains certain terms, or the provider and its systems are located in countries approved by Europe.
If your supplier or its equipment is based in another country, then this may pose both practical and legal issues concerning your ability to claim against the supplier. Your legal protections may be under foreign, rather than UK law; and you will have the added cost and difficulty of litigation against a foreign supplier. Quite often there is little you can do about this other than pick a reputable supplier. On the plus side, the recent Google case on the right to be forgotten, showed that Europe was prepared to apply its privacy laws even if there is quite a tenuous connection between the provider and Europe.
How to approach cloud services:
When using cloud computing, therefore, you need to establish your priorities; plan, select, procure and implement your service; and seek to negotiate your contract. These priorities may include: cost, level of detail of the supplier’s service and security commitments, risk management, data governance strategy and incident handling, location of your data, security of your data and access controls, data segregation, ease of suing your provider, ease of swapping service, performance management of the supplier, insurer requirements, and ease of monitoring, auditing and demonstrating regulatory compliance, including international and cross-jurisdictional issues.
How can Geldards help:
Our lawyers are familiar with and have advised on a wide range of cloud computing contracts. We can assist from just advising you what the contract says, to helping you negotiate and amend a cloud contract and consider any regulatory issues you have. The key value we bring is our understanding of all the different aspects of cloud computing from service description, to liability, to fee structures, to duration and termination issues. We would be glad to speak to you.
If you would like to discuss any aspect of this update or our previous update please do not hesitate to contact Julian Turner