The Cloud and the Australian Privacy Principles
September 6, 2013
There is no shortage of announcements about governments and businesses using cloud server providers. The New South Wales State Government has announced that 60 providers have been registered to be part of a private marketplace for IT services that will be housed in a data centre which also houses the NSW Government’s IT (see article here), while the Queensland Government is accelerating its use of cloud computing (see article here). The Victorian Government has made announcements regarding its take-up of cloud computing (see here), including the use of cloud computing by the Victorian Supreme Court for case management. In “Victorian Supreme Court gets cloud for case management”, ZDNet reported on 28 August 2013:
The Victorian government today announced its plans to finance an AU$675,000 online system for lodging, accessing, and managing case files for the state’s Supreme Court.
Unveiled on Wednesday by Victorian Minister for Technology Gordon Rich-Phillips, the cloud-based system, dubbed RedCrest, will make use of high-speed broadband to efficiently and cost-effectively manage case files, superseding the outdated, time-consuming process involving physical documents.
“RedCrest is a highly innovative system. It will transform the process of recording, storing, and providing access to court documents, bringing about significant cost savings,” Rich-Phillips said today.
“Hosted in a secure cloud environment, all case files, including associated documentation, will be uploaded to a secure site with access limited to appropriate parties from any location, 365 days a year, providing more convenient access and reducing costs for those based in regional and remote areas.”
RedCrest will initially see a limited rollout in the Commercial Court arm of the Supreme Court of Victoria across 1,400 cases and approximately 5,000 users, including judges, solicitors, and other involved parties. Each case will be given its own page, and whenever a document is filed, the system will send a notification via email to the case’s registered users.
Despite saying in 2010 that moving the court’s IT systems into a shared services environment could compromise cases focusing on terrorism, organised crime, and corruption, Supreme Court of Victoria Chief Justice Marilyn Warren today called the RedCrest system “very important for commercial litigation in Victoria”.
Previously, the court made use of the Integrated Court Management System (ICMS) for case management, which was late and ran AU$12 million over budget. In the Supreme Court’s 2011-12 annual report (PDF), it complained that it had “been frustrated and disappointed by the inadequacies of the ICMS”.
According to the court, it was due to these insufficiencies that the court then developed RedCrest for case management, implementing part of the funds designated for the state’s ICT Strategy (PDF). The final version of the strategy was published in February this year, after listening to and applying feedback from the public on the draft strategy (PDF).
Australian Information Industry Association (AIIA) board chairman Kee Wong said at the time of the strategy’s publication that it is crucial for the government to be able to learn and move on from its technology blunders.
“Putting in place processes to improve governance and planning, building internal capability, and encouraging innovations should allow for the creation of government ICT services that meet the needs of citizens, and ICT projects which have a much better chance of succeeding.”
In May, the Victorian government set aside AU$19 million in its budget for implementing the ICT Strategy.
The Federal Government released its cloud policy in May 2013 (reported here and found here). During the election campaign the Coalition expressed its enthusiasm for the development (see here), which has been described as “cloud first” (see here).
The Australian Computer Society has released Cloud Computing Consumer Protocol – Discussion Paper (accessible here), which provides a useful basis for understanding the issues (as does the Australian Privacy Foundation’s submission found here and the submission it endorsed here).
The Discussion Paper sets out the key issues reasonably clearly, such as:
What is cloud computing
Cloud computing is a general term for the delivery of hosted services over the internet, enabling users to remotely store, process and share digital information and data. As such it is more a new way of delivering technology services rather than a new technology itself. There are three main categories of cloud, although the distinctions between them are becoming more permeable as their sophistication grows. They are:
- Infrastructure as a Service (IaaS) offers data centre capacity, processing and storage. An example is Amazon Web Services.
- Platform as a Service (PaaS) provides an environment for the hosting of applications. An example is Salesforce’s online hosting services and content delivery services.
- Software as a Service (SaaS) examples include Hotmail and Flickr.
The benefits:
Cloud computing provides cost and efficiency benefits because its service delivery features are:
- Scalable and elastic – users can tailor the services to meet user demand and the size of the processing task undertaken;
- Platform agnostic – users can access services across multiple devices and operating systems. Almost any internet enabled device, including smart phones, will provide multi-location access to data when cloud computing is adopted;
- Free of fixed costs – ongoing licence fees and equipment purchase costs are eliminated because users pay-as-they-go for services. This permits greater economy of scale for smaller organisations.
Where Data is located:
Data Location
Cloud Service Providers may host data on a number of servers, located locally or offshore. Knowing where hosted data is located can help customers assess any risks or benefits for their business. Legal jurisdictional power over data and information may change depending on the location and the national security requirements in place. For example, domestic legislation may prohibit some providers from revealing where sensitive data is located.
The key concern, being a lack of security and privacy:
Recent research by the Australian Communications Management Authority (ACMA) has disclosed that 52 per cent of respondents lack confidence in privacy settings for online service providers.[1] More than two-thirds are concerned about security and unauthorised use of personal information by providers (see ACMA, Communications Report 2—Australia’s progress in the digital economy: Participation, trust and confidence, 2012). Recent publicity about access by the US government to private consumers’ online information has exacerbated this concern. So it seems clear that to address cloud adoption barriers and ensure appropriate market conduct, the Protocol’s challenge goes beyond educating audiences on productivity enhancing technologies.
With the amendments to the Privacy Act coming into force on 12 March 2014, organisations and agencies will need to comply with the Australian Privacy Principles (“APPs”). In the cloud context that will mean careful consideration of APPs 1 and 8.
The benefits of the cloud have been much touted and sometimes overhyped. In “DFAT CIO doesn’t buy into cloud ‘hype’”, the Department of Foreign Affairs and Trade CIO Tuan Dao has highlighted concerns about data security and privacy. Daniel Solove, one of the world’s authorities on privacy law, has highlighted the need for privacy improvements in the use of cloud technology in “The Stunning Need for Improvement on Mobile and Cloud Risk”. The article provides:
A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud*, reveals a stunning need for improvement on managing the risks of mobile devices and cloud computing services. The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others. The results are quite startling.
The study concluded that “the greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.
Some other key findings include:
* Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
* Only 19% said their organization knew how much regulated data was on mobile devices.
* Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
* 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
* Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
* In the past two years, the average organization had almost 5 data breaches involving the loss or theft of a mobile device with regulated data on it.
Wow! These findings are quite alarming, and they show that organizations are significantly underappreciating the risks of mobile and cloud.
The Risks: What are the risks? Here are a few:
1. Unsafe Security Practices. With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
2. Choice of Cloud Service Provider. There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
3. Regulatory Troubles. If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
4. The Ease of Sharing. Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
5. The Ease of Losing. If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”
Key Steps for Improvement: What should be done?
1. Educate the Cs. The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
2. Develop Policies. The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
3. Educate the Workforce. Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
4. Instill Some Fear. The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.
The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress. The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.
Given the new regulatory environment that will exist in March 2014, where the Privacy Commissioner can seek civil penalties for repeated or serious interferences with the personal information of others, not to mention the real prospect of breach of contract and confidence actions for misuse of private and confidential data, the need for persons or organisations to use the cloud should be matched by care in protecting that data. Part of that process is careful compliance with the APPs.
As a general approach the user should consider all of the following (though it is not an exhaustive checklist):
- Determine what cloud service is appropriate for the need.
- Work out the risk level. That will involve both an assessment of the processes, the legal exposure as well as the technical issues.
- Know what information will be sent to the cloud. How much of it is personal information? Part of that process involves considering the nature of the personal information being sent to a cloud provider. Sending sensitive information (as defined in the Act) and having that disclosed in breach of the Act has potential reputational and enforcement consequences greater than more prosaic personal information.
- Find out the security protocols the provider uses. The personal information is likely to be in the care of someone else. Responsibility remains with the organisation or agency under the Privacy Act’s legislated accountability principle.
- Do a check on the history of the provider. Has it had problems with data security in the past?
- Ensure there are adequate contractual provisions mandating appropriate security provisions and some form of auditing or reporting on them (at minimum).
- Make sure the information is protected both while it travels and when it is in the provider’s possession. Encrypting data is the easiest and most reliable way of doing this as a first step. While encryption is not foolproof (see article here), if data is encrypted it is less likely to get misused, or to cause harm if it gets hacked or lost. If it is encrypted and the code is cracked, the legal exposure will be less than if it was unprotected in any way.
- Make sure the consents obtained from clients or those whose information is being sent into the cloud are appropriate and can stand up to scrutiny. Avoid bundled consents and have careful regard to the terms of the APPs when drafting.
- Find out where the data centres are.
- Determine if the cloud provider is passing the information to a third party. Avoid such practices. Include contractual stipulations prohibiting such conduct and include means of verification that it does not take place.
- Make sure that if there is a decision to change providers the personal information can be removed or deleted.
- Have protocols and policies in place to deal with a data breach by the cloud provider. This is more than referring to a contract. It is important to take steps quickly to remedy any breach of the APPs when discovered. It is also imperative to be able to respond to a problem with the cloud provider.
- Have privacy policies, contracts and technical specifications checked by professionals. Drafting a consent is a technical matter and courts construe them strictly. Privacy consents are becoming a sub-speciality in and of themselves. Many “do-it-yourself” consents are bundled, drafted generally and badly, and fail to provide sufficient information to obtain an informed consent. Similarly, a poorly worded contract can be more a hindrance than a help.
The lack of knowledge about the legal issues in this emerging area of technology is concerning. The equitable and contractual principles apply even in cyberspace. The Privacy Act will provide the Privacy Commissioner with considerable powers which he can use for breaches of the APPs in the use of cloud computing. There is also Victorian legislation which can result in action.