Mitigating cloud computing risks

Cloud computing is not without its risks, but it’s up to corporations to do due diligence before they hand over their data, says one lawyer who specializes in electronic discovery.
Cloud computing services provide data storage over the Internet, commonly referred to as being “in the cloud.” Although it does have its benefits, there are risks associated with this increasingly popular phenomenon, such as potential data breaches.

A recent data breach occurred within cloud computing service provider Dropbox, which allows users to transfer their computer files to the company’s Internet servers. One of the company’s users launched a lawsuit in California alleging it didn’t secure users’ private data or notify all of them about the data breach.

The lawsuit claims Dropbox suffered a glitch where logged-in users were able to access other users’ data. It also claims instead of notifying users of the breach, it simply mentioned it in a blog post. The post allegedly said the glitch was fixed five minutes after it was discovered and that only a small group of users was affected.

That kind of response “wouldn’t fly in Canada,” says Kelly Friedman, a partner at Davis LLP and chairwoman of the steering committee at Sedona Canada. That’s because Canada has more stringent privacy rules under the Personal Information Protection and Electronic Documents Act.

Friedman says there are three major risk areas associated with cloud computing: security, privacy, and e-discovery (or the impact on litigation). “All the risks stem from the lack of control over your own data. The reality is you’re giving your data to a third party to control,” she says.

From an e-discovery perspective, Friedman says using cloud computing doesn’t change any of the corporation’s obligations for preservation and production of its data. “The court won’t say that you have relinquished control. The court cares about whether you have possession, custody, or control over information,” she says.

But with cloud computing, you actually do relinquish control by handing over your data to a third party, she adds. This can present certain risks, particularly if a data breach occurs. “The reality is if you don’t maintain legal control through the contract with the service provider, then you’re negligent in terms of best practices and managing your own data. And the court’s not going to excuse you for that.”

She suggests corporations looking to use cloud computing service providers carefully scrutinize the provider in terms of whether it is financially viable, what kind of insurance it carries, and most importantly, the service provider’s standard form contract and then negotiate specific provisions in terms of the provider’s document management obligations. This way, if the corporation needs its data for any reason, it has the contract to fall back on if the provider is unco-operative, she says.

She also mentions it’s worthwhile looking at the type of encryption the provider uses and its level of security, and where it’s storing data since jurisdictions could have different privacy legislation.

Friedman says there are some real benefits to cloud computing, but you get what you pay for. “People like cloud computing because they don’t have to go buy the IT infrastructure or get the software licences, they can just access it, and they can access it at a cheap cost. The reality is if you’re going to start imposing liability on that service provider for these risks that I’m talking about, the price is going to go up.”

She believes cloud computing data breaches stem from providers trying to keep up with quickly evolving technology. “You’re never going to 100-per-cent secure any data against security breaches . . . you have to make sure your service provider is doing the best they can with the money you’re paying,” she says.