The IT Girl: Check your own house

Lisa R. Lifshitz
As we all know, technology (including software, infrastructure, data backup and restore, etc.) is increasingly being made available as a “service” on a trans-border/global “cloud” basis. For some interested buyers, this model raises the spectre of a host of concerns regarding the location of customers’ data, the preservation of data, confidentiality/security, the secondary use of data by vendors, and the actual location of vendors’ networks and systems.

Coupled with some well-publicized data breaches and the considerable volatility in the cloud vendor market (with increasing numbers of bankrupt vendors and market consolidation), many organizations remain reluctant to go to the cloud.

When I act for prospective purchasers of cloud services, I am naturally extremely vigilant and carefully scrutinize the cloud vendor’s standard agreements to determine whether they are sufficient to meet the client’s technological, legal, and compliance requirements. This is particularly true for clients that are FRE — federally regulated entities including banks, trust and loan companies, credit associations, insurance companies — that are subject to OSFI and other guidelines, clients in the health care space that are health-care custodians or otherwise handle health information, and government entities.

And of course, our federal privacy commissioner and her provincial counterparts have issued excellent “Cloud Computing for Small and Medium-sized Enterprises” guidelines that remind all Canadian businesses of their ongoing privacy responsibilities if they opt to use the cloud.

At the same time, I sometimes wonder if certain clients realize the “do nothing” approach to risk minimization is no longer an acceptable option, particularly when dealing with older technology.

Case in point: As hopefully everyone now knows, Microsoft Corp. has announced that after April 8, it will no longer be providing technical support for Windows XP. This means Microsoft will no longer be making automatic updates (bug fixes, patches, or security updates) available to users.

As Microsoft’s web site says, if a user continues to use Windows XP after support ends, “your computer will still work but it might become more vulnerable to security risks and viruses. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter greater numbers of apps and devices that do not work with Windows XP.”

Also, the old hardware on which Windows XP was running will likely not support Windows 7 or 8. As a result, upgrading the operating system will probably mean upgrading hardware as well.

Clearly, this is a case where “if it ain’t broke don’t fix it” does not apply. Old simply becomes broken once it’s no longer supported. It no longer makes sense for any company to continue to use a software program more than 12 years old and plainly now vulnerable to attack. But change does not come easily for some, especially law firms apparently.

Interestingly, this popular operating system was still used at an astonishing 37 per cent of U.S. law firms only a year or so ago, according to a 2012 survey by the International Legal Technology Association and as reported in the ABA Journal. To my mind, this raises a red flag as law firms clearly have ethical duties to protect client privacy and can be obvious/easy targets for hackers.

So despite the lack of love for Windows 8, the message for users of Windows XP clearly has to be: migrate to a newer version of the product or another operating system by early April or be prepared to face the repercussions if your company continues to use an unsupported operating system.

At a bare minimum, one would assume companies that bury their corporate heads in the sand could be subject to exclusions in their insurance policies for damages arising from an XP security breach. As noted in the ABA Journal article, law firms that remain hold-outs could presumably also be further subject to charges of violating their ethical duties as well as possibly subject to disciplinary action.

So while there are risks to migrating to the cloud or in engaging in any kind of technology refresh, sometimes the bigger risk is to do nothing.

In addition to having robust contracts, the best solution is often to choose a robust technology provider with a long-term track record in the industry. Due diligence is especially required in connection with the choice of a good cloud vendor.

Those of us who practise IT law should be prepared to have this discussion with our clients. The better provider may not be the cheapest option, but you usually get what you pay for (or in some cases, when your client finds out that his vendor has become insolvent and has a limited ability to get his data back, you get nothing at all). And when you are thinking about minimum critical security requirements and “must haves,” consider your regulatory/business requirements, balanced against what your organization has been living with all along. In other words, check your own house.