Up in the Cloud: Tackling e-Disclosure and Multi-jurisdictional Challenges

May 26, 2014

The migration of business functions and data to the Cloud continues unabated, but too often the designers of Cloud-based data architectures fail to anticipate the additional risks that the Cloud creates, with potentially serious implications for companies.

The dispersed nature of data in the Cloud means that data security is a much more difficult task than in conventional information infrastructures, as is the protection of intellectual property stored in the Cloud. Disputes over the ownership of data may arise, and companies can also encounter data protection risks if their Cloud architecture inadvertently stores employee and customer data outside their home or designated ‘safe harbour’ jurisdictions.

The move from traditional closed-wall architectures to vendor-controlled Cloud systems also increases the risk of fraudulent practices going undetected if the move adversely affects the company’s ability to monitor and control its data. These information governance challenges also come into play in the event of major litigation or a regulatory intervention. In these situations, relevant information will often be required quickly, but restoring large volumes of electronic information from cyberspace to the company servers for the purposes of e-disclosure can be a very slow process, and Cloud providers commonly throttle download speeds in the event of a request for large amounts of data from a single client.

It is also still rare for Cloud providers to inform clients in detail about the jurisdictions in which their data will ultimately be held. This can create severe problems if e-disclosure is required, in particular if the data is found to be located in a country with strict data protection or privacy laws, such as France, Germany or Switzerland. Laws restricting the use of personal data – be it on company-owned or leased servers or residing in a jurisdiction through the Cloud – can put a brake on access to company data. Other jurisdictions, meanwhile, have strict bans on the transfer of data beyond their borders, even if that data is only located there through a cloud architecture, in some cases enforced by custodial sentences.

The practical problem is that, at present, the law surrounding company data in the Cloud is extremely unclear and very little guidance has been provided yet by the courts. In practice, this has meant that blocks on accessing data for e-disclosure purposes have been put in place, sometimes for many weeks, while the legal position of that data is established. If accurate information cannot be accessed, analysed and disclosed on time and without damage to its admissibility, adverse inferences could be drawn, cases can be lost and reputations may be damaged. 

Save now, pay later – proactive measures and policies to reduce risk

Many of these problems can be avoided through careful design of Cloud-based architecture as well as by using the tools provided by some of the bigger names in Cloud computing.

Most of the main Cloud providers – for example Google Apps and Microsoft Office365 – are well aware of these issues and have introduced effective tools to alleviate some of the common pitfalls of Cloud computing.

These include tools to address the problems of mapping a company’s data in the Cloud, the conversion of data into compressed formats that damages the metadata, a lack of separation of business and personal data and a general gap in understanding of the regulatory and legal responsibilities that come with handling important information. They can also deal with the bandwidth issue created by the Cloud; Google’s Apps Vault bolt-on for business e-mails can segregate a company’s e-mails and data so that, if an urgent information request is received, that data can be pulled down independently of the mass of Cloud data on its servers.

Mapping and controlling where data is stored in the Cloud remains an extremely important requirement and the privacy and data protection issues identified in this article need to be considered.

A number of best practice standards (such as ISO 27001 and ISO 27002 for information security and also the draft ISO 27017 for information security in the Cloud) have been developed for Cloud-based infrastructures, and an independent assessment of the company’s infrastructure is advisable to ensure that it follows best practice. Litigation-readiness training for regulatory and compliance issues is also sensible, as is preparing an action plan to deal with a regulatory information request.

Measures to avoid and mitigate these risks are most effective if deployed at the outset of a project to move to the Cloud, yet some companies are hesitating to invest in the best tools and standards when making the move. However, the severe consequences of running into these problems mean that this may prove to be a false economy if those companies subsequently become the subject of an investigation. Money invested in these issues now will pay dividends in the long run.

 Ching Liu is Practice Leader for Digital Forensics at Control Risks. He is a forensic specialist in many different operating systems, ranging from personal devices to business networks and mainframe architecture. Since joining Control Risks he has been involved in numerous civil and criminal cases involving computer fraud and misuse. Ching.Liu@controlrisks.com 

Ramin Tabatabai is a Senior Consultant for Legal Technologies at Control Risks. Ramin is also a dual qualified lawyer admitted to the Bar of Cologne, Germany and Roll of Solicitors of England and Wales. Ramin.Tabatabai@controlrisks.com.  For further information visit www.controlrisks.com