Everyone is talking “Cloud”
How secure is your data?
Bianca Mueller, LL.M.
Benefits of the cloud
• Scalability
• Access everywhere in the world
• Improved backup/disaster recovery
• Reduced infrastructure costs
• Software is always up to date
• May save cost in the IT department
• Potentially more secure than your back office server
• Faster and higher quality servers
Due diligence and risk management
• Trust and security
• Type of cloud service
• Type of business / industry
• Risk aversion
• Business objective and long term vision
• Commercial value of data
• Reliability of connectivity
• Reliability and trustworthiness of the service provider
Risks
• Security and Trust
• Jurisdictional issues
• Cross border privacy concerns
• Contractual Issues
• Lock in and document retention
• What happens if the cloud service provider goes out of business?
• Regulatory compliance
• Service reliability and connectivity issues
Cloud Computing Landscape
Applications
Storage
Computing
Development platform
What happens if your Service Provider goes bust?
• Will you get your data back?
• Can your data be easily transferred to another provider?
• Information may not be available to you anymore (e.g. Mega)
Tip
• Conduct proper due diligence and risk management
The value of your data
• Designs, plans, specifications, drafts, moulds
• Research data
• Operational and administrative data
• Billing information, price lists etc.
• Source code, financial statements, and business plans
• Everything that has actual or potential commercial value to your business
Lifecycle of your data
• What business information does your business create and keep?
• And what is happening with this information after it has been created?
• What’s its value (and are you leveraging it)?
• What is your Return on Investment?
Tip
• Classification of data into categories will determine the type and degree of risk and how you should manage it
Risks to your data
• Theft (external / internal threats)
• Employee negligence
• Unsecured mobile devices
• Government access (e.g. NSA)
• Technical and natural disasters
Tip
• Prioritise the confidentiality, integrity, and privacy of your information
Dealing with confidential information
• Contractual or statutory obligations to keep particular information confidential
• Employees, contractors, business partners
• Accountants, lawyers, GPs or other health professionals
Tip
Using cloud services must not compromise your duty of confidentiality
Privacy concerns
• There is no “OOPS” clause in privacy legislation
• Privacy breaches are always costly
• Negative impact on your reputation
• Loss of customers’ trust in your brand
Tip
• Seek advice on your organisation’s privacy obligations and ensure that your staff understands these obligations
• In 2012, 5.4 million Australians were victims of cybercrime
• Cost of cybercrime being as high as AUS $2 billion per year
Tip
Because of high risk and high cost, you should prioritise confidentiality, integrity, and privacy of your data
Financial Records
• Financial records must be kept in New Zealand for at least 7 years
• Cannot be stored in DropBox, Google Drive etc.
• Exemptions: Brookers, MYOB, Xero, Reckon New Zealand, Cargo Wise New Zealand, CCH New Zealand, Farm IQ Systems, and Technology One
Small contract, big liability?
• You are responsible for ensuring the security, encryption, and back-up of your data
• It’s not the cloud provider’s responsibility
Tip
• Ensure that you fully understand your contractual liabilities and how they might affect your business
• Read the fine print – It may surprise you!
Mitigating risks in the cloud
• Be smart and involve people with the right skills in making cloud decisions
• Conduct an impact assessment to determine the most appropriate cloud environment
• Know your data and decide what can go into the public cloud
• Don’t put all your eggs in one basket
• Ensure that you fully understand the technical, commercial and legal risks
• Monitor the cloud provider’s activities and plan for cloud outages
• Back up, encrypt, and bring your own key!
Bianca Mueller, LL.M.
Twitter: @LawDownUnder
Information technology law
Drafting and risk analysis of commercial IT contracts
Trademark and copyright law
Protection of ideas, trade secrets, and confidential information
Advice on information security and data protection
European privacy and technology law