Data Security in the Cloud: Issues in Cloud Law - Australia


By mathiasfoletto - Posted on 01 November 2012

Data Security in the Cloud - A Whitepaper by Nicholls Legal

I Introduction

Inadequate data security leaves businesses open to significant damage and embarrassment. Whilst data security is a key concern for any business when it considers the use of its IT resources, businesses that operate within, or are seeking to operate within, the cloud need to be particularly attuned to the increased risks and dilemmas that cloud computing poses for their data security.

One of the most obvious risks in switching from in-house IT services to the cloud lies in determining whether a cloud provider can ensure adequate protection of important and sensitive data and a business’s interests in that data. In a study of 110 cloud implementations by IBM, security concerns were cited by clients as one of the biggest inhibitors for cloud computing. The report cited ‘secure and efficient data exchange across the enterprise and clouds, as well as secure application connectivity’ as the major data security concerns for businesses looking to implement cloud solutions, especially those looking to enter the public cloud.

A key area of concern for any customer seeking to enter the cloud is the fact that large cloud providers become an obvious and prominent target for hackers. Prominent recent examples include hacks of the networks of Sony, Citigroup, NAB and the Commonwealth Bank, and the ‘AntiSec’ campaign carried out against a number of high profile targets by the hacking groups Anonymous and Lulzsec.

This whitepaper analyses some key issues regarding data security in the specific context of cloud computing services – analyzing security risks through a case-study of a devastating data security breach at Melbourne web-hosting service Distribute.IT; and then examining current and potential future government and industry responses to some of these issues.

II Case Study – Distribute.IT

A Introduction

In June of 2011 Melbourne-based hosting provider Distribute.IT was the subject of a targeted attack by an unknown instigator that rendered data from four of its servers completely unrecoverable. As a result, the stored data of 4,800 websites was lost permanently, with Distribute.IT forced to concede that:

"This leaves us little choice but to assist you in any way possible to transfer your hosting and email needs to other hosting providers."

Customers of Distribute.IT, some of whom permanently lost data, predictably responded with both shock and vitriol directed at the company both in statements to the media and on online forums such as Whirlpool. Particularly concerning for Distribute.IT in this case is that the hack appeared to be a “deliberate attempt to take down the business by destroying drive header files and not an act aimed at stealing client data.” The implication is that the hack was either in the Anonymous and Lulzsec mould, aimed purely at disruption and destruction of businesses that have exploitable data security weaknesses; or perhaps the work of a disgruntled employee or ex-employee. Distribute.IT was subsequently acquired by the Netregistry group in late June 2011 and investigations into the source of the hack ensued.

There are a number of points that can be taken away by both cloud providers and cloud customers from the Distribute.IT debacle. The first is an obvious one: cloud providers need to ensure that the data security measures they put in place are sufficient to protect against sophisticated, targeted hacking operations such as this. Rob Forsyth, director of the Internet Society of Australia and managing director of internet security company Sophos, notes that it appears Distribute.IT’s security was clearly lax. In particular Mr. Forsyth observed:

"To me it seems really that there were inappropriate security settings within a number of their databases ... It appears that some of the data was not encrypted and therefore was once the servers were cracked, was available in clear text. That seems a shame."

It has also been suggested that the Distribute.IT hack highlights the need for a regulatory overhaul of customer protections and obligations of cloud providers (see below). Rob Forsyth has stated that the hack demonstrates the need for ‘mandatory disclosure legislation’ that requires companies to inform customers and authorities immediately when a security breach occurs.

A number of other takeaways from the Distribute.IT hack are outlined under relevant headings below.

B Due Diligence and ensuring adequate protection of data

The Distribute.IT hack indicates the importance for customers of ensuring their cloud provider can adequately protect their data and their interests – a concept known as ‘resiliency’. Patrick Stafford of Smart Company lists five lessons that cloud customers can take away from the hack: grill your service provider, think twice about the cloud, don’t skimp on hosting (sign up with a trusted provider), get your security on track, and keep up to date with security threats that may affect your business and your provider. Whilst these lessons are by no means new, the Distribute.IT experience is a useful salutary tale as to the potential seriousness of the loss.

Australian Computer Society Chief Anthony Wong says the Distribute.IT hack indicates the need for cloud customers to go through their Service Level Agreements (SLAs) with a fine-tooth comb, especially where the cloud system is critical to their business operation. In particular, customers should be prepared to negotiate SLAs that ensure adequate protection of their data in the event of a breach, rather than rely on standard SLAs that will often include a force majeure clause relieving the provider of its obligations in the event of a third party hack. At the very least this will require customers to enquire about the strength and nature of data protection from their provider, and may also require customers to undertake additional measures of their own, including keeping additional backups of all the data they upload to the cloud.

Of significant concern in the Distribute.IT hack is the company’s lack of effective backup procedures, which has come under attack from backup experts who note that such an attack,

"should not be capable of rendering a company unable to recover its data... with an appropriately designed backup system, this level of data destruction should not have happened."

Clearly the avoidance of such embarrassing and damaging incidents requires efforts by cloud providers and customers to ensure not only that their data is protected, but also that damage from any hack is minimized through effective backup procedures. Wherever possible, customers should seek to impose on their provider strict obligations on data backup. The Cloud Security Alliance in their Security Guidance for Critical Areas of Focus in Cloud Computing outlines a number of governance recommendations for cloud providers and customers to ensure the security of their data. These include:

• dedicating a portion of saved costs in migrating to the cloud to ensuring and monitoring data security and the practices of the provider;
• developing robust security governance incorporating consultation between the customer and the provider;
• ensuring, wherever possible, that SLAs reflect and make enforceable the customer’s security requirements.

Such measures are common sense ways of protecting against data breaches and minimizing the potential damage when they do occur.

Another significant issue in the way data is dealt with in the cloud is the ability to migrate the data to a new provider should significant issues arise with the existing service provided. It is important for customers to ensure that their data remains portable should they choose or be forced to migrate to a different provider. In particular customers should be aware of the use of proprietary data definitions that may make migration difficult, and the consequences for their data if the company goes bust or if they are unable to pay the costs of the service in a particular month.

C Potential liability of cloud providers in negligence

The Distribute.IT hack also raises interesting questions as to the potential liability of cloud providers where insufficient security on their end results in substantial losses to their customers. Of interest to Distribute.IT and affected customers is the pending New York lawsuit against Sony (which surely will not be the last) for negligence, privacy violations and breach of contract, which may prove an interesting test case as to the extent of the application of negligence principles in particular to damaging data breaches.

The law of negligence is a developing area and the categories of negligence are never closed. Negligence law faces considerable challenges in keeping up with the pace and scope of technological change, particularly in the areas of pure economic loss, causation and the nature of harm. For instance, is the relevant relationship between Distribute.IT and its customers purely a contractual one? Or should the common law recognize that Distribute.IT also owes a common law duty of care to its customers to protect them from pure economic loss by adequately protecting and backing up their data? Are the criminal actions of an unknown third party (the hackers) enough to place the consequences of the hack outside the scope of such a duty, or does the duty extend to the mitigation of the worst potential consequences of predictable data breaches? Could the loss of customer data be said to have been caused by the inadequate security and backup measures of Distribute.IT for the purposes of holding them liable, or is the damage too remote? The common law moves at a much slower pace than technology and these questions remain wholly or partly unanswered. However, it is likely that the common law will eventually move towards imposing negligence standards on data storage providers, especially if the pace of legislative reform is perceived to be too slow, or legislation and regulation fail to prevent the adoption of lax security standards by cloud providers.

Liability in negligence may not be an appropriate method of dealing with data-security breaches in many cases. Where the breach is at a small or medium sized company such as Distribute.IT, the potential losses to customers may be many orders of magnitude larger than what the company is able to bear, and the consequences of a successful claim would be ruinous. Further, a policy that encourages excessive caution or imposes burdensome obligations on cloud providers discourages the entry of new start-up players in the cloud environment and may stifle the innovation which is vital for the sector. Arguably then an approach based on individual liability in negligence will only be preferable if industry regulation and legislation aimed at an industry-wide approach fail to prevent losses such as those incurred by Distribute.IT customers.

D Forensics in case of data breaches

Another significant issue raised by the Distribute.IT hack is the comparative difficulty of tracing hacks that occur in the cloud. Typically where a hack occurs on an in-house system the forensics for tracing the hack is relatively simple, and more often than not the person responsible will be an insider with knowledge of the system. When a breach occurs in the cloud the process is far more complicated. There are numerous points at which the hack may occur, the data may be stored overseas or in several different places and responsibility for the data may have been sub-contracted out to another company by the cloud provider. It can be difficult simply to determine where the breach actually occurred, let alone who is responsible.

Moving data into the cloud can therefore compromise the ability of companies and authorities to investigate data breaches. Where data storage moves to the cloud ‘the ability to obtain uncontaminated copies of evidentiary data may be reduced, if not eliminated.’ It is in the interests of any business looking to move into the cloud to investigate whether and how data breaches can be traced and investigated.

E Security advantages in the cloud

If the above security concerns can be adequately addressed there can be significant advantages for data security in moving to the cloud. Cloud computing does provide a number of advantages over traditional in-house IT solutions, especially for small and medium size enterprises. This section will focus on the data security advantages that cloud computing can provide and will not discuss other benefits of cloud computing, such as decreased cost, increased flexibility and elimination of system down time.

Many common cloud services such as Google Apps, Windows Azure, Amazon EC2 and IBM LotusLive are provided by extremely large multinational enterprises that have access to expertise and resources that small and medium size businesses in particular would be unable to match with an in-house IT solution. Related to this is the ability of large cloud providers to provide advanced encryption of sensitive data.

Migrating data to the cloud can also reduce the risk posed by insiders to data security. A large proportion of data breaches involve the input of an insider who has knowledge of and access to company IT resources. Moving data off-site provides an obvious advantage in reducing the risk that insiders will be able to easily access this data. The large size of cloud networks also creates obvious security benefits for customers, as ‘all kinds of security measures are cheaper when implemented on a larger scale.’ Further as security is a priority concern for many customers, this creates a driving force for providers to implement strong security measures to attract and retain customers. Finally, security updates and patches can be quickly and uniformly applied across a cloud network as compared to in-house networks.

III Regulatory Reform?

A Introduction

Cloud computing is a rapidly developing field, and as yet regulation and legislation has been largely reactionary and less than comprehensive. There is a growing recognition of a need for greater governmental and industry responses to the challenges facing cloud computing. Some current and future approaches are outlined and analyzed below.

B Security breach notification laws

Security breach notification laws place a legal requirement on corporations and organizations to notify individuals when a data breach results in disclosure of their personal information or data, either where certain types of data are disclosed or where the breach carries a serious risk of harm to the person whose data has been stolen. They have become a popular tool for legislatures seeking to address data security breaches in a way that is not excessively costly to industry but still addresses the concerns of customers about their data. The theory is that mandatory disclosures of security breaches fulfill two key functions. First, they address the right of individuals to know when their information has been stolen or compromised and allow customers to take action to mitigate any harm resulting from the loss or theft of this data. Second, the laws provide an incentive for organizations to take adequate steps to secure personal information they hold. These two aims are respectively called the ‘Right to know’ and ‘Sunlight as a disinfectant’.

The first security breach notification laws were introduced in California in 2002. Since then they have been adopted in 46 US states and have been mandated by the European Union Directive on Privacy and Electronic Communications. The latest evidence from the US indicates that security breach notification laws reduce the frequency of identity theft resulting from data breaches by an average of 6.1%. This is an indication that the ‘right to know’ argument has significant merit. However, studies are so far limited and there is no evidence aside from the anecdotal as to whether industry has been prompted by the laws to adopt more stringent data security practices.

As yet, no Australian state or the Commonwealth Government has followed this lead, despite a recommendation from the Australian Law Reform Commission (ALRC) in its 2008 review of Australian privacy laws. Calls for such legislation on a national level have been renewed in the wake of a number of high profile hacks and it seems likely that the near future will see the introduction of security breach notification laws in Australia.

C The Cybercrime Legislation Amendment Bill 2011 and the Council of Europe Convention on Cybercrime

The movement of data into the cloud also raises the need for increased international co-operation in order to effectively combat and prosecute cybercrime. The Australian government has moved recently to recognize this need in introducing the Cybercrime Legislation Amendment Bill 2011 (the Bill) facilitating Australia’s accession to the Council of Europe Convention on Cybercrime (the Convention). The Bill has three main aims. The first is facilitating the preservation of communications by enabling agencies to request preservation of communications by a carrier over whom they intend to seek a warrant. The second is facilitating international co-operation by providing for greater access by Australian agencies to communications stored outside Australia. The third is extending the scope of certain cybercrime offences in line with the Convention.

The Bill is further evidence that the Australian government is seeking to bring Australia into line with data protection laws overseas, especially in Europe and the USA. In the context of cloud computing, the Bill has a couple of interesting features. The first is the facilitation of a 24/7 real-time network to enable efficient and free exchange of information between Australian and foreign authorities, reflecting the need for expeditious disclosure of communications and traffic data to foreign countries for identification and investigation purposes. The second is the privacy implications raised by giving foreign authorities access to data stored in Australia, and vice versa, which closely parallel the difficult jurisdictional issues raised by cloud computing (discussed in depth in another of our cloud whitepapers).

D Industry self regulation and standards

As yet, there are no uniform industry regulations or standards that focus specifically on data, especially personal data, stored in the cloud. However, there are a number of industry or data specific voluntary standards that focus on data security and/or prevention of cybercrime.

1. PCI DSS

One example of industry regulations aimed at protecting data stored in the cloud (as well as locally stored data) is the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is an information security standard for organizations that handle debit, credit, prepaid, e-purse, ATM, and point of sale cardholder information. For obvious reasons this data is a frequent target for cyber criminals, with more than 234 million records breached between 2005 and 2008. The PCI DSS has been criticized as doing nothing more than providing for a minimum security standard; however, it has been claimed that ‘no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.’ Questions of effectiveness aside, the PCI DSS provides an example of a comprehensive data security standard aimed at the implementation of strong data protection from the time that a network is constructed and at continued monitoring of data security. Compliance with the PCI DSS is a good starting point for any provider looking to handle sensitive information, and provides an assurance for customers as to the security standards applied to their data. This is particularly important for organizations worried about the obligations they have to their own customers about the use and protection of data.

2. The IIA icode

The icode is a voluntary code of practice for ISPs designed to protect their customers and networks from cybercrime. It is a recognition that consumers and ISPs have a shared responsibility in relation to cybercrime. Whilst not strictly focusing on the provision of cloud services, one of the key aims of the code is the instilling of a culture of cyber security through both practical security measures and through education. The code also recommends that ISPs make significant efforts to inform authorities and customers about serious risks and breaches of data security (see Security breach notification laws above). The icode now has over 90% coverage and has been recognized internationally as a significant effort at voluntary industry action to combat significant cyber security issues.

3. The Cloud Security Alliance

The Cloud Security Alliance (CSA) is a US-based body that describes itself as:

"a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing."

The CSA produces a number of research and guidance documents focusing on increasing and standardizing security measures in the cloud and outlining steps that providers and customers can take to ensure the security of their data. Some documents produced by the CSA include ‘Security Guidance for Critical Areas of Focus in Cloud Computing’ (mentioned above) and the ‘Top Threats to Cloud Computing’. They also offer a ‘Certificate of Cloud Security Knowledge’, delivered via a timed online quiz aimed at testing individual competency in cloud security issues. As yet no comparable industry body exists in Australia.

4. The European Network and Information Security Agency

The European Network and Information Security Agency (ENISA) is an agency established by Regulation (EC) No 460/2004 of the European Parliament and is charged with the task of maintaining its website as a hub for best practices and knowledge in the field of information security. As part of this role ENISA produced in 2009 ‘Cloud Computing: Benefits, risks and recommendations for information security’, covering a broad spectrum of security issues relating to cloud security. Of particular interest is the dual focus of this document on ‘hard’ regulatory measures such as breach disclosure and regulatory standardization throughout the EU, and ‘soft’ measures focusing on education and building consumer confidence in cloud computing.

IV Conclusion

From the above we can reach two important conclusions regarding data security in the cloud and its protection. The first is that due-diligence and appropriate data security governance are extremely important for anyone seeking to move to the cloud, and for any cloud provider, especially those storing important or sensitive customer data. In particular, backup and security measures, and service level agreements should be carefully scrutinized and managed to ensure that catastrophic losses such as those incurred by Distribute.IT and its customers cannot be incurred.

The second conclusion is that regulation, legislation and the common law regarding data stored in the cloud remain underdeveloped, meaning that currently much of the responsibility falls on individual organizations to decide on and be pro-active in implementing best-practice procedures. This also means that regulation can be expected to develop along the lines outlined above, and organizations need to be vigilant and prepared for this.

© Copyright Nicholls Legal – All rights reserved.

ABOUT THE AUTHOR: Matthew Nicholls, Alex Maschmedt
Matthew Nicholls LLB(Melb)(Hons) BCom(Melb) is the principal of Nicholls Legal. Matthew has extensive expertise since 1994 in Technology & Communications law. His background includes major national law firms Clayton Utz and Corrs Chambers Westgarth.

Matthew’s particular expertise includes negotiating and drafting agreements, litigation and providing specialist regulatory and trade practices advice. This has included advising the Department of Communications, the Australian Competition & Consumer Commission and serving as a director on the board of the Australian Communications Information Forum, ACIF (now Communications Alliance).

Matthew has acted for many of the major telecommunications players in Australia. These include AAPT/PowerTel, Soul/TPG, NEC, Primus Telecom, Hutchison 3G Australia, Macquarie Telecom, TransACT, Uecomm, Virtual Communities, WestNet, WorldxChange and the Competitive Carriers’ Coalition.
