Cloud computing – privacy and security
Continuing the recent series of articles on Cloud computing which has appeared in Law News over recent weeks (see Issue 27, 14 August 2015 and Issue 32, 18 September 2015), this article looks at the professional duties imposed on law firms relating to privacy and security when adopting a Cloud-based system.
I highlighted in the introductory article (Issue 27) that implementing Cloud infrastructure can lead to significant cost savings in a firm’s IT budget for data retention. However, the move to Cloud storage also imposes a number of additional duties on the law firm in order to comply with the Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008.
The questions of privacy and security raised in this article, if not carefully considered and dealt with, could see a firm face prosecution for non-compliance.
Issues of professional responsibility, privacy, and security (in a nutshell)
Under New Zealand law, lawyers and conveyancers now have specific duties to protect client data that are wider than those provided under the Privacy Act 1993. A lawyer’s professional responsibility is set out in chapter 8 of the Schedule to the Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 and requires the lawyer to protect and hold in strict confidence all information relating to the client and/or its affairs. In addition, r 11.4 requires the lawyer and firm to take all reasonable steps to ensure security of and access to electronic systems.
Cloud computing models expose the lawyer and firm to the risk of non-compliance with the Rules because of the inherent security issues of the internet. These issues arise at the transport layer (the “Transport Layer Security” (TLS) issues discussed later) and in inter-operational security within the data centre where the Cloud service is provided. The inter-operational issues stem from how data is stored in and retrieved from the Cloud.
For example, most Cloud models provide a pooled storage medium that is increased on demand through a Cloud service portal. This data is held in the normal way without any encryption and, if hacked, can be read by any other client of the Cloud system or by a third party. To try to combat this, some providers suggest that clients requiring high security implement private Cloud servers dedicated to them, with no access by any other party. However, this still provides little protection, as the unencrypted data may still be hacked once the IP address and port are discovered by a would-be hacker. Further, such a system still provides an open environment: data moving between the server and client is unencrypted at the transport layer, and if a user is hacked, complete access may be obtained to the pool of storage, notes, applications, etc.
To combat this, it is recommended to employ the “Advanced Encryption Standard” (AES). AES is an encryption specification designed to provide a high-level encryption algorithm in both software and hardware. It encrypts the data on the storage medium, so that access to the physical layer of the Cloud service is worthless to an intruder because of the time it would take to decrypt the data. Unfortunately, to date, only a few Cloud suppliers offer AES as standard for the hardware/software layer in Cloud service deployment. It is therefore important for firms to check carefully whether their service provider, or third-party reseller, offers this level of protection; otherwise a breach of security allowing a hacker to gain access could amount to a breach of professional duty under r 11.4 for not taking reasonable steps to ensure the security of data.
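The at-rest encryption recommended above can be shown in working code. The Go program below is an added example, not code from this article or from any Cloud provider: the firm seals each file under a 256-bit AES key (here in GCM mode) before handing it to the provider, so the provider stores only ciphertext. It goes one step beyond the text by also binding the storage label as associated data and checking an authentication tag, because encryption alone does not reveal a blob that has been altered or moved into another file’s slot. The blob layout (nonce, then ciphertext, then tag), the matter label and the note text are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example. Blob layout (assumed): nonce || ciphertext || GCM tag.
// The key never leaves the firm; the provider stores only the blob.

// NewDataKey returns a fresh 256-bit AES key from the OS random source.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext under key. The label (for example
// the matter number and file name) is bound as associated data, so a blob
// cannot be moved into a different file slot without the check failing.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit nonce per file version
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil // nonce || ct || tag
}

// Open reverses Seal. Any change to the blob, key or label fails the GCM tag
// check and yields an error instead of silently wrong plaintext.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], label)
}

// TamperDetected flips one byte of a stored blob (as a corrupted or altered
// copy held at the provider would appear) and reports whether Open rejected it.
func TamperDetected(key, blob, label []byte) bool {
	forged := append([]byte(nil), blob...)
	forged[len(forged)-1] ^= 0x01
	_, err := Open(key, forged, label)
	return err != nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	label := []byte("matter-0001/affidavit.pdf")       // constructed sample label
	note := []byte("privileged note: settlement range") // constructed sample content
	blob, err := Seal(key, note, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider (%d bytes, first 16 as hex): %x\n", len(blob), blob[:16])
	pt, err := Open(key, blob, label)
	fmt.Printf("firm reads back: %q (err=%v)\n", pt, err)
	fmt.Println("tamper detected:", TamperDetected(key, blob, label))
	_, err = Open(key, blob, []byte("matter-0002/other.pdf"))
	fmt.Println("swapped label rejected:", err != nil)
}
```

The point for r 11.4 is the division of knowledge: the provider (and anyone who reaches its disks) holds only the blob, while the key, and therefore the ability to read the file, stays with the firm. How that key is itself stored and backed up is the next question to put in the firm’s policy.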
The second security issue under r 11.4 relates to data transfer, known as the “transport layer”. This data transfer occurs when a user sends or accesses data held on the server by “HTTP” (standard web browser), “FTP” (File Transfer Protocol), “SMB” (Server Message Block protocol, mostly used in Windows file shares), “CIFS” (Common Internet File System), “NFS” (Network File System) or “AFP” (Apple Filing Protocol, formerly AppleTalk, used in Apple devices, iTunes, Bonjour and Mac OS X). Each of these protocols (the list is not exhaustive but covers the main ones) transmits and receives data across the network by standard “handshaking” with no encryption. The ports they use are standardised and well known to hackers and other malicious groups wishing to gain access to information. They do this by “sniffing”, a common term for watching network or internet traffic and grabbing “packets”. Sniffing is commonly used to capture data being transmitted (such as usernames and passwords) that allows more devious behaviour later, but it is also used to rebuild entire data pools.
The use of handheld devices and laptops increases the risk of unencrypted transmissions being hacked and raises the question under r 11.4 of whether reasonable steps have been taken to ensure the security of data. It seems likely that lawyers will have to take ultimate responsibility for a breach of duty under r 11.4 if it is shown that they failed to undertake a proper investigation. Merely asking a service provider for details of a Cloud service is unlikely to discharge the legal duty, as lawyers have a specific responsibility under this rule to ensure the security of the electronic systems employed, and professional advice should be obtained in writing. This issue should be dealt with by an amendment to the service provider’s contract, given the general practice of service providers attempting to absolve themselves of responsibility or being little more than resellers of other providers, whether the Cloud computing is used for commercial or personal purposes.
To protect against interception at the transport layer, it is suggested that firms confirm that the Cloud supplier offers a “Secure Socket Layer” (SSL, now TLS) certificate for implementation on the transport layer. This will encrypt data as it is transmitted between server and client, preventing easy access. Of course, nothing is fool-proof and hackers may still access the data, but by confirming both TLS and AES security the requirements of r 11.4 should at least be satisfied, due to the proactive approach of taking all reasonable steps to protect client information stored on the Cloud service.
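A certificate only protects the connection if the firm’s side actually checks it. The following Go program is an added example, not code from this article or from any provider: it issues a throwaway self-signed certificate standing in for the one a provider would present, performs the verification a TLS client does (chain to a root the firm trusts, and issued for the host name the firm connects to), and reviews a client `tls.Config` against a minimum policy, flagging the setting (`InsecureSkipVerify`) that silently switches that check off. The host name `cloud.example.test` and the trusted root are assumptions; a real provider certificate would chain to a public certificate authority rather than to itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueTestCert creates a throwaway self-signed certificate for name. It stands
// in for the certificate a provider presents (constructed for this example).
func IssueTestCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServerCert is the check a TLS client performs on the certificate the
// server presents: it must chain to a root the firm trusts and must be issued
// for the host name the firm actually connects to.
func VerifyServerCert(presented *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ConfigProblems reviews a client tls.Config against a minimum policy and
// returns the findings; an empty result means the config passes.
func ConfigProblems(cfg *tls.Config) []string {
	var problems []string
	if cfg.InsecureSkipVerify {
		problems = append(problems, "certificate verification disabled (InsecureSkipVerify)")
	}
	if cfg.MinVersion < tls.VersionTLS12 { // zero means "not pinned"
		problems = append(problems, "minimum TLS version not pinned to 1.2 or later")
	}
	return problems
}

func main() {
	const host = "cloud.example.test" // hypothetical provider host name
	cert, err := IssueTestCert(host)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(cert) // the root the firm has vetted
	fmt.Println("vetted root, expected host:", VerifyServerCert(cert, trusted, host))
	fmt.Println("vetted root, other host:   ", VerifyServerCert(cert, trusted, "other.example.test"))
	fmt.Println("root not vetted:           ", VerifyServerCert(cert, x509.NewCertPool(), host))

	weak := &tls.Config{InsecureSkipVerify: true} // the setting to reject
	strict := &tls.Config{RootCAs: trusted, ServerName: host, MinVersion: tls.VersionTLS12}
	fmt.Println("weak config problems:  ", ConfigProblems(weak))
	fmt.Println("strict config problems:", ConfigProblems(strict))
}
```

The two failing verifications are the cases a sniffer on the path relies on: a certificate nobody the firm trusts has signed, or one issued for some other name. A client configured with `InsecureSkipVerify` accepts both, which is why that flag, common in hastily written sync tools and scripts, belongs on the list of things to ask a supplier or an in-house developer about.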
Storing data in an off-site location may seem simple enough, but can you confirm that it is still in New Zealand? Many providers are simply reselling other service providers’ services with little or no regard for the obligations that law firms have in terms of reliable evidence (as outlined in a previous article in this series, see Issue 32). These other providers may have their servers located in Australia, the US or Asia, where local laws may confer a right to the release of information that would breach duties owed to New Zealand clients under the Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008.
Often, firms will implement Cloud computing with no knowledge of where their data is retained. Further, Cloud providers often provide services in one location but back-haul large volumes of data to cheaper suppliers who may be in another jurisdiction. This creates legal issues surrounding obligations under the Revenue and other Acts, as discussed in Issue 32. Further issues arise over who has legal rights to access data and in what circumstances. This may result in breaches of New Zealand duties when faced with an enactment from another jurisdiction that allows release of the information without consent.
These kinds of questions were raised by the OECD in 2014, in the course of discussions over access by government agencies, national security concerns and access for law enforcement purposes. The OECD considered that while some providers are aware of privacy issues and work to maintain compliance for business, other issues of compliance are not as easily reconciled even by the most attentive Cloud service provider (“Cloud Computing: The Concept, Impacts and the Role of Government Policy”, OECD Digital Economy Papers, No. 240, OECD Publishing).
It is therefore important for law firms to consider policies and contractual terms that deal with privacy, security layers, transport security and server/data location. Some points to consider and query include:
- What privacy principles has the Cloud service provider agreed to maintain?
- What professional agreements does the provider have with its uplink providers?
- Where is data being retained, backed up and stored?
- What laws will be applicable?
- What data processing policies does the provider have?
- Is the provider willing to adapt the terms of the contract to suit the firm’s specific data protection needs?
- Is the provider a reseller and, if so, what are the uplink provider’s contractual terms?
Framework standards are set out in the European Network and Information Security Agency (ENISA) standard for Cloud computing (ENISA “Information Assurance Framework” (2009)) and include a number of relevant questions that customers seeking to employ Cloud services should ask. Further reading of this standard is suggested for any firm providing advice to clients on Cloud service deployment.
While this discussion provides a useful blueprint for the minimum standards needed in data security, it is important to remember that the internet is an open and constantly evolving world, where threats, vulnerabilities and the security measures to address them remain in constant flux. It is therefore important to have a proactive policy on risk assessment to reduce risk from these ever-changing threats. This should include, but not be limited to, an active antivirus policy and firewall protection on both the Cloud and the lawyer’s means of accessing the data stored there. Viruses and firewall intrusion account for a large proportion of security breaches and would be considered a breach of the requirement under r 11.4 to maintain security. Policies should detail what is expected of lawyers when they use technology to access client information. For example, in relation to laptop use: has the laptop been used for private browsing, to what sites, and are those sites at risk of hosting malicious software? Other questions may include:
- Is the antivirus protection up to date?
- Should personal computers be allowed or should access be limited to firm-supplied hardware?
- Should limits be placed on the firewall so that access is allowed only from the firm’s site or from the firm’s approved network supplier?
- Can the IP addresses used for this supply be limited or controlled, or do they depend on the resale of other providers’ networks?
- Does the Cloud service provide sufficient firewall and malware protection?
These questions do not form an exhaustive list but should be considered in the firm’s policies, which should be reviewed and updated every six months. Even if firms have no immediate intentions to move to Cloud services, it can be a good idea to address these matters within the policies they already have in place. This kind of proactive approach will help ensure compliance with duties and obligations to clients.
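The firewall question above (allowing access only from the firm’s site and its approved network supplier) can also be checked after the fact, by reading the provider’s access log against the approved address ranges. The Go program below is an added example, not code from this article or from any provider: the two approved ranges, the four log lines and the log format (timestamp, source address, user, action, object) are all constructed assumptions, and a real review would substitute the firm’s own ranges and the provider’s actual log layout.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// Approved source ranges (constructed for this example): the firm's office
// egress block and the block of its approved network supplier.
var approved = mustPrefixes("203.0.113.0/24", "198.51.100.64/26")

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// Constructed sample of a provider access log. Assumed fields:
// timestamp, source address, user, action, object.
const sampleLog = `2015-10-02T09:14:03Z 203.0.113.17 jsmith download matter-0001/affidavit.pdf
2015-10-02T09:20:11Z 198.51.100.70 ahughes list matter-0001/
2015-10-02T22:41:55Z 192.0.2.200 jsmith download matter-0001/affidavit.pdf
2015-10-02T23:02:09Z not-an-ip jsmith login`

// Finding is one log line the review could not clear, with the reason.
type Finding struct {
	Line   string
	Reason string
}

// Review returns a Finding for every line whose source address is outside the
// allowed ranges or cannot be parsed; lines from allowed ranges produce none.
func Review(log string, allowed []netip.Prefix) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			out = append(out, Finding{line, "malformed line"})
			continue
		}
		addr, err := netip.ParseAddr(fields[1])
		if err != nil {
			out = append(out, Finding{line, "unparseable source address"})
			continue
		}
		if !inRanges(addr, allowed) {
			out = append(out, Finding{line, "source " + addr.String() + " outside approved ranges"})
		}
	}
	return out
}

func inRanges(a netip.Addr, ranges []netip.Prefix) bool {
	for _, p := range ranges {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

func main() {
	for _, f := range Review(sampleLog, approved) {
		fmt.Printf("REVIEW: %s\n   %s\n", f.Reason, f.Line)
	}
}
```

Run on the sample, the review clears the two office and supplier entries and flags the late-evening download from an address the firm never approved, plus a line the log itself has mangled; both are the kind of entry that should be raised with the provider and recorded against the six-monthly policy review.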
Further reading/useful links:
• Advanced Encryption Standard (AES) – see Schneier, B. et al, “The Twofish Team’s Final Comments on AES Selection” (2000).
• “Sniffing” – see Schweitzer, D., Internet Security Made Easy for PC Users (Amacom Books, NY, 1997) at 158; WonderHowTo, “Hack like a pro: how to use driftnet to see what kind of images your neighbour looks at online” (2014); and Rane, P., “Securing SaaS Applications: A Cloud Security Perspective for Application Providers” (2010).
• Service providers’ contracts – see, for example, clause 10.2 of the “My Spark Digital Terms and Conditions”.
• European Network and Information Security Agency (ENISA), “Information Assurance Framework” (2009).