Data hacking from the Cloud

by Mark Rowe

Recent hacking scandals such as those suffered by Sony Pictures and Apple’s iCloud have highlighted the ever present threat to security in cyberspace, write Justin Tivey, Legal Director, at law firm Bond Dickinson LLP; and Fiona Pearson, Associate, Bond Dickinson LLP.

This has caused concern for governments and businesses alike about the effectiveness of their cyber security procedures, and the joint US-UK task force set up last month emphasises that this is at the forefront of the government's agenda. The cost of traditional infrastructure, however, means that more and more businesses are choosing to set up using cloud based providers. This in turn has focused the spotlight firmly on just how secure the cloud really is. In this article we consider how the cloud impacts cyber risk, the legislation which governs cloud contracts and the role of cyber insurance.

Benefits of cloud computing

The cloud is not just limited to personal users uploading photos or backing up their smart phone or tablet. Cloud computing is becoming increasingly attractive to businesses, largely due to the potential cost savings in being able to store large quantities of data remotely, negating the cost of purchasing and maintaining complex bespoke computer systems and software. It also allows data to be more portable and accessible from virtually anywhere. As such, it can profoundly change the way people and companies work. The cloud in essence is a form of outsourcing, where parts of the business's IT environment are rented, instead of being operated by the business itself, and can then be connected to as needed. Many businesses now use cloud computing in some way, often for services such as payroll and payment processing, employee benefit portals and data storage. In summary, cloud computing clearly has the potential to offer numerous benefits including:

• Flexibility
• Increased storage capacity
• Increased data handling capacity
• Reduced infrastructure costs
• Avoidance of frequent updates to software
• Reduced internal IT staff costs

How does the Cloud impact cyber risk?

While the cloud provides numerous benefits through allowing data to be more portable and accessible, recent hacking scandals are a painful reminder that data no longer resides only on the device that captured it. Many cloud users already had some reservations about the use of this relatively new phenomenon, even before the recent publicity over high profile data breaches. However, businesses put their money into banks and their paper files into third party owned storage facilities without much anxiety, so why should the cloud be different? On the one hand, many companies may actually improve their security by using the cloud, as cloud providers will usually make security a top priority. On the other hand, the cloud is an attractive target to hackers because of the volume of data and the number of users. While almost every service used online requires a password, more often than not it is human weaknesses that give hackers the simplest route to compromising accounts. 'Phishing' – tricking the user into giving up their password – is now considered perhaps the simplest and most effective way hackers gain access to accounts. Phishing was blamed for some of the leaked celebrity photos last autumn and some of the recent US retailer and healthcare hacks.

The challenge of the cloud is that security is a shared responsibility between the cloud vendor and the cloud customer. Both sides have to be aware of security issues to prevent a breach, and it may not always be clear who is at fault when there is a security failure. Many companies will believe they have transferred their risk once their data is in third party hands. The reality is that cloud contracts often seek to leave little liability with cloud providers.

Legislation governing the cloud

The legislation governing cloud contracts is not straightforward. Firstly, if personal data is being processed on a third-party server or application, the cloud provider must comply with the Data Protection Act 1998. The precise role of the cloud provider will need to be reviewed in each case to assess whether or not it is processing personal data and whether it is a data controller or a data processor. The Information Commissioner's Office (ICO) has published helpful guidance on the use of cloud computing to ensure that users comply with the Act (http://ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.ashx).

Contractual provisions

In relation to the contract itself, cloud computing contracts vary greatly. It may not be possible to negotiate standard terms and conditions, and many cloud service providers offer 'take it or leave it' contracts. However, businesses should critically question and fully understand any cloud contract entered into. Probably the most crucial provision to consider in the contract is liability for service failure. Cloud providers frequently exclude contractual liability for their customers' direct losses, and even more frequently for indirect losses, as a result of service failure. It may not be possible to re-negotiate these terms. In practice, therefore, the solution may be to choose a cloud provider with a good track record and strong reputation. In addition, businesses should satisfy themselves that the following obligations are, where appropriate, addressed in the terms and conditions agreed with their cloud service provider:

• Data protection
• Data ownership
• Client confidentiality
• Business continuity; and
• Regulatory and professional conduct obligations.

Before entering into the contract, the business should consider what will happen if it needs to terminate it. It should ensure that if it needs to migrate services to another cloud provider, or back to the business, this can take place with minimal disruption. Accordingly, the contract should provide a clear exit strategy. If possible, negotiate the removal of any contractual provisions giving the cloud provider the right to exercise a lien over the business's data.

Governing law and jurisdiction

Cloud providers and their customers are commonly located in different jurisdictions. Where this is the case, two separate issues need to be considered: applicable governing law and jurisdiction. Governing law is the law that governs the contract. Jurisdiction determines the courts of which country will resolve any dispute. In each case, the cloud contract may stipulate the choice of law and jurisdiction. However, there may also be separate rules on applicable law and jurisdiction which apply irrespective of the contract provisions.

Cloud and insurance

Insurance cover is an important issue for cloud users, particularly given that cloud providers will generally accept little, if any, liability, as highlighted above. A comprehensive cyber policy can look like a property damage and professional liability policy combined. It will cover the costs of responding to a cyber incident, putting right data and systems which are compromised, and profit loss caused by the interruption to ordinary business. There will be third party cover to protect against claims by those adversely affected by the insured's cyber incident, whether customers or others. Bespoke policies or cyber additions to existing policies are available. A widely drawn traditional policy may pick up cyber risk, but reliance on untested general wording is dangerous.

Cyber insurance policies commonly define the insured's computer system to include third party networks with which the policyholder has contracted. Accordingly, if a breach occurs, the policy will usually respond regardless of whether the breach occurred on a local computer system or in the cloud. However, customers need to pay careful attention to the wording of the policy to ensure that problems related to the cloud are covered. Although cover will generally fall under the user's own cyber risk policy, it is good practice to require the cloud service provider to also carry cyber cover to help fund a loss. This is something that should be discussed with the cloud provider before becoming a customer. Another consideration is that if companies rely on a third-party cloud vendor to transact business on their behalf and a security failure shuts down the cloud, the policy may not cover the resulting loss of profit. For it to do so, the policy should specifically include cover for contingent business interruption.

We expect to see insurers and insureds continue to analyse their exposure to events in the cloud. For insurers, this could give rise to concerns about the number of insureds using a given cloud vendor and the resulting aggregation of risk. Celebrity photo leaks aside, the cloud has provided efficiency for businesses and, in many cases, improvements in security. But cyber threats continue to be a growing issue, and add complexity to risk management decisions. The bottom line is that when it comes to storing data in the cloud, risks should be identified and managed in the same way as if you were storing the data yourself.
