Cloudy Laws I – Cloud Computing Security and Legal Challenges

Cloud computing presents innumerable opportunities and brings with it enormous security and legal challenges. While there is no single accepted definition of the “cloud,” the National Institute of Standards and Technology created a reference model in 2011. NIST defined cloud computing by describing its five essential characteristics, three service models, and four deployment models (NIST Special Publication 800-145):

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

| Essential Characteristics | Service Models | Deployment Models |
|---|---|---|
| 1. On demand self service | 1. Software as a Service (SaaS) | 1. Private Cloud |
| 2. Broad network access | 2. Platform as a Service (PaaS) | 2. Community Cloud |
| 3. Resource pooling | 3. Infrastructure as a Service (IaaS) | 3. Public Cloud |
| 4. Rapid elasticity | | 4. Hybrid Cloud |
| 5. Measured service | | |

NIST Cloud Computing Reference Model

The rapid increase in the availability of cloud computing solutions ranging from Enterprise systems, to Office 365, to the ad hoc use of unencrypted Dropbox accounts, has profound implications for privacy, information security, eDiscovery and legally defensible document retention policies.  Hardly a day passes without news of another serious security breach or weakness.  The security risks and the costs of misjudgments, mistakes, or vulnerabilities are huge.   A small recent sample tells the story:

  • News reports that Russian hackers have stolen over 1 billion user credentials.
  • Target disclosed that its costs for the 2013 credit card security breach have reached $148M. Brian Krebs reported on May 14th that the costs to banks related to the Target breach were on the order of $200M, and several banks have started class action suits against Target.
  • A flaw in OpenSSL, the widely adopted yet poorly supported open source software, led to the Heartbleed bug affecting hundreds of millions of secure websites.
  • Bloomberg News reported on July 29th that, “U.S. technology companies may lose as much as $35 billion in the next three years from foreign customers choosing not to buy their products over concern they cooperate with spy programs, according to an earlier study by the Washington-based Information Technology and Innovation Foundation.”
  • And to put icing on the cake, the attempts by Microsoft and other U.S. companies to offshore data to protect it from spying and comply with EU Privacy Rules have been put at risk by the ruling of a Federal Judge in New York. Judge Preska ruled that it is not the location of the email on Irish servers but rather the issue of “control” of the email by an American corporation that matters. Therefore she approved a search warrant by a U.S. Prosecutor to reach email stored solely in Ireland. The order was stayed pending appeal, but it places Microsoft in a position of being ordered by a U.S. Court to violate EU Privacy Rules.

Not surprisingly, The New York Times quoted David Jordan, CISO for Arlington County, VA speaking for all information security professionals by stating that, “(w)e are like sheep waiting to be slaughtered.”  (NYT 7/20/14).

The Microsoft Irish server email case is just one of many unresolved legal issues facing this emerging technology. The case illustrates the conflict between the EU Data Protection Directive (officially Directive 95/46/EC) and the reach of a prosecutor’s search warrant in U.S. Federal Courts. Verizon’s amicus brief warns of the consequences of extending this reach:

It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.

The legal issue of who “controls” data in the cloud has an impact on systems architecture, legal jurisdiction, and vendor contracts.  The breadth of the problem lies in the fact that the international legal framework for cloud computing is uneven and undeveloped.  Consequently, the legitimate legal and contractual regime set up by Microsoft as a protection against the reach of U.S. courts (and NSA spying) has been upended.  Other large players in cloud services are in a similar situation and have expressed support for Microsoft’s position.

The legal reasoning in the case (however it is eventually resolved) is likely to impact procedures in civil courts and should be considered when negotiating and updating cloud services contracts. Legal discovery rules require that a party to a lawsuit, arbitration or regulatory investigation produce all documents and Electronically Stored Information (ESI) within its possession, custody or control. Judge Preska ruled that the power to control data (e.g., a parent company’s power over an offshore subsidiary) should trump the other legal standards governing whether a court has jurisdiction over the data.

Where data resides and who has control over it should be the subject of negotiations and carefully drafted contract language, wherever possible.  For example, problems can arise where vendor contracts are silent on what happens in the event of a legal discovery demand on the client or the vendor.  Similar problems can arise when a vendor goes bankrupt or is shut down by authorities, as happened to many innocent clients when the U.S. government shut down Megaupload’s servers.  What about a third-party subpoena on a vendor – should the vendor be required to notify the client before turning over data?  Better yet, should the vendor be prohibited from turning over data until the customer has a chance to challenge the subpoena in court?  What happens if a vendor refuses to turn over data that a court has ordered?

The “control” of electronic records concerning eDiscovery and document retention/destruction policies was already challenging enough when corporate data resided on networked desktop computers and in-house servers. The BYOD trend and the third-party control of cloud computing resources present new challenges, which must be addressed as this emerging technology law evolves.