Widespread data snooping by the US National Security Agency (NSA), as revealed by whistle-blower Edward Snowden, could threaten the security of cloud computing for law firms acting in confidential merger negotiations, the Solicitors Regulation Authority (SRA) has warned.
In a detailed paper on the risks associated with cloud computing, Silver Linings: cloud computing, law firms and risk, the authority concluded that due diligence over outsourcing data processing, such as cloud computing – the use of the internet to store data remotely – should take into account government surveillance as a risk factor.
The SRA went out of its way to demonstrate that it understood the positive benefits of cloud computing, in particular for firms wishing to reduce overheads, for example with a ‘virtual’ practice model, and access their data remotely. It noted that cloud providers generally pay close attention to data security. It stressed its code of conduct does not prevent its use.
But it summed up its dilemma: “We seek to encourage the development of an efficient legal services market, and regulate based on risk. The [SRA] recognises the benefits of advanced information technology architectures. It is, however, our role to consider the risks arising from such new technologies.”
It identified breach of confidentiality as the major threat from IT systems. While the cloud dispensed with the risks associated with carrying data on memory sticks and laptops, there were different risks created by “passing data to a remote provider”, such as from their staff “who are not under the firm’s control”.
Clearly spooked by revelations of the extent of governmental agencies’ involvement in data harvesting, the authority concluded: “Governmental data seizure and surveillance powers represent a significant challenge to law firm use of cloud systems, in particular those based in countries with weaker data protections than those in the EEA [European Economic Area].”
It included the US among those states in which law firms “should give serious consideration to the risks of storing data in countries with weak data privacy protections”. This is because, owing to its intrusion-permitting Patriot Act, the US is not on the list of countries deemed to have “adequate” data protections by the European Commission (EC).
The SRA continued: “If firms do intend to use US providers, then they must at a minimum ensure that the provider can meet the terms of safe harbour.” US businesses can boost their EC data rating – to that required by the UK Data Protection Act – if they sign up to a voluntary safe harbour agreement.
The authority highlighted confidential merger negotiations conducted by a law firm as potentially at risk from NSA spying activities, which it said were rumoured to have led to data “being passed to commercial organisations for business advantage”, although that had been officially denied. “With the heightened need for confidentiality of law firms, this represents a challenge to their ability to use cloud services,” it said.
The harvesting of metadata – data that shows, for example, when and where e-mails were sent but not the content – was dangerous because it revealed “networks of individuals”. But if the Snowden leaks were correct, then the NSA could also obtain the content of communications directly from providers, the SRA observed.
It concluded that the encryption of data was therefore something any law firm dealing with US cloud companies should be thinking about. “Given the possibility of data seizure from the provider, the recommendation to encrypt sensitive information at the user’s end is of particular importance in this case.”
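The recommendation above is to encrypt sensitive material at the user’s end, so that a provider who is compelled to hand over data can only hand over ciphertext. The following Go program is an added example of that pattern; it is not code from the SRA paper or from any provider. It assumes the key is generated and kept on the firm’s own systems (key storage is left to the firm), uses AES-256-GCM from the Go standard library, and binds a document identifier to each blob as associated data. The function and constant names, and the sample memo text, are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleMemo is a constructed fragment of a confidential document; it is not real deal data.
const sampleMemo = "Project Silver: acquire Example Ltd at 12.50 per share; board vote Friday."

// NewDocumentKey generates a fresh 256-bit key on the user's side.
// The key never leaves the firm; only the ciphertext is sent to the cloud provider.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForCloud seals plaintext under key with AES-256-GCM. The document identifier
// is passed as associated data, so a blob cannot be silently re-labelled as another document.
// Output layout: nonce || ciphertext || authentication tag (the nonce is not secret).
func EncryptForCloud(key []byte, docID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce already in the buffer.
	return gcm.Seal(nonce, nonce, plaintext, []byte(docID)), nil
}

// DecryptFromCloud opens a blob produced by EncryptForCloud. It fails if the key is wrong,
// the document identifier does not match, or any byte of the blob was altered.
func DecryptFromCloud(key []byte, docID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a valid ciphertext")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(docID))
}

// ContainsPlaintext is the check a firm would run before trusting the scheme:
// the blob handed to the provider must not contain the original text.
func ContainsPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewDocumentKey()
	if err != nil {
		panic(err)
	}
	docID := "matter-42/merger-memo.txt" // constructed identifier
	blob, err := EncryptForCloud(key, docID, []byte(sampleMemo))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes; provider can read the memo: %v\n",
		len(blob), ContainsPlaintext(blob, []byte("Project Silver")))
	pt, err := DecryptFromCloud(key, docID, blob)
	fmt.Printf("user-side decrypt ok: %v, text matches: %v\n", err == nil, string(pt) == sampleMemo)
	// A blob modified in transit or at rest is rejected rather than decrypted to garbage.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptFromCloud(key, docID, blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The provider in this model stores only the nonce, ciphertext and tag; a seizure of the stored object yields nothing readable without the key held at the firm. The trade-off, which the SRA paper does not address, is that the firm now has to protect and back up that key itself, since losing it loses the documents.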
Separately, the UK cloud provider body, the Cloud Industry Forum, which has a code of practice to ensure services are “transparent, credible and certifiable”, has predicted that by the end of this year, three-quarters of all businesses will use at least one cloud service.
In November the SRA published its guidance with respect to cloud computing. Its primary take-away for me was that UK law firms will reduce their compliance burden and, to my mind, their attractiveness to clients by having their cloud data hosted in the UK, as opposed to the US, and I am glad to see that so many are now doing so and making the move to secure UK cloud providers.