11th November 2014

Geldards: The Cloud & Data Security

Geldards LLP report on:

Cloud Computing – Staying Safe Online & Protecting Data

The recent hacking of celebrity accounts on the Apple iCloud should give one reason to pause and think, but not panic, when it comes to using cloud computing. Cloud computing is mature, and so security breaches are going to be the exception, not the rule.

This e-shot briefly reviews some of the practical and legal protections and issues concerning data security that businesses should consider in making the move to cloud computing.

Definition: “cloud computing” means the provision of computer systems, applications and storage as a service from a remote data centre, offering on-demand, pay-for-use, and flexibility.

Practical Protections:

Cloud options

There are now a lot of different cloud options available to you. Ranging from your committing to using a vendor’s own multi-tenanted system, through options to create more dedicated physical or virtual environments just for you. In particular, given the nature of life sciences data, which may have a mixture of regulated and unregulated information, hybrid clouds are being used, which involve a mixture of cloud and in-house infrastructure, with bespoke security and encryption controls and options, and bespoke auditing features, designed to fit the specific requirements of your data. Therefore, you should not assume that there is only one option available to you.

Secure log-in

The Apple iCloud incident was not Apple’s fault, despite what the press might make of it. The affected celebrities simply chose easy to guess passwords and security answers. Apple’s response has been to offer more advice, more warnings of suspicious account activity, and additional log-in measures such as a one-time code sent to your phone. The practical lesson for anyone with valuable data in a cloud service is therefore to implement very secure log-in credentials and processes.

Picking your supplier

You will struggle to find a cloud provider who will agree to strict liability with respect to data security; and typically a contract will impose a duty to apply reasonable care and skill, or some other standard. Furthermore, you may not always have the budget or expertise to be able to audit your cloud provider’s infrastructure or security measures. Therefore you may need to pick your supplier based on other factors such as reputation, what other customers they have, the quality of security information they provide, and the standards they claim to adhere to.

Plan for the worst

Whatever may be promised, no computer system is water-tight. Any computer system will be exposed to the presence of undetected bugs, internal fraud, newly invented viruses, and even covert government monitoring. For instance the recently discovered flaw in the SSL security used to communicate between browser and server could not have been predicted. Therefore, you should always carry out a risk assessment and plan for what you would do in the case of a security breach and loss of data or service, including a risk management strategy.

Legal Protections:

Contract

In reality, unless you have some negotiating power, or an enlightened supplier, your contract is likely to be on their terms, which will be non-negotiable, have a limited service description, and be full of exclusions and limitations on liability, leaving you with little or no obvious claim. Suppliers tend to be prepared to negotiate, particularly for larger more valuable projects, but you will need to argue strongly for what you want. If you just sign the supplier’s standard terms, then you might still find some way of challenging this; for instance the UK courts do not like to enforce total exclusions of liability, and the Unfair Terms in Consumer Contracts Regulations 1999 and Unfair Contract Terms Act 1977 subject certain limits on liability in standard contracts or consumer contracts to a test of reasonableness and fairness. At the very least you should read and understand what you are signing, and a lawyer can assist here. Ideally you would put forward a strong negotiating team, backed by lawyers, to seek improvements to the contract in your favour.

Data protection

Outside contract, if you are purchasing the service as an individual (or in a partnership) then you may have the protection of personal data protection laws, which will override any contractual terms.
Confidentiality and negligenceMore generally, you may have claims under laws relating to confidentiality or negligence, where the law may imply a non-contractual duty of confidence or duty to take reasonable care. The availability of these may depend however on what the contract says.

Issue:

Regulatory Compliance

If you are using a cloud service to process data, then you will need to ensure that the cloud service fits with and enables you to comply with any regulatory obligations you are subject to, including to enable you to demonstrate to your regulators that the cloud service is compliant. For instance, you cannot transfer personal data outside Europe, unless your contract contains certain terms, or the provider and its systems are located in countries approved by Europe.

Foreign Suppliers

If your supplier or its equipment is based in another country, then this may pose both practical and legal issues concerning your ability to claim against the supplier. Your legal protections may be under foreign, rather than UK law; and you will have the added cost and difficulty of litigation against a foreign supplier. Quite often there is little you can do about this other than pick a reputable supplier. On the plus side, the recent Google case on the right to be forgotten, showed that Europe was prepared to apply its privacy laws even if there is quite a tenuous connection between the provider and Europe.

How to approach cloud services:

When using cloud computing therefore you need to establish your priorities, and plan, select, procure and implement your service, and seek to negotiate your contract. These priorities may include: cost, level of detail of supplier’s service and security commitments, risk management, data governance strategy and incident handling, location of your data, security of your data and access controls, data segregation, ease of suing your provider, ease of swapping service, performance management of the supplier, insurer requirements, and ease of monitoring, auditing and demonstrating regulatory compliance including international and cross-jurisdictional issues.

How can Geldards help:

Our lawyers are familiar with and have advised on a wide range of cloud computing contracts. We can assist from just advising you what the contract says, to helping you negotiate and amend a cloud contract and consider any regulatory issues you have. The key value we bring is our understanding of all the different aspects of cloud computing from service description, to liability, to fee structures, to duration and termination issues. We would be glad to speak to you.

Contact Geldards:

If you would like to discuss any aspect of this update or our previous update please do not hesitate to contact Julian Turner

See full article here

Cookie	Duration	Description
ARRAffinity	session	ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user.
ARRAffinitySameSite	session	This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
DYNSRV	session	This cookie is used for load balancing purposes to decide which server to send the visitor.
ep201	30 minutes	This cookie is set by Wufoo for load balancing, site traffic and preventing site abuse.
exp_csrf_token	past	This cookie is used for the purpose of website security that is Cross-Site-Request forgery prevention. It is used to identify the trusted web traffic.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
exp_last_activity	1 year	This cookie is used by the website Content Management System. This cookie is used to record the time of last page load.
exp_last_visit	1 year	This cookie is used by the website Content Management System. This cookie is used to store the last visit date of the registered users.
exp_stashid	session	This cookie is set by the provider ExpressionEngine. This cookie is used for page caching. The cookie creates a unique ID which is used to determine the current state of the website and actions performed by the visitor.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
CSPSESSIONID-SP-8443-UP-redirects-	session	No description available.
EMSSESSIONID	session	No description
ep202	3 months	This cookie is set by the provider Surveymonkey. This cookie is used for statistical analysis and website optmization. It gathers information on user's interaction with the SurveyMonkey- Widget on thewebsite.
GS_GROUP	1 month	No description available.
GS_RESTRICT	session	No description available.
GS_REVENUE_LOC	1 month	No description available.
PERSIST-COOKIE-ENC	session	No description available.
ppwp_wp_session	30 minutes	No description
SKTID	1 year	No description
SQ_SYSTEM_SESSION	session	No description available.

Select categories:

Select categories:

News & Opportunities

Sign up to our newsletter

Geldards: The Cloud & Data Security

Join the conversation

Helpful information

Subscribe to our Mediwales newsletter