Human Rights Commercial and Property Client Newsletter Head in the Cloud, Feet Firmly Planted August 2011 Introduction In 2008, it was predicted that cloud computing would be as influential as e-business itself. Cloud computing can be defined as information technology infrastructure that hosts data or applications in the 'cloud'; that is, offsite and geographically remote software or data storage, which is accessed via the internet. The enthusiasm for cloud computing has continued into 2011, with a large number of organisations world-wide adopting it, including many government organisations in Australia. For example, the Australian Taxation Office has a number of administrative support systems which employ cloud service types, such as eTax and the Electronic Lodgement System. The rapid adoption of cloud computing is not surprising, given the numerous benefits it presents to organisations. These include cost savings, resource scalability, efficiency and availability. However, cloud computing also presents a number of risks to organisations and businesses. This newsletter discusses the key risks to a government organisation posed by cloud computing, as well as a number of contractual safeguards which can be employed in order to mitigate those risks. Summary Cloud computing has been at the forefront of information technology trends and developments in recent times. Despite extensive media and other coverage on this new approach to information technology, many organizations are still reluctant to make the leap into cloud computing. This newsletter discusses the key risks posed by cloud computing from a government perspective and suggests a number of contractual safeguards which can help to mitigate those risks. Key risks posed by cloud computing for government organisations and contractual mitigation methods Security In contrast with traditional methods of data storage, hosting data in a cloud environment means that an organisation relinquishes physical control of the data and is instead reliant on the service provider to adopt appropriate security measures to protect the data. It is therefore particularly important for government organisations to ensure that service providers have stringent security measures, which are reflected in contractual provisions. Page 2 The following factors should be considered by a government organisation prior to adopting a cloud-based model and addressed in the contract with the service provider: data is appropriately partitioned, segregated and encrypted; the service provider has the ability to prevent unauthorised access and has strict access controls, including in relation to visits to the service provider's premises; access to data is logged, and the organisation has appropriate monitoring capabilities, including the ability to monitor access to its data; the service provider has appropriate procedures and mechanisms to respond effectively to security incidents and breaches, and is required to notify the government organisation of any security incidents; there are appropriate employment checks and vetting of personnel by the service provider; all subcontracting by the service provider is approved by the government organisation; the government organisation is notified of any material changes to the service procured, for example, changes in the physical location of the cloud service, the applicable security framework (including changes in security standards and processes) and any change in control of the service provider; the government organisation has the ability to conduct audits and obtain access to third party certification reports; the government organisation has the ability to direct the service provider to destroy certain data on request; and the government organisation has the ability to conduct forensic investigations if required. Privacy If a government organisation wishes to use cloud technology to host its data, and that data includes personal information, the organisation should ensure that it is capable of complying with the Information Privacy Principles under the Information Privacy Act 2000 (Vic), in particular: 1. IPP 4.1, which requires that an organisation take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification and disclosure; and 2. IPP 4.2, which requires that an organisation take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. Offshore considerations If the service provider is an offshore entity, has a foreign parent company, or stores its data offshore, additional risks will be present. Government organisations will need to consider whether IPP 9, relating to transborder data flows, will apply to the proposed cloud arrangement. If IPP 9 applies, the service provider will typically be required to be subject to a privacy regime which is similar to that contained in the Information Privacy Act, or agree to be contractually bound by the Information Privacy Act. In addition, the organisation will need to be mindful that its information may be subject to foreign laws and requirements. Jurisdiction is commonly asserted over data which is physically located within that jurisdiction. Therefore, data located offshore has the potential to be accessed by foreign governments, particularly law enforcement agencies. Page 3 If the data to be stored contains personal information, this may infringe the unauthorised access restriction in IPP 4. Law enforcement agencies may have the ability under law to require a service provider to remove information from its server, which will affect an organisation's ability to comply with record keeping obligations (see below). Organisations should ensure that the service provider is required to notify it of any access to its data by a law enforcement agency, and of any changes in the regulatory framework in the jurisdiction in which the data is located. Having data located offshore will also limit the ability of a government organisation to take remedial action and may present enforcement difficulties, should the organisation be required to take action against a service provider. Record keeping and auditing Before adopting a cloud computing model, government organisations should ensure that it will continue to be able to comply with all applicable record-keeping requirements. A number of record-keeping considerations apply. The Public Records Act 1973 (Vic) requires that government records be managed in a way to ensure that the records can be proven to be authentic and reliable. Government organisations will also need to ensure that the evidential value of records is not diminished in any way by the use of cloud computing. Otherwise, this may affect its ability to comply with the Evidence Act 2008 (Vic). Data must be readily accessible in order for a government organisation to be able to comply with its requirements under the Freedom of Information Act 1982 (Vic) and to be able to respond to any requests for discovery under common law. Government organisations must also ensure it will be able to comply with various financial and performance audit requirements under the Audit Act 1994 (Vic). In order to ensure that the government organisation can comply with these recordkeeping and audit obligations, the service contract should contain the following: near-continuous service availability for business continuity, comprehensive data backup mechanisms, disaster recovery mechanisms including the ability to restore data promptly, and redundancy mechanisms; and the return of data in useable form following the termination of the service agreement, in addition to other transition-out arrangements. Conclusion This newsletter outlines a number of key risks posed by cloud computing for government organisations, and sets out a number of contractual safeguards which can assist to mitigate those risks. While contractual safeguards play a key role in minimising the risks presented by cloud computing, the contract is only one aspect of the cloud computing deployment strategy which government organisations need to adopt. Organisations will need to perform a thorough risk analysis to identify and assess relevant risks, and determine whether the benefits presented by cloud computing outweigh the risks. The nature of cloud computing means that there will be a level of residual risk which cannot be mitigated. It may be that these residual risks are too great for a government organisation to proceed. April 2007 Seminar DomenicIf an organisation decides to go ahead, Cristianocomprehensive due diligence should be Senior conducted on prospective service providers. The Solicitor deployment model adopted (i.e. a private, Administrati community, public or hybrid cloud) will need to ve Law reflect the risk assessment, and in particular, factors such as the nature and sensitivity of the information being stored in the cloud. After the service contract has been carefully negotiated and drafted to minimise the underlying level of risk in the service, the organisation should regularly monitor and review the service being provided to ensure that the risks are being appropriately managed. Page 4 For further information For further information or legal advice on any issues raised in this client newsletter contact: Stephen Lee, Assistant Victorian Government Solicitor stephen.lee@vgso.vic.gov.au (03) 8684 0410 Shaun Le Grand, Assistant Victorian Government Solicitor shaun.legrand@vgso.vic.gov.au (03) 9247 3053