Don’t let the hype cloud your judgment

I can remember the days when computer storage meant a stack of punched cards and disk drives were measured in kilobytes rather than petabytes; when offsite storage meant the boot of the office manager’s car. I am not very old.

Now, even the smallest law firm uses computers and it is possible to run a business from a PC, unlike the dedicated IT requirement of 30 years ago. Lawyers, however, still like keeping things whether it be paper files or electronically stored materials and our nature means that we are reluctant ever to destroy anything … just in case! Whilst my litigation colleagues will advise that indefinite storage is both a blessing and a curse – e-discovery may not turn up exactly what a party might have wished – ready and instant access to whatever is needed, from any location, is a fact of the modern legal world. No longer does one need to arrive at a meeting or at a distant court to find that the all-important document is languishing on one’s desk or, my particular hang-up, waiting to be printed from the remote printer that I have omitted to visit before rushing off.

Cloud computing is, we are told, the answer to our prayers; but is it a blessing, or a curse?

For the lawyer, both as a principal and as an adviser, this creates a number of issues and, in a series of articles in this Newsletter, I shall consider this changing paradigm in the legal background.

Data protection implications

Perhaps the first issue to be considered is the relationship between the enterprise and the employee or contractor and the data protection (or rather the data security) implications.

In the UK, as we all know, the basic principle of law is that data created by an employee during the course of his employment will, from a copyright standpoint, belong to the employer. For self-employed contractors (a phenomenon very common in the technology space) the principle is reversed, with the contractor retaining all rights save for those which have been expressly assigned in writing to a third party, such as the employer.

For so long as the employee or the contractor was performing his duties within the ambit of a corporate data centre it was relatively straightforward for the enterprise to control access to and (perhaps more relevantly) leakage of corporate data to third parties (or indeed to the employee/contractor for non-enterprise systems). Data loss could be restricted through such simple expedients as modem lockdown, preventing downloads to USB devices and physical searches. Now with the advent of widespread mobile working, such physical controls are all but impossible. It is possible to impose some technical limitations on what can be done to remotely accessed data, but this is largely at the cost of lesser utility for the enterprise and the worker.

Without remote access to corporate systems, I could not write this article from the Netherlands whilst watching my email on an Exchange server hosted in Glasgow (or perhaps Edinburgh) and receiving calls via the corporate telephone number via a VOIP solution. In short, every location with a broadband connection has become a corporate outpost, but without the traditional oversight or management controls. It is possible to grant remote users access to a limited number of functions through such solutions as a web interface without the immediate ability to store data locally, but unless severe controls are implemented as to the devices used by the remote worker, data leakage could be achieved through such simple expedients as screenshots. For many businesses that may not be a significant issue, but for others (lawyers are perhaps over-paranoid) the security of data may be more relevant.

For data to be accessible from a multitude of locations (undetermined in advance) the inevitable consequence must be that real physical control of data is nigh impossible. Such restrictions as may be required or desirable must therefore be imposed either by software or by some form of Policy imposition.

The enterprise (and that will include the law firm) needs to consider what the existing and anticipated business and working patterns may be so that appropriate amendments can be made to such software controls and policies as the enterprise / firm may have had in the past (and for many businesses that may be nil) to ensure that any changed business paradigm is reflected in the practices of the enterprise or the firm. For many enterprises or smaller law firms, this may be difficult. In recent months I have reviewed IT Policies which contain detailed provisions in relation to the handling of floppy disks and postings to bulletin boards but say nothing about data on USB devices or in the cloud, and for whom social networking services such as Facebook or Twitter are not covered at all.

This will inevitably lead to issues for both the corporate function and the HR department (perhaps in many law firms that will be the same person – indeed that may also be the “IT person” as well) as problems arise and unsuitable wording needs to be twisted or mangled into an unforeseen scenario. Is Twitter a bulletin board? If the corporate policy prohibits postings to a bulletin board, can the employee be sanctioned for tweets? Perhaps … or perhaps not.

Within the EU, we are all very familiar with the Data Protection Directives and in the UK with the Data Protection Act; we are even now seeing enforcement action by the Information Commissioner and fines being imposed on data processors in both the public and the private sector. Whilst data breach due to physical access failings is not impossible, most of these issues have arisen due to the cloud-based nature of much data today. If data can be accessed remotely by legitimate users, the possibility must exist of its access by those without authorisation. Business needs to reflect this new reality in how it carries out its activities. Whilst there have not been any reported cases against law firms for data loss, such a scenario is not inconceivable.

Cloud computing, according to Wikipedia, is “the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). The name comes from the use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user’s data, software and computation.”

The UK Information Commissioner defines cloud computing as “access to computing resources, on demand via a network.” He recognises that it is the linked network nature of such arrangements which has particular data protection risks – not least because there is often a complex structure of interlinked parties in an outsourcing arrangement which often spans several jurisdictions (including jurisdictions such as the United States where many of the major cloud hosting providers are located) where data protection safeguards are less than what is considered adequate under the EU legislation. However, it is this very multi-jurisdictional facility which is one of the main advantages (or at least selling points) of cloud computing.

We are all in the cloud

We are all users of cloud computing, whether or not we realise it. Cloud computing involves not only the high-end corporate databases but such everyday applications as webmail – Gmail or Sky or Yahoo! – and the storage of media on iCloud or Amazon’s Web Services. Many lawyers use a cloud-based backup solution such as Carbonite to ensure their data remains secure yet accessible. Internet shopping relies on cloud computing either to deal with the data retrieval and display or to handle the payment function.

We are all influenced by and dependent on cloud computing, whether as a user or a provider and we all, therefore, have a personal interest in ensuring that the appropriate structures, strictures and safeguards are in place to protect our data, or the data of our clients, customers, employees or business.

In future issues of the Newsletter I will consider the Guidance from the Information Commissioner and the Article 29 Working Party in relation to Cloud Computing and also examine issues arising from the existence of the USA Patriot Act and the extra-territorial application thereof.

For the legal community, the internet and cloud computing generally allows the smaller law firm – even a sole practitioner – to have access to and utilise the IT resources which traditionally have been the sole province of the larger organisation. It does, however, come with risks and therefore, for the lawyer, it is recognising, analysing and dealing with such risks which is the challenge.

David Flint is a partner in and heads the Intellectual Property, Technology & Commercial Group at MacRoberts LLP, Glasgow, Edinburgh and shortly Dundee and, thanks to Cloud Computing a large number of other locations. He has been advising on computer law issues for over 30 years.

Email df@macroberts.com.
