Having practiced law in the United States and still keeping a discerning eye on the occasional changes in U.S. National Security and other laws, I wrote, quite some time ago,[1] that it was important for anyone and everyone migrating to a cloud platform or not even “thinking” they used one, to be aware of such things as where their data stood, slept, or transited. Now, it seems that more Canadians are aware of the need for this, with a recent article in the Ottawa Citizen newspaper drawing attention to the “near-open-access” to any and all data on U.S. servers,[2] no matter who the owner is, or where in the world they physically sit,[3] or are legally domiciled.[4] If something is already comfortably in your own pocket where you can sense it and hear it jingle-jangle as you walk and talk, then only in the most extraordinary circumstances will someone ask you not to adjust it or look at it at your leisure, and actually have you comply.
I still believe that the Cloud “is” a positive development and that it “can” be a productive platform – especially in terms of backup and redundancy, or in disasters and emergency situations, as was recently proposed in New Jersey.[5] However, this worthy end-state can only be reached, when:
(a) Properly governed by the appropriate regulators in a more globally cooperative fashion;[6]
(b) Used with eyes wide open by both vendors and clients, and with proper regard to their rights and duties regarding third parties;
(c) Balanced with enterprise, agency, and personal best practices, and insurance coverage appropriate to the data, users, risks[7] and regulations, and custodians;
(d) Legal counsel sufficiently aware of the Cloud’s advantages and disadvantages to advise you, can draft or review your Cloud Services Agreements, or negotiate them from the outset, if the latter option is actually made available to you by the Vendor;
(e) Industry Vendors agree to some degree of stabilization and standardization, and a modicum of synchronization in exigent situations that adequately respects local laws;
(f) Companies in that space, begin – in addition to the current rules on breach disclosure, notification, and remediation – to be more open in educating the public on some of the potential Cloud hazards, as well as on the potential benefits of the many and evolving cloud-based offerings now available, including: SaaS ~ Software as a Service (tools for processing, analysis, accounting, CRM, and back-office functions); UaaS ~ Utilities as a Service (providing video, audio, and gaming on demand); PaaS ~ Platforms as a Service (for email, online backup, or desktops-on-demand); and IaaS ~ Infrastructure as a Service (tools for collaboration, integration, and visualization).
As a work in progress the Cloud space is not a perfect thing, but it “is” a growing and increasingly popular and pervasive one, and it should now be obvious that those who do not even “think” they need to know about the Cloud, should actually be paying the most attention to its growth and diffusion into more and more facets of their work, lives, and free- or down-time.
************************************************************************
Author:
Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com
He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams. Please See: http://www.simprime-ca.com
Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).
Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.
This article does not constitute legal advice or create any lawyer-client relationship.
[1] See Ekundayo George. To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons? Text at points (c) and (d) under “Disadvantages (potential)”. Published on ogalaws.com, December 28, 2011. Online: >https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/<
[2] Ian Macleod, The Ottawa Citizen. Cloud computing law puts Canadian users at risk of snooping by American spies. Published on ottawacitizen.com, February 2, 2013. Online: >http://www.ottawacitizen.com/business/Cloud+computing+puts+Canadian+users+risk+snooping+American/7907562/story.html<
[3] The Telegraph. US authorities can spy on the iCloud without a warrant. Published on telegraph.com, January 30, 2013. Online: >http://www.telegraph.co.uk/technology/news/9836715/US-authorities-can-spy-on-the-iCloud-without-a-warrant.html<
[4] Of course, some people have proclaimed that increasing encryption is the answer to protecting one’s privacy online. However, considering the facts that: (i) the United States (although not the only place where they are made) puts severe restrictions on the export of certain technologies including those for encryption; (ii) it is commonly known in the security and technology fields that certain nations have an ability to “pre-etch” backdoors into their chips; (iii) external attacks may be targeted at specific hardware, software, or “usage/speech” by means of little known vulnerabilities, through the growing family of tools that now includes Stuxnet, Duqu, Flame, and Gauss, as well as the “Anonymous” entity, and others now in existence or still as yet unknown; and (iv) certain promoters of greater encryption have tended to receive greater regulatory attention …. this may be a little hard.
[5] Katie Eder. Experts consider how to address communications challenges ahead of next Sandy. Published on njbiz.com, February 5, 2013. Online: >http://www.njbiz.com/article/20130205/NJBIZ01/130209911/Experts-consider-how-to-address-communications-challenges-ahead-of-next-Sandy<
[6] David Kravets. Internet Safe From Globalized Censorship as UN Treaty Fails. Published on wired.com, December 14, 2012. Online: >http://www.wired.com/threatlevel/2012/12/united-nations-internet/< Many naysayers had predicted that the goal of this conference was UN-domination of the internet, but its failure might have actually been due to the reluctance or outright refusal of certain nations, to submit to limits on extraterritorial surveillance.
[7] Terry Collins and Anne D’Innocenzio, The Associated Press. Twitter hackers nab data on 250,000 accounts. Published on ottawacitizen.com, February 2, 2013. Online: >http://www.ottawacitizen.com/business/Twitter+hackers+data+accounts/7911027/story.html
Ogalaws 