

The real risks of moving to the cloud

Guy Betar | June 30, 2015
Key obligations under Australian privacy law will become more challenging.

Last week, I highlighted the Megaupload case as an example of how seriously things can go wrong in the cloud. In the second and final article in this series, I'm going to look more closely at some of the key issues to address when investigating cloud solutions.

The first question to consider is: what are the increased risks? Some key obligations under Australian privacy law will almost certainly become more challenging.

For example, you must not disclose personal information to a recipient outside Australia unless you take reasonable steps to ensure that the overseas recipient does not breach Australian privacy law; this is Australian Privacy Principle 8 (APP 8), which deals with cross-border disclosure of personal information. It applies whenever your cloud supplier stores or processes your data outside Australia.

You must also take reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11). Meeting that obligation is far harder when you are not the party physically holding the data.

Finally, you must give a person access to the personal information you hold about them if they request it (APP 12). Ask yourself: what will this entail if a third party holds the data, and can you retrieve it in a usable form and within a reasonable time?

The bottom line is that both your control over your data and your ability to secure it are diminished when you pass it into the hands of a cloud provider. As the three privacy principles above show, that loss of control and protection bears directly on your compliance with Australian privacy law.

This highlights the direct practical link between reduced control over your data, and increased legal exposure. It is not difficult to extrapolate this connection to other areas of possible exposure.

Using cloud services and facilities is not about eliminating risk -- it's about understanding the risks, minimising them where possible, and making informed decisions about what risks to accept. To do this, there are a number of critical tasks that need to be undertaken.

Firstly, review your internal disaster recovery plans. Consider them in the light of a Megaupload scenario, in which access to the provider and everything stored with it is cut off without warning, and what that would mean for your business. Next, look at your backup procedures, and in particular whether you have access to all your data (including the data in the cloud) so that you can take a complete backup yourself.

If you are relying on the cloud provider to back up your data, you may have no access to those backups if the provider gets into difficulties, legally or technically. The IT technical staff on your team will also tell you that you need to understand how the provider stores its data and its backups, and to what extent your data is commingled with other customers' data: if it is, a seizure, outage or failure affecting another tenant can take your data with it.

Insurance should be next on the list. Review your policies thoroughly to understand which exposures they cover, and whether placing your data with a cloud supplier falls within the scope of those policies or is excluded by them.


