guy who has a server in his bedroom, which is obviously a big risk for lawyers to be storing confidential information on somebody’s home computer,” Ms Cottle says. “The CloudCode can’t guarantee that we aren’t talking about somebody who has servers in their garage or bedroom, but it does a pretty good job of unveiling that.” “We want our members and cloud service providers to be transparent in the profession,” Ms Cottle says. The New Zealand scheme is not the only form of non-legal accreditation lawyers can use. Mr Crompton points to the European Union’s Binding Corporate Rules and the Asia Pacific Economic Co-operation Cross Border Privacy Rules as examples of other ways consumers can gain confidence in their cloud service provider, and what it commits to. Mr Crompton also points out that lawyers need to be careful about focusing too intently on the legal argument as it has only been about position and not on the pragmatics of international privacy law. “Regardless of the requirements of the law the question is: is it likely to be enforced?” he says. Ms Cottle reminds consumers that while there is “every privacy law that you could think of under the sun”, breaches still happen.
“I personally think the best thing you can do is understand what will happen if there is a security breach. What is the cloud service provider’s practice? How will they engage in enforcement with official agencies?” Ms Cottle says. “Lots of security breaches have occurred in the last 18 months – IRD, WINZ, ACC – and while this does happen, unfortunately, the issue is: What have the organisations done to mitigate damage after the fact?” It is important to remember that while the above examples are frequently used in discussions of data and privacy, none were caused by cloud service providers. In fact, LawTalk could not find any instances, in New Zealand, where cloud service providers were responsible for a privacy breach. However, accidental privacy or security breach due to equipment failings or human error are not the only thing that should be of concern to lawyers looking to move to the cloud. Consumers need to be wary of the possibility that cloud storage providers could sell personal information or give it to third parties, and in a post-Snowden world, the third party many are afraid of is the United States government. Although the idea of the United States government wanting to spy on the property,
Defining cloud computing The “cloud” is a marketing term that seems to have become reasonably cemented in the vernacular of outsourced data storage. While the term is circulated widely, it is often not well understood. For some it paints a clear picture of data stored off-premise and accessible from any location. For others it presents a waffly image with little relationship to the actual product, and an image of data hanging in the sky, when in fact the opposite is true. Data only travels in the air for the short amount of time it takes to move from a wireless device to a cellphone tower, or wireless router. It then journeys through connected cables underground and underseas to settle in racks of servers (not dissimilar to the one connected to your desk PC) or in server farms, which are often backed up in multiple locations around the world. Legally defining the cloud is also not easy. A search of the term “cloud” in the New Zealand legislation website will get no hits. However,
6
· LawTalk 845 · 4 July 2014
New Zealand agencies appear to refer to the United States Department of Commerce National Institute of Standards and Technology (NIST) definition as the starting point for defining the cloud. The NIST definition was years in the making, took 16 drafts, and still states “cloud computing is an evolving paradigm” and that the definition is only intended to serve as a “means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing”. NIST defines cloud computing as: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential