LSB April 2022 LR

More documents

Recommendations

Info

CLOUD COMPUTING An analysis of the Law Society of South Australia’s Cloud Computing Guidelines MARK FERRARETTO, SOLICITOR, EZRA LEGAL The Law Society publishes Cloud Computing Guidelines 1 which quite rightly guide legal practitioners through the various risks and issues associated with adoption of cloud services. What the Cloud Computing Guidelines neglect to mention, however, is that these same risks and issues also apply to on premises services. When evaluating cloud services, legal practitioners should evaluate the risk profile of cloud systems against the risk profile of adopting (or remaining with) on premises computer systems. This article and the next four that follow it analyse a set of cloud services commonly used in the legal profession against the Cloud Computing Guidelines and compares these services against on premises services. Before we get under way however, I should disclose a bias. I am a big fan of cloud services. The convenience of having information at your fingertips is simply too attractive. I constantly demonstrate to friends and colleagues how I can write on a tablet and have my writing magically appear on my desktop and on my phone at the same time. The accessibility that cloud services provide can lead to a great increase in productivity. Cloud services do pose unique challenges, data sovereignty and data security being but two. However, cloud services have evolved significantly over the last five years, to say nothing of the last 10 to 15 years. In my view, there are many contexts where using cloud services for data storage should now be considered best practice for law firms. Thus endeth my declaration of bias. What We Will Cover In this first article we’ll give a broad overview of what lies ahead, and then explore issues relating to governance of cloud computing. Firstly, we will discuss key points from the Guidelines and then discuss how I approach the analysis. The Cloud Computing Guidelines As I’ve said, the Cloud Computing Guidelines are drafted with a view to 22 THE BULLETIN April 2022 guiding practitioners through the evaluation and adoption of cloud systems. Overall, in my view, they paint a cautionary tale. The Guidelines cover a raft of issues, but they can be grouped into these broad categories: 1. Governance; 2. Confidentiality; 3. Data security; and 4. Data resilience. The Guidelines’ dealings with governance refer mainly to issues around data sovereignty and the governing jurisdiction of a cloud service’s terms of service. Data sovereignty raises issues of the underlying laws of a sovereign state that protect (or otherwise) your data. Ideally, practitioners would want their data located in Australia so that their data is protected by Australian law, which if nothing else, is a known quantity. Governing jurisdiction clauses in terms of service raise issues regarding the ease (or otherwise) of asserting a party’s legal rights. The Guidelines unsurprisingly deal extensively with confidentiality. Confidentiality stems from the risk of third party access to data but extends past this because, as we shall see, third parties always have access to our data regardless of whether it is in the cloud or on-premises. The confidentiality issue becomes a question of regulation of third-party access to a degree that satisfies practitioners’ obligations under the Australian Solicitor Conduct Rules. 2 Data security is self-explanatory and has long been a concern of those looking to migrate to the cloud. As will be demonstrated, data security is also a significant issue with on-premises systems. Data resilience refers to several aspects. The most obvious being availability of data (ie: how often does a service crash). Less obvious are issues around incident management and data portability, data portability being the ability to extract data out of a cloud service if desired. Analysis The aim of my analysis is to apply the abstract concepts in the Guidelines to the practical context of cloud services commonly used by legal practitioners. To that end, I have decided to analyse the Guidelines against a set of popular cloud services and also against an onpremises context. The could services to be analysed are: • Dropbox (the consumer version); 3 • Dropbox Business; 4 • Google Workspace; 5 • Microsoft 365; 6 • LEAP; 7 and • Actionstep. 8 It is worth stating that there are many other cloud services, large and small, that are available to legal practitioners. My intention is to focus on the more prominent services that many practitioners consider adopting or have already adopted. It is also worth stating that this analysis is not a substitute for performing your own due diligence! GOVERNANCE Two main points in the Cloud Computing Guidelines relate to governance – data sovereignty and jurisdictional issues. Let’s deal with data sovereignty first. Data Sovereignty As discussed above, data sovereignty relates to the location of data. The location of data is important as different countries prescribe different legal protections to data stored in them. Protections vary widely from country to country. Also, sovereign data protection may only extend to the citizens of a country. For example, data stored in the US may not be subject to the constitutional protections afforded to US citizens. Cloud services may store data across many countries. As cloud services usually store multiple copies of customer data (for resilience), it’s possible that information stored with a cloud service could fall under multiple widely-varying data legislation. Google, for example, stores its Google Workspace data in 18 different countries across the world, from the USA to Finland to Indonesia. 9
CLOUD COMPUTING TABLE 1 GOVERNANCE DATA SOVEREIGNTY (Location of data) GOVERNING JURISDICTION Dropbox ‘All around the world’ USA Dropbox Business Ideally, as practitioners, we would want our data stored in Australia so that it falls under the protections of Australian law which, although may not the most protective laws, at least are well-known and understood. So, we will assess data sovereignty by asking the question: ‘Can my data be stored exclusively in Australia?’ Governing Jurisdiction Governing jurisdictional issues arise as most cloud service providers are based outside of Australia and usually require their customers to agree to have their agreements governed under foreign, predominantly US, laws. For Australians this predominantly raises a convenience and cost issue as any dispute needs to be litigated overseas. It also subjects agreements to foreign laws that may not contain the same level of consumer protection as Australian law. Data sovereignty and governing jurisdiction are clearly not issues in an on-premises environment. Data on premises is stored in Australia. For firms that outsource their IT support, they do so with local firms and these agreements are governed under Australian law. In contrast, these issues do arise with cloud services, particularly so with consumer services, such as Dropbox. The consumer Dropbox stores its data ‘around the world’ 10 , giving a user no control over where their data resides. Dropbox’s business offering is better, allowing file storage to be limited to Australia, but file File data in Australia, metadata and ‘Paper’ data in the US USA Google Workspace Worldwide USA Microsoft 365 Australia USA LEAP Australia Australia Actionstep Australia Australia On Premises Australia Australia metadata and other products, such as its ‘Paper’ product, remain located in the US. 11 Google’s Workspace business offering gives no option to nominate where data is to reside. A Workspace subscriber must accept that their data will reside in any of the 18 locations where Google has data centres. 12 Microsoft 365 allows its customers to specify that all data, including email, file storage, SharePoint and Teams data, be located in Australia. 13 Both LEAP 14 and Actionstep 15 also locate data exclusively in Australia. Most of the cloud services reviewed contain jurisdictional clauses that govern agreements under US law. The Dropbox Business terms also impose a mandatory arbitration process. 16 The only exceptions for the services reviewed are LEAP and Actionstep which are governed under NSW law 17 (for LEAP) and ‘Australian law’ 18 according to Actionstep’s terms. The Verdict Clearly the on-premises solution wins out in this category. Data sitting in a practice’s office will be located in and governed by the jurisdiction a practitioner is most comfortable with. The practice management systems also do well in this category. The big cloud providers are all based in the US so while some, such as Microsoft, allow for location of data in Australia, terms are still governed by US Law. On-premises wins this round. In the next article we discuss confidentiality. B Endnotes 1 ‘Cloud Computing Guidelines’ (Law Society of South Australia, February 2016) . 2 ‘Australian Solicitors’ Conduct Rules (SA) 2011 V3 with Commentary’ (Law Society of South Australia, 1 July 2015) . 3 ‘Dropbox’, Dropbox In this paper ‘Dropbox’ means the consumer version of Dropbox (which has a free offering) and ‘Dropbox Business’ means the business offering (which has no free offering). 4 ‘Secure Team Collaboration - Dropbox Business’, Dropbox . 5 Google, ‘Google Workspace | Business Apps & Collaboration Tools’, Google . 6 ‘Compare All Microsoft 365 Plans | Microsoft’ . 7 ‘Legal Practice Management Software | LEAP Legal Software’, LEAP AU . 8 ‘Actionstep - Legal Practice Management Software’ . 9 Google, ‘Global Locations - Regions & Zones’, Google Cloud . 10 Dropbox, ‘Privacy Policy’, Dropbox . 11 Dropbox, ‘Dropbox Business Security, A Dropbox Whitepaper’ 13 . 12 Google (n 9). 13 Microsoft, ‘Privacy & Security Terms’, Microsoft | Licensing . 14 LEAP, ‘LEAP Information Security Policy | LEAP Legal Software’, LEAP AU . 15 Actionstep, ‘Tems of Use’, Actionstep [9.4] . 16 Dropbox, ‘Business Agreement’, Dropbox [13.2], [13.3] . 17 This was confirmed to me by email in 1 February 2022 from a LEAP representative. 18 Actionstep (n 15) [10.5]. April 2022 THE BULLETIN 23
Page 1 and 2: THE BULLETIN THE LAW SOCIETY OF SA
Page 3 and 4: This issue of The Law Society of So
Page 5 and 6: PRESIDENT’S MESSAGE New conduct r
Page 7 and 8: CYBER ATTACKS Spear phishing often
Page 9 and 10: Calls to the Australian Cyber Secur
Page 11 and 12: CYBER ATTACKS Endnotes 1 ‘Persona
Page 13 and 14: Transparent IT Support and Managed
Page 15 and 16: Boost your bottom-line Collaborativ
Page 17 and 18: FEATURE consenting to. Further, an
Page 19 and 20: FEATURE When held to ransom: Legal
Page 21: FEATURE sector. 18 Ransomware attac
Page 25 and 26: FEATURE representatives for the Min
Page 27 and 28: FEATURE did not seek Djokovic’s v
Page 29 and 30: FEATURE 2. Re-cancellation The re-c
Page 31 and 32: CYBERSECURITY to abide by, based on
Page 33 and 34: FEATURE The Tour de France winner s
Page 35 and 36: TAX FILES limited views expressed i
Page 37 and 38: WELLBEING & RESILIENCE Doomscrollin
Page 39 and 40: FAMILY LAW CASE NOTES Berman & Harp
Page 41 and 42: BOOKSHELF F Assaf SC 3 rd ed LexisN
Page 43 and 44: CLASSIFIEDS VALUATIONS MATRIMONIAL

LSB April 2022 LR

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?