While the Australian e-commerce market continues to grow, new research has found that many companies aren’t aware of their legal obligations when it comes to working in the cloud.
A whitepaper launched this week set out to consider what business leaders need to assess when moving or storing data in the cloud – and the findings paint a risky picture for Aussie businesses.
David Vaile, chief author of the whitepaper, believes legal concerns about the cloud have so far been overlooked amongst all the excitement in the new capabilities it offers.
“Knowing where and under whose jurisdictional control your data is held can be a fundamental issue for transparency and risk assessment,” Vaile said.
In your business, how much collaboration has there been between legal advisors and your IT department? The whitepaper states that the selection of a cloud provider must be made by drawing on knowledge and expertise from corporate security, risk management, and legal counsel within an organisation.
Additionally, when choosing a cloud provider, decision makers must consider a provider’s financial condition, disaster recovery plans, insurance coverage, methods for preventing unauthorised access or introduction of malicious code, and experience with your own systems as a customer.
It’s also important to be aware of the infrastructure of the cloud provider, breach notification protocols and security procedures, location of their data centres, and record of reliability.
Craig Scroggie, CEO of NEXTDC, a whitepaper sponsor, shared his ten commandments of data sovereignty:
National law
Thou must be aware that information stored in a cloud environment can conceivably be subject to more than one nation’s laws.
Local law
Thou must remember that the onus is on the business to ensure the cloud provider used complies with local laws.
International law
Thou must remember that by nature, a cloud computing environment invites international considerations.
Insurance
Thou shalt check whether your cloud service provider has extended its insurance policy so that it also includes cover for your data; not all clouds are created equal.
Data profile
Thou must acknowledge it is not the application but the data that needs to be profiled and classified so a policy can automate its residency within a hybrid cloud.
Data sovereignty
Thou shalt investigate and formulate criteria that determine what information should be housed in Australia or exclusively under Australian control.
Privacy rules application
Thou shalt investigate whether ‘personal information’ really needs to be stored in identifiable form, since permanent de-identification can mean privacy rules no longer apply.
International treaties
Thou should know the US has entered into mutual legal assistance treaties with over 50 countries.
Foreign vendors
Thou must be aware a foreign-owned vendor may be subject to their country’s laws, even if they operate in Australia.
Privacy act
Thou should note the ramifications of the revised Privacy Act coming into effect in 2014, where it’s not stipulated that foreign providers must comply with Australian Privacy Law.