The article below was distributed to members of the AICPA (American Institute of Certified Public Accountants). I’ve decided to post this article on my blog because many of the issues CPAs and their clients face about “Cloud Computing” are very similar to, if not the same as, the issues that Reprographers and their clients face.
"Warning: Cloud Could Bring Storm"
Storage of data is moving to the cloud. Make sure you know the risks and how to avoid them before lightning strikes.
February 27, 2012
by Jason Rosenthal, JD and Nicholas Gowen, JD
Cloud computing may sound transcendental, but it actually is nothing new. It is simply a trendy term to describe Internet-based computing services. Cloud computing allows businesses and individuals to use the Internet to access software programs, applications and data from computer centers that third-party vendors manage.
But there are perils in the cloud. Servers can be hacked, destroyed by a natural disaster, or infected by malware, any of which can lead to data being breached, lost or otherwise compromised. While cloud computing, and particularly cloud data storage, presents many advantages and will likely become more prevalent, it carries unique risks for CPA firms and their clients. This column analyzes some of these risks.
Confidentiality and Data Security Concerns
Whether you are storing your CPA firm’s own data or that of your clients, confidentiality and security issues are of paramount concern. There are limitations to protecting the confidentiality of your firm’s data when dealing with third-party vendors, and the risks of unauthorized disclosure of your firm’s sensitive data by cloud providers can be significant. (Editor’s note: According to Generally Accepted Privacy Principles, confidentiality refers to the protection of non-personal information and data from unauthorized disclosure, while privacy is about the protection of personal information).
This article, much like any other electronic data in cyberspace, may long outlive its authors. Remember that unless data is properly deleted or otherwise purged, it may remain in cyberspace longer than intended, in the provider’s replicas and backups as well as in its primary storage. CPA firms need to keep this in mind and act accordingly when entering into contracts with cloud providers.
To protect data confidentiality, be prepared to negotiate specific contractual terms before uploading data into a cloud storage system. CPA firms should consider factors such as:
• Whether the provider will segregate your data;
• Whether the provider will access, use or copy data for its own purposes;
• Whether the provider will delete or return your firm’s data at your request;
• How the provider will adequately purge data to ensure that confidential information is not compromised; and
• What the cloud provider’s obligations are to notify your firm of a potential data breach.
CPA firms need to be concerned about security lapses in cloud data storage systems. Major data breaches are continuing to occur at an unprecedented pace, affecting millions of customers. In January, Amazon.com-owned clothing and shoe retailer Zappos.com revealed that a hacker had gained access to account information on more than 24 million customers. Last year, one of the largest cyberattacks to date breached Sony’s PlayStation Network and compromised data on 77 million customers.
When a data breach occurs, the implications can be disastrous (see Insurance Coverage for Data Breaches). You should establish preventive and backup measures to protect the integrity of your firm’s data and that of your clients. Ensure that your service provider offers advanced security capabilities that include:
• Proven, standards-based encryption of data in transit and at rest, so that data in shared storage cannot be read by other tenants of the same servers, and clarity about who holds the encryption keys;
• Stringent access controls to prevent unauthorized access to the data;
• Scheduled data backup and safe storage of the backup media; and
• Business continuity and disaster recovery solutions.
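The list above treats encryption as something the provider offers. The stronger position, and the one that also answers the contract questions earlier on this page about whether the provider will access, copy, return or adequately purge your data, is to encrypt on the firm’s side with keys the provider never sees, so that what sits in the cloud is ciphertext only. The Go program below is an added illustration written for this post; it is not code from the article or from any cloud provider, and the object names, the in-memory key table and the sample workpaper are constructed for the example. It shows envelope encryption with AES-256-GCM (a random per-file data key, wrapped under a master key the firm keeps), detection of a corrupted or tampered backup, and cryptographic erasure: forgetting a file’s data key makes every copy of that file the provider still holds unreadable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Firm is the client side of the arrangement. It holds the master key and a
// table of per-object data keys wrapped under that master key. Neither the
// master key nor an unwrapped data key ever leaves the firm.
type Firm struct {
	masterKey   []byte
	wrappedKeys map[string][]byte // object name -> wrapped data-encryption key
}

// NewFirm generates a fresh 256-bit master key. In a real deployment this key
// would live in an HSM or a key-management service the firm controls
// (an assumption of this example; the article does not prescribe one).
func NewFirm() (*Firm, error) {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return nil, err
	}
	return &Firm{masterKey: mk, wrappedKeys: make(map[string][]byte)}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM(key, nonce, plaintext). GCM authenticates the
// ciphertext, so any later modification is detected on open.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails if the nonce, ciphertext or tag was altered.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// Upload encrypts a file under a fresh data key and records the wrapped key
// locally. The returned ciphertext is the only thing sent to the provider.
func (f *Firm) Upload(name string, plaintext []byte) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(f.masterKey, dek)
	if err != nil {
		return nil, err
	}
	ciphertext, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	f.wrappedKeys[name] = wrapped
	return ciphertext, nil
}

// Download decrypts a blob fetched back from the provider (or from a backup).
func (f *Firm) Download(name string, ciphertext []byte) ([]byte, error) {
	wrapped, ok := f.wrappedKeys[name]
	if !ok {
		return nil, fmt.Errorf("%s: no data key held; object purged or never uploaded", name)
	}
	dek, err := open(f.masterKey, wrapped)
	if err != nil {
		return nil, fmt.Errorf("%s: unwrap data key: %w", name, err)
	}
	return open(dek, ciphertext)
}

// Purge is cryptographic erasure: zero and forget the data key, so every copy
// of the ciphertext the provider retains (replicas, backups, tapes) is useless.
func (f *Firm) Purge(name string) {
	if w, ok := f.wrappedKeys[name]; ok {
		for i := range w {
			w[i] = 0
		}
		delete(f.wrappedKeys, name)
	}
}

func main() {
	firm, err := NewFirm()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a client workpaper that must stay confidential.
	const name = "clients/1042/2011-workpaper.txt"
	workpaper := []byte("Client 1042: 2011 tax workpaper - adjusted gross income $412,000")

	stored, _ := firm.Upload(name, workpaper)
	fmt.Println("provider can see plaintext:", bytes.Contains(stored, []byte("$412,000")))

	back, err := firm.Download(name, stored)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, workpaper))

	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01 // a corrupted or altered backup
	_, err = firm.Download(name, tampered)
	fmt.Println("tampered backup rejected:", err != nil)

	firm.Purge(name)
	_, err = firm.Download(name, stored)
	fmt.Println("retained copy unreadable after purge:", err != nil)
}
```

Two caveats a practitioner would add. Cryptographic erasure supplements the contractual deletion and return obligations discussed above; it does not replace them, since ciphertext the provider keeps is still your data in the eyes of a court. And the master key now carries the same weight as every file it protects: it must be backed up and access-controlled at least as carefully as the data, because losing it is equivalent to losing the files, and a subpoena served on the firm for the key is a separate matter from one served on the provider.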
Intellectual Property Issues
As the U.S. economy has transitioned from a manufacturing base into the information age, the legal system has also been forced to adapt. Property law concepts in existence for centuries are now being applied to modern technology. Be aware that courts generally do not draw a distinction between data stored electronically in the cloud and data stored in paper files in your storage room. For example, in Thyroff v. Nationwide Mut. Ins. Co., 8 N.Y.3d 283 (2007), the New York Court of Appeals (the state’s highest court) held that a party could sue for conversion of intangible electronic records stored on a computer. The court recognized the intrinsic value of both electronic and print documents and declined to draw a distinction between electronically stored information and printed documents for these purposes. Similarly, several courts have held that electronic information stored on computer disks, magnetic tapes and audio files, and even data sent via electronic signals, are protectable property rights.
Moreover, the data your firm stores may constitute trade secrets, copyrighted work or other material that U.S. intellectual property laws protect. If your firm’s cloud resides offshore in another country, the laws of that country may not provide adequate protection if someone else obtains this information.
Concerns Regarding Compelled Disclosure to Third-Parties
CPA firms also need to be aware that cloud providers may be compelled to disclose the firm’s data and its clients’ data if the provider is served with a civil or criminal subpoena or a search warrant.
Government officials can use current U.S. law — including the Electronic Communications Privacy Act, the Stored Communications Act and the USA PATRIOT Act — to obtain your clients’ data that is stored on cloud servers. Although cloud-based computing was not considered when these statutes were enacted, they are being used to gain access to data in the cloud, possibly without notice being given to the owner of the data. For example, in 2010 FBI agents served Google with a search warrant demanding e-mail and “all Google Apps content” for an alleged criminal spammer. Google reportedly produced the requested files 10 days later, including many incriminating documents that were stored on the suspect’s Google Docs account. Although the original search warrant was issued under seal, the FBI publicly disclosed its actions in a follow-up search warrant affidavit filed in federal court in Denver in 2011 (In the Matter of the Search of Yahoo! Inc, 10-sw-5056-MEH).
Moreover, the law is currently unsettled regarding whether Fourth Amendment protections even apply to data stored in the cloud, as opposed to data stored locally or in print. Thus, you and your client may be unable to prevent disclosure of sensitive information stored in the cloud that may otherwise not be disclosed if stored on a local server. This is notwithstanding the previous discussion regarding courts finding no general distinction between the content of electronic and paper documents.
CPA firms need to be aware that their clients’ data stored in the cloud may not be protected from compelled disclosure to the government or civil litigants. Thus, you should consider the ramifications of uploading sensitive data to cloud servers.
Although your data may be stored in the cloud, that cloud, or at least the server holding your data, has a physical location. It may be in another state or even another country. Moreover, the cloud can move: the provider storing the data may itself relocate, or may decide to move your data to a server in one of its other locations. While you should be able to access your data from anywhere, chances are you will not know the location of the physical server being accessed.
Cloud service contracts may provide that any disputes arising out of the service agreement are to be resolved in a foreign jurisdiction. Whether that means another state, or another country’s legal system altogether, it may present unique challenges if the parties need to turn to the court system to resolve a dispute.
Pay particular attention to whether the contract contains a venue or choice-of-law provision, and consider whether it will be problematic. Litigating in foreign venues can be a significant disadvantage to your CPA firm.
The jurisdiction in which your data is stored may have regulations that differ from those of the U.S. For example, privacy laws vary from country to country and may affect your ability to access the data.
Sarbanes-Oxley and other laws may require a company to audit certain information. This may include information that is stored on a cloud server. Thus, CPA firms and their clients need to make sure up front that they have any necessary audit rights.
Cloud computing presents opportunities for managing data, but it also presents risks. Before your CPA firm blindly flies off into the cloud, take proper steps to protect your firm and its clients.