Cloud ignorance exposed by Commissioner

Privacy Commissioner working with regulators globally on cloud computing issues

If your company uses smartphones are you using overseas ICT infrastructure?

According to the majority of government agencies and companies responding to the Privacy Commissioner’s survey on the use of overseas ICT infrastructure in cloud computing, the answer is “No.”

“That was the most startling result,” Commissioner Marie Shroff told Computerworld. “Some of the other results are not good, but they weren’t such a surprise. But this one was a surprise and that was actually something we added into the survey at the last minute. We suddenly thought maybe we’d better specify and ask them if they have internet-capable phones, because there is a possibility they don’t realise what they are doing [that smartphones connect to overseas infrastructure] and sure enough, that is what the results showed.”

In the survey of 50 respondents, 46 said their organisation used mobile internet/email devices. But when asked ‘whose overseas infrastructure does your organisation use?’ just over half – 26 respondents – stated they didn’t use overseas infrastructure at all. A further six respondents said only their own organisation’s overseas infrastructure was used.

Although the survey number is small, it includes large government departments such as the Ministry of Social Development and police, and major companies such as ASB Bank, Fonterra and Air New Zealand.

Shroff says the results show a large number of respondents that send data overseas do not check the overseas organisation’s use and management of the information, and often the decision to offshore information is made on an ad hoc basis.

She released the survey results during an event in Auckland to mark Privacy Week (May 1- 7). At the event, questions were asked about companies’ liability, if data is offshore and there is a security breach.

“You’re responsible for it so it is really important for you to get some really good controls in place,” says Katrine Evans, assistant commissioner for legal and policy. “That is not to say that mistakes won’t happen, they will happen. But you have got to do what is reasonable to stop them from happening.”

So what is “reasonable”?

Shroff says encrypting the data, ensuring there are controls over the use and retrieval of data is written into contracts with overseas providers, and making sure those controls are monitored, are among the steps a business that offshores client’s data should take.

“If, for example, you have a rogue employee we won’t necessarily ping you as hard as we would, if its clearly something happening in the context of negligence as it is in the context of trying really hard and perhaps just having a bit of bad luck.”

In the survey there was no clear market leader in the cloud environment, with a range of vendors, including big names such as Google, IBM, Amazon and Microsoft, being cited.

Most of the information is offshored to Australia and the US.

Shroff says she is working on a global basis with privacy regulators on the issue of privacy in the cloud. “My general impression is that at least some of the cloud computing providers, the very big ones, are conscious of this and they in turn want to do the best for their customers in order to make sure the businesses don’t damage their relationships.

“Business in a sense has got it in a way that perhaps government haven’t. That complex ICT is something that needs to be handled with the utmost caution and care.”

When asked by Computerworld about the seeming disconnect between the Department of Internal Affairs pushing cloud computing solutions, and the IRD appearing to caution against offshoring, (as with the warning about accounting records in December) Shroff replied that they the departments worked in different areas of the government, but she said it was a struggle in most countries to keep tax law up to date with ongoing developments in ICT.

See also Regulatory Compliance in the cloud