D Forensics in case of data breaches

Another significant issue raised by the Distribute.IT hack is the comparative difficulty of tracing hacks that occur in the cloud.  Typically, where a hack occurs on an in-house system, the forensics for tracing the hack are relatively simple, and more often than not the person responsible will be an insider with knowledge of the system.  When a breach occurs in the cloud the process is far more complicated.  There are numerous points at which the hack may occur, the data may be stored overseas or in several different places, and responsibility for the data may have been sub-contracted out to another company by the cloud provider.  It can be difficult simply to determine where the breach actually occurred, let alone who is responsible.

Moving data into the cloud can therefore compromise the ability of companies and authorities to investigate data breaches.  Where data storage moves to the cloud ‘the ability to obtain uncontaminated copies of evidentiary data may be reduced, if not eliminated.’[13] It is in the interests of any business looking to move into the cloud to investigate whether and how data breaches can be traced and investigated.

E Security advantages in the cloud

If the above security concerns can be adequately addressed there can be significant advantages for data security in moving to the cloud.  Cloud computing does provide a number of advantages over traditional in-house IT solutions, especially for small and medium size enterprises.  This section will focus on the data security advantages that cloud computing can provide and will not discuss other benefits of cloud computing, such as decreased cost, increased flexibility and elimination of system down time.

Many common cloud services such as Google Apps, Windows Azure, Amazon EC2 and IBM LotusLive are provided by extremely large multinational enterprises that have access to expertise and resources that small and medium size businesses in particular would be unable to match with an in-house IT solution.  Related to this is the ability of large cloud providers to provide advanced encryption of sensitive data.

Migrating data to the cloud can also reduce the risk posed by insiders to data security.  A large proportion of data breaches involve the input of an insider who has knowledge of and access to company IT resources.  Moving data off-site provides an obvious advantage in reducing the risk that insiders will be able to easily access this data.  The large size of cloud networks also creates obvious security benefits for customers, as ‘all kinds of security measures are cheaper when implemented on a larger scale.’[14]  Further as security is a priority concern for many customers, this creates a driving force for providers to implement strong security measures to attract and retain customers.  Finally, security updates and patches can be quickly and uniformly applied across a cloud network as compared to in-house networks.

III Regulatory reform?

A Introduction

Cloud computing is a rapidly developing field, and as yet regulation and legislation have been largely reactionary and less than comprehensive.  There is a growing recognition of a need for greater governmental and industry responses to the challenges facing cloud computing.  Some current and future approaches are outlined and analysed below.

B Security breach notification laws

Security breach notification laws place a legal requirement on corporations and organisations to notify individuals when a data breach results in disclosure of their personal information or data, either where certain types of data are disclosed or where the breach carries a serious risk of harm to the person whose data has been stolen.  They have become a popular tool for legislatures seeking to address data security breaches in a way that is not excessively costly to industry but still addresses the concerns of customers about their data.  The theory is that mandatory disclosures of security breaches fulfil two key functions.  First, they address the right of individuals to know when their information has been stolen or compromised and allow customers to take action to mitigate any harm resulting from the loss or theft of this data.  Second, the laws provide an incentive for organisations to take adequate steps to secure the personal information they hold.[15]  These two aims are respectively called the ‘Right to know’ and ‘Sunlight as a disinfectant’.[16]

The first security breach notification laws were introduced in California in 2002.[17]  Since then they have been adopted in 46 US states[18] and have been mandated by the European Union Directive on Privacy and Electronic Communications.[19]  The latest evidence from the US indicates that security breach notification laws reduce the frequency of identity theft resulting from data breaches by an average of 6.1%.  This is an indication the ‘right to know’ argument has significant merit.  However, studies are so far limited and there is no evidence aside from the anecdotal as to whether industry has been prompted by the laws to adopt more stringent data security practices.

As yet, no Australian state or the Commonwealth Government has followed this lead, despite a recommendation from the Australian Law Reform Commission (ALRC) in its 2008 review of Australian privacy laws.  Calls for such legislation on a national level have been renewed in the wake of a number of high profile hacks[20] and it seems likely that the near future will see the introduction of security breach notification laws in Australia.[21] 

C The Cybercrime Legislation Amendment Bill 2011 and the Council of Europe Convention on Cybercrime

The movement of data into the cloud also raises the need for increased international co-operation in order to effectively combat and prosecute cybercrime.  The Australian government has moved recently to recognise this need by introducing the Cybercrime Legislation Amendment Bill 2011 (the Bill), facilitating Australia’s accession to the Council of Europe Convention on Cybercrime (the Convention).  The Bill has three main aims.  The first is facilitating the preservation of communications by enabling agencies to request preservation of communications by a carrier over whom they intend to seek a warrant.  The second is facilitating international co-operation by providing for greater access by Australian agencies to communications stored outside Australia.  The third is extending the scope of certain cybercrime offences in line with the Convention.

The Bill is further evidence that the Australian government is seeking to bring Australia into line with data protection laws overseas, especially in Europe and the USA.[22]  In the context of cloud computing, the Bill has a couple of interesting features.  The first is the facilitation of a 24/7 real-time network to enable efficient and free exchange of information between Australian and foreign authorities, reflecting the need for expeditious disclosure of communications and traffic data to foreign countries for identification and investigation purposes.  The second is the privacy implications raised by the provision of access by foreign authorities to data stored in Australia, and vice versa, which closely parallels the difficult jurisdictional issues raised by cloud computing (discussed in depth in another of our cloud whitepapers).
