Cloudy with a chance of data leaks: What business professionals need to know before using the cloud

Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage and process data as opposed to relying on this information to be saved on a local server or personal computer. Some popular cloud services include Dropbox, Microsoft OneDrive and Google Docs. Using such services is convenient, accessible, and cost effective for businesses. As a result, cloud computing has become increasingly common in the workplace. 

However, it’s important to understand and appropriately manage the risks of cloud usage, particularly when it comes to protecting sensitive client data.

Risks of using cloud services in the workplace

There are countless instances of business professionals using services such as Dropbox to share files with clients that may be too large to send through email. Some employees also save files to cloud services so they can continue to work on these files from home or on the road. 

However, it’s important to be aware of the risks involved with such activity as well as understand how different cloud services may store, manage, process, and disclose data. Without proper security measures, information that comes into contact with cloud services may run the risk of being exposed to hackers, sold for third-party profits, lost, exploited, or stored in a way that breaches privacy legislation in British Columbia. Two main considerations you should examine before using cloud service providers are: (1) Where is the information stored? and (2) Can you ensure a level of confidentiality that complies with your professional obligations

Where is the information stored?

While it is convenient that information in the cloud is stored within large servers owned by cloud computing companies (and not taking up space on your hard drive), it is important to consider where exactly these servers are located. This is important for individuals such as chartered professional accountants (CPAs) or lawyers who work with public sector clients to be aware of. Generally, under section 30.1 of the British Columbia Freedom of Information and Protection of Privacy Act (FIPPA), a public body must ensure that personal information under its control is only stored and accessed within Canada. Therefore, CPAs, lawyers, and other professionals who work with public sector clients have to be mindful of not uploading public sector information to cloud services that may store that information in foreign jurisdictions.

BC’s private sector privacy legislation, the Personal Information Protection Act (PIPA), does not have any such requirement. However, if you are storing information in the cloud outside of Canada, the Office of the Information and Privacy Commissioner (OIPC) recommends that clients be notified. The OIPC has suggested that the best way to do this is to establish a detailed, user-friendly privacy policy. As a starting point, the OIPC has developed guidelines for private sector organizations for developing a privacy policy. Such a policy could be signed by clients along with their retainer agreements.

Can you ensure a level of confidentiality that complies with your obligations?

Under both PIPA and FIPPA, sections 34 and 30 respectively state that an organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or other similar risks. As a result, all professionals who upload information using cloud services are responsible for making sure the cloud provider they are using maintains a level of security that is appropriate to the sensitivity of the information stored. For example, psychologists collect information that is generally more sensitive than information collected by engineers. Nevertheless, both professions require under their respective codes of conduct that the confidentiality of information be maintained, subject to specific exceptions. This is in addition to the general requirements of PIPA that all private organizations in BC are subject to.

CPAs in BC are governed by CPABC’s Code of Professional Conduct (the “Code”), which imposes a duty of confidentiality as a professional obligation. Under the Code, CPAs have a duty to take appropriate measures to protect any confidential information acquired as a result of professional, employment, and business relationships. The Code mentions the cloud and states that the use of cloud computing and storage “may increase security requirements.”

10 due diligence actions to take before using the cloud

Ultimately, business professionals should conduct due diligence before using a cloud service. Here are 10 considerations to keep in mind:

1. Determine if the information is being transferred or stored on remote servers outside of Canada.
2. Clarify who owns the data and who has access to it.
3. What are the provider’s security measures? For example, does the company protect information with strong authentication, authorization and encryption systems?
4. How is data archived? Determine what tools are available for data recall and recovery. It’s also recommended to see if archived content is protected by robust security measures. 
5. Know what your options are in case the cloud system crashes.
6. Is there a third party in the cloud? For example, does the cloud computing company outsource any of the services covered in the contract? The introduction of third parties can increase risk so it’s important to be aware of any third parties and have an understanding of their roles and responsibilities.
7. Review and negotiate your terms of service with cloud providers that you intend to use. You should take proactive steps to ensure the confidentiality of client and other sensitive information is protected. 
8. Seek out high quality service providers. This can be done by assessing a service provider’s reputation and quality of work through discussions with existing customers and inspecting audit and incident reports. Providers who keep security at the forefront should be able to easily provide detailed security information.
9. Do not use the cloud as the only location for data storage – use other backup solutions. This will be critical in the event of a temporary cloud outage or worse, a cloud crash resulting in data loss.
10. Do not upload data to the cloud if you wouldn’t be comfortable with that data being exposed sometime in the future. The nature of cloud services is inherently risky since any data saved to the cloud is being held by a third party. For the most sensitive information, cloud storage may not be the best option.

Regardless of whether or not cloud services are used, the potential for sensitive information becoming exposed is always an ongoing risk for organizations and should therefore be considered in every businesses’ overall risk management strategy along with other, more general privacy and security issues related to digital communications. For example, what are your obligations if you travel to another country with confidential client information on your devices? As the digital landscape continues to evolve and as business professionals increasingly benefit from new technological advances, the responsible handling of information should always be at the forefront. 

Michela V. Fiorido is a privacy lawyer at Harris & Company LLP in Vancouver. She regularly advises private and public sector employers on information access, protection and privacy policies as well as technology use in the workplace.