Myth #20: Your personal or business information and data is safe in the “cloud”.
We have all heard the phrase, “information is power”.
This concept is becoming increasingly relevant in the constantly evolving technological age that we live in. Information is more readily available, which is good in many ways, but it also means that we need to guard our personal information more carefully.
Identity theft, for example, is an ever-increasing problem and has received much attention in recent years as criminals look to the internet and e-mails as a way of obtaining people’s personal data and information.
In recent years, “cloud” computing has become popular as a way of cheaply storing and accessing a huge amount of electronic information and data.
Basically, “cloud” computing is the practice of using a network of remote servers hosted on the internet to store, manage, and process information and data, rather than using local servers or a personal computer.
The “cloud” is especially attractive to businesses as an efficient and cost-effective way of dealing with huge amounts of information and data. The information and data can be stored in the “cloud” instead of purchasing and maintaining servers physically located in your office. The information and data can then be managed by a third party, both of which cut costs significantly. The information and data can also be easily and quickly accessed from anywhere, which allows businesses to increase productivity and efficiency.
However, as we know, faster and cheaper is not always better and there are pitfalls associated with “cloud” computing.
Most importantly, where is your information? Information and data security is probably the most significant potential problem with the “cloud” model of computing.
For personal users, this may not appear to be a big change, as most people do not have a server at their home. But these personal users should be aware that many Internet service providers are now providing their services through the “cloud” rather than using their own servers. This begs the question, where does your information go when it is in the “cloud”?
Is it in Bermuda?
With the “cloud”, your information and data is stored on servers in one or even many locations around the world.
Some providers in Bermuda do have servers located on the island, but others may not. This means that the information could be spread or shared between several different server locations within the provider company or even outside of the provider company if they have subcontracted out the work. This may all be happening without your knowledge.
When your information and data is in another jurisdiction, it will be subject to the different laws of that jurisdiction. For example, if your information is on a server in the United States or even on a server owned by a company that is subject to US law, those servers and the access to the information on them will be subject to US law.
The US Patriot Act immediately comes to mind as one way in which the US government may access your information without your knowledge.
Further, it is estimated that there are over 10,000 agencies in the United States that are able to access information stored with third parties by way of a subpoena without notice, rather than a warrant.
As a starting point, you should ask your Internet provider where their servers are physically located, where your information is stored and who has access to it. Do not assume that, because your Internet provider is based in Bermuda, your information is solely on servers in Bermuda.
These questions are particularly important for businesses, which also need to consider their professional obligations. As lawyers, we have an obligation to keep client information secure and confidential.
This obligation could be in jeopardy if you are storing a client’s information on a server outside of Bermuda. Other professions, such as doctors and accountants, will undoubtedly have similar obligations or client expectations that may be at risk.
When it comes to guarding and protecting personal information, faster and cheaper is not always better and you should not assume that your information and data is secure in the “cloud”.
While practising in Canada, I was involved in disputes and litigation surrounding the alleged misuse of personal information, particularly information and data stored using “cloud” computing. This is a developing area of law and regulation, and many jurisdictions around the world are struggling to keep up with the developments in technology.
We have been told that the Bermuda Government is in the process of creating privacy legislation which is expected to codify how personal information is stored, accessed and distributed by both government and businesses in Bermuda.
This is a very welcome development, but for now, it would be prudent for all Bermudians and businesses to educate themselves about how and where their personal information is stored and being used. Further, considering the impending privacy legislation, businesses should review or create their own privacy policies, not only to protect their clients’ information but to avoid potential litigation in the future.
Based on my professional experience, I would advise businesses and professionals to take a proactive approach to protecting themselves and their clients when it comes to privacy and technology.
John Hindess is an associate, Litigation and Advice Team, at Marshall Diel & Myers Limited. He may be contacted at john.hindess@law.bm or 295-7105.
This column is for general guidance only and does not constitute legal advice.