1. 22 | ISSUE 02
PRIVACY
BY BIANCA MUELLER
Bianca Mueller is a qualified judge from Germany, a German
attorney (Rechtsanwältin), and an enrolled solicitor in New
Zealand. Bianca routinely presents and publishes both
nationally and internationally on a variety of topics, including
criminal law, intellectual property, and international law. Bianca
can be contacted at info@lawdownunder.com.
Cloud-based IT services are touted as a big
money saver. They offer flexibility and scalability,
enabling users to pool and allocate IT resources as
needed by using a minimum amount of physical IT
infrastructure to service demand. Cloud-based IT
services also offer the convenience of being able to
work remotely and access data from anywhere in
the world.
Sometimes businesses move to the cloud too
fast, and fail to conduct a rigorous risk analysis
and evaluation of the return on investment. When
planning a cloud deployment it pays to look past
the hype and to compare the trade-offs between
the different types of cloud environments.
DIFFERENT SHADES OF CLOUD
The term cloud is often used but widely
misunderstood. The cloud comes in different
shapes and sizes. The three most common cloud
service models are Infrastructure as a Service
(data storage), Platform as a Service (web servers,
operating system) and Software as a Service
(applications, software, web email).
These three service structures can be deployed
in four different ways: public cloud, private cloud,
community cloud, or hybrid cloud.
In the public cloud, users access services over
the Internet. The infrastructure is shared and data
can be located in different locations across the
globe (virtualisation). Some of the most well-known
public cloud providers are Google, Facebook, and
Evernote.
A private cloud supplies IT services to a
restricted group of users within an organisation
over a dedicated network link. The private
infrastructure can be located onsite or managed
through an external provider. A hybrid cloud is a
mix of both public and private cloud elements.
The privacy and security implications may
vary substantially for each user depending on the
type of cloud service environment, and the type of
information being used.
While the public cloud offers the highest
potential for cost savings, it also poses the biggest
risks in terms of control over data, regulatory
compliance, service-level availability, and security.
In some situations, the risks of using standard
public cloud solutions may outweigh the cost
saving benefits.
CYBERSECURITY RISKS
One problem with the cloud is that it is not secure.
Common threats stem from criminal hacking
attacks, spying by government agencies, employee
negligence, or access through unsecured mobile
devices.
Over a month ago a flaw was found in the
encryption standard used by the majority of web-
based services. The Heartbleed bug compromised
a swathe of cloud services enabling hackers
to retrieve sensitive data, such as secret keys,
ticket keys, passwords, etc. The Heartbleed bug
is a significant security issue and even more so
because it took two years for it to be discovered.
REGULATORY COMPLIANCE IN
THE PUBLIC CLOUD
Most public cloud infrastructures that are available
in New Zealand are hosted offshore which gives
rise to privacy, security, and jurisdictional issues.
The lack of public cloud providers with New
Zealand hosting severely reduces the range of
public cloud services available to New Zealand-
based organisations.
All agencies that collect, transmit, or store
personal information in New Zealand are bound
by the privacy principles of the Privacy Act 1993.
Organisations that deal with personal information
have to comply with the privacy principles. In this
regard there is no difference between using cloud
services, a fixed-server system, or good old paper.
EVERYONE IS TALKING CLOUD –
HOW SAFE IS YOUR DATA?
2. NEWLAW 13 JUNE 2014 | 23
PRIVACYREVIEW
HOW TO BENEFIT FROM THE CLOUD’S FLEXIBILITY AND COST
SAVINGS WHILE STILL PROTECTING YOUR DATA:
Conduct an impact assessment to determine the most appropriate cloud environment.
Do not buy into the hype – know your data and decide what can go into the public cloud
and what cannot.
Do not put all your eggs in one basket.
Ensure that you fully understand the technical and contractual risks and how they might
affect your particular business.
Monitor the cloud provider’s activities, and plan for cloud outages.
Back-up, encrypt, and bring your own key!
The only exception is Principle 5 of the
Privacy Act, which requires that reasonable
security safeguards are taken against loss,
misuse, unauthorised access, use, disclosure, or
modification, and that if information is disclosed to
another party (eg cloud service provider) everything
reasonable is done to prevent unauthorised use
or disclosure. Compliance with Principle 5 may be
challenging in a public cloud environment because
most public cloud providers are based overseas
and some countries do not provide the same level
of privacy protection as New Zealand.
The recently announced overhaul of New
Zealand’s privacy laws is likely to increase legal
responsibilities for organisations. The revamp of
the Privacy Act 1993 is overdue, and is needed to
ensure that it reflects technological developments,
and is in line with New Zealand’s major trading
partners.
Another regulatory compliance issue arises
in the public cloud with regards to the retention
of business records. As an example, financial
records must be kept in New Zealand under the
Tax Administration Act 1994 and the Goods and
Services Tax Act 1985 for at least seven years.
However, most public cloud providers are hosted
and managed overseas which means New
Zealanders cannot use them to process and store
their business records.
Taxpayers and cloud service providers may
apply for permission from the Commissioner of
Inland Revenue to hold records offshore, providing
the storage of those records offshore does not
impede the Commissioner’s compliance activities.
So far only eight cloud service providers have
received IRD approval to store and hold business
records of New Zealand customers outside of New
Zealand (Brookers, MYOB, Xero, Reckon New
Zealand, Cargo Wise New Zealand, CCH New
Zealand, Farm IQ Systems, and Technology One).
Other statutory requirements to keep records in
New Zealand are contained in the Companies Act
1993, Employment Relations Act 2000, Electronic
Transactions Regulations 2003, and Public Records
Act 2005.
An individual or a business may have
contractual or statutory obligations to keep
particular information confidential. For instance, an
employee or contractor who signed a confidentiality
agreement may breach that very agreement by
uploading confidential work information into their
personal Dropbox account.
On the other hand, accountants, lawyers,
general practitioners, and other health
professionals are bound by law to confidentiality.
For these professions it may not be advisable
to use the public cloud to process data relating
to their client or patient (ie to use iCloud, Google
Drive, Dropbox, Evernote).
CONTRACTING ISSUES – SMALL
CONTRACT, BIG LIABILITY?
Users of cloud services should know that they
bear the sole responsibility for adequate security,
encryption, and back-up of any data, even though
the data is hosted by the service provider.
Many publicly available cloud services limit the
liability of the hosting provider to a level that is not
in line with the potential risks. Read the fine print
on any contract and know where your risks and
liabilities lie. It may surprise you.
If you are expecting this one-day
course to equip you against the
sharpest of judicial tongues, or to
pull off Denny Crane-style antics
and annihilate your opposition, then
Gary Gotlieb’s Courtroom Confidence
workshop as part of the College of
Law’s Advanced Business Skills
series is not for you.
However, if you would like to
know the inner workings of correct
court procedures so that your court
appearances run smoothly then you
are in luck.
Ask any lawyer or barrister
about success in court and they
will most likely tell you it is all about
being well-prepared. But it is not
all about knowing your case inside
out, it is also about familiarising
yourself with how court processes
operate, etiquette, knowing who is
responsible for what, dealing with
clients in stressful situations, being
respectful to court staff, and even
allowing yourself some extra time
when arriving at court to allow for
last-minute courtroom changes
so that you do not arrive late and
flustered. It all sounds like relatively
low-level stuff, but even the more
senior attendees at the workshop
admitted to being unfamiliar with
certain processes.
With over 40 years of legal
practice, Gary Gotlieb is arguably
one of the country’s most experienced
barristers. He captivated the
workshop attendees who were
PDS, private practice, and in-
house lawyers at varying levels of
experience and practice areas.
“The biggest thing you have is
your reputation,” is one of the first
things Gary says to us.
We cover conduct in court and
with clients – having empathy for
all involved in learning the new Civil
and Criminal Procedure Rules, never
making an assumption about how
a judge works, using registrars to
ensure you are doing admin correctly,
always being mindful of saving the
court time, always having a copy of
the Lawyers and Conveyancers Act to
hand, dealing with self-represented
litigants, demonstrating good
collegiality among counsel, not being
afraid to request an adjournment if
there is an unexpected change of
tack.
We then move on to procedures,
where Gary had invited two senior
court staff to join us to discuss the
correct administrative procedures for
filling out court forms and filing that
will ultimately make the experience
smoother for everyone involved.
Everything to ensure that you do not
end up on the naughty list of slack
lawyers – there is one, you know!
Courtroom Confidence is suitable
for all types of lawyer, even the more
experienced ones who may not have
had much recent court time.
The next Courtroom Confidence
workshop is scheduled for 26 June
2014 and is eligible for seven CPD
hours.
Other Advanced Business
Skills Series Workshops include:
Investigative Interviewing, Practical
Tax for Lawyers: GST and Land,
Practical Tax for Lawyers: Tax
Disputes and Dealing with the IRD,
and Legal Project Management.
For more information please visit
www.collaw.ac.nz
THE COLLEGE OF LAW: ADVANCED BUSINESS
SKILLS SERIES – COURTROOM CONFIDENCE
REVIEWED BY ANGELA JACOBSEN