Data, the cloud and regulation – walking the tightrope
With regulation of data storage and the embrace of the cloud not necessarily sitting well together, Mark Andrews explores some practical approaches that law firms can take to protect valuable client information – while also defending the reputation of the firm itself.
Data sovereignty is nothing new.
Companies and firms have been dealing with the concept for many years. Pre-cloud, the landscape was much simpler as you physically knew where your data was located and had direct control of it.
As the use of data centres grew, there was still a level of control because you could select which data centre you would use and where backups would go. In the era of Software as a Service (SaaS), you can include a range of contract provisions and request configuration settings to control where your data resides, but it is a significantly more complex space.
The geopolitical landscape is leading to more regulation and control at the same time as we are using technologies that allow far more flexibility and nimbleness and the ability for data to travel across the globe very easily. Various commentators put the value of the SaaS market at about US$200 billion this year. There are about 25,000 available SaaS solutions, and this number is only set to grow. Therefore, firms need to be up to date in a new data-sovereignty era.
In terms of data regulation and privacy – whether you consider Australia, the Asia-Pacific region, or globally – there is no shortage of new and emerging regulations and bar rules covering issues such as where data is located; where it is backed up; who has access to it and for what purpose; where it transits through; and how it is stored.
Regulations increasingly focus on national boundaries. While it is not the focus of this article, it is noteworthy that cyber criminals have no regard for boundaries, and one might question the extent to which regulations provide any genuine protection, or whether they simply impose cost and complexity. This is not to say that there is no value in regulation, but it would seem more beneficial to focus on storage, retrieval and security protection rather than on boundaries.
Major SaaS vendors are concerned with meeting the regulatory requirements of various countries, but others are less equipped to do so. The commercial reality for some vendors is that it is simply not worth them establishing the necessary in-country infrastructure and, as a result, firms may need to maintain some on-premise systems or select alternate SaaS vendors.
At the larger end of the vendor landscape, it remains the responsibility of the firm to understand their own data and to understand how the vendor proposes dealing with regulations, and whether the same approach applies to each component of their SaaS offering.
One could be tempted to think that moving to the cloud is too complex, but there is unquestionable benefit. This includes the investment vendors make in security, the environmental benefits of scale, the range of solutions available, and the chance for internal IT specialists to focus more on deployment and adoption of solutions and less on the maintenance of solutions.
We have certainly seen a significant change in the past five years in preparedness to embrace the cloud and SaaS – and I do not see that trend changing.
All about data
Critical to walking the regulatory tightrope is knowledge of your own data.
This is not just about ‘what’ data, but also about the ‘where’, ‘how’, ‘who’ and ‘why’. In thinking about the ‘what’ of data, you must understand the range of data you have – and this can be surprising. A careful review of data inflow and outflow, along with data creation and destruction, will likely reveal data you may not have realised you had or were keeping.
As an example, let us consider the recruitment of new staff – what data do you capture on potential recruits, and what data do you retain? Do you keep any form of personal data and ID-related information such as a driver’s licence or passport? What data are you retaining in email relating to potential candidates? What data do you really need to keep, and are you keeping too much data? One can quickly appreciate that asking the ‘what’ question leads to many potential discoveries.
The other dimension to the ‘what’ question is the type or classification of data you have. This is critically important when it comes to regulatory compliance and the use of SaaS.
Different approaches apply to public data versus personally identifiable information, versus confidential data. If you do not classify data, you may either be trying to apply controls and complexity where they may not be needed, or equally putting yourself at risk of a breach of regulations by not understanding what personal data you hold. What data you have is not just about the data itself, but the type of data it is.
Once you have built up a clear picture of the data you have in a particular area of the business, think about where the data is stored and be sure to think broadly (i.e., outside the primary system that you think should contain the data). If you are using SaaS solutions, do you confidently know where the data is stored and whether this applies to live data and backup, or just live data? Do you have control over where the data is stored, and can it be moved under emergency situations without your knowledge and consent?
The ‘where’ question is not just about data at rest (i.e., data that is sitting in storage somewhere) but also data in transit (i.e., data travelling from storage over a network of any kind). Where does your data transit through? Even if it is stored in a particular location, it may pass through locations that you do not want it going through.
The ‘how’, ‘who’ and ‘why’
The ‘how’ question is more about structuring and labelling. In thinking about the ‘how’ of data, you need to ask whether elements of data mean the same thing in each place they are stored, whether they are called the same thing, and whether they are structured in the same way.
As an example, consider how you identify a lawyer in the various systems you have. Is the identifier field called the same thing in different systems and, if so, is it the same value and meaning across the various systems?
The ‘who’ question considers access to data. Who within your firm has access to data and for what reason? Who outside your firm has access, and is there a system of control that allows you to determine permissions, particularly when it comes to SaaS systems, or can anyone in the vendor access data because they are administrators of your SaaS solution?
These questions all might seem obvious, but challenge yourself with each area of data and with each vendor with whom you are dealing and you may find some gaps.
The ‘why’ question is one that many firms find very challenging. Some view their ability to be able to retrieve data from many years ago as being a source of competitive advantage and a reason that clients come to them.
As a result, there is often an aversion to deleting data, with a just-in-case mentality prevailing. What is often missed with such an approach is that the more data that is retained, the greater the impact can be from a breach.
Asking the ‘why’ question needs to go deeper than the just-in-case response. If it is about competitive advantage, consider what clients are really after – is it the accumulated knowledge and precedents your firm possesses, along with knowledge of the historic context in which decisions were made, or is it a specific email from 15 years ago?
Aside from obvious requirements for litigation hold, what would happen if you did not have that email from 15 years ago? Would you really not be able to retain the client? The landscape is changing as more clients demand clear rules on retention and destruction.
The ‘why’ question is also illuminating in terms of people-related data. Why, for example, do you have a résumé of someone you interviewed two years ago, but did not hire? Asking ‘why’ about each area of data will often lead back to a ‘what’ question – ‘why’ do we have it, and ‘what’ do we have? Do we need a subset of the data, or any of the data at all?
There are, of course, entire disciplines around data, but using the ‘what’, ‘where’, ‘how’, ‘who’ and ‘why’ approach is a practical way to think about data and its use.
SaaS and regulation
Assuming you have a good grasp of your data, you need to apply the same analysis to SaaS solutions. This allows you to truly understand how your data will be managed and to determine whether the SaaS provider can meet your needs and the requirements imposed upon you.
You cannot outsource your custodial duties over the data for which you are responsible. Always dig deeper beyond assurances and contract terms so that you understand at a granular level where your data is, both at rest and in transit.
SaaS has many benefits and there are some very capable vendors to support you, but there is unquestionably a need for a far better understanding of your own data.
Balancing the embrace of SaaS with data regulations is very much a case of walking a tightrope.
It requires care, focus and close attention to detail – and the consequences of a fall are significant both reputationally and financially. I hope this article has prompted further thought about data classification and the use of SaaS.
Mark Andrews is Director – Global IT Service Delivery at Baker McKenzie. He has a varied background, including time in the public and private sectors, along with considerable professional services experience. He has held roles ranging from HR to management consulting and has previously been a guest lecturer in the business faculty of the University of Technology, Sydney, teaching at both Bachelor and Masters (MBA) level.