The (encryption) key to dealing with data insecurity

Ah, the cloud. Much has been written about the benefits and drawbacks of storing massive amounts of corporate data in remotely located servers around the globe. As a lawyer who works with technology companies, I feel that one of the less appreciated disadvantages of the wholesale movement of data to the cloud is the extent to which it can cause lawyers to lose sleep (and hair).

The first problem that we lawyers have when we hear "data" and "cloud" used in the same sentence is that data is valuable, and the cloud concentrates that value. Having large amounts of business and consumer data stored on Internet-connected servers tends to attract the wrong sort of attention. To paraphrase Willie Sutton, this happens because large storage providers are where the data is. Fortunately, the largest providers (like the banks that drew Sutton's interest) know this, and so they build strong walls and safeguards to secure the ever-increasing amounts of data they are contracted to store.

But as the amount of stored data increases, the law of large numbers predicts that the number of attempted and successful intrusions will rise as well. And so it has. For instance, from January 2009 to February 2012, there were approximately 300 publicly reported data breaches, and an unknown but likely larger number of unreported incidents. The Identity Theft Resource Center reported that hacking represented over 30% of the data breaches recorded during the first six months of 2012, on pace for a record year.

The second problem is that the damages from a data breach can be breathtakingly large. Even if a business merely suspects a security breach, the costs begin to pile up. First, the task of discovering the nature of the breach and the extent of the damage will require technical and legal experts and their associated fees. If the investigation requires critical servers to be taken offline, then any lost revenues will add to the total. Further legal assistance will be required to evaluate the potential liability (especially if any sort of financial or healthcare data is involved), analyze mitigation strategies and navigate the patchwork of federal and state laws related to data privacy and security. Notification of customers and associated remedial measures, including arranging for data theft insurance for affected individuals, will also not come cheap. Finally, there is the unquantifiable reputational damage from the publicity surrounding such an event -- the affected business may need to undertake broad marketing campaigns to overcome the negative impressions and win back customers.

Faced with these two problems, lawyers asked to advise on a cloud-computing plan might be inclined to just say no rather than compromise their ability to get a good night's sleep. But balanced against these very real drawbacks are benefits that are just as real: the ease of use and lower cost afforded by cloud-based storage. Denied the option of saying no, the lawyers turn their attention to the cloud-computing contract and use it to assign responsibility and liability between the parties. In legal jargon, this task is known as "risk allocation."

Naturally, data security liability is often the subject of aggressive negotiations, especially in an environment where the background threat level is much higher than in the past. For obvious reasons, customers desire the best security possible for their data. Providers, for their part, will assume responsibility for their own failures but are keenly aware that hackers may penetrate even the best-defended system. The argument about risk allocation tends to become an even louder argument about the provider "insuring" its customers against the risk of a data breach. After the shouting dies down, the parties are generally able to reach agreement after evaluating the types of data involved and the security measures to be used. One security measure, encryption, seems to be more effective at pacifying the parties than any other.

From a business perspective, encryption theoretically reduces the value to third parties of any data compromised in a breach, thereby mitigating the associated cleanup costs. From a legal perspective, this reduced value lowers the risk to be allocated and shifts the focus to the encryption techniques to be used. As a bonus, encryption may provide data owners with a degree of control over the data that they otherwise would not have in cloud-computing environments. For example, document retention policies may be made more "cloud-compatible" with a combination of encrypted data and time-sensitive keys.

Of course, all technologies involve trade-offs. Encryption requires higher processor overhead at one or more levels of the storage chain (although Moore's Law should help with this). Customer-level encryption offers more control over the encryption techniques and key-handling procedures, but it may increase storage consumption requirements due to abandoned-data issues.

I will leave it to the experts to sort out the technical details regarding best practices, but my sense is that the standardization of cloud-based encryption will help resolve a number of operational and legal challenges facing providers and customers (subject to the lawyers identifying new issues created by its implementation).

It may even leave more lawyers with a full head of hair.

Brian Henchey is a partner in the corporate section of Baker Botts, representing clients in connection with cloud computing agreements, large-scale outsourcing transactions, technology licensing and other technology transactions. He no longer has a full head of hair.
