Lawyers warn of cloud rogue risks

Beverley Head
Monday, 21 November 2011 13:16

Organisations which jump into the cloud without performing some form of due diligence on the personnel who will have access to their data are exposing themselves to high levels of risk according to international legal firm Norton Rose.

The firm has released its second international outsourcing survey, which also examines cloud computing and offshoring. Although a relatively small sample - 74 companies - was interviewed for Norton Rose's Outsourcing in a Brave New World report, it offers important insights as to what could well become cloud best practice.

According to Michael Park, a technology partner in the firm's Australian practice; 'Where a company puts any elements of its business into the cloud it must ensure that due diligence has been undertaken on the suppliers' staff given that they may have access to data about the company and its clients.'

But the firm's research found that two thirds of companies weren't conducting that level of detailed due diligence of a supplier's staff, and also found that some suppliers actively discouraged the practice. In fact 35 per cent of customers conduct no due diligence on a supplier's personnel whatsoever.

As the Norton Rose report notes; 'We were surprised at these results. A project manager who has misrepresented his qualifications might fatally damage a project. In light of the prevailing economic climate and the fallout from rogue employees at Satyam and EDS, we think that customers should review their processes to ensure they are properly protected.'

The report made clear the potential risks of failing to properly protect data - especially for financial institutions using outsourcers of cloud providers.

'It is not just data privacy regulators who can impose fines on financial institutions, financial regulators can too. For example, the UK FSA imposed a £2.75 million fine on Zurich Insurance plc when its captive outsourcer in South Africa lost customer data.'