Australian Computer Society chief executive, Anthony Wong
As Distribute.IT's server compromise and subsequent acquisition by Netregistry Group this week has shown, companies who are the subject of a hack attack can be taken out of business permanently. The scale of the Distribute.IT disaster raises issues both for customers who use hosting providers to store sensitive business information and for the providers themselves.
That the incident should happen when there is increasing hype around the use of Cloud services, with organisations either hosting assets in the Cloud or using hybrid private/public models, throws into stark relief the legal minefield enterprises face when they rely on another party to store their data.
While Distribute.IT's customers and remaining assets have been transferred, customer data on four servers, along with the backups, has been wiped — forever.
So what can hosting providers do to avoid a similar fate, and what can businesses do to safeguard data?
Australian Computer Society (ACS) chief executive, Anthony Wong, says the Distribute.IT case has some parallels with an incident in the US in 2009, when internet service provider Core IP Networks was raided by the FBI and a multi-tenant server from a data centre was taken to gather evidence in an investigation of an attempt to defraud $US15 million from Verizon and AT&T.
"Unfortunately this disrupted the businesses whose data and information was hosted on the same server," says Wong "One company called Liquid Motors went out of business because it no longer had a system to use."
He says customers should go through service level agreements (SLAs) with a fine tooth combs. "They [customers] need to review those service levels and look at those responsibilities," Wong says.
"Most standard agreements trigger a force majeure or Act of God clause that relieves the affected party of its obligations when disaster occurs. In this case, Distribute.IT could say it was an Act of God because someone hacked the system and it was beyond their control. A customer has to look at that clause because if the system is critical to their business operation; they should negotiate the SLA and contract."
There can be legal hurdles, particularly when using Cloud, such as compliance issues, SLAs and performance, cross-border issues, data protection, privacy and termination.
"There is no law for cyberspace or Cloud computing for the internet in Australia, however there are a number of specific laws that apply such as the Electronic Transactions Acts, Privacy Act 1988, the Cybercrime Act 2001 and the Spam Act of 2003," Wong said.
One issue that is pertinent in the Distribute.IT case is preservation and retention of data, because record retention requirements will not be the same for each organisation.
"It has been asserted there are over 450 separate Acts of Parliament in Australian that contain provisions dealing with retention of records," Wong said.
"Courts are not likely to be very understanding just because your data is in the Cloud."
For people running a business, he says there is an obligation to retain online records for tax purposes.
"In this case with Distribute.IT, it sounds like most of the customers used it for their websites as well as emails. I assume the records of all those transactions are gone due to the data being lost. If the backups are lost, how are they going to comply with data retention and preservation for business records?" he said.
According to Wong, companies needed to look at four key issues with legal compliance including a review of corporate governance and industry regulation requirements, compliance with mandatory disclosures and financial reporting, as well as checking if there were special standards and compliance for the particular industry and being able to comply with data retention requirements during litigation.
"One example is financial services companies must first notify Australian Prudential Regulatory Authority (APRA) before conducting an offshore data transfer," says Wong.
"Financial services companies must demonstrate appropriate risk management and governance procedures where is the potential to compromise such as confidentiality and integrity of sensitive data."
Another common issue faced by businesses when selecting a hosting provider or Cloud service is which country's court system would settle a dispute if the data is stored offshore.