Cloud-based Data Storage: The Government vs. MSPs?
As if hackers and cloud outages didn’t offer enough headaches for MSPs and their SMB clients, there is another potential liability that has been brought to light by a column in the Huffington Post. That liability is known as the government. Apparently there is currently no coherent, national standard regarding how much access the government has to data stored in the cloud. Here’s the update.
While data stored locally on a hard drive is protected by the Fourth Amendment of the Constitution (basically meaning a warrant issued by a judge is needed for the government to look at it), the US Justice Department is arguing data stored on the cloud is not subject to Fourth Amendment protection. This would mean a prosecutor or FBI agent could issue a subpoena to gain access to data stored in the cloud, with no court approval needed.
According to the Huffington Post, different local appeals courts have made different rulings on this matter, meaning cloud-stored data may be protected more in some states than others and that currently its protection from government snooping is a gray area. Until and unless the Supreme Court makes a final ruling, there will probably continue to be legal uncertainties surrounding this issue. So what is an MSP who is storing client data in the cloud, especially data from an SMB who especially relies on proprietary information to remain competitive, to do?
At least until the Supreme Court clears up the confusion regarding how much access the government has to cloud-stored data (which could be decades, according to the Huffington Post), MSPs need to handle data storage on the cloud with care.
Vet your clients before providing cloud-based data storage services. Even a business with a handful of people could be involved in complex transactions that attract the attention of the government.
- Are they involved in global import/export?
- Do they have a history of lawsuits and/or legal trouble?
- Do they handle government contracts?
- Is it clear who the owners are, or could this SMB be a shell company for another, less reputable corporation?
Also, being upfront with clients about possible government snooping risks is probably the best way to go. If the government does subpoena data you have stored for a client on the cloud, fighting it will require an expensive and lengthy legal process. The government has numerous full-time lawyers and taxpayer funding at its disposal. You don’t.
Realistically, fighting a government attempt to access data you have stored on the cloud is an extremely tough proposition. Taking caution to ensure it doesn’t happen, or to minimize the fallout if it does, is the best way of dealing with this unique cloud liability.