Is it safe to store your documents in the cloud? Financial advisors dealing with sensitive data have more client confidentiality issues to worry about than most business people. Before you beam your data and your clients onto the Internet, some due diligence is required.
Cloud storage has become increasingly popular in the past few years. Simply put, it means transferring your data to a remote storage service via the Internet. This offers several benefits.
The first is resilience. If your main computer’s hard drive is corrupted, you can get your files back by accessing your storage in the cloud and copying it all back to your hard drive.
Second, cloud-based services are great for synchronization. You can automatically copy your files to the cloud from your office PC, for example, and then replicate them on your iPad or your smartphone, as well as on your Mac at home.
Finally, the cloud makes it possible to share files more easily, and to collaborate on them. This can be useful when sending large files to clients or colleagues that would be difficult to deliver via email. And, unlike email storage, central file storage makes files easy to find.
Sharing information in the cloud is legally permissible for financial advisors. In some Canadian jurisdictions, such as British Columbia and Nova Scotia, public-sector organizations are prohibited from outsourcing their records to cloud storage providers. However, excepting these restrictions, the law is relatively hands-off.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is the go-to legislation when discussing the protection of sensitive data. The legislation includes 10 principles, one of which is safeguarding information.
Who is responsible if information isn’t safeguarded well and a client’s sensitive private records are compromised while stored in the cloud? In Europe, a new data-protection regulation will make the cloud storage provider liable for damages if it mishandles individuals’ data. The provider could be subject to large fines amounting to 2% of its overall revenue if it contravenes the new law.
However, in North America, the onus is still squarely on the controller of that information (in this case, you, the financial advisor) to protect sensitive information adequately when outsourcing to a third party.
That may be worrisome, but it also is comforting because it forces you to put your own controls in place, securing your data before it is uploaded to a cloud provider.
Safeguarding information includes physical controls (such as locking your desk drawers) and organizational measures (such as restricting access to certain individuals on your team). Perhaps the most significant measure, though, is the use of technological tools, such as encryption.
Done properly, encryption is still one of the most powerful security tools, and it can complement the cloud synchronization services that have appeared over the past few years. Encryption scrambles a file using a digital key and can be unlocked only with the right credentials. So, even if the file is intercepted, an intruder won’t be able to understand it.
Before considering a move to the cloud, you should understand the difference between encryption in transit and encryption at rest. Any cloud service worth considering will encrypt your data while it is in transit – that is, when it is both being sent to the cloud from your computer and being beamed back to your other devices from the Internet. This process stops snoopers who may be monitoring your network or wireless connection.
However, not all cloud synchronization services encrypt your data once it is stored in the cloud provider’s huge bank of hard drives – at rest. This means that if an intruder is able to grab the file by hacking the cloud provider’s server, your information is compromised.
Evernote, provided by Moun-tain View, Ca.-based Evernote Corp., for example, is one of the most convenient cloud storage options available. It allows users to upload everything from text notes to images, scanned documents and even audio. However, Evernote doesn’t automatically encrypt data on the server. Users must select specific text in a text note and ask for it to be encrypted. And that won’t work with a scanned document, however.
Conversely, Sugarsync Inc., a San Mateo, Ca.-based cloud synchronization service, will encrypt data both in transit and at rest. However, it is a pure synchronization service and lacks the additional functionality of Evernote (which can read your scanned documents and images, recognize the text, and make it searchable).
Some cloud storage offerings, such as San Francisco-based folder synchronization service Dropbox Inc., will encrypt your data at rest and also hold the decryption keys to your information. This makes it theoretically possible for Dropbox employees to access your data illegitimately – or for government agencies to subpoena it.
Interference by government is the subject of one of the biggest debates in the cloud-storage sector at present. The U.S. Patriot Act enables the U.S. government to subpoena any data held by a cloud storage provider, making encryption at rest a moot point. If the U.S. government wants to access your client’s data, it could just demand the decryption keys from the cloud storage provider. This has led cloud users to question the wisdom of storing data with a provider located in the U.S., and to ask for Canada-based cloud storage.
All this controversy is a distraction, however. The truth is that your data is not completely safe anywhere. Canadian financial advisors storing their data with a Canada-based cloud storage provider must ensure that the provider is not a subsidiary of a U.S. company, otherwise it is still subject to the U.S. Patriot Act.
Even advisors storing their data with Canadian-owned cloud providers will find Canadian laws just as draconian. Canada’s Bill C-12, currently making its way through Parliament, will cement existing rules under PIPEDA, enabling government agencies to obtain data from companies without a warrant.
The upshot is that financial advisors using the cloud should encrypt their sensitive data at the source. There are free tools available for this. Redmond, Wa.-based Microsoft Corp.‘s Windows already has an encryption mechanism called Bitlocker built into it, and other software tools such as the open-source Truecrypt can be used to encrypt entire folders. You can then keep the password used to unlock your data in your head, and even complement it with a specially encoded USB key that must be used in conjunction with the password.
By all means, use the cloud. But understand what must be done to protect your data before it is uploaded. Once it’s up there, you never can be sure where it might end up.IE
© 2012 Investment Executive. All rights reserved.