When Online File Storage Gets Legal: Regulatory Compliance

With the ease and accessibility of online file storage, it’s no surprise that many organizations are turning to cloud service providers. But at the same time as tapping into apparently limitless resources at bargain prices, storing your files in someone else’s servers may raise certain regulatory issues. These include confidential data that is transmitted outside its country of origin, confidentiality and encryption, and specific requirements for data recovery after backing up files.
Starting Off With SOX
The Sarbanes-Oxley Act (SOX) applies across the board to all publicly held companies in the US. Access controls and authentication, logging of system events and successful access attempts, a five-year data retention period and a commitment to prevent the alteration, destruction or concealment of records are all part of the obligation to comply. SOX doesn’t specify how data storage is to be done, but any online file storage has to stack up against these requirements. Other countries have ‘SOX-equivalent’ laws – for example, in Japan, it’s ‘J-SOX’. Similarly, a company doing business in Europe must observe the Data Protection Act of the European Union.
Online File Storage in Finance and Health
Money makes the world go round, making close control of financial data mandatory. Official mechanisms for checking up on financial institutions include FINRA compliance and SEC rules. The Gramm-Leach-Bliley Act specifies requirements for the storage of the personal financial data of consumers by any financial organization. In the health sector, data security requirements feature in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for US organizations, the Regulation of Health Information Privacy in Australia and the Health Privacy Code in New Zealand, just to mention a few cases. Any files stored online must have end-to-end data protection in terms of both integrity and confidentiality.
Government Gives Guidance to its Agencies
Governments may try to steer their agencies towards enterprise-class online file storage, rather than consumer-level services. Despite the possible additional cost, reasons for this include the difficulties that consumer offerings may pose concerning security, privacy, copyright and retention of public records. In particular, the ‘click-through’ agreements in such consumer offerings make it more difficult for agencies to conduct specific data searches and often associate the subscription with a person, not an organization. If the employee responsible for subscribing to the service leaves the agency, the agency may well find it can no longer access the files stored online.
The Online Outlook for Lawyers
Online file sharing sites present particular challenges for members of the legal profession. Risks include the lack of assurance that files stored online will be deleted after users have finished with them. In addition, many protective or restraining orders require that associated data are definitively destroyed once the case is complete. Third-party access may also be a danger, not just by employees at the online file storage company but also by partners with which the online file storage company works to provide storage space. A maxim about using online file storage in the legal profession is to ‘only store online data you can accept losing’ – which may also be a good rule of thumb for agencies and organizations in general.