Emails stored in the cloud may be exposed to access by other entities and governments
One of the easiest applications to move into the cloud is email messaging services. For most organizations, the email application stands alone and therefore can be easily exported to the cloud. On the positive side, this can reduce costs and free up resources that can be better used elsewhere.
Unfortunately, most executives are unaware of the potential risks they are taking by doing so. Business and IT executives need to fully understand the risk exposures and ensure, to the best of their abilities, that the business is maximally protected.
Metadata and Content
For all data that is kept in a file or database somewhere, there is the actual data itself and data about the data, i.e., metadata. For emails, metadata is envelope information such as the sender, receiver, date of transmission, and file size. According to rules in the U.S. and most other countries, the metadata is considered a business record while the contents of the email are treated as personal communications.
When an enterprise employs a cloud service provider (CSP) to handle its email services, it is authorizing the CSP to have access to the metadata. This can be used for archiving, billing purposes, restoring lost records, etc. This authorization may be for the duration of the contract or it may be for as long as the records are retained at that CSP, which could be for years after contract termination.
Most companies do not intend to allow the CSP to have access to the email contents. But if the terms are not clearly called out in your contract, then the CSP may use the content for its own purposes without informing anyone within your organization.
Business records (metadata) are much easier for government agencies to obtain than personal communications. In the U.S., the email itself is protected by the Constitution's Fourth Amendment, which protects against unreasonable searches and seizures.
Thus, it is not too difficult for government agencies to subpoena your business records from your CSP without your knowledge. But a warrant is needed to actually search the emails themselves. The CSP may or may not inform you of the warrant request.
Current Cloud Challenges
Some current legal actions raise issues that business and IT executives should be aware of and think about relative to their own emails. In the July 30, 2014 Wall Street Journal, the Microsoft general counsel and executive VP for legal and corporate affairs discussed the company's upcoming hearing concerning the federal government's attempt to force it to turn over customer emails stored exclusively in other countries.
The emails are stored in Microsoft's Dublin, Ireland data center, which services customers outside of the U.S. The federal government is asserting that the emails you store in the cloud do not belong exclusively to you but are the business records of the CSP. This gives the government easier access, and you do not need to be notified of the request.
This government action does not conform to last month's unanimous Supreme Court decision, in which the court concluded that a warrant was needed before a government agent could search a cell phone. Here the court concluded that an individual's email account is an electronic "cache of sensitive personal information."
Nonetheless, in this case, a U.S. judge deemed U.S. law can apply anywhere in the world if a U.S.-headquartered technology company has control over data in a foreign land. The ruling will be stayed to allow Microsoft time to appeal.
Moreover, quite recently the British passed a law asserting their right to require technology firms to produce emails stored anywhere in the world, including those of U.S. citizens who have never been to the UK. These invasive actions may just be the beginning of an assault by multiple countries on private email correspondence.
Furthermore, if these redefinitions of the rules take hold, then the CSPs themselves (or employees with their own personal agendas) could assume they have rights to the content of corporate emails. None of this is good news for cloud service providers, privacy rights or organizations that store emails in the cloud.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.