UK Warns of Concerns Over Cloud Security in US
This post appeared on our sister site, www.accountingweb.co.uk
Concerns over the security of cloud storage when servers are located in the US is raising some interesting questions among our UK readers.
If you are lucky enough to be using a modern cloud based accounting solution (or are looking at moving to the cloud) you should definitely check where your cloud data is stored. If your provider stores it on a UK data centre, then you can be pretty much assured that our laws and government provide adequate protection. The same is not true of course if your provider stores your data off-shore, certainly if it is outside the EU with one of the many US based services.
It’s worth checking with your cloud supplier but if the data centre is in the United States (such as the case for Intuit’s QuickBooks On-line or FinancialForce for example) then you are not protected by the Data Protection Act, and the FBI and other government agencies such is the IRS can under the Patriot Act 2001 gain access your data without requiring your permission.
Imagine what the implications could be of the Federal Trade Commission having access to critical business data and such data becoming available to US corporations in order to gain competitive advantage?
So whilst a UK based centre seems on first impressions to be a safer more secure bet, if it’s provided and run by an American owned entity, again no protection from such interrogation is available to you or your business. At the launch of Office 365, Microsoft’s UK MD Gordon Frazer admitted that as a business with its headquarters in the United States of America, the Patriot Act applies to them and their data centers world wide.
The question put to Microsoft at the time, which obviously impacts Microsoft Dynamics on-line services as well as users of Office 365 and applications developed to run on the Azure which Microsoft’s cloud computing platform, was “Can Microsoft guarantee that EU stored data held in EU data centers, will not leave the European Economic Area under any circumstances, even under the Patriot Act?”. Frazer explained that “as Microsoft is a US headquartered company, it has to comply with local laws” he said ”customers would be informed where possible” he could not provide a guarantee that they would be informed if a gagging order, injunction or US National Security Letter permits it.
If you are an accountant in practice and the cloud based finance software you use (and your clients use) has data centers outside of the UK, remember it is your responsibility to ensure your engagement letters inform your clients of this, and that you have their permission to conform to the terms of the Data Protection Act, to store their data outside of the UK.