In this two-part series, legal expert Robert McHale, author of Data Security and Identity Theft: New Privacy Regulations That Affect Your Business, provides a comprehensive overview of the legal security and privacy risks associated with cloud computing.
Part 1 discusses the principal federal and state laws regulating cloud activities.
Part 2 provides a practical due diligence checklist companies should consult before entering into a cloud service agreement.
While storage of user data on remote servers is hardly a recent phenomenon, the current explosion of cloud computing warrants a closer look at the associated privacy and security implications.
Cloud computing carries with it its own unique risks regarding the privacy, confidentiality, and security of business information, which companies must fully assess before migrating to the cloud. Armed with an appropriate legal compliance and risk-management strategy—and strong, fully-negotiated contractual protections—companies should be able to safely transfer their data and applications to the cloud.
Part I of this article discusses the principal federal and state laws regulating cloud activities, and the legal security and privacy risks associated with cloud computing.
U.S. Laws and Regulations Governing Data Security and Privacy
The United States has numerous federal and state data security and privacy laws with implications for cloud computing. Unfortunately, there is not a single, comprehensive legal framework in which the rights, liabilities, and obligations of cloud providers and cloud users are regulated or defined. Instead, U.S.-based cloud users and providers must rely upon a veritable hodgepodge of (oftentimes) sector-specific laws to evaluate their legal risks and obligations, and the contractual terms between them.
The most notable data security and privacy laws are examined here.
The European Union Data Protection Directive
The location of information stored in the cloud can have a profound impact upon the level of privacy and confidentiality protections afforded the information in question, and upon the privacy obligations of the cloud provider.
For instance, the European Union’s Data Protection Directive, which regulates the processing of personal data within the EU as a means to safeguard individual citizens’ privacy, is of particular significance.
Under the EU Data Protection Directive, personal data may be transferred to third countries (non-EU member states) only if that country provides an “adequate” level of protection. Most notably, the United States is not on the list of countries that meet the EU’s “adequacy” standard for privacy protection. Accordingly, an organization that does its processing in the cloud may be violating EU law if its data is sent to a server outside the EU in a country that does not meet that standard, such as the United States.
In order to provide a means for U.S. companies to comply with the Directive (and thereby ensure continued trans-Atlantic transactions), the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor Program” designed to protect against accidental information disclosure or loss.
Cloud Security and Privacy: A Legal Compliance and Risk-Management Guide, Part 2
Due Diligence and Cloud Service Agreements
An organization’s contractual agreement with a cloud service provider is perhaps the most critical component in evaluating cloud computing risks, and therefore should be carefully examined before entering into a cloud relationship.
Cloud Service Agreements (CSAs) should clearly describe the services provided, guarantees, warranties, limitations, liabilities, and the responsibilities and rights of each party.
Proper due diligence requires inquiry into the following categories of concern: data security, performance, limitations of service, data migration, government and third-party litigation access, handling of trade secrets/confidential information, and exit plans, all of which are discussed in detail below.
Data Security
To properly manage the operational risk associated with cloud services, the cloud provider’s level of data security should be carefully examined. At a minimum, the following should be ascertained:
- Is the cloud provider contractually obligated to protect the customer’s data at the same level as the customer’s own internal policies?
- Who has access to customer data, and what are their backgrounds?
- Where is the provider’s data center physically located, and what safeguards exist to protect data centers from unauthorized access (for example, 24/7 security personnel)?
- Does the provider promise to maintain user data in a specific jurisdiction and/or to avoid certain jurisdictions?
- What are the provider’s migration policies regarding moving data back internally or to alternate providers? (Companies need to make sure that no data is lost or falls into the wrong hands.)
- Does the provider conduct regular backup and recovery tests?
- Do the provider’s security policies comply with all applicable regulatory rules?
- Is the provider willing to undergo on-demand or periodic audits and security certifications?
- Is the provider required to investigate illegal or inappropriate activity?
- Is the provider required to disclose any new vulnerabilities that may affect the confidentiality of customer data, or the integrity and availability of their services?
- In the event of lost or compromised data, can the data be backed up, and can it be easily reconstituted from the backups?
- What are the provider’s policies on data handling/management and access control? Do adequate controls exist to prevent impermissible copying or removal of customer data by the provider, or by unauthorized employees of the company?
- What happens to data when it is deleted?
- What happens to cloud hardware (for example, trailers of servers) when the hardware is replaced?