Whether you realize it or not, you are probably storing some personal or business data in the cloud. The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. [1] Within this cloud model, there are five essential characteristics, three service models, and four deployment models.[2] In other words, the idea of “cloud computing” is really all-encompassing at this point in time.
Gartner has predicted that by 2020, a no-cloud policy will be as rare as a no-internet policy today.[3] Cloud services globally will reach $312 billion annually by 2019, with year-over-year growth of over 15 percent.[4] The cloud services industry is the fastest growing segment of IT spending as a whole, because organizations continue to take advantage of the high degree of standardization, self-service functionality, and level of automation offered by paying only for what they need when they need it.[5] The more information that we allow to be transmitted and held outside of a physical device, the more we need to be vigilant about how that data is being protected.
There are three big issues that every company should be aware of before engaging a cloud computing service:
-
understand various jurisdictional privacy laws;
-
understand how the cloud service provider will protect your data; and
-
understand and explore different encryption tools for your data. This level of awareness will by no means ensure a leak-proof data security policy, but it will, at the very least, facility the ability to utilize a privacy-by-design approach for your data holdings.
When we talk about data privacy in the cloud, the first thing that we need to recognize is that this concept of “privacy” is really a misnomer. Depending on the type of cloud provider with whom you contract, you’ll have to consider if your data is going to be mined by the supplier or others. Typically, cloud storage is accompanied by a clickwrap agreement, wherein you agree to be bound by certain rules and restrictions of the cloud service provider. READ THIS DOCUMENT CAREFULLY! You need to understand the level of access that the service provider has to the data you are storing in the cloud. If this is an area of concern, don’t just blindly sign a service agreement without first negotiating third-party access to your data.
If you are storing data in the cloud, you must also consider the type of data that is being warehoused because certain data types implicate different security obligations. For example, if the data you have implicates The Health Insurance Portability and Accountability Act (HIPAA) or The Gramm-Leach-Bliley Act (GLBA), you have to ensure that your cloud provider protects the privacy of the data in compliance with those more stringent security requirements. Your cloud service provider may have obtained certain certifications for compliance standards and controls; if so, find out what those certifications are and whether they comport with your own security obligations for the data you are storing.[6] The same goes for data collected from any EU nation, because that data is governed by the European Union’s Data Protection Directive.[7]
Some companies, such as Google Cloud Platform and Amazon Web Services, allow you to designate what region your data will be stored.[8] Keep in mind that service providers are required to comply with the local laws of the region where the servers are actually located. Even if you’ve entered into an agreement with a company in the United States, if the servers are being hosted in a different country, it is likely that country’s privacy laws will govern how your data is protected. If you are concerned about the level of access and security controls in place, you should inquire as to where, exactly, your data is being housed.
The United States still lacks comprehensive data privacy laws or cloud protocols. At best, the FTC enforcement actions have taken action against companies that don’t live up to their privacy terms of service, but that’s about as far as regulations have gone thus far. This article should serve as a reminder to be vigilant about not just who you’re doing business with in the cloud, but to take a deeper look at what data you are storing on the cloud, and what steps your service provider is taking to protect that data. For a better understanding of the data privacy that has been offered to you by your cloud service provider, ask us to audit the data you are storing in the cloud and review your service contract and the company’s compliance certifications.
[1] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf; see also https://www.ibm.com/cloud-computing/learn-more/what-is-cloud-computing
[2] Id. (referencing the “essential characteristics” as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service; defining the “service models” as software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS); defining the deployment models as private cloud, community cloud, public cloud, and hybrid cloud).
[3] Predicts 2016: Cloud Computing to Drive Digital Business (Gartner)
[4] Gartner (2015, August 26) Forecast Analysis: Public Cloud Services, Worldwide, 2Q15 Update
[5] Forrester (2015, December 8) TechRadar Cloud Computing Q4 2015
[6] Google publishes its compliance certifications here: https://cloud.google.com/security/compliance
[7] In July 2016, the European Commission concluded that the EU-U.S. Privacy Shield Framework provides an adequate mechanism to allow EU companies to comply with requirements under the Directive in connection with transfer of personal data from the European Union to the United States. If you do business with any European companies and are storing data in the cloud, you should ensure that they are certified under Privacy Shield. Certification information can be found here: https://www.privacyshield.gov/list.
