Interviews with Experts


Heidi Salow 

Cloud Computing Privacy and Data Security: What Are The Issues and Emerging Options to Address Domestic and International Compliance Requirements?
June 2011

Heidi Salow
Attorney and Shareholder
Privacy, Data Security and eCommerce
Greenberg Traurig, LLP


Are we nearing the point where most companies can purchase an affordable, off-the-shelf cloud service that is privacy and security compliant in all situations? Have service providers listened to the regulators and adjusted their products and services to accommodate the regulations locally and globally? As companies, lawyers, regulators and cloud providers explore cloud questions, just what will be the overall impact on outsourcing and the trans-border flow of personal information in general?

Heidi Salow, Attorney and Shareholder, Privacy, Data Security and eCommerce, Greenberg Traurig, LLP, Washington DC, has extensive experience with global privacy, security and e-commerce matters. She shares with us her perspective on the maturity of cloud services when it comes to privacy and security compliance.

Heidi has a great deal of experience in managing complex matters involving domestic and international privacy and data security laws. Among other things, she has developed complex multi-national data protection compliance programs in the U.S., Europe and Asia. She also regularly drafts and negotiates outsourcing, service provider/vendor and partnership agreements, many of which involve cloud computing.

Nymity: What Is “Cloud Computing?”

Salow: With data storage costs plummeting, a great deal of information that was once stored on local computer hard drives is now being stored on remote servers, sometimes referred to as “clouds.” The term “cloud computing” has many meanings[1], but in general it refers to the outsourcing of data processing functions to a group of servers connected via the Internet. Cloud computing offers the scalable use of information technology (IT) resources and facilities, to save costs. In some cases, entire technological processes are transferred to the cloud; in others, cloud computing simply covers peaks in demand that overburden internal IT infrastructures.

Although cloud computing is now being hotly debated by privacy and data security experts, it is not new. It has existed since the earliest days of data processing under the rubric of “outsourcing.” Web hosting and Virtual Private Networks (VPNs), for example, were early forms of cloud computing.

There are now several different types of cloud service offerings and several different categories/types of clouds as companies, lawyers, regulators and cloud providers continue to discuss the various issues surrounding cloud computing. In addition to the initial service offerings of Software as a Service (SaaS), Storage as a Service, Platform as a Service and Infrastructure as a Service (IaaS), cloud providers are now defining different categories/types of clouds as private, public, hybrid and community clouds. As the dialog about how data may or may not flow continues, there may indeed be other types of clouds created[2].

Nymity: How does a company comply and reconcile with both U.S. and European Union Data Protection Obligations?

Salow: EU/EEA Data Protection Laws

The EU legal regime allows transfers of personal data to the U.S. only if a legally acceptable mechanism is used. Companies that need to transfer personal data from the EU to the United States have a number of options. They can: 1) obtain consent from the individuals whose personal data will be transferred; 2) obtain a US-EU Safe Harbor certification; 3) implement Binding Corporate Rules; or 4) require the entity to whom the data will be transferred to sign standard contractual clauses. The right choice depends on several variables, such as where the data will flow, for what purposes the data will be “processed,” who will perform the processing and to whom it will be made available.

Under EU data protection law, there are two entities involved -- the “data controller” and the “data processor.” The distinction between controllers and processors is not always clear in practice, but the basic concept is that a controller makes decisions about what data to collect and how to use it, while a processor merely performs operations on data only on behalf of the controller and according to its instructions. Whether an entity is classified as a data controller or data processor affects the liability of the entity for compliance with EU data protection requirements.

If a data controller located in the EU hires a non-EU-based cloud provider to process personal data on its behalf, it will have limited options from a liability perspective. It will either need to ensure that the cloud provider is Safe Harbor certified (being mindful of the limitations described below) or it will need to execute an agreement containing EU standard contractual clauses.

With respect to the latter option, the European Commission recently adopted new "controller-to-processor" standard contractual clauses ("SCCs") to protect personal data transferred from Europe to a data processor located outside the EU. Pre-existing contractual arrangements are grandfathered, but any new contracts with data processors must include the new version of the SCCs. The principal change is that a data processor (such as a cloud provider) must now obtain prior written consent from the data controller before subcontracting any of the processing, and the subcontractor must be contractually bound to the same obligations that apply to the data processor. The new SCCs came about as a result of the increased use of subcontracting for functions involving processing, storage, and technical support. This is particularly common in cloud computing, where several entities might be involved in handling and storing data. The new SCCs are designed to ensure that any European company that remains responsible as a data controller is informed about any proposed subcontracting, and that all parties handling the data are subject to the same obligations of confidentiality and security.

U.S. Privacy/Data Security Laws

Unlike in the EU, in the U.S. there are a number of federal and state privacy, data security, and computer fraud statutes. These laws are intended to protect certain types of personally identifiable information - such as credit card information, personal information collected from children, financial information and health information[3], or certain types of activities - such as sending marketing-related emails[4] or using credit information for employment purposes[5]. There are also numerous technological standards, such as those found in the Federal Information Security Management Act of 2002 (FISMA) and the Payment Card Industry Data Security Standards. They regulate certain types of entities and the collection, use (or misuse) of various types of personal data. These laws theoretically apply even if such data is transferred from the U.S. to offshore clouds. For example, state data breach notification and data protection laws are intended to protect state residents, regardless of where their personal data resides, and govern entities that do business with state residents, regardless of where those entities are located.

A principal U.S. federal statute is the 1986 Electronic Communications Privacy Act (“ECPA”), which governs access to electronic communications and records relating to such communications. Unfortunately, ECPA’s rules for governmental access to email and stored documents are not consistent, which may discourage cloud service providers from locating their servers in the U.S. A single email is subject to different legal standards depending on whether it is being transmitted between individuals, opened by the recipient or stored by an email service (e.g., cloud) provider. For example, a document opened and stored on a desktop computer is protected by the Fourth Amendment warrant requirement, but the same document stored with a cloud service provider may not be subject to the warrant requirement. If an email is left unopened on a cloud service provider’s server, it receives less protection than it did while in transit to the server. To make matters more confusing, ECPA has been subject to different and somewhat inconsistent interpretations by various courts.

A few weeks ago, Senator Leahy (the lead author of ECPA in 1986) introduced much-anticipated legislation to update ECPA. Leahy’s bill would enhance privacy protections for the contents of emails and other electronic communications. Law enforcement would need a search warrant based on probable cause. The amendments would also subject geolocation information to the search warrant/probable cause standard. At the same time, the new law would allow service providers to voluntarily disclose the contents of communications when necessary to address a cyber-attack involving their computer networks.

In sum, U.S.-based cloud services are potentially subject to a host of U.S. federal and state privacy, breach notification and data security requirements, regardless of where the data resides. In order to achieve compliance with these laws, the EU Data Protection Directive, and data protection laws in a host of other countries, cloud providers may have to adopt private or hybrid models. These deployment models make compliance much easier to achieve because the hardware, storage and network configuration is dedicated to a single client. Apparently, this is how Google has been able to meet governmental regulatory requirements such as FISMA and strict government data security policies.

Nymity: What About the Safe Harbor Program?

Salow: The U.S.-EU Safe Harbor program provides many benefits for U.S. and EU entities including the following:

  • all 27 EU Member States are bound by the European Commission’s finding of adequacy;
  • entities that become Safe Harbor certified are deemed “adequate” under EU data protection laws;
  • prior approval of data transfers by Member States is waived or approval is automatically granted; and
  • claims brought by EU citizens against U.S. entities are heard in the U.S., subject to limited exceptions.

Nevertheless, in certain countries where the data protection laws are more restrictive than elsewhere in the EEA, like Germany, Safe Harbor certification as a means of legitimizing personal data transfers is frowned upon. In fact, a few published German legal opinions have found that EU-U.S. Safe Harbor certification does not adequately meet German data protection law (called the “BDSG”) and that additional steps must be taken to meet such requirements. In addition, last summer the German Data Protection Authority (“DPA”) issued a ruling that clouds located outside the U.S. are per se unlawful under EU law. The ruling goes on to state, however, that if a company adheres to German rules on data processing and uses the EU standard contract clauses for controller-processor data transfers, it will be deemed compliant with German law.

Last year a group of German data protection officials contacted the Federal Trade Commission (“FTC”) to encourage the FTC to more closely monitor compliance with the EU-U.S. Safe Harbor framework. Thilo Weichert, head of the data protection commission in the northernmost German state of Schleswig-Holstein, also issued a press release doubting that cloud providers could become compliant with data protection laws in the EU. Other EEA countries such as Spain and Italy may take a similar stance. Thus, a company that relies on a cloud provider’s Safe Harbor certification faces some risk that a European DPA will look unfavorably on the company’s decision to store personal data in the U.S.

Nymity: Are cloud providers offering up cost-effective solutions that provide the categories/types of cloud services you describe, complete with the contractual requirements you define? In short, can most companies buy an affordable, off-the-shelf cloud service? If not, where are the gaps?

Salow: When a company or government agency considers the possible use of cloud services, the most important factors are naturally what personal information is to be collected, stored, processed, shared, transferred across borders, retained and destroyed, and where such information will flow. Regardless of the type of cloud service, other factors will dictate which laws and regulations apply, such as the types of personal information to be stored by the cloud provider, who controls it and for what purposes, where such data will flow and the choice of law specified in the contract between the parties. There is really no “one size fits all” solution because each company or government agency will have its own requirements, and foreign and/or U.S. laws will add to the complexity of any cloud computing arrangement.

Given this complexity, companies and government agencies must fully understand their compliance requirements.

Thus, a company or a government agency may opt to investigate the other emerging types of clouds, such as community or hybrid clouds created for a specific industry or specific regulatory environment. Such clouds may have been established for other industries subject to similar legal compliance requirements and may be more cost-effective than the private cloud alternative.

Finally, depending on where the data originates and will flow, it may be important to seek out cloud service providers that will sign the new EU model clauses binding all of their sub-processors to the EU requirements.

At the end of the day, companies and government agencies that plan to use cloud services must ask the right compliance questions, to ensure that the services they are purchasing are not only cost-effective, but do not subject them to potential liability which could otherwise be avoided.

Nymity: What alternatives do companies have in the meantime, while they wait for cloud service providers to develop their solutions?

Salow: As indicated above, business and government entities may want to purchase certain types of clouds that provide compliance assurances. This will allow certain economies of scale to be achieved for the near term while hopefully eliminating the need for lengthy contract negotiations and expense that may eliminate the cost savings associated with cloud computing.

Nymity: In general, as companies and government entities consider and implement cloud services, what might they be mindful of?

Salow: As companies move applications and personal data to clouds, there are a few key issues to consider:

• Internal IT Security Controls: Data processed outside a company’s network brings with it an inherent level of risk, because the processing bypasses the physical, logical, personnel and technical controls that internal IT personnel can put in place.
• Server Elasticity: One of the major benefits of cloud computing is flexibility, so the servers hosting personal data may be reconfigured or de-commissioned frequently to accommodate current capacity requirements. This means that the entity or individual which hired the cloud provider can never be 100% sure where the data resides at any given time.
• Compliance with Laws and Regulations: As explained above, companies are ultimately responsible for the security and integrity of data entrusted to them, even when it is stored in a cloud. For example, if the data is subject to Sarbanes-Oxley, HIPAA/HITECH, GLBA, the Payment Card Industry Data Security Standards (“PCI DSS”), FISMA, EU data protection laws, and/or other laws and regulations, the cloud computing provider must be able to demonstrate that it is fully compliant.
• Alleviating Customer and Employee Concerns: Companies must be able to demonstrate to employees and customers -- or anyone else from whom they are entrusted with personal data -- that such data is secure despite a lack of physical control over external systems.
• Access Controls and Monitoring of Cloud Administrators: While most companies perform background checks on their own IT administrators, they do not likely have any involvement in their service providers’ hiring processes. Encryption, tokenization, masking, auditing and monitoring, however, can reduce the risk that a rogue administrator will make an unauthorized copy of a database or engage in similar malicious behavior. By way of example, the company responsible for the data -- or a separate third party, but not the cloud provider -- should have the ability to monitor all activity in its databases in real time.
• Physical Infrastructure: It is important to determine whether the cloud provider has physical security measures in place, such as card key entry to its data center(s), video cameras, and monitoring by security personnel. Most cloud providers will have implemented these controls, but it is important to ask anyway.

Many of these issues can be addressed by negotiating a contract with robust privacy and data security provisions. Among other things, the cloud provider should agree to periodic audits and to indemnify against third party claims (including government investigations) resulting from its failure to comply with its contractual obligations.

Nymity: As cloud categories/types are refined to accommodate the various regulations, what will companies need to consider not only for their cloud solutions, but also for their outsourcing in general?

Salow: Many of the emerging cloud types -- i.e., public, private, hybrid, community or ‘to be determined’ clouds -- have already been used as corporate and government outsourcing solutions. Entities using cloud computing services for the first time, or evaluating existing cloud arrangements, may need to retrofit SLAs, policies, procedures and contracts to ensure compliance with various local laws and regulations.

Of course, while this interview focuses on the EU/EEA and U.S. laws and regulations, it is also necessary to integrate other foreign laws into the due diligence process, such as the data protection laws in Canada, the Asia Pacific, Latin America, Africa and the Middle East.

Nymity: What have we not asked that would be meaningful for our customers to know about?

Salow: Understandably, privacy and security are major concerns for entities that transfer data and/or IT resources from locally-maintained servers to cloud computing systems. Although cloud computing is not new, there is still a good deal of debate and uncertainty surrounding it - particularly in the EU. The 2009 European Network and Information Security Agency (ENISA) report, “Security and Resilience in Governmental Clouds,” illustrates some of these concerns.

The report states that public administrators and organizations holding highly sensitive data, such as hospitals, must develop new data models and review risk levels. In addition to implementing robust contractual protections, ENISA recommends adopting a legal framework for data storage outside of national boundaries to avoid exposing citizens and economies to “unacceptable risk.”[6]

Best practices include:

1) strong password protection,
2) tight access controls,
3) physical security where servers are located,
4) good Service Level Agreements (SLAs) with cloud providers,
5) mandating background checks for third-party IT administrators and others with access to personal data,
6) ensuring that data center employees are bonded/insured,
7) requiring cloud providers to sign Non-Disclosure Agreements, and
8) other strong contractual protections such as indemnification and audit rights.

If these best practices are followed, the benefits and cost savings associated with cloud computing will likely outweigh the risks.


__________________________________

[1] One widely accepted definition has been offered by the National Institute of Standards and Technology (NIST): “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.”
[2] Cloud Computing Privacy and Security: Domestic and International Issues, IAPP Privacy Advisor, May 2011, by Heidi Salow.
[3] See, e.g., Children's Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501–6506 (1998), Health Insurance Portability and Accountability Act (“HIPAA”), 42 U.S.C. § 300gg and 29 U.S.C. § 1181 et seq. and 42 U.S.C. 1320d et seq. (1996) and Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. 7701, et seq. (2003).
[4] CAN SPAM Act, 15 U.S.C. 7701 et seq. (2003).
[5] Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.
[6] See http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment (last visited April 24, 2011).
