I. What is “Cloud Computing?”


With data storage costs plummeting, a great deal of information that was once stored on local computer hard drives is now being stored on remote servers, sometimes referred to as “clouds.” The term “cloud computing” has many meanings, but in general, it refers to the outsourcing of data processing functions to a group of servers connected via the Internet. Cloud computing offers the scalable use of information technology (IT) resources and facilities to save costs. In some cases, entire technological processes are transferred to the cloud; in others, cloud computing simply covers peaks in demand that overburden internal IT infrastructures.


Although cloud computing is now being hotly debated by privacy and data security experts, it is not new. It has existed since the earliest days of data processing under the rubric of “outsourcing.” Web hosting and Virtual Private Networks (VPNs), for example, were early forms of cloud computing.


There are now several different types of cloud service offerings.


  • Software as a Service (SaaS) — application software that is not installed on the customer’s own computer hard drive but is made available as needed via external servers;

  • Storage as a Service — data backup and archiving services;

  • Infrastructure as a Service (IaaS) — allows the cloud provider to host entire IT infrastructures, including server-side hardware such as servers, firewalls, switches, routers, load balancers, VPNs, etc.; and

  • Platform as a Service (PaaS) — provides access to an entire data processing environment, consisting of the hardware described above plus an operating system and related server, device management and database controller software.


There are also several different types of clouds.


A private cloud is a group of networked computers, all of which are run by a single data processing entity. Private clouds include virtualized desktops, which allow employees to access their desktops via thin clients, mobile laptops or devices or other types of computers. Private clouds also refer to computer networks formed by affiliated entities, such as entities within the same corporate structure.


Public clouds involve processing data via worldwide networks of distributed servers and server farms owned by one or more providers. Public clouds are offered by huge global IT companies such as Amazon (EC2), Google, Microsoft, IBM and Hewlett-Packard. In addition to these commercial providers, a number of public—primarily academic—institutions offer cloud computing.


A hybrid storage cloud uses a combination of public and private storage clouds. Hybrid storage clouds are often useful for archiving and backup functions, allowing local data to be replicated to a public cloud.


A community cloud involves the sharing of infrastructure by several organizations with similar requirements. The costs are spread over fewer users than a public cloud but more than a single user. This type of cloud service may offer a higher level of privacy and security. Examples of community clouds include Google’s “Gov Cloud.”


One widely accepted definition of cloud computing has been offered by the National Institute of Standards and Technology (NIST).


According to NIST, “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.”


II. Compliance with and Reconciliation of U.S. and European Union Data Protection Obligations


EU/EEA Data Protection Laws


The 1995 European Union (EU) Data Protection Directive (1995 Directive) prohibits the transfer of personal information to countries whose laws do not provide an “adequate” level of data protection. The U.S. is one of those countries because it has no omnibus privacy or data protection laws that meet EU data protection standards.


Nevertheless, the EU data protection regime allows transfers of personal data to the U.S. if a legally acceptable mechanism is used. Companies that wish to transfer personal data from the EU to the United States have a number of options. Such companies can: 1) obtain consent from the individuals whose personal data will be transferred; 2) obtain a U.S.-EU Safe Harbor certification; 3) implement Binding Corporate Rules; or 4) require the entity to which the data will be transferred to sign standard contractual clauses. The right choice depends on several variables, such as where the data will flow, for what purposes the data will be “processed,” who will perform the processing and to whom it will be made available.


Under EU law, there are two entities involved—the “data controller” and the “data processor.” The distinction between controllers and processors is not always clear in practice, but the basic concept is that a controller makes decisions about what data to collect and how to use it, while a processor merely performs operations on data on behalf of the controller and according to its instructions. Whether an entity is classified as a data controller or data processor affects the liability of the entity for compliance with EU data protection requirements.


As discussed in more detail below, EU-based companies that engage cloud providers operating outside the EU have limited options in adhering to EU data protection requirements.


U.S. Privacy/Data Security Laws


Unlike in the European Economic Area (EEA), in the U.S. there is a patchwork of federal and state privacy, data security and computer fraud statutes. These laws are intended to protect certain types of personally identifiable information—such as credit card information, personal information collected from children, financial information and health information—or certain types of activities, such as sending marketing-related e-mails or using credit information for employment purposes.


They regulate certain types of entities and the collection, use (or misuse) of various types of personal data. These laws theoretically apply even if such data is transferred from the U.S. to offshore clouds. For example, state data breach notification and data protection laws are designed to protect state residents—regardless of where their personal data resides—and govern entities that do business with state residents, regardless of where those entities are located.


Another principal U.S. federal statute is the Electronic Communications Privacy Act (ECPA), enacted in 1986. Unfortunately, ECPA’s rules for governmental access to e-mail and stored documents are not consistent, which may discourage cloud service providers from locating their servers in the U.S. A single e-mail is subject to different legal standards depending on whether it is being transmitted between individuals, opened by the recipient or stored by an e-mail service (e.g., cloud) provider. For example, a document stored on a desktop computer is protected by the Fourth Amendment warrant requirement, but the same document stored with a cloud service provider may not be subject to the warrant requirement.


If an e-mail is left unopened on a cloud service provider’s server, it receives less protection than it did while in transit to the server. To make matters more confusing, ECPA has been subject to different and somewhat inconsistent interpretations in various court decisions.


In sum, if a company engages a cloud provider to handle personal data associated with U.S. residents, it will potentially be subject to a host of U.S. federal and state privacy, breach notification and data security requirements, regardless of where the data resides. In order to achieve compliance with laws such as the Federal Information Security Management Act of 2002 (FISMA), HIPAA and Sarbanes-Oxley in the United States, the EU Data Protection Directive and the credit card industry’s data security standards (PCI DSS), cloud providers may have to adopt private or hybrid models. These deployment models make compliance much easier to achieve because the hardware, storage and network configuration is dedicated to a single client. Apparently, this is how Google has been able to meet governmental regulatory requirements such as FISMA and strict government data security policies.


Are Safe Harbors Really Safe?


In order to bridge the different approaches to privacy and provide a streamlined means for U.S. companies to comply with the 1995 Directive, the U.S. Department of Commerce and the European Commission developed a “Safe Harbor” program. The U.S.-EU Safe Harbor program provides many benefits for U.S. and EU entities. For example,


  • all 27 EU Member States are bound by the European Commission’s finding of adequacy;

  • entities that become Safe Harbor certified are deemed “adequate” under EU data protection laws;

  • prior approval of data transfers by Member States is waived, or approval is automatically granted; and

  • claims brought by EU citizens against U.S. entities are heard in the U.S., subject to limited exceptions.


Nevertheless, in certain countries—like Germany—where the data protection laws are more restrictive than elsewhere in the EEA, Safe Harbor certification as a means of legitimizing personal data transfers is frowned upon. In fact, a few published German legal opinions have found that EU-U.S. Safe Harbor certification does not adequately meet German data protection law (called the BDSG) and that additional steps must be taken to meet such requirements. In addition, last summer the German Data Protection Authority (DPA) issued a ruling that clouds located outside the U.S. are per se unlawful under EU law. The ruling goes on to state, however, that if a company adheres to German rules on data processing and uses the EU standard contract clauses for controller-processor data transfers, it will be deemed compliant with German law.


Last year a group of German data protection officials contacted the U.S. Federal Trade Commission (FTC) to encourage the FTC to more closely monitor compliance with the EU-U.S. Safe Harbor framework. Thilo Weichert, head of the data protection commission in the northernmost German state of Schleswig-Holstein, also doubting that companies could become compliant with data protection laws in the EU.


Other EEA countries, such as Spain and Italy, may take a similar stance. Thus, a company that relies on a cloud provider’s Safe Harbor certification faces some risk that a European DPA will look unfavorably on the company’s decision to store personal data in the U.S.


As explained above, whether an entity is classified as a data controller or processor is important in determining its responsibilities for compliance with EU data protection requirements. If a data controller located in the EU engages a non-EU-based cloud provider to process personal data on its behalf, it will have limited options from a liability perspective. It will either need to ensure that the cloud provider is Safe Harbor certified (being mindful of the limitations described above) or execute an agreement containing EU standard contractual clauses.


With respect to the latter option, the European Commission recently adopted new "controller-to-processor" standard contractual clauses (SCCs) to protect personal data transferred from Europe to a data processor located outside the EU. Pre-existing contractual arrangements are grandfathered, but any new contracts with data processors must include the new version of the SCCs. The principal change is that a data processor (such as a cloud provider) must now obtain prior written consent from the data controller before subcontracting any of the processing, and the subcontractor must be contractually bound to the same obligations that apply to the data processor.


The new SCCs came about as a result of the increased use of subcontracting for functions involving processing, storage and technical support. This is particularly common in cloud computing, where several entities might be involved in handling and storing data. The new SCCs are designed to ensure that any European company that remains responsible as a data controller is informed about any proposed subcontracting and that all parties handling the data are subject to the same obligations of confidentiality and security.


Data Access, Deployment, Management — Things to Consider


As companies move applications and personal data to clouds, there are a few key issues to consider.


Internal IT Security Controls:
Data processed outside a company’s network brings with it an inherent level of risk, because the processing bypasses the physical, logical, personnel and technical controls that internal IT personnel can put in place.


Server Elasticity:
One of the major benefits of cloud computing is flexibility, so the servers hosting personal data may be reconfigured or decommissioned frequently to accommodate current capacity requirements. This means the entity or individual that hired the cloud provider can never be 100 percent sure where the data resides at any given time.


Compliance with Laws and Regulations:
As explained above, companies are ultimately responsible for the security and integrity of data entrusted to them, even when it is stored in a cloud. If the data is subject to Sarbanes-Oxley, HIPAA/HITECH, the Payment Card Industry Data Security Standards (PCI DSS) or other regulations, the cloud computing provider must be able to demonstrate that it is fully compliant.


Alleviating Customer and Employee Concerns:
Companies must be able to demonstrate to employees and customers—or anyone else by whom they are entrusted with personal data—that such data is secure despite a lack of physical control over external systems.


Access controls and monitoring of cloud administrators:
While most companies perform background checks on their own IT administrators, they do not likely have any involvement in their service providers’ hiring processes. Encryption, tokenization, masking, auditing and monitoring, however, can reduce the risk that a rogue administrator will make an unauthorized copy of a database or engage in similar malicious behavior. By way of example, the company responsible for the data—or a separate third party, but not the cloud provider—should have the ability to monitor all activity in its databases in real time.


Physical Infrastructure:
It is important to determine whether the cloud provider has physical security measures in place, such as card key entry to its data center(s), video cameras and monitoring by security personnel. Most cloud providers will have implemented these controls, but it is important to ask anyway.


Many of these issues can be addressed by negotiating a contract with robust privacy and data security provisions. Among other things, the cloud provider should agree to periodic audits and to indemnify against third-party claims (including government investigations) resulting from its failure to comply with its contractual obligations.


Conclusion


This paper addresses the unique legal challenges and security concerns associated with cloud computing. Although cloud computing is not new, there is still a good deal of debate and uncertainty surrounding it, particularly in the EU. The 2009 European Network and Information Security Agency (ENISA) report “Security and Resilience in Governmental Clouds” illustrates some of these concerns. The report states that public administrators and organizations holding highly sensitive data, such as hospitals, must develop new data models and review risk levels. In addition to robust contractual protections, ENISA adopting a legal framework for data storage outside of national boundaries to avoid exposing citizens and economies to “unacceptable risk.”


It is understandable that privacy and security are major concerns for entities that transfer data and/or IT resources from locally maintained servers to cloud computing systems. But there are ways to alleviate these challenges. Best practices include: 1) strong password protection; 2) tight access controls; 3) physical security where servers are located; 4) good Service Level Agreements (SLAs); 5) mandating background checks for third-party IT administrators and others with access to personal data; 6) ensuring that data center employees are bonded/insured; 7) requiring providers to sign non-disclosure agreements; and 8) other strong contractual protections such as indemnification and audit rights.


If these best practices are followed, the benefits of cloud computing will likely outweigh the risks.