Cloud computing is the convergence of Internet technologies, virtualization and information technology (IT) standardization. The cloud offers flexible, affordable and scalable software, platforms, infrastructure and storage to all sizes of businesses in all sectors. For these reasons, it is not surprising that cloud services revenue will increase from $68.3 billion spent in 2010 to $150 billion by 2013 (Gartner, June 22, 2010). It is also not surprising that, as businesses move to this next generation of outsourced IT services, one of the key questions is: How will customer data be protected in the cloud?
Businesses have good reason to ask this question of their cloud services providers. In the last two years, they have seen significant data breaches involving cloud services and third-party providers. In April 2011, an e-mail services provider experienced a data breach that compromised the names and e-mail addresses of customers of major companies (e.g. American Express, Hilton, Best Buy Canada). The costs of the breach have been estimated at $650 million. In the same month, an online video game network experienced one of the most significant data breaches to date when hackers stole names, addresses and credit card data belonging to more than 100 million users. This breach has led to several class-action lawsuits, and remediation costs are estimated at $200 million. The U.S. Federal Trade Commission is investigating a cloud service that enables files to be transferred and synchronized between multiple computers; this provider experienced a data breach when users were able to access one another's files.
Headlines such as those that accompanied the above-mentioned incidents make businesses apprehensive about moving to the cloud. Gartner reported that 64 percent of businesses evaluating public cloud computing view privacy concerns as a criterion for exclusion (Gartner, February 2011). However, the benefits of cloud services and their increasing maturity in the marketplace are causing even the most cautious businesses to address privacy concerns rather than avoid the cloud altogether.
The following are some of the privacy areas that businesses considering cloud services need to address.
Understanding how your cloud provider will protect your customers’ data
Businesses using cloud services will no longer have physical control of customer data. Instead, businesses will need to work with their cloud services providers to understand how the provider will use technical and administrative controls to protect data. This means putting in place contracts that define data protection standards and establishing service level agreements (SLAs) for security and privacy measures.
In order for contracts and SLAs to have a practical effect, businesses must actively manage them. Businesses should require regular reports on the adequacy of security and privacy measures, database activities and any incidents or issues that may put customer data at risk. Businesses should have a dedicated security and privacy contact within the cloud services provider’s organization who can address issues, questions and incidents immediately.
Finally, businesses may use reviews, assessments or audits to confirm that their cloud services providers are meeting the data protection standards set out in contracts. These may be third-party audits that the cloud provider makes available to its clients or reviews that clients conduct themselves.
Compliance with privacy legislation in various jurisdictions
Under cloud computing models, data is often stored or processed in multiple jurisdictions. This means that businesses will be responsible for complying with privacy legislation outside of their own jurisdictions. This presents complexity for businesses, which must now understand their obligations in various jurisdictions outside of where they normally operate and potentially deal with conflicting laws and regulators. Cloud services providers face the same issue as they struggle to make clear to their clients how they are managing data in various jurisdictions and how that data may be accessed by government and law enforcement. In order to address this, many businesses have taken the approach of meeting the highest privacy standard. This approach can entail more work, but it ensures that businesses comply with laws in all jurisdictions and that customer data is protected.
In addition to understanding their obligations under the laws of various jurisdictions, businesses operating in the European Union (EU) must be mindful of data transfers outside the EU that may occur when using cloud services. Under the 1995 EU Data Protection Directive, EU businesses may only transfer personal information to countries whose laws provide a level of protection "adequate" to that provided in the Data Protection Directive. Canada's privacy legislation is considered adequate; however, U.S. legislation is not. This means that businesses transferring data to the U.S. must ensure that the cloud services provider processing information on their behalf has obtained EU-U.S. Safe Harbour certification, implemented binding corporate rules or signed standard contractual clauses.
Data breach notification
Mandatory breach reporting is required in most U.S. states, but only for certain types of information. In Canada, mandatory breach reporting is only required in the private sector in Alberta under the Personal Information Protection Act. In the health sector, Ontario IT service providers (referred to as "health information network providers" under the Personal Health Information Protection Act, 2004) providing services to clients such as hospitals and other healthcare providers must notify their clients of data breaches. The federal government has reintroduced amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that would require organizations to report "material breaches of personal information" directly to the Privacy Commissioner of Canada and to notify individuals when their information is compromised, but these amendments are not yet in force. Until they are, there are few legal incentives for cloud services providers to advise clients of data breaches. For this reason, businesses should ensure that breach notification, including the timelines and the information a provider must supply, is addressed in contracts.
End of contract management
Businesses must consider what will happen to their customers' data once cloud services are no longer required. This means either retrieving data from the cloud services provider or ensuring it is permanently removed from the cloud infrastructure, including backups and replicas. These requirements should be set out in the contract with the cloud provider, and written confirmation that the data has been removed should be obtained from the provider at the end of the contract.
Secondary Uses of Data
Many cloud providers use client data to manage the cloud service. For example, a cloud services provider may collect statistics, such as the number of logins or the size of stored data, to ensure the availability of its service. Businesses should read and understand their cloud services providers' privacy policies to ensure that such secondary uses are limited to non-identifiable information and to service management purposes only.
Ultimately, businesses continue to be responsible for protecting their customers’ data, regardless of the cloud services they may engage. This means that businesses will need to work closely with their cloud services providers to clarify responsibilities for data protection and establish meaningful mechanisms to monitor the activities of providers.