Lora Bentley spoke with Proskauer Rose partner Tanya Forsheit regarding the privacy concerns raised when one opts for cloud computing. Forsheit and her colleague Nolan Goldberg will participate in a panel discussion on proving compliance in the cloud during next month's CSI SX Conference.
Bentley: Why does cloud computing seem to be raising all kinds of compliance concerns these days?
Forsheit: Frankly, the law is far behind in trying to address the issues that are involved here. The law as we know it does not really sufficiently contemplate the world as it exists, which is that data is already in the cloud. Just so we're clear on cloud computing -- some of this is new, some of it is not so new. Things like Web mail have been around for a long time, and other kinds of third-party services where people are outsourcing their data. That's essentially what you're talking about: third-party providers hosting this stuff.
Bentley: So what are the issues that have compliance professionals concerned?
Forsheit: From a privacy perspective, one of the biggest issues has to do with the applicability of laws around the world, and particularly in the European Union. If you don't know where your data is, where it's actually residing -- which, frequently you're not going to know, if it's in the cloud being hosted by a third party somewhere -- you could very well be running afoul of the EU data protection directive. It's the most stringent privacy regime in the world.
Bentley: How so?
Forsheit: It says, among other things, that the vast majority of countries in the world do not have adequate security safeguards from the European perspective. This means that the legal regimes in those other countries don't have stringent enough requirements for the protection of individual data. Also keep in mind that if you're talking about the EU, the definition of personal data is far more broad than what it is here. While in the United States we might talk about a name in conjunction with a Social Security number, or a driver's license or an ID, or an account number as being personal information, in the EU, it can be just about anything that describes an individual -- for example, an e-mail address. So you can imagine, that's a lot of the electronic data floating around out there.
And the EU says because the rest of the world, including the United States, does not have sufficient safeguards, there are certain steps that must be taken in order to comply with the data protection directive. One possible way is to get certified under the U.S. Safe Harbor program, but that would only apply if you're transferring data between the EU and the U.S. But if your data's in the cloud, chances are we're not just talking about the EU and the U.S., so that doesn't really work.
Another way to do it is binding corporate rules, which have not become very popular yet. It's the newest mechanism for compliance, and it's more expensive and more involved. That said, however, a number of larger companies have endeavored to create these binding corporate rules. If eventually effective, they will allow the companies to transfer data around the world. The problem there is, if the data is going outside of the corporate group that is bound by the rules, you're no longer in compliance.
Bentley: Is there another option?
Forsheit: Model contractual clauses are the third way. That would mean you would have to have who knows how many contracts set up to allow for not only transfers outside the company, but also intracompany data transfers if you have an internal cloud. It can just be very complex and unwieldy, particularly with respect to the EU.
Bentley: What's a company to do, then?
Forsheit: Really what we're seeing is there just isn't yet a practical solution for protecting data in the cloud, so the law has to kind of catch up with the way the world works here. But like any other kind of outsourcing, one thing that companies must do if they are using these commercial-grade cloud solutions is, of course, to have some kind of contract in place with their provider that covers protection of the data, what kinds of safeguards are being used -- encryption, authentication, rights, access, disposal, etc. -- so that at a very minimum, they're not creating a higher risk of breach. By putting data in the cloud, you are necessarily going to increase the risk of a breach, but if you have sufficient due diligence procedures in place to make sure your vendors are trustworthy, that they meet standards and that they are in compliance with the various data security laws that apply in the U.S. and elsewhere, that's something that's really essential.
Bentley: It's just a matter of the law and the compliance technology catching up with the rest of the tech, then?
Forsheit: The potential here is tremendous, and I'm sure there's no turning back on this.