Historically, the United States has had few laws on the books to protect individuals' privacy. With a steady stream of data breaches in the news, the past decade has seen a fundamental shift at both the state and federal level: new data privacy laws have been adopted and existing laws reinterpreted to give individuals greater control over their information. Previously, a corporation could treat data on its servers or under its control as company property; now it must account for dozens of jurisdictions, each imposing its own explicit privacy controls. The legal requirements for a given company depend on its industry, the type of data it maintains, and the geography of the business and of the individuals whose data it holds. Examples of potential regulatory impacts include:
- Healthcare: Privacy rule of the Health Insurance Portability and Accountability Act (HIPAA)
- Banking: Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) and Fair Credit Reporting Act
- eCommerce: California Online Privacy Protection Act and Children’s Online Privacy Protection Act
- Education: Family Educational Rights and Privacy Act (FERPA)
Individual states, with California and Massachusetts as leaders, are also developing their own privacy regulations, which must be considered as well. Most state regulations focus on post-breach notification when a customer's personally identifiable information has been disclosed; some states, however, go further and require implementation of a security program. As it relates to cloud adoption, Massachusetts specifically requires that companies using third-party providers bind those providers, by contract, to implement and maintain appropriate security measures for personal information.
US companies, and companies hosting with US cloud providers, must recognize that they will live with a regulatory patchwork in which they need to comply with the law of their home country, US federal law, and individual state laws, as well as any industry self-regulation that may apply.
For US-based multinational companies, and for European companies looking to host with providers based in the United States, there are concerns related to the USA PATRIOT Act. Under the PATRIOT Act, the federal government has easier access to individuals' information through the National Security Letter process. While these provisions have been highlighted in cases where EU companies declined to use Microsoft's Office 365 product over PATRIOT Act concerns, many believe the concern is blown out of proportion.
"The PATRIOT Act has come to be a kind of label for this set of concerns," Ambassador Philip Verveer, U.S. coordinator for International Communications and Information Policy at the State Department, told POLITICO. "We think, to some extent, it's taking advantage of a misperception, and we'd like to clear up that misperception."
To help clear the air around the PATRIOT Act, the Obama administration has started diplomatic talks around the world in an effort to put to rest fears about the controversial surveillance law's power to give the U.S. government access to international data stored by American companies. In the long term, look for the United States to pass additional laws protecting individuals, such as the Consumer Privacy Bill of Rights, which was introduced in the Senate in 2011 and highlighted by the US Commerce Secretary at the March 2012 joint US-EU High Level Conference on Privacy and Protection of Personal Data. In the interim, EU companies can continue to transfer personal data to the US legally as long as they have committed to the principles of the 2000 EU-US "Safe Harbor" agreement.
Organizations considering the deployment of cloud technologies must consider the following:
- IT must partner with the legal and compliance teams to understand the privacy requirements that apply to the data being migrated to the cloud
- The privacy programs adopted by the cloud provider must be reviewed, and that review must be documented
- Gaps between the cloud provider's standard offering and the applicable regulatory requirements must be identified and addressed
- Additional technical controls such as encryption or strong authentication must be considered
- Additional legal instruments such as a HIPAA Business Associate Agreement or the service provider contract terms required by Massachusetts must be written
- Service Level Agreements covering privacy, including notification of security breaches and allocation of the costs arising from a breach, must be addressed
- The IT, Legal, and Compliance teams must regularly review their cloud provider relationships in light of changing technical standards and legal requirements