Most organizations outsource at least some IT functions to third party service providers. Cloud computing arrangements are becoming increasingly popular as more and more organizations are attracted to the potential cost savings and enhanced flexibility that cloud computing services can offer. While there are a number of benefits to outsourcing data storage or processing to a cloud provider, there are also a number of steps that an organization should take to help ensure that the security and integrity of its data is maintained in the cloud and to ensure that it complies with its privacy law obligations.
Data Security and Protecting Information
One of the most critical concerns of cloud computing is data security. By moving data into the cloud an organization is relinquishing custody of that data to the cloud provider. Therefore, the organization needs to understand how its cloud provider will protect the data and what security standards and procedures are being applied to help prevent data theft or a security breach. An organization can help reduce security risks associated with cloud computing by ensuring that the following items are addressed in the contract with the cloud provider:
- Data Segregation and Ownership. The use of shared infrastructure can create data commingling and segregation issues. For this reason, an organization may choose not to move sensitive or confidential information into the cloud. Further, depending on the nature of the information that is being stored or processed, the organization may need to ensure that its data can be segregated from all other third-party data as part of the cloud-service. The ownership of the data by the organization should be confirmed in the contract and the cloud provider should be required to return or destroy the data in its possession at the end of the relationship.
- Location of Data. A cloud provider’s infrastructure may be located in different jurisdictions which can result in a number of legal issues for the organization. Among other things, if data is transferred to another country it may become subject to the privacy laws of that country. Therefore, the physical location of the servers where the organization’s data will be stored should be specified in the agreement with the cloud provider. The contract should also restrict the locations where the data may be held (for example, if the cloud-service is provided from a location in Canada, the contract should prohibit transmission of data outside of Canada without the organization’s specific consent).
- Security Procedures/Standards. The level of security and the encryption procedures that will apply to the organization’s data should be identified. If possible, an actual, specific and independent security standard should be identified in the contract.
- Access Protocols. The specific access security protocols that are being implemented by the cloud provider should be identified in order to help reduce the risk of unauthorized access or data theft.
- Audit Rights. The contract should include a right for the organization to audit the cloud provider’s security procedures as well as the cloud provider’s compliance with the contract generally. The contract should also include a right for the organization (and the organization’s external auditor) to access the cloud provider’s data center or premises where the organization’s data is located.
- Notification of Security Breaches. The cloud provider should be required to provide the organization with immediate notice of any security/data breaches so that the organization can manage these events as effectively as possible.
Organizations should assess the benefits and risks for privacy when considering a cloud solution. Private sector privacy legislation in Canada generally allows an organization to transfer personal information to a cloud provider for processing or storage (including a cloud provider in another jurisdiction). However, the organization will remain accountable to protect the personal information and it must remain in control of that information.
Cloud computing and storage can also create new privacy issues for an organization. Specifically, when data in a cloud system is accessed, stored or processed, new “transactional information” is often created which can constitute personal information under Canadian privacy legislation. In other words, the new transactional data can be subject to the same privacy law requirements as the primary data.
Further, if information that the organization is sending to the cloud is processed or stored in another jurisdiction then the organization may have privacy obligations in the jurisdiction where it collects personal information as well as the jurisdiction where the data will be located. For example, if data is being stored in the United States as part of a cloud-service then that data may be subject to access by the US government as a result of the USA Patriot Act.
In light of the above, an organization intending to move personal information into the cloud should do the following:
- Implement a privacy compliance program that addresses collection and use of personal information in the cloud.
- Determine the type of data that will be sent to the cloud and how the information will be stored by the cloud provider. Outsourcing data storage can create a risk of misuse or unauthorized disclosure and therefore an organization may choose to retain its most confidential information under its direct control.
- Ensure that that appropriate consents have been obtained to send personal information to a cloud provider. An organization needs to maintain “control” over personal information that is sent to the cloud provider and prevent secondary uses of that personal information. If the cloud provider will use personal information for new purposes then additional individual consents may need to be obtained.
- Review the cloud provider’s contract terms to ensure that personal information received by the cloud provider is treated in a manner consistent with the organization’s obligations under applicable privacy laws. If personal information will be located outside of Canada then the cloud provider must provide a comparable level of data security as would be required under Canadian law.
This is not an exhaustive list of the data security and privacy issues that an organization will need to address when considering a cloud computing solution and each arrangement will have its own special considerations.
Further, while data security and privacy risks are key issues that need to be addressed in the agreement with your cloud provider they are not the only risks or legal issues that arise with cloud-computing. If your organization is contemplating entering into a cloud-computing contract we recommend that you seek the advice of an experienced legal advisor.