Cloud Compliance: Read the Fine Print

A column in Computer World by Thomas J. Trappler adds further clarity – and probably a little more anxiety – to the issue of compliance for business and public sector organizations working with confidential client data: those organizations can actually be held responsible for compliance failures by their cloud provider. Trappler writes: “If you move a function to the cloud that’s governed by legal or regulatory requirements and later your company falls out of compliance due to an error on the cloud vendor’s part, the law won’t go after the vendor – it will come after you.”

In some cases, company executives can face charges if their cloud vendor fails to meet compliance requirements. How’s that for adding anxiety to the compliance process?

Trappler references the Gramm-Leach-Bliley Act, which requires financial organizations to “enter into contracts with third parties that they share their customer information with to ensure that the third party handles that information securely.” There’s also the Sarbanes-Oxley Act, which applies to financial reporting protocols. This act dictates which records can be stored in the cloud and for how long, and requires the data owner “to know the location of the data in the cloud and to maintain control of it.”

Further complicating the issue, Trappler reports, is that your cloud provider is often considered a third party to the confidential data they’re storing on your company’s behalf. Are they legally entitled to do so? Do you need to add special provisions to your service agreement? These are questions companies need to ask.

Although the column focuses exclusively on American compliance issues, it’s a good reminder that Canadians need to pay close attention to the regulations governing data storage in Canada. As Trappler points out, technology and the laws that govern it are rapidly evolving – and not always in step. “Though you may have initially done an effective job at capturing any compliance requirements in the contract,” he writes, “it’s important to track any subsequent technical and legal changes.”
