Data Privacy in the Cloud: 5 things you didn’t know

Although cloud providers may go to great lengths to ensure the security of information stored in the cloud, they can still be subject to government regulations that take precedence over privacy rights.


Interest in cloud computing is growing rapidly, as many organizations are realizing the benefits of adopting a highly scalable, robust and cost-effective model of computing. However, you may not be aware of all the privacy risks that come with putting your sensitive corporate and customer data in the cloud.

Here are five things you may not have considered about data privacy and the cloud:

1. Your data may simultaneously be subject to the competing objectives of both the USA Patriot Act and the data privacy/protection laws of other countries.

Customer data in the cloud may not be physically stored or pooled in one place; it could be spread across a service provider’s global cloud network and subject to the data privacy regulations of multiple jurisdictions. In many cases, customers may not know where their data is actually stored, or may assume that since the provider has a local presence, their data is stored locally. This can place cloud customers in a Catch-22: on one hand, the USA Patriot Act (and similar legislation elsewhere) contains provisions for the seizure of data unbeknownst to the target of the investigation, and on the other hand, privacy protection laws in other jurisdictions require that the target be notified of any requests made for the turning over of personal data.

In addition, your data may be subject to industry and government regulations such as HIPAA, PIPEDA and FISMA. These laws specify how personal data is handled regardless of where it is stored, essentially as a precondition of doing business in an industry governed by the legislation (e.g. health care).

2. You cannot rely on data encryption to ensure data privacy.

Most cloud storage service providers automatically encrypt the data that is stored in their clouds. However, this alone does not guarantee protection of your privacy. For example, under the USA Patriot Act, the US government may not only order a service provider to surrender data to the authorities, but also demand the encryption keys used to protect that data. To truly protect your data, you will need to encrypt it before storing it on the cloud, which is an added step that drives higher costs and increased complexity.
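To make the "encrypt it before storing it" step concrete, here is an added example (not from the original article) of envelope encryption on the customer's side using Node's built-in `crypto` module. The function names, record layout, object name and the choice of AES-256-GCM are assumptions of this example; the point is that the provider only ever receives ciphertext and a wrapped key it cannot use.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// AES-256-GCM seal: returns nonce(12) || tag(16) || ciphertext.
// aad is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Inverse of seal; throws if the key, the aad or any byte of the blob is wrong.
function unseal(key, sealed, aad) {
  const decipher = createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  decipher.setAAD(aad);
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Runs on the customer's machine. masterKey (32 bytes) is never uploaded.
function encryptForUpload(masterKey, objectName, data) {
  const aad = Buffer.from(objectName, "utf8"); // binds both blobs to this object name
  const dataKey = randomBytes(32); // fresh key per object
  const record = {
    name: objectName,
    wrappedKey: seal(masterKey, dataKey, aad).toString("base64"),
    ciphertext: seal(dataKey, data, aad).toString("base64"),
  };
  dataKey.fill(0); // best-effort wipe of the plaintext data key
  return record; // the only thing the provider ever stores
}

function decryptDownload(masterKey, record) {
  const aad = Buffer.from(record.name, "utf8");
  const dataKey = unseal(masterKey, Buffer.from(record.wrappedKey, "base64"), aad);
  return unseal(dataKey, Buffer.from(record.ciphertext, "base64"), aad);
}

// Constructed sample: object name and contents are made up for this example.
const demoKey = randomBytes(32); // in practice, load from a key store you control
const demoRecord = encryptForUpload(demoKey, "customers/export.csv", Buffer.from("id,name\n1,Alice\n"));
console.log(demoRecord);
console.log(decryptDownload(demoKey, demoRecord).toString());
```

Where the master key lives (an on-premises HSM, a key store in your own jurisdiction) is the part that adds the cost and complexity mentioned above; the example only shows that the uploaded record is useless without it.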

3. There is no legal requirement for businesses to store customer data in Canada.

In general, federal and provincial privacy laws do not place any restrictions on where customer data is stored. However, they specify how and when law enforcement or other individuals may access that data. For example, if a law enforcement agency wants access to an individual’s data stored in the cloud and makes that request of a service provider, privacy legislation in Alberta and Quebec requires the service provider to notify the targeted individual that such a request has been made. In other provinces, even if this notice isn’t legally required, the Privacy Commissioner of Canada advises that it is a best practice to follow.

4. You cannot assume that your data is ‘gone’ from the cloud once you remove it or have discontinued your contract with your service provider.

There are a number of questions you must ask your cloud provider to confirm that your data is properly destroyed or returned to you, including:

  • How does the cloud provider destroy proprietary data at the end of a contract?
  • How do you ensure that your data is destroyed by the service provider at the right point and is not available to other cloud users?
  • How do you know that your provider won’t retain additional copies?

5. Just like physical servers, virtual servers are vulnerable to hacks and security breaches.

More than any legislation, external attacks remain the primary threat to the privacy of data stored in the cloud. Although the security of the physical cloud infrastructure may be in place, you must also build firewalls for the areas within and between the virtual machines in the cloud. Don’t assume that your cloud provider ‘has it all covered’ in the monthly fee; make sure a comprehensive, professionally monitored security solution is included as part of the service.

Are you concerned about data privacy and the cloud? Feel free to share your thoughts and comments below. 

 


1 Comment

  1. Hi Craig,

    Your post makes some great points.

    I think we’ve all seen instances where Canadian companies have concerns about the USA Patriot Act of 2001.

    Fundamentally, if the thought of governmental access to your data or processes is an unacceptable risk then the cloud may not be for you. There are ways, as you point out, for organizations to enable cloud services. I’d add a couple of other options:

    – separate your sensitive/critical and non-sensitive data or apps when assessing cloud suitability.
    – encrypt your data first (it’s not that hard) – then you hold the keys and any legal requirement to access it will be under your control

    Legislated and regulatory access rights by various agencies exist in every country. The USA is not unique. It’s important to understand the legalities, particularly when it comes to “gag” orders that may prevent you from even knowing your data is being looked at.

    There’s no substitute for following good corporate policies, doing thorough due diligence and conducting legal reviews as part of your cloud buying process. Don’t forget to think through the impact of “collateral damage” if certain servers, domains or other shared resources are locked down due to the malfeasance of others. In 2011, 84,000 web servers were disabled in the pursuit of another criminal crackdown. The recent Megaupload takedown caused petabytes of legitimate shared storage to be taken down.

    It’s worth doing your homework, as you identify, since the benefits of scalability, flexibility, performance, price and innovation from cloud services are too large to ignore.

    Rick Zwiep / 9 years ago