Interest in cloud computing is growing rapidly, as many organizations are realizing the benefits of adopting a highly scalable, robust and cost-effective model of computing. However, you may not be aware of all the privacy risks that come with putting your sensitive corporate and customer data in the cloud.
Here are five things you may not have considered about data privacy and the cloud:
1. Your data may simultaneously be subject to the competing objectives of both the USA Patriot Act and the data privacy/protection laws of other countries.
Customer data in the cloud may not be physically stored or pooled in one place; it could be spread across a service provider’s global cloud network and subject to the data privacy regulations of multiple jurisdictions. In many cases, customers may not know where their data is actually stored, or may assume that since the provider has a local presence, their data is stored locally. This can place cloud customers in a Catch-22: on one hand, the USA Patriot Act (and similar legislation elsewhere) contains provisions for the seizure of data unbeknownst to the target of the investigation, and on the other hand, privacy protection laws in other jurisdictions require that the target be notified of any requests made for the turning over of personal data.
In addition, your data may be subject to industry and government regulations such as HIPAA, PIPEDA and FISMA. These laws specify how personal data is handled regardless of where it is stored, essentially as a precondition of doing business in an industry governed by the legislation (e.g. health care).
2. You cannot rely on data encryption to ensure data privacy.
Most cloud storage service providers automatically encrypt the data that is stored in their clouds. However, this alone does not guarantee protection of your privacy. For example, under the USA Patriot Act, the US government may not only order a service provider to surrender data to the authorities, but also demand the encryption keys used to protect that data. To truly protect your data, you will need to encrypt it before storing it in the cloud, which is an added step that drives higher costs and increased complexity.
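To illustrate encrypting before upload, here is an added example (not part of the original article) in which the key stays with the customer and the provider only ever receives an opaque blob. The choice of AES-256-GCM, the function names `SealForUpload` and `OpenDownload`, and the object name are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds AES-GCM from a key that is generated and kept by the customer.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload returns nonce || ciphertext || tag, the only bytes the provider
// stores. The object name is authenticated, so a blob served under another name fails.
func SealForUpload(key []byte, name string, data []byte) ([]byte, error) {
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, data, []byte(name)), nil
}

// OpenDownload verifies and decrypts a blob fetched back from the provider.
func OpenDownload(key []byte, name string, blob []byte) ([]byte, error) {
	g, err := newAEAD(key)
	if err != nil || len(blob) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("bad key or truncated blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key never leaves your premises
	rand.Read(key)
	blob, err := SealForUpload(key, "crm/record-001.json", []byte("constructed sample record"))
	fmt.Println(len(blob), err) // upload blob only; the key is never sent
}
```

Because the provider never holds the key, an order served on the provider yields only ciphertext; the cost the article mentions is that key storage, backup and rotation become your responsibility.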
3. There is no legal requirement for businesses to store customer data in Canada.
In general, federal and provincial privacy laws do not place any restrictions on where customer data is stored. However, they specify how and when law enforcement or other individuals may access that data. For example, if a law enforcement agency wants access to an individual’s data stored in the cloud and makes that request of a service provider, privacy legislation in Alberta and Quebec requires the service provider to notify the targeted individual that such a request has been made. In other provinces, even if this notice isn’t legally required, the Privacy Commissioner of Canada advises that it’s a best practice to follow.
4. You cannot assume that your data is ‘gone’ from the cloud once you remove it or have discontinued your contract with your service provider.
There are a number of questions you must ask your cloud provider to confirm that your data is properly destroyed or returned to you, including:
- How does the cloud provider destroy proprietary data at the end of a contract?
- How do you ensure that your data is destroyed by the service provider at the right point and is not available to other cloud users?
- How do you know that your provider won’t retain additional copies?
More than any legislation, external attacks remain the primary threat to the privacy of data stored in the cloud. Although the security of the physical cloud infrastructure may be in place, you must also build firewalls for the areas within and between the virtual machines in the cloud. Don’t assume that your cloud provider ‘has it all covered’ in the monthly fee; make sure a comprehensive, professionally monitored security solution is included as part of the service.
Are you concerned about data privacy and the cloud? Feel free to share your thoughts and comments below.