Making the Cloud and Privacy Regulations Across the Globe Work Together
By David Canellos
PerspecSys President and CEO
Australian companies are a step closer to fines of up to $1.1 million for severe or repeated breaches of privacy regulations. – “Committee recommends bill containing new penalties after serious privacy breaches,” The Australian, September 18, 2012
So you’ve decided, or it’s been decided for you, that your company will use cloud applications in 2013. Maybe you already are among the converted and you’re ready to expand use of cloud apps. What you may not have seen among the forecasts for cloud adoption rates are shifting sands under your feet in the form of local, national and international laws that put you in the cross hairs – mandatory fines and potentially jail sentences – should your information be compromised. Thinking again about your plans? Lots of people are, and justifiably so.
Consider a typical deployment. You select a cloud vendor, get an SLA, ensure you have redundancy in case of an outage. You’re set. That’s the promised ease of use and deployment, correct? But did your cloud vendor explain that each country/geography where you have customers and employees has very specific, and very different, cloud data protection regulations? If you have employees accessing cloud applications from China, for example, there are more than 200 local/provincial laws you must adhere to, and those regulations are complicated further by China-specific industry sector-based regulations. Among the most onerous are the country’s State Secret Laws.
Close by, companies doing business in Australia have been warned that the risk of litigation should be factored into their due diligence when selecting a cloud vendor. And each country/geography where they store and process data, which may be different from where they physically operate, also has specific data laws that must be followed. To complicate matters, these rules and regulations are very likely to change over time, particularly as technological advances emerge and government regulators fine-tune their policies. A solution to these challenges that gives companies downstream flexibility is critical.
As a first step, cloud customers need to scrutinize service provider security policies thoroughly before jumping into an arrangement based primarily on cost savings and scalability.
In regulated jurisdictions, cases of information misuse will be investigated and prosecuted. And more often than not, the cloud user will be the target of the litigation. As highlighted in Australia’s Cloud Computing Information Sheet, for example, if a business can’t answer basic questions about where its data is located, who owns and controls the service provider organization, and what happens to data when contracts terminate, the business is directly at risk.
Put another way, seize the day and take advantage of everything cloud has to offer now, but trust no one when your personal hide might be on the line. Big brand or little, domestic or foreign provider, read the contract closely. Carefully investigate statements made by cloud providers about legal compliance or other security credentials. International vendors in particular may not know the details of the regulations that an individual enterprise needs to adhere to, let alone those of a specific geographic region, or the specific policies of an industry group. Should data become compromised, they are not liable in most cases.
Technical Shell Game
Since compliance and privacy regulations are in flux, you must check in great detail the technical methods used to protect your sensitive data in the cloud. Be wary of technical approaches pitched as “compliant” that “de-identify” personally identifiable information (PII). What does this mean? Permanently removing personally identifiable information is not a valid option for data protection because this often destroys the data’s intrinsic business value. Industry-approved approaches, such as encryption using strong algorithms (i.e., FIPS 140-2 validated) or tokenization, which replaces PII with randomly generated tokens that have no relation to the original information (e.g., “#$%” instead of “Mark”), are methods that should be explored. Be careful, though, to consider your end users’ experience with their cloud applications and make sure it is not adversely impacted by the protections you put in place.
Tokenization, in particular, should be looked at very carefully, as it helps to solve data control, access, and location issues because the data controllers themselves maintain ownership of the protection system and the original data. In fact, since tokenization allows all sensitive information to be kept in-house – what travels to the cloud are randomly generated tokens (replacement values) rather than actual data – many practitioners believe that it is the best solution for complying with data residency regulations mandating that sensitive data remain “resident” within specified geographic jurisdictions. And employees accessing the protected cloud data can enjoy full application functionality and the same user experience, such as searching and sorting, on tokenized data, with the standard cloud SaaS application – all while staying within the legal lines.
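The flow described above, as an added sketch that is not PerspecSys code: a vault kept in-house maps each sensitive value to a random token, only tokens reach the cloud application, and an exact-match search is run by tokenizing the search term first. The class, function and field names and the sample records are assumptions made for illustration; sorting on tokens is not covered, since random tokens carry no ordering.

```python
import secrets

SENSITIVE_FIELDS = {"first_name", "email"}  # assumed policy: which fields are PII

class TokenVault:
    """Stays inside the customer's network; the only place tokens map to values."""
    def __init__(self):
        self._by_value = {}  # (field, original value) -> token
        self._by_token = {}  # token -> original value

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, unrelated to the value
            while token in self._by_token:         # regenerate on a collision
                token = "tok_" + secrets.token_hex(8)
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]  # same value -> same token, so equality still works

    def token_for(self, field, value):
        return self._by_value.get((field, value))  # None if never tokenized

    def detokenize(self, token):
        return self._by_token.get(token, token)

def protect(vault, record):
    """Outbound: replace sensitive fields before the record leaves the network."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def reveal(vault, record):
    """Inbound: restore original values for the in-house user."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def cloud_search(cloud_rows, vault, field, value):
    """Exact-match search: the cloud side only ever compares tokens."""
    needle = vault.token_for(field, value) if field in SENSITIVE_FIELDS else value
    return [reveal(vault, r) for r in cloud_rows if needle and r[field] == needle]

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"first_name": "Mark", "email": "mark@example.com", "country": "AU"},
    {"first_name": "Li", "email": "li@example.com", "country": "CN"},
    {"first_name": "Mark", "email": "mark.b@example.com", "country": "CA"},
]
```

Because the vault is the single point that can reverse tokens, its storage, access control and backups carry the residency and confidentiality obligations that the cloud copy no longer does.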
Bottom line: data control is becoming a key legal requirement in many countries and jurisdictions. Are you and your organization prepared to abide by all the rulebooks and play nice with everyone on the global cloud playing field?
PerspecSys Inc. is a leading provider of cloud data security and SaaS security solutions that remove the technical, legal and financial risks of placing sensitive company data in the cloud. PerspecSys accomplishes this for many large, heavily regulated companies by never allowing sensitive data to leave a customer’s network, while maintaining the functionality of cloud applications. Based in Toronto, PerspecSys Inc. is a privately held company backed by investors that include Intel Capital and GrowthWorks.