As a general counsel for a corporation with offices and employees spanning multiple countries, the risk-management part of your job necessarily entails understanding the laws and regulations implicated by your corporation's activities. Meanwhile, the ubiquitous nature of electronic communication, along with the high cost of maintaining an internal information technology infrastructure fast enough to keep pace with the speed of business, ushered in the use of cloud computing services to store and move your company's electronic data.
This article provides an overview of the factors corporate counsel should consider before contracting for cloud computing services and allowing electronic data access and movement across borders.
Cloud computing vastly improves network storage capabilities by allowing on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) — available for rapid provisioning and release with minimal management effort or service provider interaction. Whether applied to your internal business metrics or an email system, cloud computing increases efficiency and reduces information technology costs.
However, cloud computing involves the dispersal of data across servers located anywhere in the world. How the cloud transcends national boundaries creates potential dangers by moving data into, or allowing data access from, countries with restrictive data privacy and protection laws. If a corporation using the cloud to store electronic information becomes embroiled in an investigation or litigation, the corporation must consider relevant laws before gathering, reviewing, and producing responsive electronic data.
Protection laws, data privacy, and security in cloud computing
Most data privacy and protection statutes protect the personal information of each country's citizens. These laws generally govern entities' and individuals' ability to "process" — collect, preserve, organize, store, use, etc. — the data of others, and they apply when someone stores, collects, processes, or communicates information to or from the country. Given the increasingly common use of mobile devices for business purposes, a Mexican citizen working in Canada whose Brazilian cloud computing services provider stores his communications there would likely trigger certain provisions within all three countries' statutory schemes. To avoid transgressions of these laws, a general counsel needs to keep track of their corporation's electronic data as it moves across borders.
The primary focus of most data privacy laws is consent. To process an employee's personal information, the employer, or data user, generally must first obtain the employee's — the "data owner's" — consent to do so. Accordingly, you will need to know when and how you must obtain consent from employee or customer data owners. For example, under Spanish law, data users must obtain express consent from data owners in writing and that consent is revocable at any time. If you have employees in Spain or a country with a similarly stringent data privacy statute, you will need to obtain consent from each employee and then exercise selectivity in terms of placing any personal information into the cloud.
Some data privacy statutes exempt the need to obtain consent when gathering or processing personal data for a judicial proceeding or to fulfill legal obligations. For instance, Argentina's fairly strict data privacy law includes such an exception which states that any cross-border transfers of personal data out of Argentina may only be made to countries that provide similar data protection — not the United States — unless the transfer happens pursuant to express consent, an executed data transfer agreement prepared with regulator guidance, international judicial cooperation, or other very limited exceptions.
Reporting requirements vary by country
In addition, you need to understand the security and reporting requirements of each implicated data privacy regime. In Mexico, the 2010 Federal Law on the Protection of Personal Data Held by Private Parties requires the maintenance of industry-standard physical, technical, and administrative security measures designed to protect data from unauthorized damage, alteration, loss, or use. Moreover, where there are breaches of personal data, data users must promptly notify each data owner of possibly affected personal data. This is a common requirement, so companies using cloud computing services should have communication processes capable of quickly and effectively notifying employees, or other data owners, about any potential breach in data and cloud security.
Argentina's data protection law requires all data users to register public and private databases with its data protection agency. However, Argentina's law passed in 2000, so understandably it did not fully anticipate the current use of cloud or Internet-based networks physically located outside of Argentina — reaching into the country for electronic personal data. For this reason, it is unclear how far Argentina's registration requirement reaches.
While it seems clear that a company setting up a server in Argentina for employees working in the country would fall within this requirement, there is no guidance on how the requirement applies to a cloud system that extends into the country. If the law works similarly to Spain's data protection law, the data user established in Argentina would register its database and identify its cloud service provider. In turn, that provider would be subject to the law even if it, and its subcontractors, are located outside Argentina.
Some countries, like Uruguay, expressly allow cross-border transfers of personal data between or within a group of companies without any additional authorization when the parent, subsidiary, affiliate, or branch receiving the personal data has adopted a conduct of code duly registered with the proper data protection authority. Once again, if your corporation operates in multiple countries, you should research these kinds of requirements before placing electronic data into the cloud.
Understanding enforcement, penalties
Finally, you should research the enforcement mechanisms and potential penalties tied to any transgression of an applicable data privacy regime. Mexico, for instance, created a federal agency, the Instituto Federal de Acceso a la Información (IFAI), to oversee its 2010 data protection regime. IFAI, which has operational, budgetary, and decision-making autonomy, is responsible for monitoring and enforcing compliance with the data protection regulations, responding to complaints from data owners, and imposing sanctions for non-compliance.
IFAI exercised its enforcement authority in the private sector, imposing several significant sanctions since Mexico's law went into effect. For instance, in December 2012, the IFAI imposed sanctions of over 2 million Mexican pesos, over $162,000 USD, on Pharma Plus S.A. de C.V., a company that operates pharmacies in Mexico, for failing to provide a sufficient privacy notice to patients filling prescriptions for psychotropic medications whose information Pharma Plus's pharmacies systematically collected.
Carefully and knowledgeably entering the cloud
Before you contract with a cloud computing services provider to put your company's electronic data into the cloud, or even if you already have, do so carefully and knowledgeably by examining the following four core issues.
Data security
Consider the type of data you put into the cloud. Sensitive, critical, or regulated information requires additional security and may need segregation. Personal information, as noted above, is often governed by data protection laws and regulations.
You’ll need to know about encryption. Data at rest, meaning data that is not actively moving from one device to another but is in a single location, is often encrypted using Advanced Encryption Standard (AES), which uses encryption keys to protect data. That is the National Institute for Standards and Technology – Federal Information Processing Standards (NIST-FIPS) recommendation. AES was originally developed for the U.S. federal government, and now many private organizations use it to ensure their data is as secure as possible and prevent data breaches. It’s available in most commercial encryption products.
To protect data that’s in transit, meaning it is actively moving from one location to another, whether from a data center to the cloud, between clouds, or elsewhere, often involves encryption using Transport Layer Security (TLS). Encryption and the authentication of endpoints happen before the data transmits. Upon arrival, data decryption occurs, and another tool verifies whether or not the data changes.
Identity and access management framework allows IT managers to control users’ access to critical data. The framework uses systems like multi-factor authentication, which requires two or more methods of authenticating one’s identity, and role-based access control (RBAC), which allows permissions based on one’s role within an organization. This framework can also use privileged access management (PAM), which monitors, detects, and prevents unauthorized privileged access to a resource using various tools and technologies.
Firewalls protect network boundaries by blocking and filtering traffic. Intrusion detection systems (IDS) monitor and analyze network traffic for suspicious activities in real-time and alert system administrators to cloud breaches or other problems.
Regular security audits and compliance with the EU’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the international ISO 27001 standard, which provides a framework for organizations to establish, implement, and manage an information security management system, are critical when dealing with cloud data.
Data location
Whether your cloud infrastructure is a public or private cloud or a hybrid environment, and whether you use Google Cloud, Amazon Web Services (AWS), or Microsoft Azure, ask where your cloud vendor’s servers are, where its primary users work, and how your data transfers. The answers to these questions impact legal jurisdiction and data protection laws, which you must research and understand for each country implicated.
Geographical considerations include complying with data protection laws in different countries, such as GDPR and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Data sovereignty has implications for storing data in the cloud, as well. Digital data is subject to the laws and governance structures of the country where it is physically located.
It is important to have redundant data storage and regular backups for data security. Storing multiple copies of data across various cloud storage services in multiple locations lessens the risk of data loss. Having backups and redundancy ensures companies meet compliance obligations and helps with disaster recovery if there is data loss. Remember that backups, too, are subject to governance in their geographic location.
Data oversight
While cloud providers monitor the cloud infrastructure for security breaches, cloud security is a shared responsibility, with best practices for your legal team including a need to:
- Evaluate the cloud provider's security policies for intrusion detection, reporting, and security audits.
- Ensure the cloud provider communicates with you during every step of the data oversight process. That is crucial for complying with data privacy and data security in cloud computing and protection laws, which often require prompt notification of any data breach and documentation of all steps taken to remedy the problem.
- Ensure you have an audit trail and monitor user activities to ensure compliance and detect unauthorized data access.
- Implement comprehensive compliance reporting tools to help you adhere to various data protection regulations.
Assessing and managing the risks associated with third-party vendors in cloud environments is also critical. Third-Party Risk Management (TPRM) means identifying, assessing, and controlling the risks that can occur with third parties, who introduce different security, privacy, regulatory compliance, and other risks. TPRM includes procurement and off-boarding procedures, as well.
Data control
It is critical to obtain user consent for data collection and processing, which includes their explicit permission to collect, store, process, and share their data. You’ll need clear privacy policies that inform users how you will handle personal data, what rights they have, and how to use them.
You need to have data classification and handling protocols in place. You’ll need to classify data based on sensitivity, importance, and compliance needs. Then, your data classification policy should specify how you handle, protect, and share each type of cloud data.
Understand who will have permission to gain access to your corporation's data. Make sure you know what categories of employees at the cloud provider access your data, and confirm whether the provider uses any subcontractors who may require data access. In addition, implement a process through which you can responsibly gather and process potentially responsive data from employees when faced with litigation or an investigation. That often entails drafting a form for consent, documenting the legal justifications for requesting the data, and engaging or consulting with outside counsel to understand the local authorities better.
Data portability is another crucial part of data control. Customers need the ability to move their sensitive client data between different public, private, and hybrid cloud service providers, applications, computing environments, or programs. They must also have the "right to be forgotten" or, in other words, to have their private information removed from internet searches and other locations in some circumstances. That is especially important in the context of GDPR, which explicitly includes that right.
Managing the lifecycle of data
Data Lifecycle Management (DLM) covers the entire data lifecycle in a cloud environment, from creation and storage to retrieval, archiving, and deletion. Not only does it help maintain data integrity and compliance, but it also details the planning and coordination of data storage costs, how you’ll comply with retention policies, and ensures timely disposal of sensitive customer data.
By considering each of these four issues and reviewing and understanding the data privacy and data security in cloud computing and protection laws that apply to your corporation's data, you can reduce the risk of sanctions or heavy consequences for inadvertent missteps.
About the author
John C. Eustice is a member at the law firm Miller & Chevalier, chartered in Washington, D.C. His practice focuses on the counseling and representation of businesses and individuals facing complex civil litigation. He is a contributing member of The Sedona Conference® and regularly writes about and speaks on technological, cloud computing, and electronic discovery matters. He can be reached at jeustice@milchev.com.
Two complete Practical Law Connect resources and other relevant resources on data privacy.