Cyber Security Institute

Tuesday, May 18, 2010

Cloud Service Users Face Confusing Legal Landscape

Cloud computing has great benefits for businesses, but legal uncertainties threaten to hamper adoption, said a group of lawyers speaking during a seminar in Seattle this week.  “We will have to create a robust legal system and we will have to do it sooner rather than later and before we have the cloud computing equivalent of an offshore oil rig blowout,” said Barry J. Reingold, a partner at Perkins Coie in Washington, D.C.

Lawyers speaking at the Law Seminars International event on Monday offered advice about the types of research companies should do before signing up for cloud services to make sure they can protect themselves from potential legal fallout.

One of the most important issues facing companies that wish to store or process data in the cloud is determining which legal systems have jurisdiction over the data.  A company using a cloud service could have users all over the world and those users’ information could be shifted to facilities around the globe.  “So there are four possible legal locations for the information at any moment,” James said.  Laws applicable to the location of the company’s headquarters, the location of the servers, the location of the consumer and the location of the communications equipment transmitting the information between the user and the provider could all potentially apply.

On the federal level, legislation like the Health Insurance Portability and Accountability Act and the Children’s Online Privacy Protection Act defines how businesses handle certain kinds of data like information related to health and children.

In addition, 45 states have laws covering how companies must secure customer data.  “Although many state statutes are similar, there are enough outliers that you need to think about them,” said Reingold.  For instance, some states define personally identifiable information as including a mother’s maiden name, biometrics and birth dates while others only include more basic information like name, Social Security number and driver’s licence number.

“The reason we can have this service that is inexpensive is because [cloud providers] can put their servers anywhere and can shift loads based on things like where the cost of energy is lower,” said Francoise Gilbert, a lawyer with IT Law Group.

Some companies may initially think it’s a good strategy to find a provider with data centers in countries that have no data protection laws.  Europe and a few countries that have adopted a similar model, including Tunisia, Morocco and Uruguay, have clear laws covering what kinds of personal data companies can store and whether they can move that data in and out of the country.  In the U.S., companies may collect some of that information to look for diversity in their workforce.  But if they use a cloud provider with data centers in Europe, European law prohibits them from storing that kind of data.

“The legal system has been far, far outpaced by technology,” said Reingold.

Posted on 05/18