Is Your Cloud Migration Legally Secure?

Where is your data being stored?

The fact that your Cloud provider is located within the United States does not mean that your data is being stored or processed in the United States. Many Cloud providers do not own or control their own data centers because operating a secure data center is very expensive. Many Cloud providers seek to reduce costs by creating a “virtual data center” on servers located in a data center operated by a larger Cloud provider, such as Amazon, Google or Microsoft, which have servers located throughout the world. Depending upon which larger provider your Cloud provider uses, your data may be stored in Virginia, Oregon, Finland, Iceland, the Philippines or at various other locations. The laws of the jurisdictions in which your data is hosted may permit government officials or others to access your data. Even in the United States, the government may rely on the USA Patriot Act and other laws to request access to data under certain circumstances, and large Cloud providers have been known to voluntarily provide data or metadata (primarily related to emails) to government officials and third parties without the consent of the person owning the data. Government access may be a more significant problem in jurisdictions in which governments are less likely to follow existing law or respond to court orders.

Companies considering moving their data to the Cloud need to understand exactly where their data will be located or processed. If you have an international business, a Cloud provider that stores data throughout the world may create “edge caching” efficiencies, which can balance bandwidth costs and decrease latency. At the same time, it means your data may be subject to the laws of various international jurisdictions. Even if you determine that your provider stores data in only acceptable jurisdictions, it may subsequently transfer your data to different locations as it expands or seeks to reduce costs. You should consider limiting in your Cloud service agreement the jurisdictions, or even the data centers, in which your data may be located without your consent. You may also want to request that the Cloud provider give notice if it changes the location in which your data is stored.

Is the Cloud service appropriate for your security and regulatory needs?

The first question when moving any data to the Cloud is whether the Cloud provider has data security policies and protocols that are appropriate for business users. Not all Cloud services are designed to provide a high level of security and protection for your data. Cloud services targeted at the consumer market, such as those providing free email, permitting the upload and sharing of photos or simply providing document storage, sharing and backup services, often do not employ state-of-the-art security measures. In addition, their privacy policies often permit them to analyze your data, your usage or associated metadata, which they use for purposes such as targeted advertising or to predict consumer trends. For most businesses, the use of such a Cloud provider would not be appropriate. A first step in your due diligence should be to analyze the target market for the Cloud provider, review its privacy policy and understand what the terms of use or service agreement provide with respect to the privacy and security of your data. Assuming you are comfortable that the Cloud provider is an enterprise-level provider, additional due diligence and negotiation should focus on higher-level concerns such as the following:

  • Requiring that the Cloud provider have standard security and internal control certifications, such as SAS 70 Type II and its successor SSAE 16;
  • Ensuring that the service agreement acknowledges your sole ownership of the data stored on the service and that both contractual and logical controls (such as limitations on use of portable drives or downloads) prevent vendor access without your authorization;
  • Reviewing the Cloud provider’s business continuity plan (or an outline of it) and requiring notice of changes to that plan, and if this is not possible, setting certain minimum business continuity requirements in the service agreement;
  • Ensuring that the Cloud provider has an obligation to provide you with notice of its receipt of any warrant, subpoena or similar request and to provide you an opportunity to intervene and prevent the data disclosure; and
  • Ensuring that all data centers, whether owned by the vendor or third parties, maintain an adequate level of physical security controls, such as appropriate alarm systems, fire suppression, visitor access procedures, security guards and video surveillance.

Of course, not all provisions of Cloud service agreements are negotiable, and some Cloud providers are more willing to negotiate than others. Legal counsel should be involved early in the process so that a list of key data protection and service agreement requirements can be addressed at the “shopping” stage, not after you are, as a practical matter, committed to a Cloud provider. In addition, if you possess third parties’ personal information, such as health information and financial information, you need to review the Cloud provider’s security infrastructure and related agreements in light of laws governing your possession of such data. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that medical records, billing and account information meet certain standards. A Cloud provider may in some circumstances be a “business associate” subject to certain HIPAA requirements. This needs to be reviewed on a case-by-case basis, and service agreement provisions need to be adjusted accordingly. Similarly, those in the financial service industry are subject to the requirements of the Gramm–Leach–Bliley Act (GLB) and related rules, and need to be sure that the Cloud relationship satisfies the data safeguarding requirements. In addition, various states, such as Massachusetts, are adopting laws applicable to all businesses that collect personal data. Privacy laws and Cloud computing service offerings are rapidly evolving, and you need to review the Cloud relationship in light of the then-current laws and interpretations.

What happens when your contract is terminated or expires?

It is essential that you address, as part of the due diligence and negotiation process, what happens to your data after your relationship with the Cloud provider has terminated. Identifying a new Cloud provider or building an in-house data management system requires time, as does the data migration process. The service agreement should include provisions under which you are provided at least 90 days’, and preferably 180 days’, notice of the date your data will be locked or deleted. The Cloud provider should also be obligated to cooperate and assist at market rates with the data migration process. Once the data is migrated, your service agreement should require that all of your data will promptly be deleted in a manner precluding subsequent reconstruction of the data. The Cloud provider should certify the completion of the deletion. Some Cloud providers offer a service in which information in the Cloud is periodically replicated on a server located at your location or in a secure, third-party data center. Such arrangements not only provide additional confidence that data will not be lost but also facilitate the migration to a new system.

For more information contact Bryan T. Allen