If a breach of security happens in the cloud and no customer is around to hear it, does it make a sound? A silly question perhaps, but it is often surprisingly complicated to ensure that an enterprise will be promptly informed by a cloud provider in the event of a cloud data breach.
Since 2002, most U.S. states and territories have required companies that suffer a breach of security to promptly notify individuals whose unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. In general, the law applies only to certain limited categories of personal information, and then only if the information was kept in an unencrypted form.
In California, for example, California Civil Code Sections 1798.29 and 1798.82 limit this disclosure requirement to the loss of individuals' first name or initial and last name in combination with one or more of the following data elements: Social Security number; driver's license number or ID card number; account number, credit card number or debit card number (in combination with any security code or password); medical information; or health insurance information ("regulated information").
The obligation applies both to the entity that "owns or licenses computerized data" (i.e., generally, the company that collected the information from the individual) and the entity that "maintains the computerized information" (e.g., the service provider that hosts or processes the data on behalf of its customer). In the former case, the entity must provide the notice to the individuals with whom it has a direct relationship. In the latter case, the service provider must inform its customers (usually the entity that has the direct relationship with the individuals, or possibly another service provider), who, in turn, would inform the individuals with whom they have a direct vendor-to-client relationship.
Companies that rely on cloud computing services to process files containing unencrypted personal information also have an obligation to ensure that, in the event of a cloud data breach that affects this information, they will be able to promptly inform the affected individuals of the breach.
A June 2013 survey of the "terms and conditions of services" published by some of the major cloud service providers, including Amazon, Box.com, Google, Microsoft and Salesforce.com, provides little comfort and many uncertainties when it comes to cloud data breach notification. None of these cloud providers' websites contains a commitment that the company will inform its customers of the occurrence of a security breach.
Cloud providers have a litany of reasons why this is the case, including stipulations in their terms stating that certain categories of personal information shouldn't be uploaded to their cloud, but customers are still stuck wondering how to securely store personal information in the cloud.
So, how should cloud customers go about ensuring they are notified of security breaches in cloud environments? Here are some options to consider:
Data evaluation: Before uploading data to the cloud, identify the categories of data that will be hosted or processed in the cloud, and then determine whether these data categories are subject to various security breach disclosure laws. If some data is within the scope of a security breach disclosure requirement, reconsider sending this data to the cloud.
Technical capabilities: If, despite the caution above, you still want to take advantage of the cloud, evaluate whether encryption might be a workable solution for you. Strong encryption may protect data from unauthorized access, copying, modification or other attacks on the integrity and security of the data. A vital question for enterprises to answer is whether encryption can be used through all phases of a cloud deployment. Companies must understand the limitations of encryption, including cases where encryption is not possible or not sufficient to adequately protect data.
Cloud provider dialogue: Just because a cloud provider displays a master services agreement on its website does not mean that these are the only terms available. Reach out to the proposed cloud service provider and explain that your company wishes to upload personal information to its cloud environment, and then ask for the services it offers in connection with the disclosure of security breaches affecting regulated information. Perhaps surprisingly to some, a cloud provider representative may provide better terms, including a provision for the disclosure of security breaches. Be prepared, however, to see the price for the services increase because the cloud provider would be accepting an additional liability when compared to the published terms and conditions.
Negotiate satisfactory contract provisions: If the proposed cloud provider is willing to host regulated information and provide the required disclosures, be sure to negotiate appropriate contract provisions that address issues such as defining precisely what constitutes a breach of security; what the breach response strategy will be; when and how the cloud provider will make the disclosure to the customer; how and by whom the security breach will be investigated; the roles and authority of the respective parties in the investigation; who will be responsible for the cost of notifying the individuals; who will pay for the professionals or experts participating in the cleanup and for the forensic analysis; and who will arrange and/or pay for the cost of the credit monitoring services that might be needed to reduce the risk of identity theft. Additional contractual provisions might include representations and warranties regarding the use of specific security measures; the existence and maintenance of an incident response plan; indemnification of the customer in case of a security breach; limitation of liability of the service provider; and a requirement to purchase insurance coverage.
More than 10 years after the first Security Breach Disclosure Act was passed, it is not possible to ignore that certain categories of data require greater protection than others, that the loss or compromise of such data must be properly disclosed to the affected parties and that other disclosures (e.g., to the relevant State Attorneys General) must be made in a timely fashion. A company that expects to upload files containing personal information to the cloud should inform its cloud provider of the sensitive nature of the data to be uploaded and obtain proper, detailed information regarding how, when and whether the cloud service provider would notify the company of the occurrence and effect of a security breach.
In the absence of a satisfactory answer, an enterprise should negotiate a better deal, change business models or find a cloud provider willing to make the necessary commitment under reasonable terms.
About the author:
Francoise Gilbert focuses on information privacy and security, cloud computing and data governance. She is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She has been named one of the country's top privacy advisors in a recent industry survey and, for several years, has been recognized by Chambers USA and Best Lawyers in America, among others, as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy and Security Law, which analyzes the data protection laws of 65 countries on all continents. She serves on the Technical Board of Advisors of the ALI-CLE and co-chairs the PLI Privacy and Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.