Legal response to data breaches in the cloud
By Thomas J. Shaw, Esq., CIPP
Cloud computing, as it moves closer to being a public utility like power and water, will be defined mostly by the risks involved. These include data privacy risks. As is often the case with new IT services riding a marketing boom, the risks of cloud computing tend to be minimized by the marketers. Yet it is by understanding, assessing and managing those risks that confidence in cloud computing can expand significantly, for both organizational and personal users of the cloud. Given the increasing deployment of bring your own device (BYOD) into the corporate space, the prior distinctions between organizational and individual data and process are becoming blurred, and thus the cloud risk evaluation process should be applicable to all types of users.
When evaluating the risks of cloud computing, organizations and individuals (hereafter, cloud consumers) need to take a hard look at both themselves and their cloud service providers (CSPs). Cloud consumers first need to understand how they organize and manage their confidential data, which then provides a foundation for assessing their CSPs. A standard methodology can be used in evaluating the risks for both cloud consumers and CSPs, whether the outsourcing is to private clouds, hybrid clouds or public clouds and regardless of the service model(s) used. Cloud consumers will first need to understand all the types of cloud computing risk before being able to assess and manage the risk.
There are six major categories of cloud computing risk: legal, data protection, contracting, governance, verification and response. Legal risk comes from the totality of all legal obligations that an organization has from all cloud-related statutes it is subject to globally. Data protection risk involves the design, implementation and evaluation of safeguards by the cloud consumer and CSP to protect the privacy of data. Contracting risk is how well cloud consumers have legally protected themselves against undesirable cloud-related events. Governance risk looks at how interoperable data and process are and how portable they are to new CSPs. Verification risk comes from the comprehensiveness and quality of independent third-party assurances about the CSPs used. Response risk involves dealing with security-related incidents that impact the consumer’s data privacy, including data breaches.
Privacy issues arise under both data protection risk and response risk. The protections that safeguard the privacy of data are well understood and not new with cloud computing, although the cloud does reemphasize certain controls. For example, encryption is a must-have in the cloud computing world. Encryption must be deployed not only during transit from the cloud consumer to the CSP, but also while data is stored by the CSP on disk, in mirror sites, on backup tapes, etc., and, to the extent possible, while data is in use. Data protection risk has both a technical/process aspect and a legal aspect: complying with a burgeoning number of provisions in laws globally, which may be general (e.g., a reasonableness standard) or specific (e.g., requiring information security policies).
Similarly, response risk to a cloud data breach has both technical/process and legal aspects, plus an added dimension. The technical/process response includes how to identify that a security incident has occurred; how to quarantine the intrusion, repair infected systems and restore affected data; and how to undertake reviews and remediations to prevent recurrence. The added dimension is the business/reputational response, which tries to limit the impact on the entity’s financial viability, revenue loss and the diminishing of trademarks and brand names. The legal response requires that organizations comply with a variety of statutory and regulatory requirements for notification, for getting law enforcement and regulators involved and for imaging or safeguarding potential evidence.
There are many different data breach notification laws globally, often part of the local privacy laws, and their number is growing. It is important to remember that when cloud consumers enter the cloud, they have by default become global players, meaning that they will likely be subject to the data privacy laws of more than one country. In Europe, the e-Privacy Directive requires EU member states to implement local legislation obliging service providers responsible for hosting and transmitting consumers’ data to notify the appropriate national authorities in the event of a data breach. If consumers’ data is breached and the breach could have a negative impact on the consumers, the consumers must then also be notified.
While there is as yet no general federal data breach notification requirement in the United States, there are sector-specific regulations in healthcare and financial services for the reporting of data breaches. Also, there are general data breach notification laws in almost every state. These laws typically require notification to consumers if their data is breached, thereby exposing them to a risk of harm. This is most typically the case when the data is personally identifiable information or financial information that is stored in an unencrypted format. What may vary between the different state statutes is the type of information that must be reported, to whom it must be reported, and when it must be reported. These laws are constantly changing; several U.S. states, e.g., Connecticut and Vermont, have recently revised their data breach statutory requirements.
In the Asia-Pacific region, there are both voluntary guidelines and industry-specific requirements to report breaches. For example, Australia has no general data breach statute, but the government has issued voluntary guidelines. In Hong Kong, the proposed changes to the local privacy ordinance will make the breach notification process voluntary, but the government has promulgated guidelines and templates in advance of those changes. Japan has industry-sector regulations regarding data breach notification. In Taiwan and South Korea, newer revisions to privacy laws require data breach notifications. In China, local versions of data breach laws complement national breach notice regulations on service providers.
The legal response to a data breach when data is outsourced to the cloud essentially comes down to answering a series of questions:
- What data breach notification and privacy laws are implicated by a data breach at a CSP, given that the data servers and consumers may be situated in disparate countries around the world?
- Who is responsible for reporting a data breach, the CSP or the cloud consumer?
- When must the breach be reported—immediately, after an investigation or perhaps never?
- To whom must the breach be reported: the local data protection authorities, industry regulators, local and/or international law enforcement (e.g., Interpol or Department of Justice agencies), and/or the data owners or their data custodians, if outsourced?
- In what circumstances must the data breach be reported, such as when a certain number of records or a certain type of sensitive data was breached or when criminal activity is suspected?
- What types of information must be reported?
- How does the CSP know, in a virtual-resource multitenant cloud environment, which cloud consumer’s data has been breached?
- What type of evidence must be saved for future criminal investigations or civil litigation (e.g., network and system logs or data/system images), and how can this be done in a multitenant cloud environment?
Example guidance from the Hong Kong government provides some insight into part of the legal response. It suggests that the data custodian first gather information, including when and where the breach occurred, how it was detected, the cause, what type of personal data was affected and the number of data subjects potentially impacted. It advises notifying data subjects when the “real risk of harm is reasonably foreseeable.” For the breach notification itself, it suggests including the date and time of the breach and of its discovery, the cause of the breach, the personal data breached, the potential risks of harm, the remedial measures taken to ensure no further data loss, a contact person and number, the law enforcement or other agencies notified, what is being done to assist affected consumers, and what the consumers can do themselves to mitigate the risk of harm, such as identity theft and financial fraud.
With data breaches, all cloud consumers should take the approach that the question is not if they will happen but when—and will I be ready? Much like the events covered by business continuity plans, but with even less certainty as to timing, data breaches can and do occur, including to some of the best-known brand names and organizations, even those with a strong public Internet security profile. CSPs, by centralizing cloud consumers’ data, are a target for bad actors, so cloud consumers should create and test a robust response plan to use when a data breach occurs and the privacy of their cloud-based data is compromised. This plan should address all three areas of cloud data breach response explained above, including the legal aspects. Only then can cloud consumers confidently expand their footprint in the cloud.
Thomas J. Shaw, Esq., CIPP, is an attorney at law, CPA, CRISC, CIP, CISM, ERMP, CISA, CGEIT and CCSK, focusing on cloud computing, global information and Internet law, governance, risk and compliance. He speaks and writes frequently on these topics and runs CloudRisk Asia, which assesses risk for organizations and cloud service providers. Shaw is the author of Cloud Computing for Lawyers and Executives: A Global Approach, and Children and the Internet: A Global Guide for Lawyers and Parents, and lead author/editor of Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists. He is also editor of the ABA’s Information Security and Privacy News and the EDDE Journal.