Cloud computing: You can't outsource your compliance obligations

By Thomas J. Trappler, Computerworld

The other client, an institution of higher education, was investigating using a cloud service for a function involving student data. In such cases, the applicable regulation is the Family Educational Rights and Privacy Act (FERPA). FERPA is intended to protect the privacy of student education records by limiting how and to whom they can be disclosed. Under FERPA, the use of a cloud vendor can also be viewed as inappropriately disclosing information to a third party. One solution is to contractually identify the cloud vendor as a "school official" and state its obligation to ensure that data is handled in compliance with FERPA.

Other laws or external regulations that frequently come into play with the cloud include:

Gramm-Leach-Bliley (GLB) Act

Requires financial organizations to enter into contracts with third parties that they share their customer information with (including cloud vendors) to ensure that the third party handles that information securely. Executives of those financial organizations can be held personally liable for failure to do so.

Sarbanes-Oxley Act (SOX)

Defines specific security mandates and requirements for financial reporting to protect shareholders and the public from accounting errors and fraudulent practices. SOX dictates which records are to be stored and for how long and requires the data owner to know the location of the data in the cloud and to maintain control of it. Failure to comply can result in fines and/or imprisonment.

Payment Card Industry Data Security Standard (PCI DSS)

While not a law, PCI DSS applies to all organizations that hold, process or exchange credit card information and was created to provide increased controls around data to ensure that consumers are not exposed to potential financial or identity fraud and theft. If your organization needs to be able to process credit card payments, then it can be important to confirm that your cloud vendor complies with PCI DSS, and at what level.

These are just a few examples. Whatever the legal/regulatory compliance requirement, it's important that your contract obligate the cloud vendor to comply, and potentially include related details and/or instructions.

Originally published on Computerworld.