February 26, 2009, 2:24 PM — Companies looking to reduce their IT costs and complexity by tapping into cloud computing services should first make sure that they won't be stepping on any privacy land mines in the process, according to a report released this week by the World Privacy Forum.
The report runs counter to comments made last week at an IDC cloud computing forum, where speakers described concerns about data security in cloud environments as overblown and "emotional." But the World Privacy Forum contends that while cloud-based application services offer benefits to companies, they also raise several issues that could pose significant risks to data privacy and confidentiality.
"There are a whole lot of companies out there that are not thinking about privacy" when they consider cloud computing, said Pam Dixon, executive director of the Cardiff, Calif.-based privacy advocacy group. "You shouldn't be putting consumer data in the cloud until you've done a thorough [privacy] review."
According to the World Privacy Forum's report (download PDF), the data stored in cloud-based systems includes customer records, tax and financial data, e-mails, health records, word processing documents, spreadsheets and PowerPoint presentations. The list of potential privacy issues cited in the report include the following:
Breaking the rules. Organizations could find themselves on the wrong side of privacy regulations if they aren't careful, the report said. For example, a federal agency that uses a cloud service to host personal data may be in violation of the Privacy Act of 1974, especially if it doesn't have provisions for protecting the data in its contract with the cloud provider, according to the report. In addition, it said, federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.
Similarly, the privacy rules in federal laws such as HIPAA and the Gramm-Leach-Bliley Act restrict companies from disclosing personal health care or financial data to nonaffiliated third parties unless specific contractual arrangements have been put in place, the report said. In another example, it noted that IRS rules prohibit tax preparers from using third parties such as cloud service providers to host returns. "Companies could be loading data into the cloud illegally without their knowing it," Dixon said.
Surprises in the fine print. Companies need to understand that the data-disclosure terms and conditions set by cloud vendors and the storage and access rights they include in contracts can have a significant effect on privacy, the report claimed. And the privacy risks can be magnified, Dixon said, if a cloud vendor retains the ability to change its terms and policies at will. Users should make sure, she added, that they're protected against attempts by cloud providers to access or use data for any secondary purposes -- for instance, using personal health information to deliver targeted marketing messages to consumers.
Lost protections. Storing data on cloud-based systems and accessing it via the Internet could have an impact on any legal protections afforded to the data, according to the report. For instance, it claimed that trade secrets and privileged lawyer-client information may not have the same level of protections when hosted on third-party servers as they do when stored internally.
Open doors on data. The report said that government agencies as well as parties involved in legal disputes may be able to more readily obtain data from a third party than from the owner of the information. For instance, laws such as the USA Patriot Act and the Electronic Communications Privacy Act give the federal government authority to compel disclosure of records held by cloud vendors, the report maintained, adding that many of the vendors are likely to have less incentive to resist such requests than the actual data owners do.
Location counts. The location of a cloud provider's operations may have a significant bearing on the privacy laws that apply to the data it hosts, the report said. It added that companies should examine whether laws such as the European Union's Data Protection Directive could be applied to data that is stored by a cloud vendor in Europe, even if the information is being kept there on behalf of a U.S. company.
In addition, companies should have plans in place for protecting their data in the event that a cloud provider is bought by another vendor or declares bankruptcy, the report warned. A change in ownership could result in new terms and conditions or a change in where data is kept, it said. Similarly, a bankruptcy filing could force a cloud provider to sell its assets, which might end up including the data of its customers, according to the report.
David Hobson, managing director of Global Secure Systems Ltd., a U.K-based security vendor and consulting firm, agreed that companies storing data in the cloud need to have a full understanding of the information and the confidentiality requirements attached to it.
"The minute you outsource the data, you are opening yourself up to potential problems," Hobson said. Often, a company may not even know exactly where its data will be stored, Hobson said, noting that the information sometimes can end up in multiple locations, each of which may be subject to different privacy requirements.
Businesses also should do due diligence on hosting companies and make sure that the data security and privacy practices in cloud environments are at least as good as their own are, Hobson said. And it's important to know the kind of business continuity and disaster recovery measures that cloud providers have in place, and their policies for dealing with data breaches, according to Hobson. It's easy for users who are intent on cutting costs via cloud computing to overlook such issues, he said, but he thinks privacy protections need to be spelled out in contracts.
On the other hand, Jeff Kalwerisky, chief security evangelist at Burlington, Mass.-based Alpha Software Inc. and a former executive at Accenture Ltd.'s risk management consulting practice, said that while some of the privacy concerns are valid, technology fixes are available for many of them.
For instance, encrypting data, both while it's stored on a cloud vendor's servers and being transmitted to end users, mitigates some of the privacy risks associated with accidental or malicious exposure of the information, Kalwerisky said. In addition, implementing a two-factor authentication scheme for controlling access to data hosted by a cloud vendor will ensure that only users who have legitimate access to the data will be able to see it, according to Kalwerisky.
"You've got to think about some of these things carefully," he said. "But if you do all of it right, and you do all of it upfront, there isn't a heck of a lot of difference whether you [store data] yourself or if a cloud provider does it."
"It's not that there's anything sinister going on with cloud computing," Gellman said. "But information may be at risk for disclosure or uses that you didn't anticipate, and that may have legal consequences for you."