Reproduced with permission from BNA's Privacy & Security Law Report, 10 PVLR 1317 (Sep. 12, 2011). Copyright 2011 by The Bureau of National Affairs, Inc. (800.372.1033)
Businesses seeking operating cost reductions by moving to the cloud face increased privacy and security risks, the authors warn, providing tips on how companies can help address those risks through the contracting process with cloud computing services providers.
Businesses are being driven by the recession to take advantage of cost-effective technologies such as cloud computing, despite the growing danger to the privacy and security of stored information in shared environments. In this article, we will explore the world of cloud computing, the increased risk to the privacy and security of data, and how such risks can be addressed through the contracting process with providers of cloud computing services.
What Is Cloud Computing?
The National Institute of Standards and Technology defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or vendor interaction.”1 The general concept is that any computer connected to the “cloud” may be connected to a pool of computer servers, applications, storage, and files to facilitate sharing of resources and costs among many users.2
Cloud computing has been around for more than 30 years in various forms of data center shared services but has become popular due to the growing need for a scalable, cost-efficient model. Cloud computing has shifted processing and other resources from the user's computer to a remote location. This shared services model can range from hosting, software as a service, outsourcing of technology, to virtualization of the computer environment. As a result, businesses benefit from cost savings and take advantage of technologies that were otherwise unavailable due to their cost and complexity.
There are two basic structures of a cloud—a private cloud and a public cloud.3 The private cloud refers to a localized data architecture of servers and storage area network (SAN) hardware where the company's IT department maintains managerial control over the cloud and, accordingly, the security of the data processed and stored in the cloud. In a public cloud, the servers and SAN hardware are managed by a third-party vendor, but the company's IT department continues to manage the user's software applications. In a public cloud, users access resources on a self-service basis over the Internet via Web applications that are hosted off-site by the vendor. Since security is jointly managed by the IT department and the vendor, businesses should carefully consider the security risks of handing information to a third party in a public cloud.
Privacy and Security Risk
Any organization that desires to employ cloud computing should balance the potential cost savings against the increased risk to the privacy and security of the organization's data, which can often be its most valuable asset.
Some of the challenges to operating in the cloud include: (i) interfaces to the network are publicly available and vulnerable to hacking; (ii) sensitive information of different organizations is often stored on common servers; (iii) multiple parties in different locations may provide cloud services and have access to the data; and (iv) rules for data protection and data breaches may be inconsistent across geographic regions, which makes compliance difficult.4
The following impacts on security compliance should also be considered: (i) encryption becomes more necessary with cloud computing; (ii) identity management becomes more complicated; (iii) vulnerability testing and penetration testing may no longer be practical; (iv) destruction of all copies of data may be difficult to verify; and (v) security controls, incident management procedures and business continuity plans must be synchronized between the organization and the vendor.
Data breaches are increasing; the Privacy Rights Clearinghouse has reported data breaches of more than 500 million records since 2005.5 Hackers are particularly motivated to penetrate the cloud because data from thousands of companies can be stored on large cloud servers, meaning hackers have more to gain through one single attack.6 In a survey report released June 6, 2011, 43 percent of companies with 500 or more employees experienced security lapses in their cloud computing use over the last 12 months.7 The 1,200 respondents surveyed were purchase decision makers or key influencers for cloud computing services, server virtualization and/or virtual desktop infrastructure. Forty percent of the respondents indicated that their IT security requirements were not being met by their current cloud providers/offerings. In addition, half of the respondents indicated that the concern over cloud data security is a “key reason holding back our adoption of cloud technologies,” and 85 percent said they encrypt all data sent to the cloud.
Regulation and Enforcement
The U.S. Federal Trade Commission (FTC) has broad authority under Section 5 of the Federal Trade Commission Act (the Act) to bring actions against companies that engage in unfair or deceptive information practices.8 Pursuant to Section 5, Christopher Soghoian filed a complaint (the Complaint) with the FTC on May 11, 2011 against Dropbox, Inc., a San Francisco-based provider of “cloud” backup, sync and file sharing services, alleging that Dropbox made deceptive statements to consumers regarding the extent to which it protects and encrypts data, which rose to the level of a deceptive trade practice subject to review by the FTC.9 For example, Dropbox indicated to Web site visitors “Your files are always safe” and told consumers elsewhere on its Web site that “Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military to send and store your data.” The Complaint alleged that these statements were false and misleading to consumers.
In the Complaint, Mr. Soghoian explained that Dropbox did not utilize best practices with respect to storage and management of encryption keys. Instead of encrypting user data with a key known only to each user, Dropbox allowed its employees access to the keys used to decrypt data and did not inform consumers about this practice. Since competitors of Dropbox did encrypt data with keys known only to the users, which increased the operating costs of those companies, Dropbox received an unfair competitive advantage. Further, if Dropbox had disclosed its practices, consumers might have opted to protect their data using one of the competing cloud vendors. As such, the Complaint urged the FTC to enjoin Dropbox's deceptive practices, notify the 25 million existing customers by e-mail of its encryption processes and offer refunds to anyone who felt they were misled.
In addition to the FTC, state and federal legislation regarding data breaches imposes substantial criminal and civil penalties. For example, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) can impose civil monetary penalties of $100-$50,000 per violation (annual aggregate of $1.5 million) in the event of a security breach, and criminal penalties including imprisonment up to 10 years.10 State attorneys general have the authority to bring civil actions on behalf of residents of the state, and some states allow private rights of action.
Companies that offer cloud computing services often make broad claims in marketing materials regarding the safety and security of data stored on their servers. Given the scope of the FTC's Section 5 powers as evidenced by the Dropbox Complaint and other enforcement regimes, it would be prudent for these companies to review such materials and conform their statements to clearly and accurately reflect their security practices.
Cost of a Security Breach
Businesses must be mindful of the increased risk and cost of security breaches. According to the annual U.S. Cost of Data Breach Study (the Breach Study) published by the Ponemon Institute, an organization that conducts independent research on consumer trust, privacy, data protection, and emerging data security technologies, the average total per-incident cost of a data breach was $6.75 million in 2009 and is steadily increasing.11 The cost calculation took into consideration outlays for detection, escalation, notification and response, as well as legal and investigative expenses, customer defections, opportunity loss, reputation management, and costs associated with information hotlines and credit monitoring subscriptions. Cloud computing requires a heavy dependency on third parties, and it is these third parties who cause 34 percent of the data breaches.12
In addition to the cost of a breach response, mitigation, and remediation of the security incident, reputational harm to the customer can be significant. The risk of entrusting core data assets to a third party outside of a customer's control can be reduced by de-identifying data, mandating a security assessment of the third party and establishing security and data protection policies for the third party to follow. Insurance specifically covering privacy and security losses should be obtained by the customer and cloud computing vendor.
Addressing Risks Through Contract
In light of the extremely high costs associated with a breach of security, and the increased risk of breach in a cloud computing environment, businesses need to take contractual steps to allocate a portion of the risk to the cloud computing services provider. A customer must understand what exactly is being provided by the cloud computing vendor. The scope of the cloud computing services will impact the respective responsibilities of the vendor and the customer. This contractual clarity is especially important given that most cloud computing vendors believe security of data is the customer's responsibility, not theirs. The Ponemon Institute notes that less than 10 percent of such vendors' operational resources are allocated to security and most vendors do not have confidence that they are meeting customers' security requirements.13 The contracting department should work closely with the IT department to identify the company's specific requirements and incorporate appropriate provisions to ensure the company's needs are met.14
A customer should consider incorporating the following key concepts in its contract with the cloud computing vendor:15
Beyond the above matters related to the data and technology, customers should be sure to include the following risk mitigation provisions in any agreement with cloud-computing vendors:
Despite the convenience and cost savings associated with cloud computing, operating in the cloud may mean that the company is giving up control over its data to a third-party vendor, which drastically increases the risk to the privacy and security of the organization's data. Cloud computing customers are urged to make sure that their agreements with cloud computing vendors are clear as to the expectations and needs of the customer, along with the steps such vendors will take to safeguard companies' data, and include appropriate risk mitigation/shifting provisions.
1 Attorneys Advised to Learn Tech Basics Before Advising on Cloud Service Contracts, Privacy & Sec. L. Rep. (BNA) No. 10, at 637 (Apr. 25, 2011) [hereinafter Attorneys Advised] (10 PVLR 637, 4/25/11).
3 See Attorneys Advised, supra note 1.
4 Information and Security, A Practical Guide for Global Executives, Lawyers and Technologists 279-83 (Thomas J. Shaw ed., 2011) [hereinafter Information and Security].
5 See Privacy Rights Clearinghouse, 500 Million Sensitive Records Breached Since 2005 (Aug. 26, 2010), http://www.privacyrights.org/500-million-records-breached.
6 Firms Wary of Moving to Cloud, L.A. Times, June 17, 2011.
7 TrendMicro, Cloud Security Survey Global Executive Summary (June 5, 2011), http://us.trendmicro.com/imperia/md/content/us/trendwatch/cloud/global_cloud_survey_exec_summary_final.pdf.
8 Fed. Trade Comm'n, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 2010), http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.
10 45 C.F.R. § 160.400, et seq.
13 Ponemon Institute, Security of Cloud Computing Providers Study (April 2011).
14 See Attorneys Advised, supra note 1.
15 See Information and Security, supra note 4.
16 See Amer. Inst. of CPAs, Service Organization Control Reports, http://www.aicpa.org/soc (last visited Sept. 7, 2011).
17 See Information and Security, supra note 4.
18 See Attorneys Advised, supra note 1.
Sharon R. Klein and Tabitha Rainey Sullivan