What is the cloud computing security environment in 2020?
As the years pass, new technology trends keep emerging in the digital market, but one thing always remains the same: the need to ensure the security of your personal data. With cloud computing, companies are leveraging the benefits of re-engineering their technology stack. Meanwhile, cloud service providers must be able to demonstrate a high level of security and compliance expertise in a regulated environment.
Following my previous article on this subject, I decided to prepare an updated overview of the security laws and regulations governing the cloud computing environment in 2020.
Clarifying Lawful Overseas Use of Data Act (CLOUD Act) – enacted in March 2018
Because no territorial boundaries exist on the Internet, US privacy laws needed to be modernized to reflect this reality, as well as the increased use of cloud computing services.
Under the CLOUD Act, all US cloud service providers should provide US authorities with access to any data stored on their servers upon request, including data stored abroad. This law received a lot of criticism, mainly because of its wide scope of application, which circumvents other countries’ laws regarding privacy and information protection.
General Data Protection Regulation (GDPR) – enacted in April 2016
GDPR can have a significant effect on the operations of US companies that collect, process, and store the personal data of EU residents.
Any cloud service provider that is subject to the GDPR legal requirements has the obligation to appoint a data protection officer and will be liable for all fines and penalties. Beware: penalties for non-compliance and data breaches can be as high as €20 million or 4% of worldwide annual turnover, whichever is higher.
Health Insurance Portability and Accountability Act (HIPAA) – enacted in August 1996
Under HIPAA’s Privacy Rule, a company may not use or disclose protected health information (PHI) except as permitted or required by the Rule, or as authorized in writing by the affected individual.
A cloud provider can store records containing PHI in a cloud computing facility. However, that is permitted only after entering into a business associate agreement with the HIPAA-covered entity. Beware of the potential conflicts that might arise between HIPAA’s substantive requirements and the cloud provider’s own terms of service.
The Gramm-Leach-Bliley Act (GLBA) – enacted in November 1999
The GLBA’s Privacy and Safeguards Rules restrict financial institutions from disclosing individuals’ non-public personal data to non-affiliated third parties.
Cloud providers must enter into a contract with the financial institution to get access to customers’ personal data. Under this contract, the information may be used only to carry out the purposes for which it was disclosed.
Family Educational Rights and Privacy Act (FERPA) – enacted in November 1974
Under FERPA, educational institutions need the students’ consent before disclosing their personal data, such as their grades or enrollment status.
The use of cloud computing solutions to host education records is not prohibited under FERPA. However, the cloud provider must demonstrate that it can ensure the security of the students’ personal information.
As a US cloud service provider, you should make sure you are legally compliant with all the relevant laws. It is always a good idea to hire a legal expert to help you better understand your risks and obligations.
Are you compliant with all these laws and regulations governing the cloud computing environment? Do you find it challenging to be a cloud service provider in such a regulated environment? Share your thoughts in the comments section below!