Three Facts of Data Security Legislation for the Cloud
- — 19 December, 2012 12:49
Over the last 2-3 years cloud computing has promised, and in many instances delivered, a lower total cost of ownership. This has helped organisations return the focus of operation to their core activities—reducing the effort spent on managing IT infrastructure and applications.
By utilising cloud services, organisations can demonstrate reduction in their global carbon footprint, and this, among other things, is pushed as one of the benefits of cloud computing.
As to every action there is always an equal and opposite reaction. Cloud computing is not without its shortcomings, be it vendor lock in, lack of governance or oversight over the subscription of cloud services by the engaging organisation, the increased risk to regulatory non-compliance (e.g., SOX, PCI-DSS), or the contrasting compliance posture of cloud vendors—all present risks that are unique to the cloud landscape.
Most recently, hurricane Sandy demonstrated yet another risk, the risk of service availability, where IT services could be impacted by the use of cloud in a remote geographic location.
None of these risks get talked about as much as the constant discussion around privacy and security, and more specifically, the nature and extent of government’s access to data in the Cloud.
In my last article “Think cloud, think Patriot Act” we discussed how there is no cloud sourcing discussion that does not refer to the Patriot Act in some manner, it is assumed to be the big brother of all legislation, and that everyone talks about it when considering cloud sourcing.
So here I present three facts pertinent to data security legislation for the cloud that I have used in discussions with technology executives and cloud naysayers. As none of the decision makers are experts in international law, I’ve resorted to fact based discussions.
Fact 1 – The Patriot Act is not the only legislation that is required to be considered when sourcing Cloud services from vendors based in the USA.
There are multiple other items that organisations are required to take into account, or at least consider: Foreign Intelligence Surveillance Act of 1978 (FISA) and the National Security Letters (NSLs). NSLs are an extraordinary search procedure that gives the US Federal Bureau of Investigation (FBI) the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others. These entities are prohibited, or "gagged," from telling anyone about their receipt of the NSL, which makes oversight difficult.
There are numerous provisions within U.S. law through The Fourth Amendment of the U.S. Constitution and common principles derived from the International Covenant on Civil and Political Rights (ICCPR), which prohibit cloud service organisations voluntarily releasing customer data to government agencies in the absence of a formal legal request, hence it’s not all doom and gloom.
Fact 2 – Multiple European Data Security and Privacy Legislations end up being more stringent and intrusive than the Patriot Act.
Cloud services are not solely undertaken and supplied from within the USA, cloud suppliers’ service their customers globally from datacenters across the Americas, Europe and Asia, thus discussion on data security legislation for cloud and potential government access to cloud data should not be singled out and focused on the provisions within the Patriot Act, as a plethora of privacy and data security legislation across major European countries, when combined together, create an environment that is far more restrictive.
Hogan Lovells Whitepaper on “A Global Reality: Governmental Access to Data in the Cloud” provides a summary of these across 10 jurisdictions, however I would highlight Germany and the UK as an illustrative example that demonstrates why we need to focus on multiple privacy and data security legislations. It shows why we need to make an informed decision about the location of the organisation’s data assets when signing up with a cloud services provider. In my view it’s more of the same, discussions should not be limited to just the Patriot Act.
In Germany, court orders and warrants can be obtained under the Telecommunications Act (Telekommunikationsgesetz, TKG) and the Data Protection Act (Bundesdatenschutzgesetz, or BDSG) to access data hosted and stored at a cloud service provider. Provisions within the Telecommunication Act derived from amendments in Article 10 of the Basic Law known as “G10 Act”, amongst others, restrict the Telco provider from informing its customers that a request to access their cloud hosted data has been received. An interesting point to note here is that Article 13 of Germany's Basic Law recognises that judicially ordered search warrants will provide government access to cloud data.
In the United Kingdom court orders and warrants can be obtained under the Intelligence Services Act (1994), Data Protection Act 1988 (DPA) for communications data which, for a cloud services provider will be traffic, usage, and customer data including, but not limited to, email services and storage services.
It really is more of the same. USA, Germany or the UK, it does not really matter if your cloud service provider is in the USA, Germany or the United Kingdom, if state governments require access to cloud data, they will get it.
Fact 3 – All hope is not lost.
An important landmark for data security and privacy legislation was the amendment of the US Patriot Act National Security Letter (NSL) power under 18 U.S.C. 2709 Section 505 which was considered one of the most invasive. These letters served to communications service providers allowed the FBI to demand data and internet activity without any meaningful oversight or prior judicial review. Recipients of NSLs are subject to a gag order preventing the recipient of the letter from disclosing that the letter was ever issued.
However, contrary to popular belief, NSLs as an engine of the Patriot Act cannot be used to obtain access to the “content” of electronic records and documents stored on a cloud service provider’s servers. Note emphasis is on "content”, as the Electronic Communications Privacy Act (ECPA) prohibits the United States government from intercepting electronic data in transit or storage unless a judge determines that there exists probable cause to believe that the data will contain evidence of a federal crime, and that normal investigative procedures have been tried and failed.
As such my understanding is that data stored with cloud service providers within the US cannot be accessed at will by governmental agencies, in addition, a recent ruling by a United States appeals court “Suzlon Energy, Ltd. v. Microsoft Corp., ___F.3d __, 2011 WL 4537843 (U.S. Court of Appeals for the 9th Circuit 2011)” confirmed that statutory protections are extended to non-United States citizens for data physically maintained in the United States and stored in the cloud, which is relevant to the concerns of foreign countries and the data of their citizens.
My view is simply that if government agencies require access to your organisation’s data and it is hosted in the cloud, they will get it, PERIOD.
What you need to do is:
1. Carefully consult your terms of service with all cloud service providers to ensure that security, transparency and legal certainty are the key drivers supporting your cloud computing services.
2. Select a cloud provider that guarantees compliance with your own and the data protection legislation of the country where the cloud service is based.
3. Understand and verify how the cloud services provider will guarantee the lawfulness of any cross-border international data transfers.
Outside of this cloud is great.