Three Facts of Data Security Legislation for the Cloud

Over the last 2-3 years cloud computing has promised, and in many instances delivered, a lower total cost of ownership. This has helped organisations return the focus of operation to their core activities—reducing the effort spent on managing IT infrastructure and applications.

By utilising cloud services, organisations can demonstrate reduction in their global carbon footprint, and this, among other things, is pushed as one of the benefits of cloud computing.

As with every action, there is an equal and opposite reaction. Cloud computing is not without its shortcomings: vendor lock-in, lack of governance or oversight over the subscription of cloud services by the engaging organisation, the increased risk of regulatory non-compliance (e.g., SOX, PCI-DSS), and the contrasting compliance postures of cloud vendors all present risks that are unique to the cloud landscape.

Most recently, Hurricane Sandy demonstrated yet another risk, that of service availability, where IT services can be impacted by the use of cloud services in a remote geographic location.

None of these risks is discussed as much as privacy and security, and more specifically the nature and extent of government access to data in the cloud.

In my last article, “Think cloud, think Patriot Act”, we discussed how there is no cloud sourcing discussion that does not refer to the Patriot Act in some manner; it is assumed to be the big brother of all legislation, and everyone talks about it when considering cloud sourcing.

So here I present three facts pertinent to data security legislation for the cloud that I have used in discussions with technology executives and cloud naysayers. As none of the decision makers are experts in international law, I’ve resorted to fact-based discussions.

Fact 1 – The Patriot Act is not the only legislation that must be considered when sourcing cloud services from vendors based in the USA.

There are multiple other items that organisations are required to take into account, or at least consider, including the Foreign Intelligence Surveillance Act of 1978 (FISA) and National Security Letters (NSLs). NSLs are an extraordinary search procedure that gives the US Federal Bureau of Investigation (FBI) the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others. These entities are prohibited, or "gagged," from telling anyone about their receipt of the NSL, which makes oversight difficult.

Numerous provisions within U.S. law, through the Fourth Amendment of the U.S. Constitution and common principles derived from the International Covenant on Civil and Political Rights (ICCPR), prohibit cloud service organisations from voluntarily releasing customer data to government agencies in the absence of a formal legal request, so it’s not all doom and gloom.

Fact 2 – Multiple European data security and privacy laws end up being more stringent and intrusive than the Patriot Act.

Cloud services are not solely undertaken and supplied from within the USA; cloud suppliers service their customers globally from datacenters across the Americas, Europe and Asia. Discussion of data security legislation for the cloud and potential government access to cloud data should therefore not be singled out and focused on the provisions of the Patriot Act, as the plethora of privacy and data security legislation across major European countries, when combined, creates an environment that is far more restrictive.

The Hogan Lovells whitepaper “A Global Reality: Governmental Access to Data in the Cloud” provides a summary of these across 10 jurisdictions; however, I would highlight Germany and the UK as illustrative examples that demonstrate why we need to focus on multiple privacy and data security laws. They show why we need to make an informed decision about the location of the organisation’s data assets when signing up with a cloud services provider. In my view it’s more of the same: discussions should not be limited to just the Patriot Act.

In Germany, court orders and warrants can be obtained under the Telecommunications Act (Telekommunikationsgesetz, TKG) and the Data Protection Act (Bundesdatenschutzgesetz, or BDSG) to access data hosted and stored at a cloud service provider. Provisions within the Telecommunications Act derived from amendments to Article 10 of the Basic Law, known as the “G10 Act”, amongst others, restrict the telco provider from informing its customers that a request to access their cloud hosted data has been received. An interesting point to note here is that Article 13 of Germany's Basic Law recognises that judicially ordered search warrants will provide government access to cloud data.

In the United Kingdom, court orders and warrants can be obtained under the Intelligence Services Act 1994 and the Data Protection Act 1988 (DPA) for communications data which, for a cloud services provider, will be traffic, usage and customer data including, but not limited to, email services and storage services.

It really is more of the same: it does not matter whether your cloud service provider is in the USA, Germany or the United Kingdom; if state governments require access to cloud data, they will get it.

Fact 3 – All hope is not lost.

An important landmark for data security and privacy legislation was the amendment of the US Patriot Act National Security Letter (NSL) power under 18 U.S.C. 2709 Section 505, which was considered one of its most invasive provisions. These letters, served on communications service providers, allowed the FBI to demand data and internet activity without any meaningful oversight or prior judicial review. Recipients of NSLs are subject to a gag order preventing them from disclosing that the letter was ever issued.

However, contrary to popular belief, NSLs as an engine of the Patriot Act cannot be used to obtain access to the “content” of electronic records and documents stored on a cloud service provider’s servers. Note that the emphasis is on “content”, as the Electronic Communications Privacy Act (ECPA) prohibits the United States government from intercepting electronic data in transit or storage unless a judge determines that there exists probable cause to believe that the data will contain evidence of a federal crime, and that normal investigative procedures have been tried and failed.

As such, my understanding is that data stored with cloud service providers within the US cannot be accessed at will by governmental agencies. In addition, a recent ruling by a United States appeals court, “Suzlon Energy, Ltd. v. Microsoft Corp., ___F.3d __, 2011 WL 4537843 (U.S. Court of Appeals for the 9th Circuit 2011)”, confirmed that statutory protections extend to non-United States citizens for data physically maintained in the United States and stored in the cloud, which is relevant to the concerns of foreign countries and the data of their citizens.

Go figure.

My view is simply that if government agencies require access to your organisation’s data and it is hosted in the cloud, they will get it, PERIOD.

What you need to do is:

1. Carefully consult your terms of service with all cloud service providers to ensure that security, transparency and legal certainty are the key drivers supporting your cloud computing services.

2. Select a cloud provider that guarantees compliance with your own data protection legislation and with that of the country where the cloud service is based.

3. Understand and verify how the cloud services provider will guarantee the lawfulness of any cross-border international data transfers.

Outside of this, cloud is great.

Stories by Puneet Kukreja