Cloud Computing: You Can't Outsource Your Compliance Obligations
When it comes to moving functions to the cloud, there's no such thing as being too thorough.
Say you've got an application that's been running in-house but is now nearing end of life. You find a cloud service that can achieve the same result. You evaluate the vendor's infrastructure and security mechanisms, processes and procedures and determine that they're sufficient to meet your needs. You're looking forward to outsourcing this to the cloud and relieving yourself of all the associated responsibilities. It's all smooth sailing ahead, right?
Maybe, but unfortunately, there's one more thing: You can't outsource your compliance obligations to a cloud vendor.
If you move a function to the cloud that's governed by legal or regulatory requirements and later your company falls out of compliance due to an error on the cloud vendor's part, the law won't go after the vendor--it will come after you. So you need to ensure that the cloud vendor can fully comply on your behalf.
What kinds of laws might apply in a cloud scenario? Two recent clients of my "Contracting for Cloud Computing Services" seminar offer good examples.
The first is in the healthcare industry and was contemplating using a cloud service that would involve personal health information. Of course, such information is covered by the Health Insurance Portability and Accountability Act (HIPAA), which mandates standard practices to ensure security, confidentiality and data integrity for healthcare-related data. Under HIPAA, the use of a cloud service is viewed as disclosing information to a third party. Any cloud vendor that handles your organization's HIPAA information should be subject to a business associates contract, under which the vendor essentially affirms that it will handle the data in compliance with HIPAA.
The other client, an institution of higher education, was investigating using a cloud service for a function involving student data. In such cases, the applicable regulation is the Family Educational Rights and Privacy Act (FERPA). FERPA is intended to protect the privacy of student education records by limiting how and to whom they can be disclosed. Under FERPA, the use of a cloud vendor can also be viewed as inappropriately disclosing information to a third party. One solution is to contractually identify the cloud vendor as a "school official" and state its obligation to ensure that data is handled in compliance with FERPA.
Other laws or external regulations that frequently come into play with the cloud include:
Requires financial organizations to enter into contracts with third parties that they share their customer information with (including cloud vendors) to ensure that the third party handles that information securely. Executives of those financial organizations can be held personally liable for failure to do so.
Defines specific security mandates and requirements for financial reporting to protect shareholders and the public from accounting errors and fraudulent practices. SOX dictates which records are to be stored and for how long and requires the data owner to know the location of the data in the cloud and to maintain control of it. Failure to comply can result in fines and/or imprisonment.
While not a law, PCI DSS applies to all organizations that hold, process or exchange credit card information and was created to provide increased controls around data to ensure that consumers are not exposed to potential financial or identity fraud and theft. If your organization needs to be able to process credit card payments, then it can be important to confirm that your cloud vendor complies with PCI DSS, and at what level.
These are just a few examples. Whatever the legal/regulatory compliance requirement, it's important that your contract obligate the cloud vendor to comply, and potentially include related details and/or instructions.
Technology and laws continuously evolve, but technology tends to do so at a much more rapid pace. The result is that laws have a difficult time staying current and pertinent. Though you may have initially done an effective job at capturing any compliance requirements in the contract, it's important to track any subsequent technical and legal changes and their impact on your use of the cloud service and the vendor's continued compliance. To ensure that your contract remains current relative to pertinent laws, it's important to review things at least once a year and potentially update to reflect any pertinent changes.
Thomas Trappler was recently named a "Cloud Luminary" by CA Technologies, along with Vivek Kundra, Nicholas Carr, Timothy Chou and others. Computerworld congratulates him for receiving this honor. Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.
Read more about cloud computing in Computerworld's Cloud Computing Topic Center.