When it comes to privacy and security laws governing sensitive data, you don’t have to be a financial or health institution to have information that is subject to state and federal regulation. Almost every organization with employees stores some personally identifiable information.
Simply storing an employee’s name, email address and date of birth will be enough to trigger state regulation around access and disclosure of such information. For organizations handling information subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), it is even more important to understand the restrictions. Even after determining that such regulated information can be stored in the cloud, you still must make sure that the cloud provider will be HIPAA and/or GLBA compliant. For example, when deleting or disposing of information subject to HIPAA, the cloud provider must certify in writing that it was properly disposed. More importantly, upon receiving your organization’s protected health information, even if encrypted, the cloud provider will become a business associate under HIPAA. At a minimum, the cloud provider will need to sign a Business Associate Agreement, but you should conduct a thorough risk analysis to determine whether they can comply with the regulatory requirements for these types of information.
In Assessing Risk, Don’t Forget Your Proprietary Data and Intellectual Assets
Your organization may find several benefits in moving to cloud services, but before you sign up to transmit and store any of your data that is currently on premise, you should analyze your data’s sensitivity. Information relating to HIPAA or GLBA or other similar information that subjects your organization to a heightened security standard is clearly sensitive, but what about your organization’s intellectual property?
The trend for traditionally on-premise solutions to move to the cloud means that your organization’s trade secrets, unpatented inventions and other proprietary information may be stored in the cloud. This valuable information — especially trade secrets — requires protection when on-premise, so maintaining the security of such information is just as crucial when stored in the cloud. In considering whether to use a cloud application or storage solution for proprietary information, ask:
- What can your organization do to limit the potential disclosures of IP?
- What can the cloud provider do to protect your IP against outside threats?
While more than 25 percent of cybercriminals are IP spies, most IP breaches actually involve former or current employees, and the single biggest reason for IP breaches is the abuse of system access and privileges. Another prominent risk is employee negligence in handling an organization’s IP. With that in mind, the first step in protecting your IP in the cloud is to ensure that only certain people have access to confidential IP, by:
- Monitoring access for employees whose jobs require access.
- Ensuring ex-employees cannot access files, including files emailed to themselves.
- Implementing security policies and procedures to help employees avoid accidental disclosures (e.g., ensuring all files are encrypted, or reviewing your mobile device policies and procedures to ensure sensitive IP cannot be accessed).
The upside is that a reputable cloud provider may be in a better position to safeguard your information than your organization’s traditional network servers, so long as the provider employs suitable security practices. You may ask the cloud computing provider how it plans to control access rights and whether it will create a chain of custody for every person who may touch the intellectual property. If the cloud provider can provide an audit trail to monitor all access to your trade secrets and other sensitive and proprietary information, you may be able to preemptively stop an attack, or at least catch it early. With the right cloud computing provider and a solid contract clearly defining security measures, it’s possible that a cloud provider can keep your trade secrets and proprietary confidential information more secure than your own organization could, but you must be sure. Once a trade secret is discovered, it may be too late.
Customer and Vendor Contracts
Finally, don’t forget about your customer or vendor contracts. With the prevalence of cloud computing use and seemingly never-ending data breaches, many of your vendors or customers may prevent your organization from using cloud services to store or transmit their information. Additionally, vendors or customers may even require that you receive security guarantees or other specific representations from cloud vendors who are handling their information. You must know and understand your obligations to your existing suppliers and customers in order to negotiate a sound contract with a cloud provider, so do some due diligence before signing up.