The Cloud – What does it mean for privacy?


This is a very tricky and complex subject. As IT professionals, we don’t normally think about things like privacy, confidentiality, legal requirements, auditing, and so on. We aren’t lawyers, we’re technologists. Unfortunately, this topic is something we need to become familiar with, and fast.

The cloud. It’s a term we’re hearing more and more in our everyday lives. First, we need to define the cloud. The term can cover anything from a private cloud within the office (think virtualization or network storage) to full-fledged applications and services hosted and delivered over the internet. For the purpose of this discussion, we’ll assume that ‘the cloud’ means a hosted service or application residing on the internet, delivered by a third party.

Privacy. Sure, we all know the stories of the NSA and all that. But this isn’t about that; this is about the legal requirements for your clients and their information. The legal requirements can vary depending on where you’re physically located, so make sure that you check into your area’s local legislation. For us in our area, there are some straightforward rules regarding privacy of information:

  • Breach disclosure: If your digital systems are compromised and you know that your internal customer / individual information was leaked, you must inform all potentially affected entities.
  • Privacy of records: You are responsible for ensuring that your internal customer / individual records are kept compliant with local legislation, regardless of where you might be storing data.
  • Liability: You are liable for ensuring compliance with privacy legislation, even if a third party is deemed at fault for a loss.

There are many more rules of course, but these three are big ones for us IT professionals.

Firstly, breach disclosure. If a breach happens and a client has to inform all of the customers / individuals that they deal with, this could be a huge disaster for them. In some cases, it can and has bankrupted companies. In the best case scenario, it becomes a huge embarrassment. This could cost you your support contract. Think about this: what if the breach happened at the online, third party CRM that your client is using? The breach may have had nothing to do with the systems and network you personally administer. Yet, the breach will still wind up being on your shoulders.

Secondly, privacy of records. Some organizations, like NGOs, have confidential records such as medical, employment, legal, etc. Depending on the type of information, this data might be governed under additional privacy regulations, as compared to a standard business. For example, say your client uses a cloud storage service based in the United States. The Patriot Act in the United States gives law enforcement agencies some sweeping powers in regards to surveillance and the legal right to look at private information. If that cloud storage service, hosted in the United States, were subject to such action, it is possible that private information could be seen. This would violate our local legislation, since United States law enforcement is not deemed to be authorized law enforcement here (we’re in Canada). Essentially, because the American authorities looked at the data, there has now been a breach of law, even though the Americans were fully within their rights in their own jurisdiction. This presents a HUGE grey area for the courts. Legislation has often not been drafted with these situations in mind (remember, services like cloud storage didn’t exist as they do today as little as 10 years ago). When making recommendations for services like cloud storage, you need to ensure that they will comply with your local laws.

Thirdly, liability. Just like the point above, imagine you’re using a hosted cloud storage service. Imagine that service gets compromised by malicious users. Is this your fault? No. Did you deploy and administer the security systems on that cloud service? No. Are you still liable for the loss of private information? You bet. Your clients will still be liable for any information lost. If the information lost belonged to your client’s customers, those customers can then take action against your client. This becomes another huge legal mess, but it is important to note: your clients are still liable for the information. It is their decision whether to put it in the cloud or not.

I could go on and on about this topic and the potential implications it has for you and your clients. Suffice it to say, you need to understand your local area’s legislation when it comes to the topic of privacy and responsibility. Don’t get caught learning it after something bad has happened.

Author

Martin Lehner

Martin Lehner is a technology professional working for an IT services firm in Whitehorse, Yukon (Canada). He has been working in the technology field for over a decade. With a degree in Business Admin and numerous industry certifications, Martin leads a team of IT professionals that provide third party support for clients. Originally starting a company to offer web development services, Martin quickly realized that clients wanted the entire spectrum of technology services. When Martin is not at work (which is not often, since his company offers 24/7 support), he is busy at home spending time with his family.
