Laura Marion – HospitalityLawyer.com
Worldwide Legal, Safety & Security Solutions

Cloud Computing Crash Course: Safety First
https://pre.hospitalitylawyer.com/cloud-computing-crash-course-safety-first/
Sat, 21 Oct 2017 23:58:10 +0000

When it comes to privacy and security laws governing sensitive data, you don’t have to be a financial or health institution to have information that is subject to state and federal regulation. Almost every organization with employees stores some personally identifiable information.

Simply storing an employee’s name, email address and date of birth will be enough to trigger state regulation around access and disclosure of such information. For organizations handling information subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), it is even more important to understand the restrictions. Even after determining that such regulated information can be stored in the cloud, you still must make sure that the cloud provider will be HIPAA and/or GLBA compliant. For example, when deleting or disposing of information subject to HIPAA, the cloud provider must certify in writing that it was properly disposed of. More importantly, upon receiving your organization’s protected health information, even if encrypted, the cloud provider will become a business associate under HIPAA. At a minimum, the cloud provider will need to sign a Business Associate Agreement, but you should conduct a thorough risk analysis to determine whether they can comply with the regulatory requirements for these types of information.

In Assessing Risk, Don’t Forget Your Proprietary Data and Intellectual Assets

Your organization may find several benefits in moving to cloud services, but before you sign up to transmit and store any of your data that is currently on premise, you should analyze your data’s sensitivity. Information relating to HIPAA or GLBA or other similar information that subjects your organization to a heightened security standard is clearly sensitive, but what about your organization’s intellectual property?

The trend for traditionally on-premise solutions to move to the cloud means that your organization’s trade secrets, unpatented inventions and other proprietary information may be stored in the cloud. This valuable information — especially trade secrets — requires protection when on-premise, so maintaining the security of such information is just as crucial when stored in the cloud. In considering whether to use a cloud application or storage solution for proprietary information, ask:

  • What can your organization do to limit the potential disclosures of IP?
  • What can the cloud provider do to protect your IP against outside threats?

While more than 25 percent of cybercriminals are IP spies, most IP breaches actually involve former or current employees, and the single biggest reason for IP breaches is the abuse of system access and privileges. Another prominent risk is employee negligence in handling an organization’s IP. With that in mind, the first step in protecting your IP in the cloud is to ensure that only certain people have access to confidential IP, by:

  • Monitoring access for employees whose jobs require access.
  • Ensuring ex-employees cannot access files, including files emailed to themselves.
  • Implementing security policies and procedures to help employees avoid accidental disclosures (e.g., ensuring all files are encrypted, or reviewing your mobile device policies and procedures to ensure sensitive IP cannot be accessed).

The upside is that a reputable cloud provider may be in a better position to safeguard your information than your organization’s traditional network servers, so long as the provider employs suitable security practices. You may ask the cloud computing provider how it plans to control access rights and whether it will create a chain of custody for every person who may touch the intellectual property. If the cloud provider can provide an audit trail to monitor all access to your trade secrets and other sensitive and proprietary information, you may be able to preemptively stop an attack, or at least catch it early. With the right cloud computing provider and a solid contract clearly defining security measures, it’s possible that a cloud provider can keep your trade secrets and proprietary confidential information more secure than your own organization could, but you must be sure. Once a trade secret is discovered, it may be too late.

Customer and Vendor Contracts

Finally, don’t forget about your customer or vendor contracts. With the prevalence of cloud computing use and seemingly never-ending data breaches, many of your vendors or customers may prevent your organization from using cloud services to store or transmit their information. Additionally, vendors or customers may even require that you receive security guarantees or other specific representations from cloud vendors who are handling their information. You must know and understand your obligations to your existing suppliers and customers in order to negotiate a sound contract with a cloud provider, so do some due diligence before signing up.

Cloud Computing Crash Course: Location, Location, Location
https://pre.hospitalitylawyer.com/cloud-computing-crash-course-location-location-location/
Sat, 14 Oct 2017 20:14:28 +0000

Cloud computing is the practice of enlisting a “cloud provider” to deliver data, applications and storage to users through the internet, which allows each user to share the computing resource and forego some on-premise technology. Cloud computing is generally categorized into three buckets. The cloud provider may:

  1. Host applications, thereby eliminating the need to install and run applications on users’ own computers or data centers (known as Software-as-a-Service, or SaaS).
  2. Host the hardware and software on its own infrastructure, thereby eliminating the need to install in-house hardware and software needed to develop or run a new application (known as Platform-as-a-Service or PaaS).
  3. Provide virtualized computing resources, thereby eliminating the need to install and run hardware, software, servers, storage or other infrastructure in the user’s own facility (known as Infrastructure-as-a-Service or IaaS).

Knowing Where Your Data is Stored is Mission-Critical

Don’t let the term “cloud” fool you into thinking that the information is not in a specific location. It is, and it’s important to know the exact geographic location of the server where your data will be stored, including any back-up locations.

First, your legal obligations relating to the information can completely change according to the geographic location of where your information is stored. For example, if the cloud provider sends your organization’s personally identifiable information (PII) to a server in the European Union, you will be subject to the ultra-strict privacy rules of the General Data Protection Regulation (GDPR), set to take effect in May 2018.

Second, your information may not be as secure if the privacy and security laws in the server’s location are not as protective as in the United States. Servers in India, for example, are subject to India’s Information Technology Act, which allows the Indian government to intercept and demand decryption of information with serious fines and/or imprisonment for non-compliance.

Third, with some countries’ data localization laws, you may be required to store certain information within a specific country, and you may be prevented from exporting it out of that country. Russia’s localization law, for example, requires a multinational organization to host data concerning Russian citizens only on a server in Russia, which may mean creating a new data center in Russia.

Depending on the type of information you are sharing, you may also have to comply with U.S. export control regulations. This is an especially important contract consideration for information relating to items classified as “dual use,” or technology with encryption functionalities that are subject to Export Administration Regulations. Storage of such information outside the United States may lead to serious sanctions if required licenses are not obtained.

Finally, in the event of a data breach, U.S. and foreign law enforcement agencies have broad rights to obtain subpoenas to information stored in the cloud. However, rules surrounding a data breach vary from country to country and even state to state — some states, for example, exempt organizations from disclosing a data breach if the data is encrypted, and the encryption key was not exposed.

Conclusion

While cloud computing offers many benefits to organizations, it also introduces its own legal obligations and risks, many of which are tied closely to the geographic location of the stored data. As such, organizations must work proactively to understand the particular data privacy regulations applicable to their cloud computing arrangement. This due diligence will help organizations determine if they should engage with a cloud vendor or continue to store their data on-site.


Thomas J. Posey, Partner
Faegre Baker Daniels LLP
311 S. Wacker Drive, Suite 4300
Chicago, IL 60606, USA
Main: (312) 212-5500
Direct: (312) 212-2338
Email: thomas.posey@faegrebd.com
