President Obama Issues Cybersecurity Executive Order

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 


PCI Council Releases PCI-DSS Cloud Computing Guidelines

On February 7, 2013, the Payment Card Industry (PCI) Council released a supplement to the Payment Card Industry Data Security Standard (PCI DSS) on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environments.  The supplement is intended to assist merchants, service providers, assessors, and other entities in evaluating the use of cloud computing in the context of PCI DSS.

The supplement considers “cloud computing” to mean a model for enabling on-demand network access to a shared pool of computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.  Both cloud computing users and cloud service providers (CSPs) have compliance responsibilities under the supplement that depend on a number of variables, including (1) the purpose for which the client is using the cloud service, (2) the scope of PCI DSS requirements that the client is outsourcing to the CSP, (3) the services and system components that the CSP has validated within its own operations, (4) the service option that the client has selected to engage the CSP (Infrastructure as a Service, Platform as a Service, or Security as a Service), and (5) the scope of any additional services the CSP is providing to proactively manage the client’s compliance. 

The supplement provides cloud-related considerations for each of the PCI-DSS standards and allocates responsibility for each consideration between the user and CSP depending on the specific service option.  There are a number of compliance challenges associated with the use of cloud computing, such as the lack of visibility into CSPs’ security infrastructure and oversight of cardholder data storage, and the supplement provides guidance for addressing those challenges within the context of the user-CSP relationship.

FFIEC Issues Risk Management Guidance for Cloud Computing

On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing.  The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”  The guidance also considers cloud computing to be a form of outsourcing subject to the risk management requirements set forth in the FFIEC Information Technology Examination Handbook for Outsourcing Technology Services.


Mass. Data Security Regulation Governing Service Provider Contracts Takes Effect Soon

As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.)

Among other things, those regulations—most of which took effect in March 2010—require companies to implement a written information security program containing certain elements, including a requirement that personal information be encrypted when transmitted wirelessly or across public networks, and when stored on portable computing devices (including laptops).  The regulations also require companies to take “reasonable steps” when selecting a service provider to ensure that the provider is capable of maintaining appropriate measures for the protection of personal information.

To be clear, the service provider contract provision has been in effect since March 2010 for all contracts entered into after that date.  But the provision contains a grandfather clause that exempted pre-March 2010 contracts from the requirement.  This exemption expires on March 1, 2012.

NIST Issues Guidelines on Public Cloud Security, Privacy

The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on the provider’s shared equipment rather than on the organization’s own servers.

The new NIST security guidelines do not recommend any particular services, providers, or service models; instead, the guidelines highlight the steps organizations should take and the issues they should consider when evaluating any public cloud service.


Planned Virtualized ATMs Highlight Potential Security Benefits of Cloud

Companies considering moving to the cloud sometimes are cautioned that heightened data security risks pose a potential drawback to cloud computing.  And it is certainly correct that before making a decision about whether and how to adopt cloud-based computing, companies should carefully consider the security practices of potential cloud service providers or build security into their internally-developed cloud system.  However, a recent announcement from Diebold that it is developing cloud-based automatic teller machines (ATMs) provides a reminder that local-based computing and storage can pose its own security risks, which sometimes may outweigh those in the cloud.

Diebold is developing ATMs that will both store data remotely and run software from the cloud.  Diebold describes the system it is developing as “virtualized” ATMs, and its CTO stated that the company believes no other ATM manufacturer has yet deployed fully cloud-based ATMs.  Despite physical and software security measures, ATMs are unusually vulnerable both because they are by necessity publicly accessible and because the financial data they process is especially valuable for fraud and identity theft.  Of course, ATMs also store money, and as InformationWeek reports, thieves in some countries have stolen entire ATMs, raising the risk that they will access not only the cash contained in the device but also any locally-stored data.

Given the unusual risks, it is perhaps not surprising that Diebold is developing cloud-based ATMs.  In particular, Diebold’s move highlights the risks involved in local computing and storage where the storing computers are readily accessible or contain especially valuable data.  Companies facing such circumstances or others that render local storage risky may contemplate a shift toward cloud computing, but in doing so should be sure to account for security in choosing a cloud service provider or developing their own cloud systems, in order to avoid simply replacing old risks with new ones.

NIST Releases Draft Roadmap for the U.S. Government's Implementation of Cloud Technology

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released for public comment a draft roadmap for implementing cloud computing technology across U.S. government agencies.  The roadmap is intended to foster adoption of cloud computing by federal agencies, reduce uncertainty surrounding cloud computing by improving the information available to policymakers, and facilitate the further development of the cloud computing model.  The deadline for comments is December 2, 2011. 

The roadmap is composed of three volumes.  Volume I establishes priorities for implementation and provides a general understanding and overview of the background, purpose, and next steps for the U.S. government’s cloud computing initiatives.  Volume II is a technical reference guide for people actively working on cloud computing initiatives, while Volume III is intended for policymakers who are implementing cloud computing solutions.  Volume I identifies ten requirements that must be satisfied in order for cloud computing initiatives to be implemented, including international interoperability, portability, and security standards; defined government regulatory requirements, technology gaps, and solutions; and defined and implemented reliability design goals.

Privacy and Security Requirements for Handling Government Records Under Scrutiny

Government agencies maintain large quantities of information about individuals, covering everything from physical description to the person’s family life, property, political activity, employment history, criminal records, and health condition.  In light of a recent finding that reports of information-security incidents at federal agencies have increased more than 650 percent over the past five years, it is unsurprising that data-handling requirements for government entities and contractors are a subject of ongoing concern.  A roundup of recent developments:

  • A recent General Services Administration (“GSA”) cloud computing procurement solicitation attempted to address data security concerns by limiting the foreign countries where vendors’ servers could be located, but this requirement was rejected on October 17 as unduly restrictive.  Noting that the GSA had failed to explain its basis for differentiating between acceptable and unacceptable locations, the Government Accountability Office (“GAO”) recommended that the solicitation be revised to reflect the agency’s actual needs. 
  • On October 18, Sen. Daniel Akaka (D-HI) introduced the Privacy Act Modernization for the Information Age Act of 2011 to strengthen privacy protections for government records.  Among other things, the bill would create a federal chief privacy officer position, update penalties for violating the Privacy Act, and establish a centralized website for information about records maintained by individual agencies. 


The Swedish DPA Issues Guidelines on the Provision and Use of Cloud Services

Recently, the Swedish Data Protection Authority ("DPA") published a review of the use of cloud services, informed by the practices of three Swedish municipalities' use of services from leading cloud providers.  Based on the study, the DPA has published guidelines (currently only available in Swedish) that clarify the requirements of Swedish data protection law with regard to cloud services. They contain a checklist that organizations using the cloud to provide services of their own should follow to ensure compliance. The guidelines stress the importance of negotiating contractual provisions that reflect the personal data processing practices of cloud providers, so that data controllers outsourcing to the cloud can ensure these are in line with their intentions. In summary, the Swedish DPA asserts that while it is possible for organizations to outsource processing of personal data to the cloud, it is under no circumstances possible for them to renounce responsibility for the manner in which personal data is processed.

This initiative follows decisions by other European DPAs, earlier this year, to reject the use of cloud services by public authorities because of security risks. In February 2011, The Danish DPA rejected the Municipality of Odense's planned use of Google's cloud computing services within schools. More recently, on September 29, 2011, the German federal and state DPAs issued a resolution on cloud computing and compliance with data protection law. In their statement, they urge cloud service customers to use cloud services only if they are in a position to fulfil their obligations as data controllers and have verified that the appropriate data security requirements are in place.

ECPA Turns 25 -- Legislators, Industry Groups Call for Reform

As the Electronic Communications Privacy Act (ECPA) turns 25 years old this week, calls are increasing for an update to bring this aging law into the age of cloud computing.  Senators Ron Wyden (D-Ore.) and Mark Kirk (R-Ill.) this week joined with the Digital Due Process Coalition to call for significant revisions of the law, which establishes standards for law enforcement access to electronic communications and associated data.  The Digital Due Process Coalition is composed of a diverse group of companies, associations, and privacy advocates that includes Apple, Amazon, Facebook, Microsoft, the Center for Democracy and Technology, EFF, and a number of notable academics in the field of Internet law.  The group’s guiding principles would require law enforcement to:

  • Obtain a search warrant before compelling a service provider to disclose a user’s private communications or documents stored online;
  • Obtain a search warrant before tracking the location of a cell phone or other mobile communications device;
  • Obtain a court order based on demonstrating relevance to an authorized criminal investigation, before obtaining transactional data in real time about when and with whom an individual communicates using e-mail, instant messaging, text messaging, the telephone, or any other communications technology;
  • Obtain a court order based on demonstrating relevance to an authorized criminal investigation, before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect.

Most law enforcement, industry, and consumer advocates would concede that ECPA, which was passed before the Internet was widely available, is outdated.  Efforts to modernize the law have been made repeatedly, particularly in 1998 and 2000.  ECPA sets inconsistent and increasingly irrational standards over the life of electronic content.  For example, access to an email may depend on whether it is stored by the service provider or on a local computer, and whether it has been opened by its recipient.  An electronic document may be protected by the Fourth Amendment when stored locally, but potentially available to law enforcement without a warrant if stored in the cloud.

But differences in views with respect to how the law should be updated have complicated the legislative process.  The Department of Justice (DOJ), concerned that lawmakers may revise ECPA in a way that hinders prosecutors in expediently obtaining digital data to assist in investigations, supports only clarifications in the law that would reflect the DOJ’s interpretation of the current law.  However, Senators Wyden and Kirk, along with Representative Jason Chaffetz (R-Utah) in the House, have introduced legislation consistent with the Digital Due Process Coalition’s goals.  A similar bill was introduced by Senate Judiciary Chairman Patrick Leahy (D-Vt.) earlier this year.  Senator Leahy noted today during a floor speech that he is aiming to mark up the bill “before the end of the calendar year.”

USA PATRIOT Act and the Use of Cloud Services

By David Fagan and Alex Berengaut

Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data.  In this regard, one of the principal privacy-based concerns raised in connection with US cloud-based services is that the use of such services will afford the US government greater access to the enterprise customer’s data, including in particular under the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001” (also known as the USA PATRIOT Act or Patriot Act).  However, this concern—which has been prevalent in connection with EU enterprises’ and government’s use of cloud services—is often based on a misunderstanding of the Patriot Act and the law governing government access to data both in the United States and abroad.

Contrary to many popular descriptions of it, the Patriot Act was not itself a vehicle for the US government to access user data, but rather a compilation of amendments to pre-existing federal statutes.  The amendments, for example, authorized the US government to apply to terrorism matters certain investigative tools that it previously was authorized to use to fight organized crime; enhanced the US government’s authorities to investigate foreign intelligence surveillance activity to encompass activities of terrorist organizations and other clandestine intelligence activities directed at the US; and expanded authorities to combat international money laundering and financing of terrorism.

Thus, the Patriot Act did not create the underlying authorities for the US government to access online data.  Rather, those authorities already existed in various criminal statutes and procedures, and they remain subject to the protections of existing law and the US judicial system.  

The Patriot Act also did not create or extend the jurisdictional reach of the United States.  Long before the Patriot Act was enacted, US courts held that a company with a presence in the United States was obligated to respond to a valid demand for information from the US government – regardless of the location of that information – so long as the company retained “possession, custody or control” of the data.  This legal principle, which is not dissimilar to the approach followed by some EU Member States (whose rules permit law enforcement to exercise jurisdiction over data that is “accessible” in-country), has long required companies that have contacts with or a presence in the US to comply with lawful US government requests for information – including EU companies and their data held in the EU.

Another misconception is that an EU enterprise’s use of US-based cloud services will impair the enterprise’s ability to comply with the EU Data Protection Directive.  If the US-based provider certifies and complies with the EU-US Safe Harbor Agreement and makes appropriate contractual commitments as mandated by the Directive to the EU enterprise, the EU enterprise would be in essentially the same position, from a compliance perspective, as if it stored data in-house.

We have addressed these and other items related to whether and how the use of cloud services implicates the USA PATRIOT Act and compliance with the EU Data Protection Directive further in the question and answer document found here.


Cloud Outages Highlight Contractual Risk

By Christine Enemark

To some customers of computing storage, processing and online services, the “cloud” seems no different from the traditional information technology services they have used for years.  Amazon’s cloud computing outage last week, and the associated downtime and data loss suffered by a number of Internet web sites, highlights how public cloud computing services are different – and how the contracts for those services are different, too.  Here are just three ways that typical cloud contracts may not be adequate to protect a customer’s interests in the cloud.

No Quality of Service Commitment.  Cloud computing is becoming a commoditized service, provided like a public utility.  Contracts for public cloud services are often presented to customers as non-negotiable, take-it-or-leave-it agreements.  For many customers, the cost benefits of cloud services may seem to outweigh the legal costs associated with negotiating a specific service agreement.  But typically, cloud service contracts include no commitments regarding quality of service, uptime, security, or other key factors that customers have come to expect from traditional IT providers.  In the case of an outage, then, customers may have no contractual recourse against the cloud provider, even for catastrophic data loss.

No Security and Back-Up Services.  Most IT contracts include detailed provisions, with an allocation of responsibility, for data protection, data back-up, and disaster recovery.  Not so in most cloud computing contracts.  In the cloud, the customer is usually ultimately responsible for basic security, such as encryption, to protect critical data.  Yet cloud customers may not realize that certain services they use are in the cloud, and that the data provided in these services is unprotected.  Similarly, customers do not necessarily get commitments from cloud providers on data back-up to protect critical information and systems in the event of a network outage or other service failure.  The cloud may be an easy resource for customers who need to provide their own redundancy – a customer can use one service provider as a primary service, and another for data back-up.  (Of course, this only works if one service provider is not simply reselling cloud services provided by the other – due diligence is important.)  But in general, each customer is ultimately responsible for protecting its own critical data.  It cannot blindly assume the cloud provider is securing, or protecting, its data.

No Audit Rights.  The cloud, and its inherent efficiencies for data storage and processing, makes any audit to evaluate and verify system operations difficult.  The cloud allocates spare processing and data capacity to wherever it is needed, whenever it is needed.  This elasticity creates the impression that computing resources are infinite, and infinitely available.  But customers will not know at any particular time where their data is actually physically located.  Certainly, this creates regulatory risk of which any customer using the cloud to store and process sensitive data (personally identifiable information, credit card information, health information) must be aware.  But separately, the very benefits of the cloud make it difficult for customers to examine whether the service they have purchased is really working the way it ought to be working.

At a minimum, last week’s Amazon outage should encourage cloud customers to reexamine the commercial terms on which they purchase cloud services, and to rethink what terms they can live with in the cloud.

Observations from Cloud Discussions

I’ve recently had the opportunity to participate in or moderate several panels on cloud computing, addressing issues such as governance, security, privacy, and legal liability.  

One issue that frequently comes up is whether cloud computing is really new or different.  That depends on how you look at it.  As a legal matter, the model itself is not that different.  You can view it as another form of outsourcing, which is hardly new.  Or, you can draw the analogy to per-seat software licensing for enterprises, which is also not new.  What is new and different, however, is both the elasticity (the use of cloud can be scaled up or down with ease) and the volume of data that it can involve -- and it’s really that volume that makes the subject so interesting and that raises many of the questions most often discussed in connection with cloud computing. 

Another question that frequently comes up is how companies should approach using the cloud and addressing the complex jurisdictional issues that can arise as data freely crosses borders.  These are hard issues with no silver bullet solutions.  But the questions underscore the importance of approaching the issue holistically and taking a principled approach to the cloud.   The first order of business should be to take a look internally and ask whether your organization has a clear, principled, and coherent way for addressing these myriad issues -- privacy, security, responding to law enforcement requests -- in the use of cloud computing services.  For example, on the issue of law enforcement requests (for those businesses that receive them), businesses will be far better off if they take the time, really examine their practices, and develop principles and guidelines for how they will deal with requests globally.

There is another potential benefit to taking such a principled approach on privacy and security issues, too.  It is quite possible that the business “winners” in the cloud will be those that offer the best products and services and compete on things that matter to customers, including security and privacy.  Customers care about how their data will be protected.  For users to make informed evaluations and decisions, however, they need to have some baseline information – which requires some degree of transparency around privacy practices, at least a general description around security, and information on where the data will be stored.  The most successful businesses are likely to be those that are best able to engage with customers and communicate their core principles, values, and practices.

Epsilon Data Breach Highlights Security Challenges in the Cloud

Email marketing company Epsilon announced last week that its databases had been hacked, compromising customer names and e-mail addresses for a number of major companies that outsource their marketing communications to Epsilon.

The Epsilon data breach illustrates some of the security challenges when dealing with cloud computing environments.  Although there are security risks associated with any outsourcing solution, the potential effect of a breach is magnified in a multi-tenant cloud.  Only 2% of Epsilon’s estimated 2,500 clients were affected by the attack, and that still amounted to millions of exposed records.  According to one estimate, the total number of affected individuals could be as high as 100 million. 

Dave Frankland of Forrester Research observes that this incident may cause companies to question whether a multi-tenant deployment model is the best way to process customer data, given that a single breach can give a perpetrator access to a wealth of data. 


Towards a European Cloud Computing Strategy

Following on from ENISA's recent report on cloud computing in government, Commissioner Neelie Kroes set out some further thoughts on a European Cloud Computing Strategy last week at Davos.  In an encouraging sign for cloud providers and European industry more broadly, Commissioner Kroes spoke positively about the need to ensure that effective data protection and the EU's Single Market do not clash with cloud computing, and her wish to make Europe "not just 'cloud-friendly' but 'cloud-active'."  To help achieve these goals, Commissioner Kroes indicated that her strategy would cover three broad areas: the legal framework regarding data protection and privacy; technical and commercial fundamentals, including research, security and technical standards; and the market, e.g., support for pilot projects aiming at cloud deployment.  Commissioner Kroes will be inviting cloud providers and cloud users to Brussels "for a series of intense consultations" in the spring.

Implications of the FTC Report and DOC Green Paper for IT Contracts

We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  We have also published client alerts on the FTC report and the DOC green paper.  In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.  

My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners. 

The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations.  As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider. 

The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance.  In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider.  IT contracts also need to require that the provider comply with the customer’s policies on FIPPs. 


Governmental Cloud in the EU - New ENISA Report

Hot on the heels of its report on data breach notifications in the EU, the EU's cyber security agency, ENISA, published yesterday a new report on cloud computing in government.  The report is targeted at senior managers of public bodies who are considering cloud computing platforms and services, and it aims to highlight the pros and cons of different cloud models with regard to information security and resilience.  The report summarizes relevant legal and regulatory considerations, and bases its analysis and conclusions on the examples of a healthcare authority and a local public administration migrating to the cloud, and the creation of a governmental cloud infrastructure.

The report acknowledges that cloud computing has the potential to offer public administrations substantial benefits and improvements over current IT provisioning, such as increased availability and reliability, stronger security and better value.  However, the report recommends private and community clouds over public clouds, and ultimately urges European governments to adopt a staged approach in integrating cloud computing into their operations.

EU Plans Revisions to Data Retention Directive

EU Home Affairs Commissioner Cecilia Malmström announced that the European Commission will propose amendments to the Data Retention Directive (2006/24/EC) following publication of an evaluation report on the Directive early next year.  Under the Directive, Member States must ensure that providers of publicly available electronic communications services or public communications networks retain certain traffic data on communications for a period of six months to two years.  Such data should ensure that authorities can determine the date, time, duration, source and destination of each communication, and the service and equipment used including the location of mobile devices.

