Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Category Archives: Cloud Computing

ISO’s New Cloud Privacy Standard

Posted in Cloud Computing, Data Security, European Union, International

This summer, the International Standards Organization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud — ISO 27018.  Although this recent development has gone mostly unnoticed by the technology and media press to date, the new cloud standard provides a useful privacy compliance framework for cloud services providers that… Continue Reading

President Obama Issues Cybersecurity Executive Order

Posted in Cloud Computing, Cybersecurity, Department of Commerce, Financial Institutions, United States

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why… Continue Reading

PCI Council Releases PCI-DSS Cloud Computing Guidelines

Posted in Cloud Computing, Financial Privacy, United States

On February 7, 2013, the Payment Card Industry (PCI) council released a supplement to the payment card industry data security standards (PCI-DSS) on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environments.  The supplement is intended for merchants, service providers, assessors, and other entities in evaluating the use of cloud… Continue Reading

Rep. Lofgren Introduces Legislation to Update ECPA

Posted in Cloud Computing, Congress

Last Friday, Rep. Zoe Lofgren (D-CA) introduced the ECPA 2.0 Act, H.R. 6529, which would strengthen the legal standards for law enforcement to gain access to electronic communications and location information.  The Electronic Communications Privacy Act (ECPA) is more than 25 years old and is widely seen as needing modernization to address changes in digital… Continue Reading

FFIEC Issues Risk Management Guidance for Cloud Computing

Posted in Cloud Computing, Data Security, Financial Institutions, Financial Privacy, United States

On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing.  The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”  The guidance also… Continue Reading

Article 29 Working Party Publishes an Opinion on Cloud Computing

Posted in Cloud Computing, European Union

On July 1st, 2012, the Article 29 Working Party (WP29), a group consisting of data protection authorities of all EU Member States, adopted a long-awaited opinion on cloud computing.  While acknowledging the advantages of cloud computing, the opinion sets out a number of data protection issues that may arise from the wide-scale deployment of cloud… Continue Reading

Mass. Data Security Regulation Governing Service Provider Contracts Takes Effect Soon

Posted in Cloud Computing, Data Security, United States

As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.) Among other things, those regulations—most of which took effect in… Continue Reading

NIST Issues Guidelines on Public Cloud Security, Privacy

Posted in Cloud Computing, Data Security, Department of Commerce, United States

The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on… Continue Reading

Planned Virtualized ATMs Highlight Potential Security Benefits of Cloud

Posted in Cloud Computing, Data Security

Companies considering moving to the cloud sometimes are cautioned that heightened data security risks pose a potential drawback to cloud computing.  And it is certainly correct that before making a decision about whether and how to adopt cloud-based computing, companies should carefully consider the security practices of potential cloud service providers or build security into… Continue Reading

NIST Releases Draft Roadmap for the U.S. Government’s Implementation of Cloud Technology

Posted in Cloud Computing, Department of Commerce, United States

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released for public comment a draft roadmap for implementing cloud computing technology across U.S. government agencies.  The roadmap is intended to foster adoption of cloud computing by federal agencies, reduce uncertainty surrounding cloud computing by improving the information available to policymakers, and facilitate… Continue Reading

Privacy and Security Requirements for Handling Government Records Under Scrutiny

Posted in Cloud Computing, Congress, United States

Government agencies maintain large quantities of information about individuals, covering everything from physical description to the person’s family life, property, political activity, employment history, criminal records, and health condition.  In light of a recent finding that reports of information-security incidents at federal agencies have increased more than 650 percent over the past five years,… Continue Reading

The Swedish DPA Issues Guidelines on the Provision and Use of Cloud Services

Posted in Cloud Computing, European Union, International

Recently, the Swedish Data Protection Authority (“DPA”) published a review of the use of cloud services, informed by the practices of three Swedish municipalities’ use of services from leading cloud providers.  Based on the study, the DPA has published guidelines (currently only available in Swedish) that clarify the requirements of Swedish data protection law with… Continue Reading

USA PATRIOT Act and the Use of Cloud Services

Posted in Cloud Computing

By David Fagan and Alex Berengaut

Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data.  In this regard, one of the principal privacy-based concerns raised in connection… Continue Reading

Cloud Outages Highlight Contractual Risk

Posted in Cloud Computing

By Christine Enemark

To some customers of computing storage, processing and online services, the “cloud” seems no different from the traditional information technology services they have used for years.  Amazon’s cloud computing outage last week, and the associated downtime and data loss suffered by a number of Internet web sites, highlights how public cloud computing… Continue Reading

Observations from Cloud Discussions

Posted in Cloud Computing, Data Security

I’ve recently had the opportunity to participate in or moderate several panels on cloud computing, addressing issues such as governance, security, privacy, and legal liability.   One issue that frequently comes up is whether cloud computing is really new or different.  That depends on how you look at it.  As a legal matter, the model itself… Continue Reading

Epsilon Data Breach Highlights Security Challenges in the Cloud

Posted in Cloud Computing, Congress, Data Breaches, Data Security

Email marketing company Epsilon announced last week that its databases had been hacked, compromising customer names and e-mail addresses for a number of major companies that outsource their marketing communications to Epsilon. The Epsilon data breach illustrates some of the security challenges when dealing with cloud computing environments.  Although there are security risks associated with… Continue Reading

Towards a European Cloud Computing Strategy

Posted in Cloud Computing, European Union, International

Following on from ENISA’s recent report on cloud computing in government, Commissioner Neelie Kroes set out some further thoughts on a European Cloud Computing Strategy last week at Davos.  In an encouraging sign for cloud providers and European industry more broadly, Commissioner Kroes spoke positively about the need to ensure that effective data protection and the EU’s Single… Continue Reading

Implications of the FTC Report and DOC Green Paper for IT Contracts

Posted in Cloud Computing, Congress, Data Security, Federal Trade Commission, Sourcing, Technology Transactions, United States

We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  We have also published client alerts on the FTC report and the DOC green paper. … Continue Reading

Governmental Cloud in the EU – New ENISA Report

Posted in Cloud Computing, Data Security, European Union, Health Privacy, International

Hot on the heels of its report on data breach notifications in the EU, the EU’s cyber security regulator, ENISA, published yesterday a new report on cloud computing in the government.  The report is targeted at senior managers of public bodies who are considering cloud computing platforms and services, and it aims to highlight the… Continue Reading

EU Plans Revisions to Data Retention Directive

Posted in Cloud Computing, European Union, International

EU Home Affairs Commissioner Cecilia Malmström announced that the European Commission will propose amendments to the Data Retention Directive (2006/24/EC) following publication of an evaluation report on the Directive early next year.  Under the Directive, Member States must ensure that providers of publicly available electronic communications services or public communications networks retain certain traffic data on… Continue Reading