On March 23, 2018, Congress passed, and President Trump signed into law, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which creates a new framework for government access to data held by technology companies worldwide. The CLOUD Act, enacted as part of the Consolidated Appropriations Act, has two components. Part I: Extraterritorial Reach of … Continue Reading
In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning. To read … Continue Reading
In a 2-1 decision on August 16, the Sixth Circuit refused to dismiss a claim against the maker of an online surveillance tool for wiretapping under both federal and state laws, and for intrusion against seclusion. While the breadth of this holding is unclear, and the case may be an outlier, the Sixth Circuit’s reasoning … Continue Reading
The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful. With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services. European healthcare is particularly affected by such restrictions. This has motivated a significant … Continue Reading
The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year. Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities: designated* “operators of essential services” within … Continue Reading
By Vera Coughlan, Monika Kuschewsky and Kristof Van Quathem Yesterday, the European Commission launched its “Digitising European Industry” package, a series of industry related initiatives aimed at “updating Europe’s digital infrastructure”, see press release here, Q&A here and homepage here. The package includes reports and proposals addressing cloud computing, ICT standardization, eGovernment, Internet of Things … Continue Reading
As businesses increasingly work with various types of third parties that process sensitive information and, in some cases, access a company’s networks, there is an inherent risk: these third parties create new avenues of attack against a company’s data, systems, and networks. Covington attorneys David Fagan, Nigel Howard, Kurt Wimmer, and Elizabeth Canter describe these … Continue Reading
In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany). The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give … Continue Reading
By Susan Cassidy, Alex Sarria, Patrick Stanton, and Catlin Meade On August 26, 2015, the Department of Defense (DoD) issued an interim rule that significantly expands the obligations imposed on defense contractors and subcontractors to safeguard “covered defense information” and for reporting cyber incidents on unclassified information systems that contain such information. The interim rule revises the … Continue Reading
Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information. Among the fourteen education tech companies … Continue Reading
This summer, the International Standards Organization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud — ISO 27018. Although this recent development has gone mostly unnoticed by the technology and media press to date, the new cloud standard provides a useful privacy compliance framework for cloud services providers that … Continue Reading
In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of critical infrastructure. President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why … Continue Reading
On February 7, 2013, the Payment Card Industry (PCI) council released a supplement to the payment card industry data security standards (PCI-DSS) on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environments. The supplement is intended for merchants, service providers, assessors, and other entities in evaluating the use of cloud … Continue Reading
Last Friday, Rep. Zoe Lofgren (D-CA) introduced the ECPA 2.0 Act, H.R. 6529, which would strengthen the legal standards for law enforcement to gain access to electronic communications and location information. The Electronic Communications Privacy Act (ECPA) is more than 25 years old and is widely seen as needing modernization to address changes in digital … Continue Reading
On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing. The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’” The guidance also … Continue Reading
On July 1st, 2012, the Article 29 Working Party (WP29), a group consisting of data protection authorities of all EU Member States, adopted a long-awaited opinion on cloud computing. While acknowledging the advantages of cloud computing, the opinion sets out a number of data protection issues that may arise from the wide-scale deployment of cloud … Continue Reading
As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations. (You can read our overview of these regulations here.) Among other things, those regulations—most of which took effect in … Continue Reading
The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on … Continue Reading
Companies considering moving to the cloud sometimes are cautioned that heightened data security risks pose a potential drawback to cloud computing. And it is certainly correct that before making a decision about whether and how to adopt cloud-based computing, companies should carefully consider the security practices of potential cloud service providers or build security into … Continue Reading
Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released for public comment a draft roadmap for implementing cloud computing technology across U.S. government agencies. The roadmap is intended to foster adoption of cloud computing by federal agencies, reduce uncertainty surrounding cloud computing by improving the information available to policymakers, and facilitate … Continue Reading
Government agencies maintain large quantities of information about individuals, covering everything from physical description to the person’s family life, property, political activity, employment history, criminal records, and health condition. In a light of a recent finding that reports of information-security incidents at federal agencies have increased more than 650 percent over the past five years, … Continue Reading
Recently, the Swedish Data Protection Authority (“DPA”) published a review of the use of cloud services, informed by the practices of three Swedish municipalities’ use of services from leading cloud providers. Based on the study, the DPA has published guidelines (currently only available in Swedish) that clarify the requirements of Swedish data protection law with … Continue Reading
As the Electronic Communications Privacy Act (ECPA) turns 25 years old this week, calls are increasing for an update to bring this aging law into the age of cloud computing. Senators Ron Wyden (D-Ore.) and Mark Kirk (R-Ill.) this week joined with the Digital Due Process Coalition to call for significant revisions of the law, … Continue Reading
By David Fagan and Alex Berengaut Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data. In this regard, one of the principal privacy-based concerns raised in connection … Continue Reading
