Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released for public comment a draft roadmap for implementing cloud computing technology across U.S. government agencies. The roadmap is intended to foster adoption of cloud computing by federal agencies, reduce uncertainty surrounding cloud computing by improving the
Cloud Computing
Privacy and Security Requirements for Handling Government Records Under Scrutiny
Government agencies maintain large quantities of information about individuals, covering everything from physical description to the person’s family life, property, political activity, employment history, criminal records, and health condition. In light of a recent finding that reports of information-security incidents at federal agencies have increased more than 650 percent over the past five years, it is unsurprising that data-handling requirements for government entities and contractors are a subject of ongoing concern. A roundup of recent developments:
- A recent General Services Administration (“GSA”) cloud computing procurement solicitation attempted to address data security concerns by limiting the foreign countries where vendors’ servers could be located, but this requirement was rejected on October 17 as unduly restrictive. Noting that the GSA had failed to explain its basis for differentiating between acceptable and unacceptable locations, the Government Accountability Office (“GAO”) recommended that the solicitation be revised to reflect the agency’s actual needs.
- On October 18, Sen. Daniel Akaka (D-HI) introduced the Privacy Act Modernization for the Information Age Act of 2011 to strengthen privacy protections for government records. Among other things, the bill would create a federal chief privacy officer position, update penalties for violating the Privacy Act, and establish a centralized website for information about records maintained by individual agencies.
The Swedish DPA Issues Guidelines on the Provision and Use of Cloud Services
Recently, the Swedish Data Protection Authority (“DPA”) published a review of the use of cloud services, informed by the practices of three Swedish municipalities’ use of services from leading cloud providers. Based on the study, the DPA has published guidelines (currently only available in Swedish) that clarify the requirements of…
USA PATRIOT Act and the Use of Cloud Services
By David Fagan and Alex Berengaut
Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data. In this regard, one of the principal…
Cloud Outages Highlight Contractual Risk
By Christine Enemark
To some customers of computing storage, processing and online services, the “cloud” seems no different from the traditional information technology services they have used for years. Amazon’s cloud computing outage last week, and the associated downtime and data loss suffered by a number of Internet web sites…
Observations from Cloud Discussions
I’ve recently had the opportunity to participate in or moderate several panels on cloud computing, addressing issues such as governance, security, privacy, and legal liability.
One issue that frequently comes up is whether cloud computing is really new or different. That depends on how you look at it. As a…
Epsilon Data Breach Highlights Security Challenges in the Cloud
Email marketing company Epsilon announced last week that its databases had been hacked, compromising customer names and e-mail addresses for a number of major companies that outsource their marketing communications to Epsilon.
The Epsilon data breach illustrates some of the security challenges when dealing with cloud computing environments. Although there are security risks associated with any outsourcing solution, the potential effect of a breach is magnified in a multi-tenant cloud. Only 2% of Epsilon’s estimated 2,500 clients were affected by the attack, and that still amounted to millions of exposed records. According to one estimate, the total number of affected individuals could be as high as 100 million.
Dave Frankland of Forrester Research observes that this incident may cause companies to question whether a multi-tenant deployment model is the best way to process customer data, given that a single breach can give a perpetrator access to a wealth of data.
Implications of the FTC Report and DOC Green Paper for IT Contracts
We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” We have also published client alerts on the FTC report and the DOC green paper. In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.
My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners.
The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations. As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider.
The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance. In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider. IT contracts also need to require that the provider comply with the customer’s policies on FIPPs.
Governmental Cloud in the EU – New ENISA Report
Hot on the heels of its report on data breach notifications in the EU, the EU’s cyber security regulator, ENISA, published yesterday a new report on cloud computing in the government. The report is targeted at senior managers of public bodies who are considering cloud computing platforms and…
EU Plans Revisions to Data Retention Directive
EU Home Affairs Commissioner Cecilia Malmström announced that the European Commission will propose amendments to the Data Retention Directive (2006/24/EC) following publication of an evaluation report on the Directive early next year. Under the Directive, Member States must ensure that providers of publicly available electronic communications services or public communications networks retain certain traffic data on communications for a period of six months to two years. Such data should ensure that authorities can determine the date, time, duration, source and destination of each communication, and the service and equipment used including the location of mobile devices.