January 21, 2019

January 18, 2019

Subscribe to Latest Legal News and Analysis

Cloud Privacy for Your Enterprise’s Data: Whose Choice?

While teens on Facebook may not worry about who’s looking at their posts, CEOs in the boardroom have a real problem to solve. Not only do large enterprises have to protect themselves against data breaches, they must follow a complex maze of privacy and data-hosting laws that vary by country and state.

Security and compliance can, ironically, become much more difficult thanks to a shift that otherwise makes IT easier and less expensive. Moving IT operations to the cloud has many advantages, but by placing data in the hands of a cloud vendor, companies frequently surrender a lot of control over that data: where it’s stored, how it’s handled and how it’s secured.

Furthermore, most customers have no idea of the physical location of the data center holding their information. That creates an immediate compliance problem with EU data privacy and hosting regulations—and non-compliance can be costly.

As an enterprise customer, having choices as to where your content is stored is crucial to your ability to meet all those requirements. Indeed, data sovereignty has become increasingly important in the wake of Safe Harbor, so companies need cloud solutions that enable them to maintain the highest levels of visibility and control over their data. Data regulators have (for now) rejected the EU-U.S. Privacy Shield agreement, making it even more important for global enterprises to ensure they remain in compliance with regional privacy laws, protect employee personal information and preserve the confidentiality of valuable corporate intellectual property.

So when considering a cloud vendor, enterprises need to factor flexibility of location into their purchase decision. The ability to use private cloud, public cloud, and/or on-premises storage within a single account will offer global enterprises a flexible range of options. Along with that, enterprises should look for a cloud vendor that offers the enterprise’s IT department maximum visibility and control to choose the right storage location, based on national sovereignty, data sensitivity, and other factors that concern regulators.

Another crucial consideration is the security of the data – in particular, who ultimately controls access. It is really impossible for an enterprise customer to know if there is a hidden “back door” in the vendor’s system that might allow law enforcement (or a clever hacker) to get access to the most sensitive information of the enterprise. More importantly, should the FBI or NSA come calling, the enterprise has no way to know whether their vendor will allow those agencies access to data or if the vendor has agreed to the routine surveillance of their systems and, therefore, the customer data stored there.

What company or organization would willingly place that kind of responsibility in the hands of a cloud vendor?

Because the enterprise is responsible for the protection of its own data and that of its customers, as well as its reputation, the customer rather than the vendor should decide these issues with full knowledge, based on its own core values.

Whether a company has the ability to take on this responsibility, however, does rest with its cloud vendor, because the customer only can control what the vendor allows.

As custodians of the information entrusted to them by customers, cloud vendors have a duty to build in the highest levels of security to protect that data. Vendors should never be in a position to hand over a customer’s data on their own, any more than a bank should be able to open your safe deposit box without your key. It doesn’t matter what the cloud vendor’s position may be on the continuum between privacy and intelligence gathering.

In addition, vendors also have a responsibility to provide their enterprise customers with the ability to control precisely where their data are stored. Admittedly, keeping data secure is a daunting task from the vendor’s perspective. Attacks are more sophisticated every day and there are new laws and lots of uncertainty around them internationally.

These are enormously important issues and companies that want to be in the business of managing data for others must take them seriously. Doing anything less than this is an abject failure by the vendor. Enterprise customers need to make these issues a central part of deciding which vendor to use. Doing anything less puts their business – and their customer’s data – in jeopardy.

This post has been authored by John Huberman.

Risk Management Magazine and Risk Management Monitor. Copyright 2019 Risk and Insurance Management Society, Inc. All rights reserved.


About this Author

Risk Management Magazine is the premier source of analysis, insight and news for corporate risk managers. RM strives to explore existing and emerging techniques and concepts that address the needs of those who are tasked with protecting the physical, financial, human and intellectual assets of their companies. As the business world and the world at large change with increasing speed, RM keeps its readers informed about new challenges and solutions.

Risk Management Magazine is delivered monthly to 17,000 readers. It is published by the Risk and Insurance Management Society, Inc. (...