Cloud Computing and Cybersecurity Laws

Cloud computing has become the normal protocol to store data for most individuals and businesses. The fact that online storage is cheaper these days has contributed to the expansion of this technology. There are numerous companies out there that provide cloud storage facilities which may be inside or outside of your jurisdiction. Now, the question is why is that important at all? Well, the answer is because the laws of each jurisdiction may be different when it comes to interstate commerce and cybersecurity. This is one good reason to make sure you read and understand the cloud service provider’s terms and conditions before you sign up. There will be provisions that can help you understand your rights and responsibilities. For example, where and how the parties can resolve their disputes? Also, the laws of which state will be used to resolve the dispute? The answers will be in the venue, choice of law, or governing law provisions. In some cases, the cloud service provider includes an arbitration clause which requires the parties to resolve their dispute through arbitration.

There are various cloud computing platforms that allow the users to send and receive information. So, obviously the users should use precautions when transferring data towards the cloud service provider. For example, it’s recommended to encrypt the data before transferring it. Also, it’s a good idea to confirm that data integrity will be protected after the transfer. The users should also have a functioning backup of their files in a safe place in case the data is lost, stolen, or destroyed.

The Privacy Shield Program applies to cloud computing platforms that do business with other countries – e.g., European Commission, Switzerland. This program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce and enables U.S.-based organizations to join the Privacy Shield Frameworks. For example, a U.S.-based organization must self-certify to the Department of Commerce and commit to the Framework’s requirements. It’s not mandatory to join the Privacy Shield Program, but once the organization makes the public commitment to comply with the Framework’s requirements, the commitment will become legally enforceable. The participating organization will receive the following benefits:

  1. All Member States of the European Union are bound by the European Commission’s finding of “adequacy,” and Switzerland is bound by the Swiss Government’s finding of “adequacy”;
  2. Participating organizations are deemed to provide “adequate” privacy protection, a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU Data Protection Directive and outside of Switzerland under the Swiss Federal Act on Data Protection;
  3. EU Member State requirements for prior approval of data transfers either are waived or approval will be automatically granted; and
  4. Compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises.

There are state, federal, and international cybersecurity laws that have been implemented to ensure safety. These online transactions occur by sending and receiving data over the internet’s infrastructure. However, keep in mind that most of the internet’s infrastructure is managed by non-governmental organizations – e.g., private communication service providers – that must comply with various laws.

First, there has been cybersecurity legislation at the federal level. On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. The federal statute elevates the mission of the former National Protection and Programs Directorate (NPPD) within DHS and establishes the Cybersecurity and Infrastructure Security Agency (CISA). CISA builds the national capacity to defend against cyberattacks and works with the federal government to provide cybersecurity tools, incident response services, and assessment capabilities to safeguard the ‘.gov’ networks that support the operations of partner departments and agencies.

Second, there has been cybersecurity legislation at the state level. For example, California has, via Assembly Bill 814, passed a law clarifying that, for purposes of the prohibition against unlawfully accessing a computer system, a computer system includes devices or systems that are located within, connected to, or integrated with, a motor vehicle.

Third, there has been cybersecurity legislation at the international level. For example, the European Commission instigated the European Union General Protection Regulation (GDPR) in an effort to bring a single standard of data protection for its members. The European Council also adopted a regulation to ban unjustified geo-IP blocking of member states in an effort to deal with unreasonable discrimination based on geographic location. In addition, Korea has passed the Network Act and Personal Information Protection Act to promote cybersecurity and protect personal information.

We work with clients regarding cloud computing and cybersecurity issues. Please feel free to contact our law firm in order to speak with an attorney who has knowledge about cloud computing and cybersecurity laws.