Cloud Computing Laws and Regulations

There has been a surge of new laws and regulations passed by governments to impose security and privacy obligations on companies that store information in the cloud. The surge follows a series of well-publicized security breaches and a growing realization of how much information a single breach can expose. Information stored in the cloud ranges from personal data to confidential government intelligence. Although the most publicized breaches may involve compromising photographs of celebrities, breaches at medical insurers and of credit card accounts have affected far more of the public. It is only natural that new privacy and security laws are being drafted, both internationally and domestically, as the use of cloud computing expands.

What are some of the international laws?

In general, each country has been forming its own laws governing the privacy and security of information. For example, Australia, Canada, Japan, and Korea have comprehensive privacy regimes without onerous registration requirements. Organizations such as the Cloud Security Alliance (CSA) and the Information Technology & Innovation Foundation (ITIF) are working toward a clear set of widely accepted security practices, which would lead to a more consistent set of policies for companies to follow when storing information. Until that is accomplished, a company has to identify the laws and regulations of every country that may reach it, typically those where it operates, where its data is stored, and where the people whose data it holds reside. The company then has to decide which security and privacy measures best protect it from liability.

What are some of the domestic laws?

The domestic laws governing the security and privacy of cloud technologies exist at both the state and federal levels. For example, there is a federal law that governs student education records wherever they are stored, including in cloud-based applications. That statute, the Family Educational Rights and Privacy Act (FERPA), restricts the disclosure of student grades and other education records, so a school that moves those records to a cloud provider remains responsible for ensuring the provider handles them in compliance with the statute.

Two additional acts are the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). GLBA requires companies that provide financial products or services to protect the nonpublic personal financial information they collect. The law has two principal rules: (i) the Financial Privacy Rule, which requires an institution to give the consumer a privacy notice when the relationship is established and every year thereafter, describing what personal information is collected, where it is stored, how it is shared and used, and, most importantly, how that information is protected; and (ii) the Safeguards Rule, which requires each institution to develop, implement, and maintain a written information security program to protect its clients' private financial information. Because the Safeguards Rule holds the institution responsible for its service providers, it applies equally to financial data an institution places with a cloud provider.

HIPAA was enacted to protect the private health information handled by health insurance companies and other covered entities, such as health care providers and clearinghouses, and its obligations extend to the business associates, including cloud service providers, that store or process that information on their behalf. It also contains security regulations, which according to the Department of Health & Human Services "sets national standards for the security of electronic protected health information."

An example of a non-governmental regulation is the Payment Card Industry Data Security Standard (PCI DSS). In 2004, the major card brands, including MasterCard and Visa, worked together to create this standard. It is not a law but a contractual requirement enforced through the card networks, and it applies to any environment that stores, processes, or transmits cardholder data, including systems hosted in the cloud, so it assists companies in establishing security controls for payment information stored there.

At our law firm, we are well versed and up-to-date in laws governing cloud computing technologies. You may contact us to set up a free consultation.