Protecting data on overseas cloud servers and navigating aggressive regulation promise to keep tech lawyers employed for years to come, if the EU’s quick succession of Privacy Shield, GDPR and the forthcoming ePrivacy Regulation provides any indication of what’s in store.
Data guardians must be prepared to bring their technical A-game in regard to knowing the exact location of everything and potential legal liability surrounding their overseas cloud storage, concur experts bracing for a new round of regulatory scrutiny in light of mishaps.
“The legal requirements can be quite complex as a multinational U.S. company needs to manage one set of data across many different countries and/or economic unions and trade blocks, each having its own distinct regulatory environment,” says Pravin Kothari, CEO of CipherCloud.
As to the fast pace new regulations are being introduced, Kothari acknowledges, “On a global basis, there is constant change with respect to policies that involve data privacy, encryption, and government access to this data in any form on servers located within their country.”
Somewhat unnerving is that such government access, known as “forced disclosure,” can happen with, or without, permission or the data owner’s knowledge depending on the country.
“Governments are using forced disclosure to require cloud providers to share your data,” Kothari notes. “Even if you choose to utilize encryption offered by the cloud providers, they have the master keys, as is the case with many cloud application providers, such as, for example, the Salesforce.com cloud, they can gain complete access to your data, perhaps without either your permission or your knowledge.”
Gabriel Gumbs, vice president of product strategy for STEALTHbits Technologies, says that while Europe might be perceived ahead of the rest of the world in regard to protecting overseas data, in regard to cloud computers, it doesn’t go far enough.
“No one regulation should be considered adequate for protecting overseas cloud computers, and GDPR has a privacy focus which does not address the specific ways in which cloud computing resources should be secured,” Gumbs says. “The guidance of the Cloud Security Alliance (CSA), in conjunction with GDPR, would be the low-water mark in my professional opinion for frameworks that address the protection of overseas cloud computers. Today, as data security laws have been updated, there are more structured and defined procedures for handling data security on overseas servers.”
Harmonization of the complex, and at times, conflicting meshwork can be a nightmare, points out Timothy Yim, senior regulatory counsel for Imperva.
“In recent years, that meshwork has created a host of new obligations, including documenting records of processing, vendor flow-down requirements, expanded data subject rights, cross-border data transfer mechanisms, and data localization,” Yim says.
Tracking each country’s differences across global data infrastructure or in data lakes would be a “nightmare,” he admitted. But the evolution of the European Union Data Protection Directive into GDPR demonstrates a new navigational mentality that’s necessary to reap the benefits of a global distributed cloud infrastructure, Yim stresses.
“The habit of storing data on overseas servers is a common one and indeed fundamental to the original concept of cloud-based storage where access was the key rather than physical data location,” points out Steve Durbin, managing director of the Information Security Forum (ISF).
“The GDPR is one of the strongest pieces of regulation we have seen when it comes to protecting the individual’s rights with regard to personally identifiable information irrespective of where in the world that data is stored or processed,” Durbin says.
Overseas cloud strategies today are informed by a heightened focus to maintain to highest degree of data security, transparency and encryption.
“The pseudonymization of personal data,” Durbin notes, requires vendors and clients alike “to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
In the event of a breach or incident, typically cloud providers’ contracts oblige them to restore the availability and access to data in a timely manner, as well as before a problem: regularly test, assess and evaluate the effectiveness of its security technical and organizational measures, he adds.
In the wake of the Facebook/Cambridge Analytica debacle, Members of the European Parliament (MEPs) have emphasized the need for better monitoring of the EU-U.S. Privacy Shield, given that both companies are certified under the agreement, Durbin observes.
Furthermore, the EU Parliament is also worried about the recent adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a U.S. law (with an intended acronym relevant to this article) that grants the American and foreign police access to personal data across borders.
“The concern is that the U.S. law could have serious implications for the EU and could conflict with EU data protection laws,” Durbin said. “What does this all mean? Well MEPs recently voted in favor of suspending the data exchange deal unless the U.S. complies with EU data protection rules by Sept. 1, 2018. Whether or not this happens we’ll need to wait and see but in practice, it’ll mean a lot of companies moving over to standard contractual clauses instead of relying on Privacy Shield.”
For mid-size companies in particular this will probably be a problem since these contracts are complex often requiring significant legal input and therefore cost and resource time, Durbin notes.
Yaniv Avidan, CEO and co-founder of MinerEye Ltd., observes that overseas cloud computing arose out of a need for collaboration, and the exponential growth of data that various parties need to access.
“Cloud adoption has been pushed by the levels of companies, even CEOs,” Avidan says, explaining the recent growth of cloud service providers beyond the dominating large players, including Google, Amazon, IBM and Microsoft, in this space.
He noted that Europe’s recent implementation of GDPR and plan at the end of the year for the ePrivacy Regulation requires that the service providers are as much responsible for the protection of PII as are the clients. “They’re (the regulations) are being directed at the cloud vendors.”
That being said, it behooves both service provider and customer alike to know exactly what data exists and where it lies, prior to a breach, notes Avidan.
“I would say that Europe’s data privacy laws are stringent enough that if you don’t have a presence over there it’s going to be hard to do business there,” comments security expert Ian Eyberg, founder of NanoVMs.
Russia, Durbin points out, was one of the first countries to insist that Russian data be stored on Russian soil. “The sensitivity to geographic boundaries is one that the major cloud providers have needed to respond to with the establishing of local data centers able to provide local storage where and when required,” he adds.
Doug Peckover, founder of VaultChain, Inc., agrees as to Europe’s leadership role in protecting data in general, as well as cloud computing specifically, in contrast with the rest of the world.
“Virtually every industrialized country follows the EU privacy lead except for the U.S.,” Peckover says, noting California is the only state attempting to protect its citizens’ PII.
Peckover takes a practical view of the potential risk of relying on overseas cloud networks.
“We have no control of where packets end up, let alone where servers and data end up,” he says. “So VaultChain takes the position that everything is at risk for both hacking and compliance reasons. We include what we call ‘embedded forensics’ so at least the data owner has an idea of the where and when data is being requested (without putting the data at risk). Anything less is just wishful thinking.”
Measures like GDPR and eSecurity Regulation are “a start but they apply to all data, not just cloud data,” Peckover pointed out. For example, data in overseas (and local) legacy databases must also be protected, “so compliance could end up being a line-by-line review just like the industry had for Y2K (which was estimated to cost almost $500 billion),” he says.
Various vendor solutions aim to meet the stated requirements of GDPR (and quantum computers) without the need for these programming changes.
The experts expressed skepticism that staffing levels are sufficient for regulators to monitor compliance, yet another high-profile case or two could up the ante.
Large enterprises might have taken to address GDPR’s full compliance deadline this past May, but others are unsure how to comply because of infrastructure inadequacies to manage global data sets. “Much of it is window dressing,” Kothari says.
Peckover suggests observers keep an eye on the amount of fines being leveled against firms like Google and Facebook, alluding to the latter’s fallout surrounding Cambridge Analytica.
“We take the position that the court of public opinion will have a faster and greater impact than traditional courts,” he concludes.
