Microsoft Adopts International Cloud Privacy Standard

Public cloud computing services-- computing resources (such as networks, storage, applications, and services) purchased from another company (a “cloud services provider”)-- offer many potential benefits for businesses, among them economies of scale, lower capital costs, and improved accessibility.

However, cloud computing is not without risk. Various data protection laws require businesses to safeguard and protect the privacy of personal information stored in the cloud. As a result, businesses must assess and address information security and privacy risks before becoming a customer of a cloud services provider and entrusting personal information to that provider.

On August 1, 2014, the International Organization for Standardization (ISO) issued ISO/IEC 27018- a standard for protecting personal information stored in the cloud. To learn more about ISO/IEC 27018 and its personal information protection requirements, click here.

As we wrote previously, ISO 27018 may be a helpful tool for businesses to use in evaluating a cloud service provider’s capabilities to protect personal information stored in the cloud.

On February 16, 2015, Microsoft announced that that it had become the first major cloud provider to adopt ISO/IEC 27018. ISO/IEC 270018 requires Microsoft to take the following steps (among others) to protect the privacy of personal information stored in the Microsoft Cloud:

Process personal information only as instructed by the customer;
Never process personal information for advertising and marketing purposes without the customer’s express consent;
Reject requests for personal information that are not legally binding; consult the customer when legally permissible before making any disclosure of personal information; and accept any requests for disclosures of personal information authorized by a customer;
Notify the customer of any request for disclosure of personal information by a law enforcement authority, unless that disclosure is otherwise prohibited;
Notify the customer promptly of any unauthorized access to personal information or loss, disclosure or alteration of personal information;
Help the customer meet its obligations in the event of a data breach; and
Require all individuals with access to personal information to be bound by a confidentiality agreement.

Privacy protections are increasingly the focus of existing and proposed state and federal laws here in the United States, and mandated by various jurisdictions around the world. As a result, ISO/IEC 27018 may emerge as a commonly utilized standard for cloud service providers to follow in order to protect personal information in the cloud.

Related Knowledge

Education

Know Your Contracts

February 14, 2019
The 2018 Legal Ethics Year in Review: News You Can Use

February 11, 2019
Government Relations, Federal

Zach Butterworth Provides Congressional Update on LaPolitics Podcast

February 06, 2019

Knowledge

4/10/2015

Related Knowledge

Knowledge

It’s Time for Insurers to Review Policy Wording Following Texas Decision on Energy Package Policies

February 14, 2019

Know Your Contracts

The 2018 Legal Ethics Year in Review: News You Can Use

Zach Butterworth Provides Congressional Update on LaPolitics Podcast