Public cloud computing services are computing resources (such as networks, storage, applications, and services) purchased from another company, a "cloud services provider". They offer many potential benefits for businesses, among them economies of scale, lower capital costs, and improved accessibility.
However, cloud computing is not without risk. Various data protection laws require businesses to safeguard and protect the privacy of personal information stored in the cloud. As a result, businesses must assess and address information security and privacy risks before becoming a customer of a cloud services provider and entrusting personal information to that provider.
On August 1, 2014, the International Organization for Standardization (ISO) issued ISO/IEC 27018, a standard for protecting personal information stored in the cloud.
As we wrote previously, ISO 27018 may be a helpful tool for businesses to use in evaluating a cloud service provider’s capabilities to protect personal information stored in the cloud.
On February 16, 2015, Microsoft announced that it had become the first major cloud provider to adopt ISO/IEC 27018. ISO/IEC 27018 requires Microsoft to take the following steps (among others) to protect the privacy of personal information stored in the Microsoft Cloud:
- Process personal information only as instructed by the customer;
- Never process personal information for advertising and marketing purposes without the customer’s express consent;
- Reject requests for personal information that are not legally binding; consult the customer when legally permissible before making any disclosure of personal information; and accept any requests for disclosures of personal information authorized by a customer;
- Notify the customer of any request for disclosure of personal information by a law enforcement authority, unless that disclosure is otherwise prohibited;
- Notify the customer promptly of any unauthorized access to personal information or loss, disclosure or alteration of personal information;
- Help the customer meet its obligations in the event of a data breach; and
- Require all individuals with access to personal information to be bound by a confidentiality agreement.
Privacy protections are increasingly the focus of existing and proposed state and federal laws here in the United States, and mandated by various jurisdictions around the world. As a result, ISO/IEC 27018 may emerge as a commonly utilized standard for cloud service providers to follow in order to protect personal information in the cloud.