Microsoft Adopts International Cloud Privacy Standard

Public cloud computing services-- computing resources (such as networks, storage, applications, and services) purchased from another company (a “cloud services provider”)-- offer many potential benefits for businesses, among them economies of scale, lower capital costs, and improved accessibility.

However, cloud computing is not without risk. Various data protection laws require businesses to safeguard and protect the privacy of personal information stored in the cloud. As a result, businesses must assess and address information security and privacy risks before becoming a customer of a cloud services provider and entrusting personal information to that provider.

On August 1, 2014, the International Organization for Standardization (ISO) issued ISO/IEC 27018- a standard for protecting personal information stored in the cloud. To learn more about ISO/IEC 27018 and its personal information protection requirements, click here.

As we wrote previously, ISO 27018 may be a helpful tool for businesses to use in evaluating a cloud service provider’s capabilities to protect personal information stored in the cloud.

On February 16, 2015, Microsoft announced that that it had become the first major cloud provider to adopt ISO/IEC 27018. ISO/IEC 270018 requires Microsoft to take the following steps (among others) to protect the privacy of personal information stored in the Microsoft Cloud:

Process personal information only as instructed by the customer;
Never process personal information for advertising and marketing purposes without the customer’s express consent;
Reject requests for personal information that are not legally binding; consult the customer when legally permissible before making any disclosure of personal information; and accept any requests for disclosures of personal information authorized by a customer;
Notify the customer of any request for disclosure of personal information by a law enforcement authority, unless that disclosure is otherwise prohibited;
Notify the customer promptly of any unauthorized access to personal information or loss, disclosure or alteration of personal information;
Help the customer meet its obligations in the event of a data breach; and
Require all individuals with access to personal information to be bound by a confidentiality agreement.

Privacy protections are increasingly the focus of existing and proposed state and federal laws here in the United States, and mandated by various jurisdictions around the world. As a result, ISO/IEC 27018 may emerge as a commonly utilized standard for cloud service providers to follow in order to protect personal information in the cloud.

Related Knowledge

Crisis Response and Preparedness

Jeff Brooks Quoted in New Orleans CityBusiness on COVID-19 Legislation

March 30, 2020
Litigation

Pera Comments on Law Firm Loans to Stay Afloat During Coronavirus Pandemic in ABA Journal

March 30, 2020
Maritime

U.S. Coast Guard Issues Guidelines for Reducing Cyber Risks at MTSA Facilities

March 30, 2020

Knowledge

4/10/2015

Related Knowledge

Knowledge

How the Stimulus Package Affects Your Business

March 30, 2020

Jeff Brooks Quoted in New Orleans CityBusiness on COVID-19 Legislation

Pera Comments on Law Firm Loans to Stay Afloat During Coronavirus Pandemic in ABA Journal

U.S. Coast Guard Issues Guidelines for Reducing Cyber Risks at MTSA Facilities