Microsoft Adopts International Cloud Privacy Standard

Public cloud computing services-- computing resources (such as networks, storage, applications, and services) purchased from another company (a “cloud services provider”)-- offer many potential benefits for businesses, among them economies of scale, lower capital costs, and improved accessibility.

However, cloud computing is not without risk. Various data protection laws require businesses to safeguard and protect the privacy of personal information stored in the cloud. As a result, businesses must assess and address information security and privacy risks before becoming a customer of a cloud services provider and entrusting personal information to that provider.

On August 1, 2014, the International Organization for Standardization (ISO) issued ISO/IEC 27018- a standard for protecting personal information stored in the cloud. To learn more about ISO/IEC 27018 and its personal information protection requirements, click here.

As we wrote previously, ISO 27018 may be a helpful tool for businesses to use in evaluating a cloud service provider’s capabilities to protect personal information stored in the cloud.

On February 16, 2015, Microsoft announced that that it had become the first major cloud provider to adopt ISO/IEC 27018. ISO/IEC 270018 requires Microsoft to take the following steps (among others) to protect the privacy of personal information stored in the Microsoft Cloud:

Process personal information only as instructed by the customer;
Never process personal information for advertising and marketing purposes without the customer’s express consent;
Reject requests for personal information that are not legally binding; consult the customer when legally permissible before making any disclosure of personal information; and accept any requests for disclosures of personal information authorized by a customer;
Notify the customer of any request for disclosure of personal information by a law enforcement authority, unless that disclosure is otherwise prohibited;
Notify the customer promptly of any unauthorized access to personal information or loss, disclosure or alteration of personal information;
Help the customer meet its obligations in the event of a data breach; and
Require all individuals with access to personal information to be bound by a confidentiality agreement.

Privacy protections are increasingly the focus of existing and proposed state and federal laws here in the United States, and mandated by various jurisdictions around the world. As a result, ISO/IEC 27018 may emerge as a commonly utilized standard for cloud service providers to follow in order to protect personal information in the cloud.

Related Knowledge

Maritime

Is Every Seaman an Exempt Employee? Confusing Ruling Puts Jones Act and FLSA at Odds

February 18, 2021
Appellate

Appellate Pointer – Top 10 Tips for Zoom Arguments

February 16, 2021
Financial Services

CFPB Considers Limiting Fintech, Data Aggregators’ Access to Consumer Data

February 10, 2021

Knowledge

4/10/2015

Related Knowledge

Knowledge

Seven Points to Know in New Cyberinsurance Guidance that Help Companies and Insurers

February 26, 2021

Is Every Seaman an Exempt Employee? Confusing Ruling Puts Jones Act and FLSA at Odds

Appellate Pointer – Top 10 Tips for Zoom Arguments

CFPB Considers Limiting Fintech, Data Aggregators’ Access to Consumer Data