01 Feb Legal and Compliance Issues With Cloud Based Data Management
Security in a cloud based computing environment is at the forefront of concerns for enterprises. Cyber security is a risk to any organization that relies heavily on data, and this is compounded by regulatory issues that organizations face. Legal compliance and privacy are two significant risks associated with cloud data breaches.
Cloud Compliance
Companies that maintain Personally Identifiable Information (PII) are under strict regulation by most state governments, and this type of information is anything that can be associated directly to an individual’s identity such as social security numbers, driver’s license ID, or even financial information.
There are a few standards in place such as PCI-DSS, HIPAA and HITECH that apply to various industries and industry segments, but there is no real standardization across all industries as of yet.
Financial institutions, merchants are retailers all must comply with the Payment Card Industry Data Security Standard or PCI-DSS. While this standard can be complex, a simple description is that anyone who comes in direct contact with any data associated with a person who uses a credit or debit card to make a purchase is responsible for the safekeeping of that person’s data. PCI compliance is required of any online retailer, brick and mortar retailers, and all financial institutions and the standard is even applicable to organizations that may not actually come in direct contact with cardholder data.
The Health Insurance Portability and Accessibility Act, also known as HIPAA, is designed to protect the health information of individuals along with the Health Information Technology for Economic and Clinical Health, or HITECH standard. These standards are in place to ensure that health information such as medical conditions, treatments, medications and other similar health information is kept private by the people who are exposed to this information during the conduct of legitimate business.
Once you are aware of these standards, it is important to consider the ramifications of a data breach when implementing a cloud-data infrastructure. Cloud Compliance with these standards is possible and many organizations are able to remain compliant in a cloud environment.
Today the government currently has significant reach when it comes to your personal data. While private companies must be compliant with the aforementioned standards, a person’s private information is not currently protected under US law from inquiries by the Federal Government. Some lawmakers are attempting to change this and if you are engaging in a cloud-based data storage solution, it is something to consider carefully.
When it comes to Federal legislation, Sarbanes-Oxley (SOX) is also a concern when it comes to privacy standards and cloud computing. Financial institutions that are responsible entities under SOX must ensure that any cloud vendors are in full compliance with SOX as well under the statute. In order to ensure that this is accomplished, new auditing standards known as SSAE 16 have been established. When a financial institution publishes the required reports under SSAE 16, they must demonstrate that they have adequate internal controls and process when it comes to the handling of information. This is a broad ranging examination of all data related activities including networking, power redundancy and data protection policies.
Many organizations manage to operate in Cloud Compliance with the standards noted above every day. A close examination the steps they are taking can provide guidance so those practices can be emulated within your own organization.
Knowledge of current regulatory requirements and issues is of the utmost importance when considering any cloud-based data alternatives for your enterprise. The laws and risks associated with new technology can become problematic for those who delve into the process without the proper background and expertise in compliance with these standards. Be sure to understand the regulations that apply to your business, and which laws may be unique to your own state to ensure a successful utilization of a cloud-based system.
Sorry, the comment form is closed at this time.