D Industry self regulation and standards

As yet, there are no uniform industry regulations or standards that focus specifically on data, especially personal data, stored in the cloud.  However, there are a number of industry or data specific voluntary standards that focus on data security and/or prevention of cybercrime.

1.  PCI DSS

One example of industry regulations aimed at protecting data stored in the cloud (as well as locally stored data) is the Payment Card Industry Data Security Standard (PCI DSS).  The PCI DSS is an information security standard for organisations that handle debit, credit, prepaid, e-purse, ATM, and point of sale cardholder information.  For obvious reasons this data is a frequent target for cyber criminals: more than 234 million records were breached between 2005 and 2008.[23]  The PCI DSS has been criticised as doing nothing more than providing for a minimum security standard;[24] however, it has been claimed that ‘no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.’[25]  Questions of effectiveness aside, the PCI DSS provides an example of a comprehensive data security standard aimed at the implementation of strong data protection from the time a network is constructed through to the continued monitoring of data security.  Compliance with the PCI DSS is a good starting point for any provider looking to handle sensitive information, and provides an assurance for customers as to the security standards applied to their data.  This is particularly important for organisations worried about the obligations they have to their own customers regarding the use and protection of data.

2.  The IIA icode

The icode is a voluntary code of practice for ISPs designed to protect their customers and networks from cybercrime.  It recognises that consumers and ISPs have a shared responsibility in relation to cybercrime.[26]  Whilst not strictly focussing on the provision of cloud services, one of the key aims of the code is to instil a culture of cyber security through both practical security measures and education.  The code also recommends that ISPs make significant efforts to inform authorities and customers about serious risks and breaches of data security (see Security breach notification laws above).  The icode now has over 90% coverage and has been recognised internationally as a significant effort at voluntary industry action to combat significant cyber security issues.[27]

3.  The Cloud Security Alliance

The Cloud Security Alliance (CSA) is a US-based body that describes itself as:

a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

The CSA produces a number of research and guidance documents focussing on increasing and standardising security measures in the cloud and outlining steps that providers and customers can take to ensure the security of their data.  Some documents produced by the CSA include ‘Security Guidance for Critical Areas of Focus in Cloud Computing’ (mentioned above) and the ‘Top Threats to Cloud Computing’.  They also offer a ‘Certificate of Cloud Security Knowledge’, delivered via a timed online quiz aimed at testing individual competency in cloud security issues.  As yet no comparable industry body exists in Australia.

4.  The European Network and Information Security Agency

The European Network and Information Security Agency (ENISA) is an agency established by Regulation (EC) No 460/2004 of the European Parliament and is charged with the task of maintaining its website as a hub for best practices and knowledge in the field of information security.  As part of this role, in 2009 ENISA produced Cloud Computing Benefits, risks and recommendations for information security, covering a broad spectrum of security issues relating to cloud security.  Of particular interest is the dual focus of this document on ‘hard’ regulatory measures, such as breach disclosure and regulatory standardisation throughout the EU, and ‘soft’ measures focussing on education and building consumer confidence in cloud computing.

IV Conclusion

From the above we can reach two important conclusions regarding data security in the cloud and its protection.  The first is that due diligence and appropriate data security governance are extremely important for anyone seeking to move to the cloud, and for any cloud provider, especially those storing important or sensitive customer data.  In particular, backup and security measures and service level agreements should be carefully scrutinised and managed to ensure that catastrophic losses such as those incurred by Distribute.IT and its customers cannot recur.

The second conclusion is that regulation, legislation and the common law regarding data stored in the cloud remain underdeveloped, meaning that currently much of the responsibility falls on individual organisations to decide on, and be proactive in implementing, best-practice procedures.  This also means that regulation can be expected to develop along the lines outlined above, and organisations need to be vigilant and prepared for this.


For more information, contact Matthew Nicholls


The assistance of Alex Maschmedt, Law Clerk at Nicholls Legal, in preparing this whitepaper is gratefully acknowledged.

© Copyright Nicholls Legal – All rights reserved.
[1] IBM Academy of Technology, Cloud computing insights from 110 implementation projects, (October 2010) <http://www-935.ibm.com/services/us/leveragingit/learnings_from_100_early_cloud_adopters.pdf> (accessed 7 July 2011).

[2] Ibid.

[3] <http://www.distributeit.com.au/> (accessed 22 June 2011).

[4] <http://forums.whirlpool.net.au/forum-replies.cfm?t=1711718> (accessed 22 June 2011).

[5] Suzanne Tindal, ‘Distribute.IT data unrecoverable post-hack’, (21 June 2011) ZDNet, <http://m.zdnet.com.au/distribute-it-data-unrecoverable-post-hack-339317149.htm> (accessed 7 July 2011).

[6] Claire Connelly, ‘Call for harsher cyber laws after Distribute.IT attack’, (21 June 2011) News.com.au, <http://www.news.com.au/technology/call-for-harsher-cyber-laws-after-distributeit-attack/story-e6frfro0-1226079427802#ixzz1RNZyNFro> (accessed 21 June 2011).

[7] Hamish Barwick, ‘What lessons should be learned from the Distribute.IT meltdown?’, (24 June 2011) Computerworld, <http://www.computerworld.com.au/article/391395/what_lessons_should_learned_from_distribute_it_meltdown_/> (accessed 4 July 2011).

[8] Preston de Guise, ‘This is wrong’, (21 June 2011) The Net Worker Blog, <http://nsrd.info/blog/2011/06/21/this-is-wrong/> (accessed 4 July 2011).

[9] Security Guidance for Critical Areas of Focus in Cloud Computing, (2009), <https://cloudsecurityalliance.org/research/projects/security-guidance-for-critical-areas-of-focus-in-cloud-computing/> (accessed 7 July 2011).

[10] Donoghue v Stevenson [1932] AC 562 at 619; [1932] All ER Rep 1

[11] Nigel Wilson, ‘Regulating the information age — How will we cope with technological change?’ (2010) 33 Australian Bar Review 119, 124.

[12] Jennifer A Chandler, ‘Negligence Liability for Breaches of Data Security’, (2008) 23(2) Banking & Finance Law Review 223.

[13] Patrick Cunningham and Jesse Wilkins, ‘A walk in the cloud’, (2009) Jan/Feb Information Management 22, 29.

[14] Daniele Catteddu and Giles Hogben (eds), Cloud Computing Benefits, risks and recommendations for information security (November 2009).

[15] Alana Maurushat, ‘Data breach notification laws around the world from California to Australia’, (2009) 11 University of New South Wales Faculty of Law Research Series.

[16] Sasha Romanosky, Rahul Telang, Alessandro Acquisti, ‘Do Data Breach Disclosure Laws Reduce Identity Theft? (Updated)’,

[17] SB1386 California Security Breach Information Act.

[18] ‘State Security Breach Notification Laws’ (12 October 2010) National Conference of State Legislatures <http://www.ncsl.org/Default.aspx?TabId=13489> (accessed 7 July 2011).

[19] Directive 2002/58 on Privacy and Electronic Communications.

[20] For example on Sony, Commonwealth Bank, NAB and Distribute.IT.

[21] Dudley Kneller, ‘Security breaches force lawyers to rethink cyber laws’, (1 July 2011) The New Lawyer, <http://www.thenewlawyer.com.au/article/Security-breaches-force-lawyers-to-rethink-cyber-laws/530402.aspx> (accessed 5 July 2011).

[22] See also House of Representatives Standing Committee on Communications, Hackers, Fraudsters and Botnets – tackling the problem of cyber crime: Report of the inquiry into cyber crime, June 2010.

[23] PCI Quick Reference Guide, v. 1.2 (March 2009).

[24] Greg Reber, ‘PCI compliance falls short of assuring website security’, (27 Oct 2008) Search Software Quality.com, <http://searchsoftwarequality.techtarget.com/news/1335662/PCI-compliance-falls-short-of-assuring-website-security> (accessed 5 July 2011).

[25] Ellen Richey, Chief Enterprise Risk Officer at Visa, quoted in Jaikumar Vijayan, ‘Visa: Post-breach criticism of PCI standard misplaced’, (20 March 2009) Computerworld, <http://www.cso.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/> (accessed 5 July 2011).

[26] ‘icode commenced 1 December 2010’, <http://www.iia.net.au/index.php/all-members/869-get-ready-for-icode-in-force-1-december-2010.html> (accessed 6 July 2011).

[27] ‘ISPs sign on to icode’, <http://www.iia.net.au/index.php/all-members/890-isps-sign-on-to-icode.html> (accessed 6 July 2011).