D Industry self-regulation and standards
As yet, there are no uniform industry regulations or standards that focus specifically on data, especially personal data, stored in the cloud. However, there are a number of industry-specific or data-specific voluntary standards that focus on data security and/or the prevention of cybercrime.
1. PCI DSS
One example of industry regulations aimed at protecting data stored in the cloud (as well as locally stored data) is the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is an information security standard for organisations that handle debit, credit, prepaid, e-purse, ATM, and point of sale cardholder information. For obvious reasons this data is a frequent target for cyber criminals, with more than 234 million records breached between 2005 and 2008. The PCI DSS has been criticised as doing nothing more than providing for a minimum security standard; however, it has been claimed that ‘no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.’ Questions of effectiveness aside, the PCI DSS provides an example of a comprehensive data security standard aimed at implementing strong data protection from the time a network is constructed through to the continued monitoring of data security. Compliance with the PCI DSS is a good starting point for any provider looking to handle sensitive information, and provides customers with assurance as to the security standards applied to their data. This is particularly important for organisations concerned about the obligations they owe to their own customers regarding the use and protection of data.
2. The IIA icode
The icode is a voluntary code of practice for ISPs designed to protect their customers and networks from cybercrime. It recognises that consumers and ISPs have a shared responsibility in relation to cybercrime. Whilst not strictly focussed on the provision of cloud services, one of the key aims of the code is to instil a culture of cyber security through both practical security measures and education. The code also recommends that ISPs make significant efforts to inform authorities and customers about serious risks and breaches of data security (see Security breach notification laws above). The icode now has over 90% coverage and has been recognised internationally as a significant voluntary industry effort to combat serious cyber security issues.
3. The Cloud Security Alliance
The Cloud Security Alliance (CSA) is a US-based body that describes itself as:
a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.
The CSA produces a number of research and guidance documents focussing on increasing and standardising security measures in the cloud and outlining steps that providers and customers can take to ensure the security of their data. Documents produced by the CSA include ‘Security Guidance for Critical Areas of Focus in Cloud Computing’ (mentioned above) and ‘Top Threats to Cloud Computing’. The CSA also offers a ‘Certificate of Cloud Security Knowledge’, delivered via a timed online quiz aimed at testing individual competency in cloud security issues. As yet no comparable industry body exists in Australia.
4. The European Network and Information Security Agency
The European Network and Information Security Agency (ENISA) is an agency established by Regulation (EC) No 460/2004 of the European Parliament and is charged with the task of maintaining its website as a hub for best practices and knowledge in the field of information security. As part of this role, in 2009 ENISA produced ‘Cloud Computing: Benefits, risks and recommendations for information security’, covering a broad spectrum of security issues relating to cloud security. Of particular interest is the document’s dual focus on ‘hard’ regulatory measures, such as breach disclosure and regulatory standardisation throughout the EU, and ‘soft’ measures focussing on education and building consumer confidence in cloud computing.
From the above we can reach two important conclusions regarding data security in the cloud and its protection. The first is that due diligence and appropriate data security governance are extremely important for anyone seeking to move to the cloud, and for any cloud provider, especially those storing important or sensitive customer data. In particular, backup and security measures and service level agreements should be carefully scrutinised and managed to ensure that catastrophic losses such as those suffered by Distribute.IT and its customers are not repeated.
The second conclusion is that regulation, legislation and the common law regarding data stored in the cloud remain underdeveloped, meaning that currently much of the responsibility falls on individual organisations to decide on, and be proactive in implementing, best-practice procedures. This also means that regulation can be expected to develop along the lines outlined above, and organisations need to be vigilant and prepared for this.
For more information, contact Matthew Nicholls
The assistance of Alex Maschmedt, Law Clerk at Nicholls Legal, in preparing this whitepaper is gratefully acknowledged.
© Copyright Nicholls Legal – All rights reserved.