What US businesses should know about compliance and regulatory issues before adopting a cloud strategy

Plenty of confusion still exists around the compliance and regulatory implications of cloud computing, particularly in regards to data. Here's a quick summary of what U.S. companies need to know.
Written by Thoran Rodrigues, Contributor

For all the advances made by cloud computing over previous years, data security is still the number one issue that comes up when cloud computing is discussed within companies, especially in the enterprise market. Existing concerns are compounded by the fact that there is still a lot of confusion regarding legal compliance and privacy issues.

Data privacy and protection: PCI-DSS and HIPAA / HITECH

In the US, most, if not all, states have implemented legislation concerning the protection of Personally Identifiable Information (PII). This applies to any kind of information that can be tied back to an individual in the physical world. It includes things such as Social Security Numbers, financial records, and other similar elements.

Unfortunately, there isn’t a single, all-encompassing standard that applies to everyone. Different business segments have different requirements that need to be met in order to be fully compliant with current legislation. Perhaps the two most well-known information security standards are the PCI-DSS and HIPAA / HITECH.

PCI-DSS stands for Payment Card Industry Data Security Standard. It applies to all financial institutions, merchants, online retailers, and to everyone who provides services to these companies. In a rough simplification, it states that everyone who at some point in the chain touches cardholder data – credit card number, name and expiration date – is fully responsible for its protection, and for having all the infrastructure necessary to do so. Every company that has an online store should be PCI-compliant, even if they are only forwarding the cardholder data to someone else and never storing it. Furthermore, every company that has clients in the retail or financial services space should be concerned with PCI, regardless of actually touching cardholder data or not, simply because of the weight placed by these markets on this standard.

HIPAA stands for Health Insurance Portability and Accessibility Act, while HITECH stands for Health Information Technology for Economic and Clinical Health. These two acts are focused on the protection of individually identifiable health information, including a person’s current, past or future medical/health status, the provision of health care, or the payment for the provision of medical care. The acts affect not only health service providers, but every company that touches this sort of information, especially insurance companies and, sometimes, human resources companies (or even human resources departments inside large enterprises).

Understanding these rules and standards, and how they apply to your company, is the first step when looking to adopt cloud computing. The easiest way to ensure compliance, regardless of the standard, rule or legislation that applies to you, is to look for cloud providers who are already compliant themselves.

One odd point on data protection legislation is that US law does not protect, from the client’s point of view, the privacy of data that has been placed under the care of a third party (in cloud services, for instance) from the government. According to the US Justice Department, you have no constitutional rights over your data once it is placed in the hands of an external service provider, and they can request this data without a warrant. While there is legislation being pushed to try and change this, it is a concern that companies must have when looking to the cloud.

Sarbanes-Oxley and the cloud

The Sarbanes-Oxley (SOX) law clearly states that a company is responsible for any accounting or financial wrongdoing, even if it is the result of a third party, such as a cloud service provider. If a company falls under the purview of SOX, its service providers must have all the necessary processes and controls in place to ensure SOX compliance. In order to make this easier, a set of auditing standards, called SSAE 16, has evolved.

The SSAE 16 standard (which replaces the old SAS 70 standard) is a report that states that a company has the proper internal controls and processes for the type of information and transactions it handles, and for the impact (financial and otherwise) it has on other organizations. These can range from data center related elements, such as networking and power redundancy, all the way through to data protection policies.

As in the case of data protection, the easiest way to ensure compliance is to look for providers who are already compliant themselves. Some SOX provisions require that service providers have SSAE 16 audits, so if your company falls under these provisions, there isn’t much of a choice. Even if it doesn’t, it might make more sense in the long run to start off with providers that are already compliant, thus avoiding the headache of changing providers down the road.

The international aspect

A final point of concern for cloud adopters is geographical location. A cloud service provider, especially a software-as-a-service provider, can offer its services over the web for companies all over the world, and store everyone’s data in a single country. Wherever the data is stored, we need to be aware that it will be subject to that country’s data privacy laws and related legislation, as well as any access restrictions. The geographical dispersal of information, often used by service providers to reduce costs and improve reliability, can be a major legal liability. Knowing where your provider will store your data and what legislation applies there is fundamental.

Regulatory concerns can quickly derail any cloud adoption plan if we’re not fully aware of all the implications and requirements of moving data and processing to external providers. Understanding the existing legislation, and how it applies to your particular company (which may vary with the states where you do business, the type of data you handle, and even the service or product you are providing), is a fundamental step for a successful move to the cloud.

Further reading

Here are links to sources of information on the different issues discussed here, for anyone who is interested in exploring them further.

  • PCI Security Standards Council – In addition to detailing the PCI standard, there are several guidelines and additional material, including a recently released Cloud Computing guideline.
  • US Department of Health and Human Services – This website contains information and many resources related to HIPAA and HITECH compliance, including links to tools that let you determine whether or not your company falls under this legislation.
  • List of US Privacy Laws – A list of links to several different pieces of privacy-related legislation in the US.
  • Center for Democracy & Technology – The CDT is a nonprofit organization focused on trying to solve the regulatory and legislative issues related to information privacy. There are many good articles on privacy and privacy legislation to be found here.
  • Wikipedia Entry on US Privacy Laws – A good broad summary of privacy legislation in the US, with many references.
  • SSAE 16 Auditing Standard Homepage – The homepage for the SSAE 16 standard, with plenty of resources and reference material.