Regulatory guidance on risks that may be posed by cloud computing was issued by Europe's Article 29 Working Party on July 3, 20121 and by the Federal Financial Institutions Examination Council ("FFIEC") on July 10.2 Although the guidance from the two organizations differs in many respects, the regulators are united in recommending that anyone wishing to use cloud computing should undertake a thorough risk analysis—and there is no "one-size-fits-all" answer.
Companies in the financial services sector are probably familiar with the FFIEC, which is made up of representatives from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau. On July 10, the Information Technology Subcommittee of the FFIEC issued a 4-page statement that addressed "key elements of outsourced cloud computing implementation and risk management." The primary focus of the guidance is protection of sensitive data, and the FFIEC recommends that a financial institution's due diligence of a potential cloud provider include:
considerations of data classifications (including encryption), data segregation and recoverability and vendor management (including changes to meet regulatory obligations);
auditing (including augmenting the financial institution's internal audit staff to include expertise in evaluating shared environments and virtualized technologies);
information security (including removal of data);
identification and mitigation of legal, regulatory and reputational risks (including security incident reporting); and
business continuity planning (including both the cloud service provider and network carriers).
The FFIEC cautioned: "As with other service provider offerings, cloud computing may not be appropriate for all financial institutions."
Article 29 Working Party
The FFIEC document provides a brief summary of some key risks, but those seeking additional information may find the detailed opinion from Europe's Article 29 Working Party to be more helpful. This independent advisory body consists of a representative of the supervisory authority (or multiple authorities) designated by each EU country; a representative of the authority (or multiple authorities) established for the EU institutions and bodies; and a representative of the European Commission. The Working Party's mission relates to the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The 25-page Working Party Opinion focuses on data protection risks primarily due to the customer's (data controller's) loss of control of the data once it is entrusted to the cloud provider (typically, the processor). The Opinion is based on the European directives relating to data protection and e-privacy.3 Readers must keep in mind that the European directives set a baseline for regulation, and individual countries within the European Economic Area (EEA) may have additional requirements. The Opinion states that "if a cloud client is established outside the EEA, but commissions a cloud provider located in the EEA, then the provider exports the data protection legislation to the client."4
The Opinion recognizes that many cloud computing service customers "may not have room for manoeuvre in negotiating the contractual terms" of the agreement, but the customer "must choose a cloud provider that guarantees compliance with data protection legislation."5 The Opinion then provides a list of 14 issues that the contract "should also set forth."6 These issues range from penalties for non-compliance, to specification of security measures, to erasure of data, to a "guarantee that both cloud provider and all subcontractors shall act only on instructions from the cloud client."7 The opinion is clear that compliance with data protection laws is required: "This imbalance in the contractual power of a small controller with respect to large service providers should not be considered as justification for the controllers to accept clauses and terms of contracts which are not in compliance with data protection law."8
Many American companies that have operations or do business internationally have sought to comply with European privacy requirements by joining the Safe Harbor program, administered by the U.S. Department of Commerce, and typically self-certifying their compliance. With respect to the cloud however, the Working Party stated that "sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment."9 The Opinion recommends that the customer exporting data from the EEA "should obtain evidence that the Safe Harbor self-certification exists and request evidence demonstrating that their principles are complied with."10 The Opinion specifically addressed U.S. cloud providers:
Finally, the Working Party considers that the Safe Harbor principles by themselves may also not guarantee the data exporter the necessary means to ensure that appropriate security measures have been applied by the cloud provider in the US, as may be required by national legislations based on the Directive 95/46/EC. In terms of data security cloud computing raises several cloud-specific security risks, such as loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures, which are not sufficiently addressed by the existing Safe Harbor principles on data security.11
Instead, the Working Party recommended those exporting personal data from the EU use either standard contractual clauses or binding corporate rules—neither of which has the geographic limitations of the Safe Harbor.12 With respect to customers' possible application of the exemptions located within the Directive, the Opinion found that "it is almost impossible to rely on exemptions in the context of cloud computing."13
Finally, the Working Party found that a cloud provider will typically be a processor unless it, for example, "re-processes some personal data for its own purposes. In such a case, the cloud provider has full (joint) responsibility for the processing and must fulfill all legal obligations that are stipulated by Directives 95/46/EC and 2002/58/EC (if applicable)."
This article was prepared by Sue Ross (firstname.lastname@example.org or 212 318 3280), David Kessler (email@example.com or 212 318 3382), Pamela Jones Harbour (firstname.lastname@example.org, 202 662 4505 or 212 318 3324) and Bob Wilson (email@example.com or +49 89 2429-3200) of Fulbright's e-Discovery and Information Governance Practice and Privacy, Competition and Data Protection Practice.
To learn more about our e-discovery and information governance practice and privacy, competition and data protection practice, please go to www.fulbright.com/edig and www.fulbright.com/privacy.
1 Opinion 05/2012 on Cloud Computer, 05/12/EN WP 196 (July 1, 2012) is located at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf .
2 FFIEC Information Technology Subcommittee, "Outsourced Cloud Computing," July 10, 2012, located at http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf .
3 95/46/EC and 2002/58/EC (as revised by 2009/136/EC), respectively.
4 Opinion § 3.2. As long as personal data is processed on equipment—automated or otherwise—located in any EEA member state, the law of that member state will apply. Id. at n.8.
11 Id. (footnotes omitted).