Archive for the Category: Data Privacy

• Wednesday, September 12th, 2012

In the fall of 2010, a Google executive testified before a U.S. congressional subcommittee that more than three million businesses worldwide were customers of its cloud service offerings. In addition, Gartner Inc. predicts that cloud computing will be a $140 billion industry by 2014. We all recognize the advantages of cloud computing, but we also must be aware of the risks, and of the risk management programs necessary, when moving to the cloud. The Committee of Sponsoring Organizations is a leader in enterprise risk management best practices. It has recently released “COSO Enterprise Risk Management for Cloud Computing”. The goal of this publication is to “…enable executives to identify, monitor, and mitigate or accept the risks that come with using cloud computing.”

I found this white paper to be very informative. I highly recommend it to anyone embarking upon a cloud project. It provides a nice framework and real-world suggestions of risk management steps that can be taken.

Outsourced General Counsel would be happy to discuss your cloud computing plans and risk management program.  If you need assistance obtaining a copy of the paper, please let us know.

• Wednesday, February 01st, 2012

Massachusetts Breach of Data Privacy Notification Requirements

Where a person who owns or licenses personal information and knows or has reason to know (1) of a breach of security, or (2) that the personal information of a Massachusetts resident was acquired or used by an unauthorized person or for an unauthorized purpose, that person must, as soon as practicable, and without unreasonable delay, notify the Attorney General, the Office of Consumer Affairs and Business Regulation and each affected resident of that breach or unauthorized acquisition or use.

A “breach of security” is defined in the law as “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”

“Personal information” is defined in the law as “a resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.” Personal information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public, is excluded from the definition.

The notifications to the Office of Consumer Affairs and Business Regulation and to the Attorney General must include:

  • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
  • The number of Massachusetts residents affected as of the time of notification;
  • The steps already taken relative to the incident;
  • Any steps intended to be taken relative to the incident subsequent to notification; and
  • Information regarding whether law enforcement is engaged in investigating the incident.

The notifications to the residents affected must include the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies, provided however, that said notification shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use.

Notwithstanding the requirement to provide notice to residents, notice may be delayed if a law enforcement agency determines that provision of such notice may impede a criminal investigation and has notified the attorney general, in writing, thereof and informs the company of such determination. If notice is delayed due to such determination and as soon as the law enforcement agency determines and informs the company that notification no longer poses a risk of impeding an investigation, notice shall be provided, as soon as practicable and without unreasonable delay. The company shall cooperate with law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.

• Tuesday, January 24th, 2012

Does your business receive, store, maintain, process or otherwise have access to personal information (generally defined as a Massachusetts resident’s name (first name or first initial and last name) in combination with his/her Social Security number, driver’s license or state ID card number, passport number, or financial account or credit/debit card number that would permit access to the resident’s financial accounts) in connection with the provision of goods or services, or in connection with employment? If yes, you must develop, implement, maintain and monitor a comprehensive written information security program (“WISP”) applicable to that information. Your WISP must contain administrative, technical and physical safeguards that are appropriate to (i) the size, scope and type of your business; (ii) the amount of resources available to you; (iii) the amount of stored (electronic or paper-based) data; and (iv) the need for security and confidentiality of both consumer and employee information. The WISP safeguards must be consistent with the safeguards for protection of personal information, and information of a similar character, set forth in any state or federal regulation by which you may be regulated (e.g., the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act (“GLB”), the Payment Card Industry Standards (“PCI”), etc.).

What steps should I undertake to develop a WISP?

The Massachusetts Office of Consumer Affairs and Business Regulation (the “Office”) issued regulations that require you to perform the following. The list can also be used effectively as your guide towards compliance.

(a) Designate one or more employees to maintain the WISP;

(b) Catalogue all of the personal information you collect and where it is;

(c) Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:

  1. ongoing employee (including temporary and contract employee) training;
  2. employee compliance with policies and procedures; and
  3. means for detecting and preventing security system failures.

(d) Develop security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.

(e) Impose disciplinary measures for violations of the comprehensive information security program rules.

(f) Prevent terminated employees from accessing records containing personal information.

(g) Oversee service providers, by:

  1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
  2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.

(h) Implement reasonable restrictions upon physical access to records containing personal information, and store such records and data in locked facilities, storage areas or containers.

(i) Implement regular monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrade information safeguards as necessary to limit risks.

(j) Review the scope of the security measures at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(k) Document responsive actions taken in connection with any incident involving a breach of security, and conduct a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

The Office also has specific computer system security requirements.  Your WISP must cover computers, including any wireless system, which, at a minimum, and to the extent technically feasible, shall have the following elements:

  1. Secure user authentication protocols including:
    1. control of user IDs and other identifiers;
    2. a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
    3. control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
    4. restricting access to active users and active user accounts only; and
    5. blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
  2. Secure access control measures that:
    1. restrict access to records and files containing personal information to those who need such information to perform their job duties; and
    2. assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
  3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
  4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;
  5. Encryption of all personal information stored on laptops or other portable devices;
  6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
  7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis; and
  8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.
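To show what several of the authentication and access-control elements above look like once they reach an engineer, here is an added Python example. It is constructed for this page and is not code from the regulation, from the Office, or from this blog: it stores passwords only as salted PBKDF2 hashes rather than in a form that exposes them (element 1.3), refuses vendor-default passwords (2.2), limits logins to active accounts (1.4 and WISP step (f)), locks an account after repeated failures (1.5), and writes every decision to a log that can be monitored (4). The five-attempt threshold, the iteration count, the minimum length and the default-password list are assumptions chosen for the demo, not figures from the regulation.

```python
"""Constructed example of 201 CMR 17.04-style authentication controls.

Not code from the regulation or the blog; thresholds below are assumptions.
"""
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5      # assumption: lockout threshold (element 1.5)
PBKDF2_ITERATIONS = 100_000  # assumption: work factor for stored hashes
MIN_PASSWORD_LENGTH = 12     # assumption: part of a "reasonably secure" policy
# Constructed list of vendor-default credentials that must never be accepted (2.2).
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}


class Account:
    def __init__(self, user_id: str, salt: bytes, pw_hash: bytes):
        self.user_id = user_id
        self.salt = salt
        self.pw_hash = pw_hash      # the password itself is never stored (1.3)
        self.active = True
        self.failed_attempts = 0
        self.locked = False


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked record does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthService:
    def __init__(self):
        self._accounts = {}
        self.log = []  # in-memory stand-in for a monitored audit log (4)

    def create_account(self, user_id: str, password: str) -> None:
        # 1.1 / 2.2: every person gets a unique identifier.
        if user_id in self._accounts:
            raise ValueError("user id already exists")
        # 2.2: vendor-supplied defaults (and trivially short passwords) are rejected.
        if password.lower() in VENDOR_DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password is a vendor default or too short")
        salt = secrets.token_bytes(16)
        self._accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))
        self.log.append(f"account_created user={user_id}")

    def deactivate(self, user_id: str) -> None:
        # 1.4 / WISP step (f): a terminated employee's account stops working at once.
        self._accounts[user_id].active = False
        self.log.append(f"account_deactivated user={user_id}")

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None or not acct.active or acct.locked:
            # Same answer for unknown, inactive and locked accounts; log it for monitoring.
            self.log.append(f"auth_denied user={user_id} reason=unavailable")
            return False
        candidate = _hash_password(password, acct.salt)
        # Constant-time comparison so the check does not leak hash bytes via timing.
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failed_attempts = 0
            self.log.append(f"auth_success user={user_id}")
            return True
        acct.failed_attempts += 1
        self.log.append(f"auth_failed user={user_id} attempts={acct.failed_attempts}")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # 1.5: block access after repeated failures
            self.log.append(f"account_locked user={user_id}")
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._accounts[user_id].locked


def demo() -> dict:
    """Exercise the controls on constructed accounts and report what happened."""
    svc = AuthService()
    svc.create_account("jsmith", "correct horse battery")
    try:
        svc.create_account("vendor", "admin")  # default password: must be refused
        default_rejected = False
    except ValueError:
        default_rejected = True
    good_login = svc.authenticate("jsmith", "correct horse battery")
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.authenticate("jsmith", "wrong guess")
    locked = svc.is_locked("jsmith")
    login_while_locked = svc.authenticate("jsmith", "correct horse battery")
    return {
        "default_rejected": default_rejected,
        "good_login": good_login,
        "locked_after_failures": locked,
        "login_while_locked": login_while_locked,
        "log_entries": len(svc.log),
    }


if __name__ == "__main__":
    print(demo())
```

The log line per decision is what makes element 4 (reasonable monitoring) workable: a reviewer or an alerting rule can count `auth_failed` and `account_locked` events per user without ever seeing a password or a hash.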

The Office of Consumer Affairs and Business Regulation also published “A Small Business Guide: Formulating a Comprehensive Written Information Security Program”. This is a great template to use as you progress towards compliance.

• Tuesday, September 13th, 2011

Cloud computing and data protection are vast topics, each of which fills volumes of books. When you use another party to store and/or process confidential information, including personally identifiable information, data protection must be a concern. I will try to introduce you to some of those concerns. This is by no means a comprehensive post, but it can serve as a good road map to discuss with your legal and technology advisors. This diagram is from Wikipedia and provides one depiction of the cloud computing landscape. The diagram illustrates the complexity of moving your business process to the cloud. It also should illustrate how many organizations may be touching your confidential information and the personally identifiable information of your customers and prospects. This complexity leads to the risk of inadvertent (negligent or reckless) and deliberate release of confidential information and/or personally identifiable information. In order to prevent such disclosures, vendors are obligated to comply with applicable laws and are expected to adhere to certain self-regulatory standards. I will try to expose you to a summary of a few of these laws and standards.

The United States does not have a uniform system of data privacy laws; rather, the laws of this country are born out of industry needs. A few examples are:

(i) Gramm-Leach-Bliley (applicable to financial institutions);

(ii) HIPAA (applicable to the protection of health information);

(iii) COPPA (applicable to the protection of data collected online from children under 13);

(iv) USA Patriot Act (may be applicable to foreign companies that work with cloud providers that allow data to reside in or flow through the US);

(v) Red Flags Rule under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The Red Flags Rule requires that each “financial institution” or “creditor” implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of “covered accounts.”

(vi) In addition, the United States has many state laws requiring notification in the event of a breach of sensitive information and, in some cases, requiring the implementation of safeguards to protect sensitive information and/or secure disposal of such information. For instance, the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth.

By contrast, for example, the European Union has a comprehensive privacy framework, the EU Data Protection Directive. Each member state has its own unique law implementing the Directive, and such laws can be more restrictive. In fact, several countries explicitly restrict personally identifiable information from being moved outside of their borders (e.g., Israel and Switzerland). The EU Directive and member state laws state that, in the absence of specific compliance mechanisms, the EU prohibits the transfer of personal information of EU residents out of the EU to the US and the vast majority of countries around the world.

In addition to the laws above, most federal and state regulations require that you ensure “reasonable security” in the cloud computing context.  If you are an organization that will outsource a process that includes personal information, you need to ensure some form of “reasonable security”.  This will require that you:

  1. Conduct appropriate due diligence on providers;
  2. Restrict access, use, and disclosure of personal information;
  3. Establish technical, organizational, and administrative safeguards;
  4. Execute legally sufficient contracts with providers; and
  5. Notify affected individuals (and potentially regulators) of a security breach compromising personal information.

While ensuring that each layer of the cloud stack has an information security program in place that complies with applicable laws, you will also want to ensure it is certified against an industry standard like:

  1. The AICPA’s Service Organization Control Reports (formerly, SAS 70). Service Organization Control reports are internal control reports on the services provided by a service organization; they give users the information they need to assess and address the risks associated with an outsourced service. Cloud computing is considered such a service.
  2. ISO/IEC 27001. This is a formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).
  3. PCI Data Security Standard (applicable to the payment card industry).

Please recognize that this post is only scratching the surface of these issues. I wanted to give you a snapshot of the laws and the elements by which you can protect your organization. I encourage you to use this information with your trusted advisors to get the most out of your cloud relationships.
