( Disponible en anglais seulement )
This Article is Part Two of a Two-Part Series
Part One provides an overview of the essential elements of the cloud computing ecosystem and describes what it means to be in the cloud. It concludes by setting out the first few key cybersecurity considerations unique to cloud computing and the legal approaches that have been developed to address them. Part Two continues this discussion.
Managing Cybersecurity Risk in the Cloud – Part 2
In addition to the cybersecurity issues related to Data Security and the Location of Data previously discussed, other key considerations when migrating to the cloud include Privacy and Regulatory, Service Failures and Loss of Control over information.
1. Privacy and Regulatory Considerations. Data uploaded to the cloud is vulnerable to more than data breaches. Any organization sending or processing personal information in a cloud computing environment must comply with privacy law requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. As may often be the case in client contracts, data collected for a specific purpose is to be used only for that particular purpose; accordingly, organizations need to exercise caution when uploading their clients’ data to the cloud, need to obtain appropriate consents to do so, and look to limit the possibility that, or how, such data will be processed.
We further note that with the European Union’s General Data Protection Regulation (“GDPR”) coming into force in May 2018, Canadian organizations will also need to consider compliance with the GDPR as part of their broader privacy and regulatory compliance strategy.
Contracts with cloud providers should specifically restrict access to and use of personal information, identify applicable privacy legislation and regulations, and clearly set out processes and procedures in the event of a breach requiring notification or reporting. Consumers need to seek protections that ensure data is returned or securely destroyed when no longer necessary for the specified purposes and that the obligations of the provider in respect thereof flow down to their subcontractors or third party vendors. Although not yet in force, the Breach of Security Safeguards Regulations set out detailed notification requirements in the event of a security breach. Providers who are unfamiliar with these requirements may find themselves and, in turn, their consumers, exposed to regulatory scrutiny and fines. Carefully crafted language setting out the response timeline and responsibilities of the parties in the event of a breach will assist in mitigating this risk.
2. Service Failure Interruption. Service level agreements with cloud providers must be detailed enough to provide the consumer with an understanding of what to expect when something—inevitably—goes wrong. Unfortunately, these often take the form of only minimal service level assurances. To the extent possible, they should at a minimum provide information as to the uptime, process and timing associated with correcting service failure interruptions, along with the method of notification and follow-up that the customer can expect to receive.
Regardless of an organization’s bargaining power in negotiating a service level agreement, special attention must be given to circumstances which would cause a material service disruption, suspension or termination. Well-drafted agreements will clearly define what constitutes an emergency security issue or failure that results in a suspension or termination and, to the extent possible, provide advance notice accompanied by an opportunity to cure the deficiency. Absent these considerations, the ultimate risk to an organization is that their entire cloud-connected business unexpectedly becomes paralyzed with little or no warning. The costs of such a disruption could be significant and are not typically covered in the indemnity provisions of the cloud services agreement.
3. Loss of Control. One further issue that may arise concerns the loss of control that an organization has over its information in the cloud. Consumers will invariably take on increased enterprise risk as the provision of services, processors, sub-processors and third parties grows. The inability to control where, how and by whom their data is handled opens the door for a host of unforeseen issues.
While it is unlikely—and indeed often undesirable—to limit the involvement of subcontractors and third party vendors of the cloud provider, consumers can take proactive steps by specifying information that is to be expressly carved out from the processing or administration processes that apply to the uploaded data generally. At a minimum, special attention must be drawn to highly confidential information and information governed under PIPEDA or applicable privacy legislation.
While the move to the cloud is an attractive opportunity for organizations to reduce their information technology infrastructure cost, it also brings with it certain risks. Managing those risks will often be specific to each organization, depending on the type of data they intend to move to the cloud, the size of their organization and the industry in which it operates. Nevertheless, steps can be taken to mitigate these risks through contractual means with cloud service providers.
Finally, the increased sophistication of hackers, growth of artificial intelligence, development of quantum computers and the expansion of the “Internet-of-Things” will all contribute to the way we interact with information and data on a daily basis. Cybersecurity concerns will continue to be at the forefront of the cloud computing revolution. Businesses and individuals who are well-apprised of, and counselled on, the evolving risks stemming from this growth in interconnectivity will be best-placed to navigate the next technological wave.
 PIPEDA regulates personal information in the private sector and federal works, undertakings and businesses. PIPEDA also applies to personal information that flows across borders.