Protecting the privacy and security of sensitive customer data in the cloud

Computer Law and Security Review

Volumn 28, Issue 3, 2012, Pages 308-319

  King, Nancy J ^a   Raja, V T ^a  

^a OREGON STATE UNIVERSITY   (United States)

Author keywords

Cloud computing; Data protection; Information privacy; Sensitive data

Indexed keywords

COMPUTING ENVIRONMENTS; COMPUTING INDUSTRY; CONSUMER PRIVACY; CRITICAL CHALLENGES; CUSTOMER DATA; DATA PROTECTION; DATA PROTECTION LAWS; INFORMATION PRIVACY; NEW INDUSTRY; PRIVACY AND SECURITY; REGULATORY FRAMEWORKS; REGULATORY REFORM; SENSITIVE DATAS; SENSITIVE INFORMATIONS;

CLOUD COMPUTING; COMPUTER SYSTEMS;

DATA PRIVACY;

EID: 84861355449     PISSN: 02673649     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.clsr.2012.03.003     Document Type: Article

References (89)

1. Mahony, H., 'EU gets to grips with cloud computing,' euobserver.com (5 Apr. 2011).
2. Security and Resilience in Governmental Clouds, Making an Informed Decision, European Network and Information Security Agency, p. 11 (Jan. 2011) (ENISA Guidelines) (guide for European public agencies about the use of cloud computing).
3. Cloud Computing, Electronic Privacy Information Center (EPIC), at: http://epic.org/privacy/cloudcomputing/default.html (referencing and linking a survey of experts on the privacy and security risks of cloud computing).
4. European Commission: Trade: United States (Bilateral relations), at: http://ec.europa.eu/trade/issues/bilateral/countries/usa/index-en.htm.
5. Opinion 8/2010 on applicable law, Article 29 Data Protection Working Party, 0836/10/EN, WP 179, p. 21 (16 Dec. 2010) (Art. 29 Opinion 10/2010).
6. Editorial, Hong Kong and China: Into the Cloud, LegalBytes, Baker & McKenzie (Mar. 2011); Personal information online code of practice, Information Commissioner's Office, U.K., p. 40 (July 2010) (UK Online Code of Practice).
7. Mell, P. & Grance, T., The NIST Definition of Cloud Computing (Draft), Recommendations of the National Institute of Standards and Technology, U.S. Dept. of Commerce, Special Pub.800-145 (Draft) (Jan. 2011) (NIST Guidance) (providing guidance for use by federal agencies; not applicable to national security systems).
8. For clarification, this paper focuses on the security and privacy challenges of using public cloud computing. It is, however, recognized that the use of Virtual Private Clouds (VPC) may allow organizations to exercise more controls and enhance security in the cloud. See, e.g., Amazon's VPC, at: http://aws.amazon.com/vpc/.
9. "Information security is an essential component of information privacy: it is often said that privacy is not possible without security." Swire, P. & Bermann, S., Information Privacy, the Official Reference for the Certified Information Privacy Professional (CIPP), International Association of Privacy Professionals (IAPP), p. 161 (2007) (Information Privacy). "Information Security describes the systems, policies and controls within a typical enterpriselevel information security operation." Ibid.
10. DeVore, A. C., Presentation: 'Cloud Computing: Privacy Storm on the Horizon?' 20 Albany Law Journal of Science and Technology, p. 365 (2010).
11. Jansen, W. & Grance, T., Guidelines on Security and Privacy in Public Cloud Computing, National Institute of Standards and Technology, U.S. Dept. of Commerce, Draft Special Pub. 800-144, pp. 10-12 (Jan. 2011) (NIST Cloud Computing Guidelines).
12. NIST Cloud Computing Guidelines, note 15, pp. 8-10.
13. See Sandbox feature, 'Security built into Chromebooks from the beginning,' at: http://www.gogle.com/chromebook/featuressecurity.html.
14. Greene, T., 'Researchers find "massive" security flaws in cloud architectures,' Networkworld (Oct. 26, 2011).
15. NIST Cloud Computing Guidelines, note 15, iii (guiding the U.S. federal government's processing of sensitive unclassified information in the cloud); see also, 'Cloud Computing: What are the Security Implications?' U.S. House of Representatives Sub-Committee on Cybersecurity, Infrastructure Protection and Security Technologies (Oct. 6, 2011), at http://homeland.house.gov/hearing/ cloud-computing-what-are-security-implications.
16. Cloud services are available to address special government security objectives, such as a need to limit access to more sensitive data to citizens of a particular country. See, for example, AWS GovCloud (US), at: http://aws.amazon.com/govcloud-us/.
17. Thibodeau, P., 'Congress urged to leave cloud computing alone,' Computerworld (12 Apr. 2011).
18. See generally, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, 23.11.95, art. 17(1) (Data Protection Directive); Directive of the European Parliament and of the Council 2000/31/EC of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular e-Commerce, in the Internal Market, OJ L 178/1,17.07.2000 (E-Privacy Directive).
19. Boyd, V., 'Financial Privacy in the United States and the European Union: A Path to Transatlantic Regulatory Harmonization,'
20. Berkeley Journal of International Law 939, 965 (2006).
21. E-Privacy Directive, note 21, art. 9(1).
22. Angwin, J. 'Proposed Bill Would Put Curbs on Data Gathering,' MarketWatch (10 March 2011) (reporting the proposed federal legislation "would create the nation's first comprehensive privacy law covering personal-data gathering").
23. Children's Online Privacy Protection Act of 1998, 15 U.S.C. xx 6501-6506 (COPPA); Hiller et al., 'POCKET Protection,' 45 American Business Law Journal 417 (2008).
24. Gramm-Leach-Bliley Act of 1999, 15 U.S.C. xx 6801-6809.
25. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified, as amended, in 42 U.S. C. x1936 et seq.).
26. Fair Credit Reporting Act of 1970, 15 U.S.C. x 1681 et seq.
27. Federal Trade Commission Act (FTC Act), 15 U.S.C. x45 (Section 5). Deceptive practices include material misrepresentations or omissions that are likely to mislead reasonable consumers. Unfair practices involve substantial harm to consumers where the harm is not reasonably avoidable by consumers and the benefits of the practices to consumers do not outweigh the harm.
28. (King. N. & Jessen, P., 'Profiling the Mobile Customer,' Part I,' 26-5 Computer Law & Security Review 455-478 (2010).
29. In the Matter of BJ's Wholesale Club, Inc., Federal Trade Commission, Complaint and Consent Decree, FTC File No. 042 3160 (Sept. 2005) (FTC v. BJ) (addressing the company's failure to adequately secure sensitive personal information which allowed hackers to acquire customers' personal data and make fraudulent credit card charges as an unfair trade practice).
30. FTC v. BJ, note 31, pp. 2-3.
31. FTC Guidelines, Federal Trade Commission, 'Self-Regulatory Principles for Online Behavioral Advertising,' pp. 22-23, February 2009 (FTC Guidelines).
32. See also, FTC Report, 'Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and Policymakers,' FTC (Mar. 2012) (FTC Report, March 2012).
33. FTC Guidelines, note 33, pp. 43-44.
34. FTC Guidelines, note 33, pp. 44.
35. Equal Credit Opportunity Act, 15 U.S.C. Section 1691(a)(1)(2012).
36. Fair Credit Reporting Act of 1970, 15 U.S.C. x 1681 et seq.
37. At least eighteen states prohibit sexual-orientation discrimination. Martichuski, D., 'Sexuality and Transgender Issues in Employment Law,' 8 Georgetown Journal of Gender and the Law 505, n.81 (2007).
38. See 'Republican Lawmaker Promises New Online Privacy Legislation,' PCWorld (4 Mar. 2011) (designed primarily to address online privacy issues).
39. H.R. 611 (Best Practices Act), in the House of Representatives of the United States, 112th Congress, lst Session, Sec. 1(8) (Feb. 2011).
40. News Release, 'FTC Seeks Comment on Proposed Revisions to the Children's Online Privacy Protection Rule,' Federal Trade Commission (15 Sept./2011).
41. The eight requirements to process personal data in the EU are: (1) fair and lawful processing; (2) collection and processing only for a proper purpose; (3) that data be adequate, relevant and not excessive; (4) that data be accurate and up to date; (5) that data be retained no longer than necessary; (6) giving the data subject access to his or her data; (7) keeping data secure; and (8) no transfer of personal data to a country that does not provide an adequate level of privacy and personal data protection. Data Protection Directive, note 21, arts. 6 et seq. See also, Speech, Peter Hustinix, European Data Protection Supervisor, 'Data Protection and Cloud Computing Under EU Law,' Third European Cyber Security Day BSA, European Parliament (13 Apr. 2010) (Hustinix Speech) (commenting that data protection regulation applies to cloud services where they process personal data that fall within the scope of EU jurisdiction "regardless of where the data are processed") (emphasis in original).
42. Data Protection Directive, note 21, arts. 6(1)(b) and (c), 7, 12, 17. Article 17 requires data controllers to implement appropriate technical and organizational security measures to protect personal data from destruction, loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing. Such measures must take into account the state of the art, the cost of implementation and ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Currently, except in the telecommunications sector, the security obligation does not include notifying customers of security breaches. See Olson, P., 'Euro Regulators Probe Sony Data Breach,' Forbes blog (29 Apr. 2011), at: http://blogs.forbes.com.
43. Shaffer, G., 'Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of Privacy Standards,' 25 Yale Journal of International Law 1, pp. 13-16 (2000).
44. Pop, V., 'EU privacy rules changing US companies,' euobserver. com (29 June 2010).
45. Data Protection Directive, note 21, art. 19.
46. Prinsley, M., 'Privacy concerns in clouds,' FT.com (7 Mar. 2011) ("processing in 'the cloud' may involve a complex web of parties processing data in a variety of locations around the world"). One challenge of applying the EU's Data Protection Directive to international data transfers in cloud computing is that the current regulation relies on a definition of data transfer from "point to point," while data transfers in cloud computing may be continuous. Hustinix Speech, note 43, p. 4.
47. Data Protection Directive, note 21, art 25(1).
48. Solove, D., Rotenberg, M. and Schwartz, P., Information Privacy Law, pp. 933-935 (2nd ed., 2006) (Solove et al.). Exceptions permit export of personal data to processors outside the EEA when the transfer is to a company that has signed the EU/U.S. Safe Harbour Agreement, is pursuant to standard contractual clauses approved by the European Commission or is covered by binding corporate rules.
49. UK Online Code of Practice, note 8, p. 28; Prinsley, note 50.
50. Art. 29 Opinion 10/2010, note 6, pp. 21-22.
51. Data Protection Directive, note 21, art. 25(1).
52. Federal laws regulating the export of encryption technology for national security reasons are beyond the scope of this article. See, e.g., EAR Controls for Items that Use Encryption, Export Administration Regulations (EARS), U.S. Department of Commerce, at: http://www.bis.doc.gov/encryption/default.htm.
53. Information Privacy, note 12, pp. 32, 37, 43, 46.
54. Information Privacy, note 12, p. 37 (requires administrative, physical and technical safeguards to protect the confidentiality and integrity of PHI).
55. Anderson, H., '10.8 Million Affected by Major Breaches,' Government Information Security Articles (25 Apr. 2011).
56. Geo-location data currently receives limited protection under laws that limit telephone carriers from disclosing customer proprietary data except in certain circumstances. See King, N., 'Direct Marketing, Mobile Phones, and Consumer Privacy: Ensuring Adequate Disclosure and Consent Mechanisms for Emerging Mobile Advertising Practices,' 60-2 Federal Communications Law Journal, 229, 242 (2008) (Exhibit A).
57. Information Privacy, note 12, pp. 69-70. California was the first state to enact a security breach notification law. Commercial entities that do business in California must notify consumers about the breach of any computer system that contains the unencrypted personal information of California residents. As of the data of this writing, at least 46 of the 50 states have enacted breach notification laws.
58. Shaw, A., 'Data Breach: From Notification to Prevention Using PCI DSS,' 43 Columbia J. Law & Soc. Problems 517, pp. 519-520 (2010). Proposed federal legislation requiring breach notification has been introduced into Congress that would criminalize intentionally or wilfully concealing a data breach.
59. Engleman, E., 'Concealing a Data Breach Would Be a Crime Under Leahy Bill,' Bloomberg (7 June 2011);
60. Gruenwald, J., 'Panel Approves Data-Breach Bills Despite Partisan Rancor,' National Journal (22 Sept. 2011) (reporting that the Senate Judiciary Committee has approved three bills aimed at setting national standards for security breaches involving personal data although none have yet come to a vote on the Senate floor).
61. For example, the California Computer Security Act of 2002, defines personal information as an individual's name in combination with their: (1) Social security number; (2) California identification card number; (3) driver's license number; or (4) financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account. Information Privacy, note 12, p. 69-70.
62. Federal financial regulators have also issued a joint security breach notification guidelines interpreting section 501(b) of the Gramm-Leach-Bliley Act. Information Privacy, note 12, p. 70. Settlement agreements between state government regulators and companies that have been investigated for violating state breach notification laws may require companies to adequately secure sensitive data.
63. Mello, J. P., 'States getting tougher on data breaches,' Government Security News (1 Apr. 2011).
64. Davis, W., 'Apple Sued for Violating iPhone, iPad Privacy,' Online Media Daily (16 Feb. 2011) (reporting that Apple has now been sued in four potential class action privacy lawsuits for transmitting the devices' unique identifiers to app developers);
65. Bedoni, S., 'Apple Risks Following Google as Europe Leads Privacy Probes', Bloomberg (28 Apr. 2011).
66. Absent proof of specific harm to consumers such as losses due to identity theft, consumers who have attempted to challenge the failure of private businesses to protect their sensitive personal information have generally been unsuccessful. Consistent with this view, a federal court recently dismissed a consumer privacy lawsuit brought against Apple and eight mobile ad companies. Despite claims in this lawsuit that defendants were sharing personal information about plaintiffs without their consent, the court ruled dismissal was required because plaintiffs failed to allege any tangible injuries from the resulting tracking. However, the court's order dismissing the lawsuit permits plaintiffs to refile their complaint if they are able to amend it to allege tangible injury. See Davis, W., 'Privacy Lawsuit Dismissed Against Apple, Mobile Ad Developers,' MediaPost (22 Sept. 2011).
67. See Goodin, D., 'Lawsuit targeting RockYou data breach gets green light,' The Register (18 Apr. 2011) (reporting that a federal judge has refused to dismiss a lawsuit raising claims of negligence, breach of contract, violations of the federal Stored Communications Act and state unfair competition law that was filed against social-media developer RockYou for exposing personal data of 32 million users to a major breach of its site by hackers).
68. Lawsuits alleging consumer harm caused by security failures that expose sensitive personal data may include claims of violations of federal laws that protect the privacy of electronic communications. However, these laws need to be updated in order to ensure application to cloud computing contexts. See Robison, W. J., 'Free at What Cost? Cloud Computing Privacy Under the Stored Communications Act,' 98 Georgetown Law Journal, 1195 (2010).
69. Since 2001 the FTC has brought at least 23 enforcement actions against companies for failing to protect sensitive consumer information. Prepared Statement of the FTC on Behavioral Advertising, Before the Senate Comm. on Commerce, Science, and Transportation, Washington, D.C., p.8 (9 July 2008).
70. For example, the Federal Trade Commission has said no U.S. laws restrict financial services firms from sending customer data outside the U.S. for processing. Heller, Michele, In Brief: 'Federal Trade Commission: No need to Keep Information in the U.S.,' American Banker (13 May 2004). But see, Boyd, note 22, p. 971 (cautioning that financial institutions that outsource customer data may be sued under state laws if they invade consumers' basic expectations of privacy).
71. U.S. companies may become members of the U.S.-EU Safe Harbour Agreement in order to be able to lawfully transfer personal data from the EU to the U.S. when transfer of the data would otherwise be prohibited under EU law. See U.S.-EU Safe Harbour Overview, at: http://www.export.gov/safeharbor/eu/eg-main- 018476.asp. Members of the Safe Harbour Agreement must comply with seven privacy principles that include: notice, choice, onward transfer, access, security, data integrity and enforcement ("Principles"). Express, opt in consent is required to process sensitive data. To disclose information to a third-party (onward transfer), organizations must apply the notice and choice principles. Transfers to an agent are permitted if the transferring organization makes sure that the third party subscribes to the Principles or is subject to the EU's Data Protection Directive. Ibid.
72. Organizations are advised to treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive. Safe Harbour Privacy Principles, issued by the U.S. Department of Commerce July 21, 2000, at: http://www.export.gov/safeharbor/eu/eg-main-018475.asp.
73. Speech, Neelie Kroes, 'The Digital Agenda: Europe's key driver of growth and innovation,' 2011 Digital Agenda Summit organized by the Lisbon Council, p. 5 (Brussels, Oct. 4, 2011).
74. Thibodeau, P., 'Congress urged to leave cloud computing alone,' Computerworld.com (12 Apr. 2011) (experts express worries about how the world perceives U.S. data security law although current data security policies and initiatives, such as the Safe Harbour program, appear to be working for providers and users of cloud-based applications). Cloud providers who sign a Safe Harbour Agreement make a pledge to follow the EU's data protection principles.
75. See, e.g., 2006 Identity Theft Survey Report, U.S. Federal Trade Commission (November 2007); Boyd, note 22, p. 965 (commenting that most personal data collected by banks and other financial service providers relating to clients is not considered "sensitive" under Article 8(1) of the Directive).
76. Council of the European Union, Council's conclusions on the Communication from the Commission to the European Parliament and the Council e A comprehensive approach on personal data protection in the European Union, 3071st Justice and Home Affairs Council Meeting Brussels, 24 and 25 February 2011. pp. 3-4 (concluding that the Council "expects the special protection of sensitive personal data to remain a core element" of EU data protection).
77. Comments on COE Convention 108, Appendix on Profiling, Electronic Information Privacy Center, Washington, D.C., before the European Committee on Legal Cooperation of the Council of Europe Plenary Meeting - October 11-14, p. 3 (14 Sept. 2010) (sex should be included in definitions of sensitive data to ensure regulation of privacy invasive technologies that target men or women).
78. O'Brien, K.J., 'Cloud Computing Hits Snag in Europe,' The New York Times (19 Sept. 2010).
79. Brewster, T., 'EU to legislate on cloud security,' iTnews.com.au (30 Sept. 2011) (reporting that one possible result of the ongoing regulatory review and revision of the EU's Data Protection Directive may be a requirement that cloud service providers assume liability for any data breaches or losses that occur in their data centres, so called Binding Safe Processor Rules). Since this paper focuses on the need to protect sensitive data as opposed to who should ultimately be liable for data breaches and the EU's regulatory reform related to data protection legislation is ongoing having produced proposed regulations that have not yet been adopted, this topic is not explored further in this article. It will certainly deserve further research and analysis in the EU's regulatory reform process.
80. See Press Release, 'European Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses,' European Commission (25 Jan. 2012).
81. In its current draft, the proposed reform package expands the special categories of data to include genetic data but does not include other categories of sensitive data that this article recommends be protected as sensitive data. See Proposal of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, General Data Protection Regulation, European Commission, Brussels, COM(2012), Art. 9(1) (released 25 Jan. 2012).
82. Data Protection Directive, note 21, art. 2(a).
83. Art. 29 Opinion 10/2010, note 6.
84. Szuskin, L. & Nakano, S., 'Simplified filing requirements for non-EU controllers for processing in France of employee and customer data collected outside France,' LegalBytes, Baker & McKenzie (March 2011) (Legal Bytes) (referencing Decision No. 2011-023 by the French Data Protection Authority (CNIL) (16 Feb. 2011)).
85. Legal Bytes, note 89, p.3.
86. See, e.g., Greene, note 18; Goldman, D., 'Amazon explains its cloud disaster,' CNN Money.com (29 Apr. 2011);
87. Olson, P., 'Euro Regulators Probe Sony Data Breach,' forbes.com (28 Apr. 2011).
88. See generally, FTC Report (Mar. 2012), note 33 and 'Consumer Data Privacy in a Networked World: A Framework for Protecting the Privacy and Promoting Innovation in the Global Digital Economy,' The White House, Washington, D.C. (Feb. 2012).
89. The Safe Harbour program and other negotiated mechanisms to transfer personal data lawfully from the EU to the U.S. may not be adequate to support the growth of the cloud computing industry. Study, 'The US Department of Commerce and International Privacy Activities: Indifference and Neglect,' World Privacy Forum (22 Nov. 2010).