In April of this year, the U.S. Department of Commerce's International Trade Administration (ITA) released guidance on the use of U.S. cloud service providers by organizations in the European Union (EU) for hosting personal data.
Specifically, the U.S.-EU Safe Harbor Framework bridges the gap between the EU's single, comprehensive data protection law and the U.S.'s sector-by-sector approach, in which requirements vary by industry (e.g., HIPAA for healthcare, PCI DSS for payment cards, SOX for financial reporting).
For a detailed description of the Safe Harbor Privacy Principles, read What is U.S.-EU Safe Harbor?
According to the ITA, Safe Harbor applies to cloud service agreements: a cloud service provider that receives EU personal data must be bound by a written contract with the data exporter, whether or not the provider is itself Safe Harbor certified, and even if it receives the data only to process it on the exporter's behalf.
The document also responds to an opinion published last year by the Article 29 Data Protection Working Party that critiqued reliance on Safe Harbor for cloud services. A few of the Working Party's concerns, and the ITA's responses, include:
- Safe Harbor allows data originally transferred to a Safe Harbor-compliant data center provider or processor to be transferred onward to another country. The ITA addresses this by emphasizing that any subcontractor of the cloud service provider must also sign a written agreement providing the same level of protection as the Safe Harbor Privacy Principles.
- Companies that export data should not merely rely on the data center provider's word that it holds a Safe Harbor certification; they should obtain evidence that the provider actually follows the principles. The ITA publishes a list of certified companies on its website, and another way to verify ongoing security practices is to review the provider's compliance audit reports. For a full list of which compliance regulations apply to cloud service providers and what they mean, see Data Center Standards Cheat Sheet – From HIPAA to SOC 2.
- Other risks that Safe Harbor does not address include data retention policies, loss of governance, insufficient audit trails and isolation failures (one tenant's data or workload being exposed to another in a shared environment). The ITA's position is that the Safe Harbor Privacy Principles are not the appropriate framework for such issues; instead, the cloud service provider and its customer should spell out the technical and security requirements in their contract.
In short, the ITA recognizes that Safe Harbor is relevant to cloud services that handle European data, but it is not an all-encompassing rule for allocating other cloud security responsibilities.
Each industry and each organization has its own data security requirements on top of general cloud security best practices. A risk assessment of your own organization maps your business workflows, identifies which data is critical, and surfaces where that data is exposed both in transit and at rest.
Read the Top 5 Tips for Cloud Computing Security for more about how to ensure your cloud service provider/data center operator takes security seriously to protect your critical data.