Cloud computing offers many advantages for businesses of all sizes across all industry sectors. One challenge for cloud computing is regulatory compliance. When company data is stored in-house, the business or organization has control of the information. This includes where the data resides, who can access the data, and how it is stored. When the company data is transferred to an off-site data center, challenges arise as to how the data can be protected so it complies with applicable national and foreign regulations.
Common compliance statutes
The following statutes are just some of the many compliance statutes IT professionals need to understand:
HIPAA. The Health Insurance Portability and Accountability Act of 1996 requires that covered entities such as hospitals, medical practices, and the businesses that support them protect sensitive private electronic health records. Personal health information cannot be disclosed to the public. Healthcare entities need to control physical and technical access to, and use of, the patient's private data. Health providers and contractors must also keep thorough records of who accesses the data and what security steps are being taken.
EU Data Protection Directive. The Data Protection Directive of 1995 governs personal identification information, requiring that home addresses, credit card information, bank statements, criminal record history, and other data be properly secured. The EU directive is more sweeping than current US law. It does apply to American companies that conduct business in the EU and to data centers based in the EU. There is also an e-Privacy directive that applies specifically to the telecommunications industry.
PCI DSS. The Payment Card Industry Data Security Standard applies to businesses that accept credit cards. The data collected from the credit card holder must be secured.
Some of the many other US compliance acts include the Fair Credit Reporting Act, Do Not Call lists, the Can-Spam Act of 2003, the Gramm-Leach-Bliley Act of 1992, which applies to the financial industry, the Video Privacy Protection Act of 1988, and the Cable Television Protection and Competition Act of 1992.
Each country has its own set of compliance regulations.
Challenges for off-site data centers
There are different types of problems cloud storage presents. A few of these concerns are:
- Which regulations apply? When data is stored at a company site:
  - Does the location of the data center determine what laws apply?
  - What if the data center has multiple locations? In different nations?
  - What does the location of the business mean for compliance?
- What steps are being taken to keep records of who is accessing the data, when, and by what means?
- What security steps are being taken to prevent access by unauthorized users?
Data center compliance solutions
There may be legal and business solutions to compliance issues. Some of the practical and technical solutions IT departments and data centers are using are:
- Choose a data center that provides cloud services to the same nation or the same region.
- Encrypt the data while it is being sent from the business site to the data center location. It’s better still if the company has local control over the encryption keys.
- “Anonymize” the data so that useful data is stored in the cloud but with a reference number for private personal information, such as a person’s social security number. A token or key, somewhat like a decryption key, is then used to match up the right information with the correct private personal information.
- Create a hybrid solution. Data that needs to be secured can be kept at the business location while data that does not need to be protected can be kept at the data center site.
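The tokenization and hybrid approaches above can be combined: private fields are swapped for random reference tokens before a record leaves the business site, the token-to-value mapping stays in an on-site vault, and only the tokenized copy goes to the data center. The following is an added example written for this page, not code from the article or from any vendor; the field names, the `tok_` prefix, the sample record and the `LocalTokenVault` class are all assumptions made for illustration.

```python
"""Tokenize private fields before a record is sent off-site (added example).

Assumed design: each sensitive value is replaced by a random token; the
mapping from token back to value lives only in an on-site vault, so the
copy stored at the data center holds no private personal information.
"""
import secrets

# Assumption: which fields count as private personal information.
SENSITIVE_FIELDS = frozenset({"ssn", "date_of_birth"})


class LocalTokenVault:
    """On-site store mapping opaque tokens to the original private values.

    Tokens are random (secrets.token_hex), not derived from the value:
    a hash of a social security number could be brute-forced because the
    SSN space is small, whereas a random token reveals nothing on its own.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}  # reuse one token per distinct value

    def tokenize(self, value):
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Raises KeyError for a token this vault never issued.
        return self._token_to_value[token]


def split_record(record, vault, sensitive=SENSITIVE_FIELDS):
    """Return the cloud-safe copy: sensitive fields replaced by tokens."""
    return {
        key: (vault.tokenize(value) if key in sensitive else value)
        for key, value in record.items()
    }


def restore_record(cloud_record, vault, sensitive=SENSITIVE_FIELDS):
    """Rejoin the cloud copy with on-site values (run inside the business network)."""
    return {
        key: (vault.detokenize(value) if key in sensitive else value)
        for key, value in cloud_record.items()
    }


def leaks_sensitive(cloud_record, original, sensitive=SENSITIVE_FIELDS):
    """Pre-upload check: does any original private value appear in the cloud copy?"""
    private_values = {original[k] for k in sensitive if k in original}
    return any(v in private_values for v in cloud_record.values())


def demo():
    # Constructed sample record; the values are not real data.
    record = {"patient_id": 42, "ssn": "123-45-6789",
              "date_of_birth": "1970-01-01", "visit": "2024-01-02"}
    vault = LocalTokenVault()
    cloud_copy = split_record(record, vault)
    assert not leaks_sensitive(cloud_copy, record)
    assert restore_record(cloud_copy, vault) == record
    return cloud_copy


if __name__ == "__main__":
    print(demo())
```

The `leaks_sensitive` check is the kind of gate a practitioner would place in front of the upload path: it fails closed if a private value slips through in a field that was not listed as sensitive. The vault itself is the new crown jewel of this design; it stays on-site and, like the encryption keys in the previous point, under the company's own control.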
Talk to a skilled compliance security professional today
Failure to comply with applicable compliance laws can mean substantial fines and penalties, plus lawsuits by any customer whose privacy was affected. Businesses need to understand which laws apply to their business by location and by industry type. There are data center and practical solutions that can help your business or organization meet its compliance requirements.