Maintaining regulatory compliance is often a complicated, confusing undertaking. Government and industry regulations and standards are constantly evolving, and if you miss even the slightest detail, it could put your organization at risk of being noncompliant. Nevertheless, regulatory compliance is a necessary evil of operating a business within certain industries.
In the world of retail, you have the Payment Card Industry Data Security Standard (PCI DSS), which is designed to protect cardholder data wherever credit and debit card payments are accepted. In the world of healthcare, you have the Health Insurance Portability and Accountability Act (HIPAA), which is designed to protect patient privacy and medical information. In the world of banking and finance, you have the Gramm-Leach-Bliley Act (GLBA), which is designed to protect customer confidentiality with regard to personal and financial information. These are just a few examples of the many regulations impacting businesses today.
Compliance with these rules becomes even more complex if you utilize cloud computing. In a cloud environment, an organization uses a service provider’s IT infrastructure for storing data and applications, which are accessed via the Internet on desktop and mobile devices. This enables organizations to get out of the business of purchasing and maintaining technology. Those responsibilities shift to the service provider, allowing organizations to focus on core business activities that drive revenue.
Many organizations within these and other industries are turning to the cloud to reduce upfront IT costs, operate more efficiently, and roll out new applications and services more quickly. However, organizations that don’t move to the cloud cautiously can open up a regulatory can of worms.
Here’s the biggest issue with compliance when using the cloud. If customer information is compromised, your organization is ultimately responsible, even if the service provider is at fault. As a result, there are important factors to consider before you decide to move any applications and services to the cloud.
You obviously need to know whether compliance is even possible in a cloud environment. If it is, you need to make sure your service provider can meet the requirements. SSAE 16, the Statement on Standards for Attestation Engagements 16, was created to help organizations verify that a provider is capable of maintaining regulatory compliance. SSAE 16 is a written audit of the provider’s technology, policies, processes and controls that are used to keep your data secure.
You also need to know where data is physically located. A service provider based in Florida could be storing your organization’s data and applications in another state or country. If that’s the case, you’re also subject to that state or country’s rules and restrictions related to data privacy and access. You and your provider must adhere to the rules according to the physical location of your data and the users who access it, not just the location of your organization or provider.
If your company is subject to industry regulations and you’re thinking about moving business applications and data to the cloud, a law firm with firsthand knowledge of cloud computing and how it can impact regulatory compliance can be a valuable asset. Please contact Whitehouse & Cooper to review your service provider agreements and help you understand your responsibilities from a compliance perspective.
Call: (321) 285-2300
1515 Park Center Drive
Orlando, Florida 32801
Call: (813) 444-7388
14502 North Dale Mabry Highway
Tampa, Florida 33618