Believe it or not, there are laws and regulations that govern the use of information. Falling under the banner of regulatory compliance, dealing with these aspects in cloud computing gets murky. Major topics and considerations include:
Fourth Amendment – James Urquhart does an excellent job of exploring this in his article at CNET. He references a scholarly work by David A. Couillard as he traces the complex route the courts have taken in NOT deciding much of anything about Fourth Amendment questions related to whether information given up to a third party on the Internet has any right to privacy. Essentially, the law does not keep pace with the rapid evolution of technology. Couillard cites the fact that it was nearly 100 years before the Supreme Court recognized that telephone conversations have a constitutional protection from unreasonable search. The pivotal issue here centers on the Third Party Doctrine, which assumes that information turned over to a third party carries no reasonable expectation of privacy. Of course, it gets much murkier when you start to classify the information as either content or transactional, and when you start to define the containers the information is stored within.
Government Rules – In Article 8 of the Charter of Fundamental Rights of the European Union, the EU lays the groundwork for the fundamental right of personal data protection. The EU enters into talks and agreements with governments outside the EU to make sure the same protections apply to its citizens’ data even when it is shared with companies, people and governments in other countries. In another instance, Canada has the Personal Information Protection and Electronic Documents Act, which governs how electronic documents are used and what private companies can do with personal data. The U.S. Department of Commerce is tasked with “harmonizing data privacy” between the U.S. and other governments that have much stricter privacy laws, such as the EU. This is called the Safe Harbor program.
FISMA – This is an effort by the U.S. National Institute of Standards and Technology (NIST) to protect the nation’s information infrastructure. It does so by promoting the development of standards and guidelines that handlers of information must follow.
HIPAA – The U.S. Department of Health and Human Services issues privacy and security rules relating to health information.
SOX – This is the Sarbanes-Oxley Act, passed in 2002, which created new standards for public companies to follow in the wake of several major corporate and accounting scandals, including Enron.
PCI – The PCI Security Standards Council is a global organization that develops security standards for account data protection. Its founders include the major credit card companies.
SAS 70 Audits – SAS 70 (Statement on Auditing Standards) is an auditing standard developed by the American Institute of Certified Public Accountants that includes auditing the controls over information technology.
All of these information security fronts are evolving every day. Stay tuned as we bring you the latest information and analysis on these important topics.