Privacy Questions around Enterprise Data in the Cloud
Updated: May 10
The recent controversy around the Apple iPhone CSAM update rollout brings to mind the question: how private is enterprise data in the cloud, and what legal issues related to data privacy and ownership need to be considered by every organization? All the public cloud providers, including AWS, Microsoft Azure and Google Cloud, take data privacy very seriously and have clear policies on this issue. Yet it is in every organization's interest to look at its data and understand which company-owned data is located in the cloud, in order to mitigate the extreme situations and potential risks that could arise from that data sitting at a remote location managed by another entity. Here are some of the actions that can be taken to gain better control of the organization's data –
1. Data Classification – Typically, data is classified as public, private, and confidential or restricted. Private data is internal to the company, and restricted data can include trade secrets, PII (personally identifiable information) and data that falls under a regulatory framework such as GDPR. In some cases, companies go through this process before any data is uploaded to or made available through the cloud. In many cases, however, a thorough study has not been done and organizations have to go back and retroactively analyze their existing data, whether located in the cloud or on premises, across the enterprise. Usually, this process is owned by a Data Steward.
2. Data Discovery – Often the data is in files, documents and spreadsheets, but in other cases it may be embedded in applications and/or stored in databases. If this information is not clearly cataloged and documented, a thorough discovery process is essential to identify the different data locations and who can access the data.
3. Data Ownership – Most cloud providers make it clear that the customer is the owner of the data. Even within an organization, data ownership needs to be clearly defined and responsibilities assigned for upkeep and access control, so that at any point ownership can be traced and audited.
4. Encryption – Once data is classified, some of it might have to be encrypted before it is uploaded to the cloud. Encryption applies to data in transit, data at rest and data in use (by the different applications). Cloud providers offer services with options to encrypt and decrypt the data, and several third-party tools can be used as well. There can be a trade-off with performance, so these factors must be studied and tested, and encryption might have to be applied only to a subset of the data as determined by the analysis.
5. Regulatory Compliance – In recent years there have been many attempts by governments all over the world to rein in technology companies and hold them accountable for the vast amount of personal data about citizens that they have access to, how that data may be used, and what restrictions apply to it. This is one of the most important reasons for companies to know their data well and make sure they comply with all the relevant regulators. A regulation may be industry specific or apply across the board to all industries, depending on the nature of the data. Some of these regulatory frameworks are GDPR (General Data Protection Regulation) from the European Union, HIPAA (Health Insurance Portability and Accountability Act) for the healthcare industry, and PCI DSS (Payment Card Industry Data Security Standard) and SOX (Sarbanes-Oxley) for the financial industry.
6. Mitigate Potential Legal Risks – Even though the data is owned by the company, legal authorities, depending on their jurisdiction, have the right to demand the data from cloud providers through subpoenas or warrants. For example, in the US, certain acts of Congress such as the SCA (Stored Communications Act) and the Patriot Act can be used by the government to demand or seize data, depending on the circumstances.
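As an added illustration of items 1 and 4 above (this is example code, not code from the post or from Pacific Data), the Go program below classifies the fields of a constructed HR record against an assumed field-level policy and encrypts only the restricted fields on the customer's side with AES-256-GCM, under a key the customer holds, before the record is uploaded; any field the policy does not cover is treated as restricted. The field names, the policy and the record values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Policy is an assumed field-level classification of a constructed HR record (the post's levels).
var Policy = map[string]string{"employee_id": "private", "department": "public", "ssn": "restricted", "salary": "restricted"}

// Protector wraps AES-256-GCM under a 32-byte key the customer holds outside the cloud provider.
type Protector struct{ aead cipher.AEAD }

func NewProtector(key []byte) (*Protector, error) {
	block, err := aes.NewCipher(key) // fails unless the key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	return &Protector{g}, err
}

// Protect encrypts every restricted field in place before upload; a field missing
// from Policy is treated as restricted, so unclassified data never leaves in the clear.
func (p *Protector) Protect(rec map[string]string) error {
	for field, value := range rec {
		if lvl, known := Policy[field]; known && lvl != "restricted" {
			continue // public and private fields stay searchable in the cloud
		}
		nonce := make([]byte, p.aead.NonceSize()) // fresh random nonce, prepended to the value
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		rec[field] = base64.StdEncoding.EncodeToString(p.aead.Seal(nonce, nonce, []byte(value), nil))
	}
	return nil
}

// Open decrypts one protected value; a tampered or truncated value is rejected.
func (p *Protector) Open(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if n := p.aead.NonceSize(); err == nil && len(raw) >= n {
		pt, err := p.aead.Open(nil, raw[:n], raw[n:], nil)
		return string(pt), err
	}
	return "", errors.New("malformed ciphertext")
}
```

The provider's TLS still covers the data in transit and its storage encryption covers the data at rest; this client-side step is what keeps the restricted subset unreadable to the provider itself.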
One issue seen in a number of organizations is that data governance and control is viewed as a very bureaucratic process that gets in the way of agile deployment of systems. But it is something companies ignore at their own peril, especially with most company data these days residing in remote locations managed by third parties, and with the regulatory risks that come from enhanced public oversight: there is a definite appetite among the public all over the world for more scrutiny of the data held by technology companies and how it is used, especially in social media, which gives these companies access to so much personal data.
At Pacific Data, we have assisted many of our clients in navigating these complex scenarios, helping them understand their data and make sure that it is secure and fully compliant with the appropriate regulations. We have our proprietary framework, ICSC (Identify, Classify, Secure and Comply), which we have used successfully at many of our clients. In addition, we work with some great partners who have very in-depth knowledge and experience, whom we can bring along to address any kind of complex data security and compliance needs.