May 2015 - Issues that businesses in Bulgaria should consider when using cloud computing services

Cloud computing services for business purposes are rapidly gaining popularity. Gartner, an internationally renowned technology consultant, expects 33% of all companies to use cloud-based office systems in 2015. The reason for this growth is undoubtedly the flexibility of the solution: cloud services are generally provided based on the client’s demands and increases in the size of stored data do not generally incur significant incremental costs. Although the cloud computing industry is not as strictly regulated as, for example, telecommunications, the provision of cloud computing services in Bulgaria must comply with certain personal data protection and information security requirements. Proper risk management can help business users and service providers minimise any potential commercial and/or reputational risks related to cloud computing.

The legal dimensions of the technical solutions

What are the key measures that business users and cloud service providers in Bulgaria must take in order to ensure appropriate personal data protection, information security and quality of the service provided? The response can vary substantially, depending on the service model and the deployment method for cloud services, as these allow for different levels of control for the business user over the operations conducted in the cloud. The following chart visualises this correlation in the context of, e.g., a financial institution as the business user.

The different types of cloud computing services (private, hybrid or public cloud) lead to different levels of risk associated with data administration and data storage in the cloud. The risks result, in particular, from the way data is processed and protected from unauthorised access. Business users exercise the highest level of control over processes in private clouds, as they manage and administer such clouds themselves (usually through their own IT team). Business users exert the least control over operations in a public cloud, as in this case the service provider administers and processes the stored data.

These risks can be managed by implementing adequate measures for information security and personal data protection. Regardless of whether the business user stores and processes data on its own infrastructure or on a cloud, it must guarantee the implementation of the appropriate measures. Otherwise the business user (as well as the cloud services provider in some cases) is responsible for any damages caused to third parties due to the unauthorised access to personal data (see below).

The implementation of adequate information security measures and measures for personal data protection is usually secured by the inclusion of certain clauses in the cloud services agreement – either in the main agreement or in an appendix to it (e.g. a service-level agreement, data privacy and information security policies).

Below are the key points that a business user and a cloud service provider need to bear in mind when negotiating the terms of their agreement.

Personal data in the cloud?

  • The first question is whether personal data is being stored in the cloud.
  • If the answer is yes, the next question is whether personal data has been collected and processed in the cloud on valid grounds (e.g. legal, contractual, explicit consent of the affected person)?
  • If the cloud is either hybrid or public, what is the scope of data processing by the service provider?
  • Joint and several liability of the client (business user) and the service provider regarding unlawful data processing and access to data.
  • Does the client control the selection of potential subcontractors of the cloud service provider, given the fact that their actions could also lead to the client’s liability for data breaches?
  • Is the cloud hosted on infrastructure that is physically situated outside Bulgaria? If yes, where exactly is that – in the European Union, in the USA or in a third country? Depending of the exact location, it may be necessary to inform the competent personal data protection authorities of the transfer of data and request their permission to do so.
  • How is the data subject’s right to demand the alteration and/or deletion of the data guaranteed?
  • Is the data stored in compliance with the upcoming European Union Privacy Regulation, including the required minimal approach to data collection, requirements for anonymity and technical protection?

Information security

  • What measures for protection from unauthorised access have been implemented in the cloud? Both Bulgarian and European regulations prescribe certain measures such as identification processes, authentication, session control, encryption, access monitoring, etc. Even though they are all industry standards, they need to function adequately in each specific cloud.
  • If the cloud is hosted in the USA, is the provider certified under the Safe Harbour Principles and, in effect, does it comply with the relevant information security standards?
  • Are there adequate mechanisms created which allow for timely notification of the business user about data breaches in order for misuses of data to be prevented?

Risk management

Risks associated with cloud computing can be effectively managed if:

  • Business users conduct technical and legal due diligence of their cloud service providers as part of the selection procedure;
  • Guaranties are included in the cloud services agreement to the effect that:
    1. The provider implements and supports specific and adequate technical and functional measures  ensuring information security and personal data protection;
    2. The client has control over the selection and actions of the provider’s subcontractors, if any;
    3. The client is entitled to conduct regular technical audits of the security systems and processes for data processing in the cloud;
    4. The provider must not process personal data outside the scope of the agreement;
    5. The provider must inform the client in a timely manner of any data breaches;
  • The scope of the cloud services provider’s liability, when its actions or omission to act cause damages to the client or to third parties, is clearly defined. In cloud service contracts, liquidated damages/penalties due are often capped, especially in cases when technical obligations are breached (e.g. continuity of access and minimal service levels). From a business user’s perspective, it is advisable to resist such caps in cases when there are intentional malicious actions, gross negligence or breach of personal data protection rules by the provider. By doing so, it would be possible to claim any damages in the full amount and to minimise adverse exposure for the business user.