Certain United States laws and regulations raise issues that service providers and customers in cloud computing transactions must consider. They include privacy and data security requirements for personally identifiable information, data security requirements for information technology systems that relate to reporting financial data, potential access to data by the United States government, restrictions on exports of certain technology and data, and requirements to preserve data that is relevant to litigation. Particularly those customers that operate in regulated economic sectors such as health care, financial services and education must recognize that cloud service providers operate in the technology sector rather than in the customer's regulated sector and that service providers often do not have the same legal obligations as customers. Prospective cloud service customers should not assume that all cloud service providers whose services might satisfy their technology needs will, or are capable of, satisfying their compliance needs.
Because few cloud service providers accept responsibility for compliance by their customers with particular laws and regulations, customers must understand the legal requirements that they must satisfy and then undertake due diligence to determine whether cloud computing services they are considering enable them to comply with applicable laws and regulations. If practicable, customers should impose contractual obligations on cloud service providers to provide the services in a manner that will enable the customer to comply with the laws and regulations to which it is subject.
Cloud providers are not subject to the same regulatory obligations as their customers
Privacy and data security requirements in the United States, at the federal level, are targeted and "sectoral" rather than comprehensive. Certain states impose broader regulations for data concerning their citizens. Examples of privacy and data security laws enacted by the United States government that are applicable to specific economic sectors include:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) protect information that concerns health status, provision of health care, or payment for health care that can be linked to an individual.
- The Gramm-Leach-Bliley Act (GLB) governs the collection, disclosure, and protection by financial institutions of consumers' nonpublic personal information.
- The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records.
- The Children's Online Privacy Protection Act (COPPA) protects individually identifiable information about children under the age of 13 that is collected online, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child.
In addition to privacy and data security laws enacted by the United States government, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted data security breach notice legislation, which requires notice to individuals affected by a breach of personally identifiable information. A few other states, such as Massachusetts, have enacted broad data security requirements for entities collecting personally identifiable information from its citizens.
Companies that collect personally identifiable information in the United States, or for persons in the United States, must determine which of this large collection of laws and regulations apply to their activities or to the information they collect and then comply with those that are applicable. Before placing any personally identifiable information in the cloud, these companies must verify that they will remain in compliance with applicable laws and regulations when the data is in the cloud. Some providers of cloud computing services publish the steps they take to protect the privacy and security of personally identifiable information and the further steps they are prepared to take if they learn that the data has been compromised. Other cloud service providers may disclose these measures if asked, and still other providers resist disclosure of the privacy and data security measures they have implemented.
Cloud providers and Sox compliance
Section 404 of the Sarbanes–Oxley Act of 2002 ("SOX Section 404") obligates companies whose securities are publicly traded in the United States to establish internal controls for financial reporting, including controls for related information technology ("IT") systems, and to document, test and maintain those controls. Many companies in the United States that are not legally required to comply with SOX Section 404 do so voluntarily as a matter of best practices.
For reporting periods ending before June 15, 2011, the obligation to test internal controls was satisfied by conducting audits in accordance with the Statement on Auditing Standards No. 70 (SAS 70) published by the American Institute of Certified Public Accountants (AICPA). For reporting periods ending on or after June 15, 2011, the obligation to test internal controls is satisfied by assessments conducted in accordance with the Statement on Standards for Attestation Engagements No. 16, also published by AICPA.
Before placing financial data in the cloud, whether for processing or storage purposes, or obtaining any cloud services that include the processing of data that will affect financial reporting, a prospective customer that is required to, or otherwise wishes to, comply with the requirements of SOX Section 404 must determine whether the cloud service provider will undertake to conduct SSAE 16 assessments at least annually and for periods that correspond to the customer's fiscal year, provide Type 2 reports, correct deficiencies identified in any report and verify correction of the deficiency.
United States government access to data
Two provisions of the USA Patriot Act, which were recently extended until June 1, 2015, give agencies of the United States government access to data that is stored in the United States or accessible from the United States. Although data of prospective cloud customers in the United States is subject to access by the United States government under the USA Patriot Act, data of cloud customers outside the United States becomes subject to access by the United States government when stored in the United States or in another location that can be accessed by a cloud services provider located in the United States.
Section 215 allows the Federal Bureau of Investigation (FBI) to apply for a court order to produce books, records, papers, documents and other items that may assist an investigation to protect against international terrorism or clandestine intelligence activities. The person or company whose materials the FBI seeks is neither informed of, nor given an opportunity to contest, an FBI request, and the court order need not disclose the reason for the request.
Section 505 of the Act authorizes the United States Attorney General and other United States government agencies, including the Department of Homeland Security and the Central Intelligence Agency, to request so-called "national security letters." These letters are a type of subpoena that compels holders of personal records, including telephone logs, e-mail logs, certain financial and bank records and credit reports, to provide them to the FBI. Issuance of national security letters is not subject to judicial review or oversight.
The United States export control regulations, including the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR), identify certain types of technologies and data that may not be exported without a license or other authorization from the United States government. If controlled technologies or data are stored by a United States company in the cloud, and the cloud includes servers outside the United States and/or cloud service employees who are not United States citizens or permanent residents have access to controlled technology or technical data, the technologies or data have been exported or are "deemed" by the United States government to have been exported (in the case of releases to foreign nationals within the United States). Whether the technologies or data are accessed by a foreign person, or the customer intended, or even knew of, the export generally is not relevant. Civil penalties can be up to US$500,000 per violation (or even higher in certain cases where the maximum penalty amount is equal to twice the value of the transaction). Moreover, individuals and entities responsible for knowing or willful violations can be subject to criminal charges.
Companies are responsible for knowing whether they have any technologies or data that is subject to export controls. Companies that have controlled technologies or data should either avoid uploading it to the cloud or should seek to ensure that the cloud services provider is able to offer adequate access restrictions and compliance measures to prevent unauthorized exports.
Parties to litigation and investigations in the United States are obligated to preserve and prevent the destruction, alteration, or mutilation of evidence that may be relevant when they learn of pending or imminent litigation or reasonably anticipate litigation. The obligation extends to paper-based documents and to electronically-stored information.
A prospective cloud computing customer should first ascertain a cloud service provider's ability to (a) prevent the destruction, alteration, or mutilation of customer data in the service provider's possession in the event of litigation, and (b) request and review the service provider's documentation of customer data stored in its cloud computing service and the means available to the customer to preserve, access, retrieve, search and download relevant customer data. Smaller cloud service providers, in particular, may not have appropriate documentation or even adequate preservation, access, retrieval, search and download capabilities. If practicable, prospective cloud computing customers should seek contract provisions that set forth the cloud service provider's data documentation, preservation and production obligations.