The European Union has amassed what is arguably the most progressive and detailed data protection framework of any global region to date. But setting policy and having companies adhere to it are two very different things. As the U.K. Information Commissioner's Office (ICO) recently found out, a number of companies are still shirking their responsibilities on the way to the cloud.
Dodging data directives
The U.K. business community has made considerable progress in recent years, with greater awareness of consumer privacy expectations and improved in-house data security measures. But according to the ICO, not all companies recognize that ultimate responsibility for customer information still resides with them, not with the cloud service providers who may be managing their workloads. Worse yet, regulators fear that some firms are consciously attempting to pass the buck to their third-party partners and plead ignorance if issues should arise.
"The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe," ICO technology policy advisor Simon Rice explained. "You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility."
Regulators reminded business leaders that they would not hesitate to come down hard on organizations that flouted their recommendations or regarded the implementation of new practices as more of a hassle than a necessity. For example, the Scottish Borders Council was recently on the receiving end of a $405,000 fine after failing to exercise proper oversight of a business partner tasked with digitizing pension records.
A more informed approach
To keep customer information safe, and organizational reputations from being dragged through the mud, companies were encouraged to employ a number of new precautions when partnering with cloud service providers.
"Figures show that consumers are concerned about how secure their data is when they use cloud storage themselves," Rice noted. "It takes little imagination to consider that businesses not reflecting those concerns will quickly find themselves losing customers' good will."
According to the ICO, the first step toward progress involves making a more thorough assessment of a cloud partner's data privacy provisions. This covers everything from the physical security patrols guarding data centers to advanced malware detection systems. Also, cloud hosts that transmit data internationally should have unique strategies for satisfying the compliance requirements of each jurisdiction.
Once cloud customers have a better understanding of what they can expect from their new business partners, those expectations must be crystallized in explicit policies and service level agreements. As a result, there will be less confusion about the liability each party holds when certain scenarios arise in the future.
Data Security News from SimplySecurity.com by Trend Micro