How to build cloud applications that anticipate your customers' legal constraints?
To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and the applicable medical information state laws. If it fails to do so, it will not be able to sign-up customers. Similarly, a cloud that uses servers that are located throughout the world must be sensitive to the fact that foreign data protection laws will apply, and that these laws have stringent requirements that differ from those in effect in the United States. If you fail to address these obstacles, your potential customers will take their business elsewhere.
Understand the Legal Constraints that Govern your Customers
Companies that use cloud services or cloud based applications remain responsible for fulfilling their legal obligations and compliance requirements. These restrictions and requirements come from federal laws or state laws, and their related regulations, may stem from standards or from preexisting contracts, or may result from foreign laws.
These companies will demand that their cloud service providers be aware of these requirements and design their applications and offerings in such a manner that it provides the customer with the necessary tools to comply with its own legal or contractual obligations.
A savvy cloud architect, designer or developer will anticipate its customers’ needs and design applications that facilitate the customers’ compliance requirements, and help them fulfill their legal obligations.
Consider, for example, the following:
- Federal Laws
Numerous federal laws and their related regulations may apply to the specific category of data that are hosted in the cloud. Several laws and regulations, as well as orders issued by the Federal Trade Commission, require companies to adopt specific privacy and security measures to protect certain categories of data, and to pass along these requirements when entering into a contract with a third party such as a service provider or a licensee.
There are other requirements, such as ensuring the authenticity and integrity of financial records in order to comply with the Sarbanes Oxley Act. On the marketing side, anti-spam and other laws limit the use of personal data for commercial purposes and require the use of exclusion databases to ensure that communications are made only to the appropriate party.
- State Laws
Numerous state laws also create obligations on companies, and these obligations follow the data when these data are entrusted to third parties. For example, there are restrictions on the use of social security numbers or driver license numbers. If your application requires the processing of these data, it should include the required technology to mask the numbers from most users, and block mailings that would disclose these protected numbers, when required by law.
Some state laws require that companies enter into written contracts with their service providers – including of course cloud providers – and these contracts must contain very specific provisions. If you are not prepared to sign these contracts and abide by the related requirements, do not waste time building a cloud application.
Standards such as PCI DSS or ISO 27001 define specific information security requirements that apply to companies, and flow down to subcontractors, in a domino effect similar to that of federal or state laws.
- Foreign Laws
Cloud customers will also want to know in which country their data will be hosted, because the location of the data directly affects the choice of the law that will govern the data. If the data reside in a foreign country, it is likely that that country’s laws will govern at least some aspects of access to the servers where the data are hosted. For example, that country’s law may permit the local government to have unlimited access to the data stored in its territory whereas you may be more familiar with the stricter restrictions to access to US stored data by US law enforcement.
- Crossborder Transfer Prohibitions
When servers are located abroad, there is also a significant obstacle: the prohibition against the cross border transfers of personal data. This is for example the case throughout the European Union, where the data protection laws of all member states have implemented in their national laws the 1995 EU Data Protection Directive prohibitions against transfers of personal data out of the European Economic Area to countries that do not offer an adequate level of protection for personal data and privacy rights.
As part of your Compliance by Design endeavor, you should anticipate that your customers might be concerned about where the personal data of their employees or clients will be hosted or located, because foreign data protection laws may impose restrictions on these data. And you should design your offering accordingly.
Ensure Personal Data Protection
A substantial amount of data that might be held in the cloud will be personal data. In the US and abroad, personal data are protected by a growing number of privacy and data protection laws. In general, these laws put on the entity that originally collected the data and has become the custodian of these personal data, an obligation to protect the privacy rights of the individuals to whom these data pertain.
In a cloud environment, each entity or data steward must continue to be able to fulfill the legal requirements to which it is subject and to meet the promises and commitments that it made to the third parties from whom it collected the personal data. It must also ensure that individuals’ choices about their information continue to be respected, even when the data are processed in a cloud environment. For example, individuals may have agreed only to specific uses of their information. Data in the cloud must be used only for the purposes for which they were collected, whether the data were collected in or through the cloud, or otherwise.
Anticipate the Need to Provide for Access, Modification, and Deletion of Personal Data
In addition to the above, the applicable law or privacy notice may allow individual data subjects to have access to their personal data, and to have this information modified or deleted if inaccurate or illegally collected. In this case, the cloud service provider must design its application in anticipation of the fact that the application will have to allow, easily and conveniently, for the exercise of these access, modification and deletion rights to the same extent and within the same timeframes, as it would in an off-cloud relationship.
Ensure Adequate Information Security
You should also be prepared to address your customer’s security needs. All data entrusted to you will require a reasonable level of security, whether they are the photos of the company picnic, or the secret formula for that special product for which your customer is famous. In addition, many categories of data that might be hosted in the cloud, such as personal data, financial data, customer purchases and references, or R&D data are sufficiently sensitive to require being protected through more extensive security measures.
The obligation to provide adequate security for personal data stems from numerous privacy and data protection laws, regulations, standards, cases, and best practices. For some categories of data, such as personal data or company financial data, specific laws or security standards require the use of specific security measures to protect these data. These laws and standards include, among others, the Sarbanes Oxley Act, GLBA, HIPAA, Data Protection Laws in Europe or Asia, as well as the PCI DSS and the ISO 27001 security standards. Further, the common law of information security created by the FTC or State Attorney General rulings also requires that adequate security measures be used to protect sensitive data. The obligation to maintain a reasonable level of security may also result from contracts or other binding documents where the cloud customer has previously committed to a third party that it would use adequate security measures.
You should design the security foundation and architecture of your cloud offering to address the applicable security requirements of the market that you wish to reach. You should also be prepared to commit to your client that you will use specified information security measures to protect the personal data processed through your cloud application.
Be Prepared to Disclose Security Breaches
Security incidents are prone to occur. The US States and an increasing number of foreign countries have adopted security breach disclosure laws that require the custodian of specified categories of personal data to notify individuals whose data might have been compromised in a breach of security. Frequently, the local State Attorney General, Data Protection Supervisory Authority, or other government agency must be notified, as well.
If a security incident occurs in the cloud, the customer – who usually has the primary contact with the concerned individuals –, expects to be informed of the incident, so that it can, in turn, notify the affected business contacts, employees or clients of the occurrence of the breach. To do so, the cloud customer must have been informed promptly of the occurrence, nature, and scope of the breach of security.
Thus, as a cloud service provider you should have in place the processes necessary to identify a security breach, and to promptly notify your customers of the occurrence of the breach. Just like your own customers, you should have in place a security incident response plan to address the security breach thoroughly and expeditiously, promptly stop any leakage of data, eliminate the cause of the breach of security, identify who and which category of data were or might have been affected, and interact with your customers to mitigate the effect and consequences of the breach.
Ensure Business Continuity
Your customers and prospects may also be required by law or by contract to ensure the continuity of their operations and uninterrupted access to their data. This is the case, for example, under the HIPAA Security Safeguards. A hospital that provides technology or medical information database services to the physicians on its staff must provide continued access to patient information in order to ensure proper patient care. This requirement applies as well to the business associates that provide services to the hospital. The PCI DSS standard also requires companies to have an incident response plan that includes business recovery and continuity procedures.
When these applications are hosted in a cloud, the customers or prospects will want to ensure that the cloud service provider has in place proper business continuity and disaster recovery capabilities because they are essential to ensure the viability of their own operations and in some cases because this is required by applicable law. Thus, if you design a cloud offering, be sure to plan and implement appropriate disaster recovery and business continuity measures, so that you can help your customers meet their own business continuity requirements.
Be Prepared to Assist your Client with its E-Discovery Obligations
If there is a civil suit in which the cloud service customer is a party, or if there is an investigation by a government agency, the cloud service provider is likely to receive a request for access to the information that it holds as the hosting entity. This request may come directly from the customer, for the benefit of the customer, or it may come from third parties who wish to have access to evidence against the customer.
You should anticipate your customers’ request for assistance in implementing a litigation hold or responding to a request for documents. You should be ready to respond to inquiries from your prospects or potential customers about how you will work and cooperate with them to address compliance with the requirements of the E-Discovery provisions of the Federal Rules of Civil Procedure and the State equivalents to these laws. You should plan and agree ahead of time on each other’s roles and responsibilities with respect to litigation holds, discovery searches, the provision of witnesses to testify on the authenticity of the data, and the provision of primary information, metadata, log files and related information.
Anticipate Requests for Due Diligence and Monitoring
Whether it is required to do so by law, by contract, or otherwise, your customer or prospect will also want to conduct due diligence before entering into the contract, and will also want to be able to periodically monitor the performance and security of your applications. Consider, for example the monitoring and testing requirements under the Security Safeguards under HIPAA or GLBA, or those in the orders issued by the Federal Trade Commission or the State Attorneys General.
Be prepared to respond to these requests for due diligence, monitoring, or inspection and provide for the cloud customer’s ability to conduct its investigation in a manner that satisfies the customer’s needs while not disrupting your operations. For example, develop a security program that is consistent with industry standards, provide for easy to access logs for access to data, and put in place controls that prevent the modification of data.
Ensure a Smooth Termination
No one wants to lose a good customer. Be realistic, however, and accept that termination might occur. Do not be an obstacle to the termination of a contract, or your reputation will suffer. Show your prospective clients that they can trust you, and that they will not be kept hostage if they want to move on.
Accept that, in case of termination of the contract, the cloud customers must be able to retrieve their data, or to have destroyed data that are no longer needed. Make it easy for them to do so; show respect for, and awareness of your customers’ own constraints. Be prepared to respond to a customer’s request for the return, transfer, or destruction of the data, assess in advance the costs associated with it, and have in place technology, processes and procedures to be used to address the special needs resulting from termination.
Planning for termination will reduce disputes and the resulting disruptions. If termination is not planned properly, problems might occur. The data might have been commingled with other customers’ data to save space or for technical reasons. This entanglement might make it difficult, time consuming, expensive, or perhaps impossible to disentangle the data.
If you want your cloud offering to be successful, put yourself in your customers’ shoes. Anticipate their needs. Help them comply with their obligations. Design a cloud offering that will allow them to continue to comply with their own obligations in the same way as they did when their data, files, trade secrets, and other crown jewels were in their direct control.