Column: Cloud, Contracts and Privacy Enforcement

By Neil S. Ende

This is Part I of this article. Don’t miss Part II, on cross-border concerns, coming soon.

Increasingly, service providers are relying upon the cloud to provide their data storage, management, and processing services.  While end users can obtain numerous benefits from their use of the cloud, such as the reduction of costs and facilitated access to stored information by a broad user base, the increased use of the cloud has increased the risks and harms to which service providers and end users are exposed and that they must recognize, anticipate and address.

What Can Users of Cloud Computing Services Do to Better Protect Themselves?

As the recent hackings of insurance giant Anthem and retail giant Target demonstrated, information stored in the cloud is inherently at risk of disclosure.  Yet, most end users purchase their cloud services through click-wrap, form contracts provided by the service providers.

Of particular concern are clauses that detail (or fail to detail) the specific measures that the service provider must take to ensure information remains private and secure, address the remedies for any failures by the service provider to sufficiently undertake these measures, and allocate the risk between the end user and service provider for any privacy or security violations.

Other clauses in cloud service provider agreements that end users must pay attention to include payment terms, termination and service suspension terms, including the grounds for such termination and suspension, and any quality of service guarantees.  Despite claims by service providers that such cloud services contracts are not subject to revision, this is often not the case and amendments are regularly made, especially where the provided contract clearly fails to address, or inadequately addresses, the aforementioned critical terms.

Federal Government Enforcement against Information Disclosures

Cloud service providers now face increased enforcement by the United States government of privacy and security regulations, especially to the extent the cloud provider also provides telecommunications services.

For example, in October 2014, the FCC took action against telecommunications providers TerraCom, Inc. and YourTel America Inc. for their failures to properly protect the confidentiality of their consumers’ personal information, including the failure to employ reasonable data security practices, when they made such information available online in two publicly accessible folders without password protection or encryption.

The FCC also entered, earlier this month, into a $25 million settlement with AT&T Services regarding the unauthorized disclosure of the customer proprietary network information of nearly 280,000 customers when employees in Mexico, Colombia and the Philippines accessed such information and provided it to third parties. The FCC has also recently joined the Global Privacy Enforcement Network, an international group of privacy enforcers, which seeks to facilitate cross-border privacy law enforcement co-operation.

While such enforcement actions to date have been primarily directed towards ensuring telecommunications carriers uphold their duties to protect consumer privacy, these FCC actions demonstrate a growing trend towards government enforcement action absent demonstrable consumer harm.  Indeed, the FCC has openly suggested that deterrence, rather than remedying harms that have already occurred, is a critical component in protecting privacy.

For more information, please give us a call at 202-895-1707.  For the latest telecom news and access to valuable original content, please follow Technology Law Group on Twitter @TechLawGroup.