Page 12 - CCCA64_2012
Privacy

Cloud Computing: Plan for Storms

By Timothy M. Banks

The Promise and the Challenge

Organizations are able to leverage reliable internet connectivity to access quickly scalable computing power, platforms and software owned and managed by specialist third parties.

The opportunities presented by these cloud computing technologies were recently acknowledged by the European Commission in its paper Unleashing the Potential of Cloud Computing in Europe (available at http://ec.europa.eu). In that paper, the European Commission stated that it “aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy” (public and private) in order to accelerate productivity growth and competitiveness.

There are, however, organizational risks to outsourcing the processing and storage of data to third parties. In addition, cross-border transfers may involve exposure to access by foreign governments, which may pose particular concerns with respect to public sector bodies.

Contract Considerations

In its most complete form, the platform, software, processing and storage of data is provided in a multi-tenant environment owned and operated by one or more third parties on servers distributed in more than one location around the world. A cloud service provider may also provide additional services, such as analytics and data mining services, for the organization.

This creates a number of challenges to the cloud computing arrangement:

• Ownership. Negotiating uncontested ownership to the data provided by the organization should not be problematic (at least as between the organization and the provider), although a cloud service provider may need to license use of the data for certain additional services being provided. However, ownership of derivatives of that data created through the cloud services (including analytics), as well as usage statistics and transaction histories of users and other metadata created by the cloud computing arrangement, may prove more complicated. The organization’s privacy obligations and intellectual property rights with regard to any data to which the cloud service provider has rights to use or retain independently of providing the services to the organization must also be analysed.

• Integrity. A shared, multi-tenant environment introduces new data integrity risks, including (a) commingling of data from different organizations; and (b) visibility of data or usage patterns by another organization. Working with a provider who has been certified to internationally accepted standards may assist in ensuring that the system offers (i) sophisticated partitioning; (ii) a robust alert and auditing process for unauthorized access, deletion or modification of data; (iii) the capability to establish the integrity of the cloud services in order to satisfy Canadian laws with regards to the admissibility of electronic records as evidence.

• Loss. The cloud environment introduces new variables, such as: (a) hacking by a tenant sharing the system; (b) the introduction (deliberately or inadvertently) of malicious code by another tenant; (c) insolvency of the provider; and (d) inadequate third-party disaster recovery. An organization should therefore: (i) consider data encryption in transit and at rest (i.e. when stored); (ii) maintain a robust authentication program and encryption/decryption key management system that limits the cloud provider’s access to an organization’s data; and (iii) ensure a sophisticated disaster recovery plan and contingency plan in the event of supplier insolvency, taking into account that the data may be in foreign jurisdictions and/or in a multi-tenant environment.

• Lifecycle. Cloud computing may complicate an organization’s data retention

CCCA Canadian Corporate Counsel Association  WINTER 2012
       
       
     
