Companies looking to reduce their IT costs and complexity by tapping into cloud computing services should first make sure that they won't be stepping on any privacy land mines in the process, according to a report released this week by the World Privacy Forum.
The report runs counter to comments made last week at an IDC cloud computing forum, where speakers described concerns about data security in cloud environments as overblown and "emotional." But the World Privacy Forum contends that while cloud-based application services offer benefits to companies, they also raise several issues that could pose significant risks to data privacy and confidentiality.
"There are a whole lot of companies out there that are not thinking about privacy" when they consider cloud computing, said Pam Dixon, executive director of the Cardiff, Calif.-based privacy advocacy group. "You shouldn't be putting consumer data in the cloud until you've done a thorough [privacy] review."
According to the World Privacy Forum's report (download PDF), the data stored in cloud-based systems includes customer records, tax and financial data, e-mails, health records, word processing documents, spreadsheets and PowerPoint presentations. The list of potential privacy issues cited in the report include the following:
Breaking the rules. Organizations could find themselves on the wrong side of privacy regulations if they aren't careful, the report said. For example, a federal agency that uses a cloud service to host personal data may be in violation of the Privacy Act of 1974, especially if it doesn't have provisions for protecting the data in its contract with the cloud provider, according to the report. In addition, it said, federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.
Similarly, the privacy rules in federal laws such as HIPAA and the Gramm-Leach-Bliley Act restrict companies from disclosing personal health care or financial data to nonaffiliated third parties unless specific contractual arrangements have been put in place, the report said. In another example, it noted that IRS rules prohibit tax preparers from using third parties such as cloud service providers to host returns. "Companies could be loading data into the cloud illegally without their knowing it," Dixon said.
Surprises in the fine print. Companies need to understand that the data-disclosure terms and conditions set by cloud vendors and the storage and access rights they include in contracts can have a significant effect on privacy, the report claimed. And the privacy risks can be magnified, Dixon said, if a cloud vendor retains the ability to change its terms and policies at will. Users should make sure, she added, that they're protected against attempts by cloud providers to access or use data for any secondary purposes -- for instance, using personal health information to deliver targeted marketing messages to consumers.