Information Security in the Time of Covid-19 – Moving to the Cloud as a Cost-Cutting Measure Does Not Lessen Compliance Obligations
Moving to the Cloud to Save Money
The Covid-19 pandemic has created profound challenges for almost every organization. As these challenges mount, companies are dramatically cutting their soft costs, including information security. Many companies are reducing their information security and privacy compliance spending by moving to the cloud. This is good, right? Maybe, and only if the move is managed in a well-informed way. Not asking the right questions up front can lead to serious consequences.
It is crucial to keep in mind that no information security or privacy law in existence today views being in the cloud, in and of itself, as constituting reasonable information security. Nor does any information security or privacy law view the cloud as a mitigating factor in the context of data breaches.
Increasing Reliance on Cloud Computing
The use of cloud platforms has grown rapidly. The work-at-home mandate accelerated the move to cloud computing, and that move will persist even as work restrictions are relaxed, for two reasons: cloud vendors offer scalability and dedicated IT and information security staff that most organizations cannot match, and maintaining onsite information technology and information security operations and staff is difficult and expensive. Cloud computing reduces costs and increases accessibility.
Moving to the cloud, however, does not eliminate all risks – some hazards go away but others are introduced. Under the shared responsibility model that every major cloud provider publishes, the provider secures the underlying infrastructure, while the customer remains responsible for its own identities, access controls, configuration and data. A cloud environment is therefore only as secure as its end-users and administrators: weak passwords, missing multi-factor authentication, over-broad permissions and misconfigured storage on the customer side become vulnerabilities in the cloud environment. It is imperative as well that the cloud vendor has appropriate information security and privacy compliance measures in place. Many smaller cloud vendors, and many service providers who in turn run on the cloud, have deficient information security and privacy compliance frameworks, assuming they have any in place at all. Yet many organizations, especially small and medium sized businesses, seldom evaluate whether their vendor’s cloud is a safe place to be.
Getting the move to a cloud environment right is crucial. The security and availability of an organization’s data is important for both operational and business continuity reasons. Moving to a cloud is no excuse for taking eyes off of information security or for lax privacy compliance.
Questions to Ask When Considering a Move to the Cloud
Time and again, organizations fail to ask themselves the most rudimentary questions before moving to cloud platforms, and they suffer as a result. They assume, for example, that deploying Office 365 will solve all their productivity and data management challenges, yet never address the fact that they remain responsible for data breaches and for maintaining network performance and security. They also never imagine that their managed services provider may be storing their data with a cloud vendor whose operations are subpar. And as safe as the Amazon, Azure and Google clouds may be, none of them ensures the security of your data against risks that arise on the customer side, such as compromised credentials, misconfigured access controls or publicly exposed storage. Ask at least these questions when considering a move to a cloud environment:
- Is the cloud vendor certified or independently audited against any of the leading information security frameworks – ISO/IEC 27001, NIST SP 800-53, the CIS Critical Security Controls – or able to provide a current SOC 2 Type II report, and will the vendor share its compliance documentation and audit findings with you?
- Is the cloud vendor compliant with the privacy laws that apply to your organization, notably the California Consumer Privacy Act, and will the vendor share its compliance documentation with you?
- Has the cloud vendor ever experienced a serious data breach? Was it significant enough to raise questions about the vendor’s information security practices and processes, and how promptly and transparently did the vendor notify affected customers?
- Can the cloud vendor support the applications you’re moving to the cloud without compromising your own information security plan?
- Do you understand the allocation of legal and operational responsibilities for information security and privacy risks between your organization and the cloud vendor, and is that allocation – including the vendor’s breach notification obligations and timelines – written into your contract rather than assumed?
These are only a few of the many questions that should be addressed in connection with any move to a cloud platform, regardless of the size and sophistication of the cloud environment. If you have not asked these questions and gotten satisfactory answers, your move to the cloud may expose you to serious legal compliance and operational risks.
Regulatory Compliance and the Cloud
The current pandemic has forced changes in the way we work and has brought a wave of pandemic-themed phishing and other attacks. The privacy compliance and enforcement landscape, however, has not changed. Some enforcement has been relaxed – for HIPAA, for example, regulators announced enforcement discretion to facilitate telemedicine. But there is no indication that other privacy laws will be ignored or relaxed and, especially in California, all indications are to the contrary. The California Attorney General is set to enforce the California Consumer Privacy Act on schedule, beginning July 1, 2020. In particular, the CCPA-imposed duty to have reasonable information security processes and practices in place remains in effect. Companies are subject to a private right of action with statutory damages of $100 to $750 per consumer per incident if they experience a breach of nonencrypted, nonredacted personal information and do not have reasonable information security in place.
Keep Cloud Risks Front and Center
Moving to the cloud to save money may be a good business and financial strategy. If managed properly it can even be a good information security and privacy strategy. But moving to the cloud creates its own set of risks, some of them potentially existential. These risks can only be controlled if the right questions are asked before the move.
Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.