ISO/IEC Publishes First International Standard for Privacy Protection in the Cloud

In July 2014, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published ISO/IEC 27018 (ISO 27018), the first international standard for the protection of personally identifiable information (PII) by public cloud services providers. Cloud services generally comprise an outsourcing of data storage and/or processing to a third party provider. A customer of cloud services (Customer) relies on the hardware and IT services of the cloud services provider (Provider), benefitting from the time and money saved by having someone else manage their IT infrastructure. Once migrated to the cloud, a Customer will usually access, store and/or process their data on the servers of the Provider via the web. Businesses are becoming Customers of cloud services at such a rate that by 2018, 76 percent of all data centre traffic is predicted to come from the cloud. Naturally, a significant concern relating to cloud services is data security. One reason is that commercial organizations are subject to privacy laws in most jurisdictions requiring that they protect the personally identifiable information of others in their possession or custody. In some jurisdictions, including Canada, this includes PII transferred to a third party for processing (see, eg, the Canadian Personal Information Protection and Electronic Documents Act at Section 5 and Principle 4.1.3 of Schedule 1). Depending on where the Customer has offices and where the Provider stores the data, privacy obligations may arise out of different, and sometimes divergent, local privacy laws. The previously published ISO/IEC 27001 and 27002 standards relate to information security practices for how a company manages its own sensitive information. ISO 27018 builds on these standards by providing (i) guidance on how they apply in the context of the public cloud computing environment (where a company’s sensitive information is managed by another); and (ii) a new set of security controls particular for the public cloud computing environment. New controls introduced in ISO 27018 include that a Provider of cloud services will:

• enable a Customer to fulfill its own obligations relating to its clients’ PII, including by facilitating access for correction and deletion of their clients’ PII;
• process PII only as instructed by the Customer;
• encrypt PII prior to any transmission;
• use PII for marketing and advertising only with the Customer’s express consent;
• adhere to policies governing the transfer and destruction of PII;
• notify the Customer of any request for disclosure made by law enforcement (unless otherwise prohibited);
• disclose PII to law enforcement only to the degree the Provider is required by law;
• provide notice to the Customer of any data breach, including information required by the Customer to meet its own notice obligations relating the breach;
• in the event of a data breach, document the data compromised, the consequences of the breach, and all notification steps taken; and
• disclose and document any location where PII of the Customer may be stored.

An express objective of ISO 27018 is to assist in the negotiation of cloud service agreements. The topic of data security is often the most onerous to negotiate because it is the chief risk measure for any potential Customer considering a move to the cloud. ISO 27018 introduces an optional set of controls that may serve as a useful starting point for addressing data security in the negotiation of a cloud services agreement. Summary by: John Lucas