In July 2014, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) issued a new security standard – ISO 27018 – which attempts to outline best practices for public cloud service providers on how to better protect personally identifiable information. Although the standard expressly only applies to public cloud providers, it’s instructive to any cloud provider –public or private.
Like all ISO standards, compliance with ISO 27018 is voluntary, and certification under the standard is not required by any law. However, over time, more and more cloud service contracts are requiring compliance with or certification to this standard. Adhering to the ISO 27018 standard can help build a foundation of trust between a cloud provider and its customers. During the contract negotiation stage, the standard can serve as a very beneficial framework for providing assurances that most customers can understand and rely on. Customers moving to the cloud are giving up control of their sensitive data and relying on the cloud provider to maintain adequate safeguards to protect it. New cloud adopters may be nervous, and the cloud provider will likely need to provide assurances and manage their customer’s qualms in order to get the customer under contract.
The standard requires, among other things, that PII be processed according to the customer’s instructions, that there be a prohibition on demanding consent for use of customer information for marketing purposes as a condition of service, and that there be limitations on disclosure of information to third parties. Processors of PII will also be required to have knowledge of disclosures of personal information to any sub-processors. Essentially, the standard encourages greater transparency when it comes to the handling and storing of sensitive data. This greater transparency calls for enhanced communication with customers and allows for them to have more control as to how their data can be utilized.
Although the ISO standard is not required by law, nor is it an exhaustive framework, it may ultimately come to be seen as a “de facto” best practice, and future customers may come to expect it as a baseline. Cloud service providers should take a deep dive into the ISO framework and assess how their corporate policies and procedures measure up. If a provider is storing data from overseas, and any firm that manages data for European citizens, should also take into consideration that the EU calls for even stricter privacy protections than the United States. Thus, additional controls are required to ensure the protection of international data transfers.
Overall, providers should consider developing an action plan to more closely align with the ISO 27018 standard. Most importantly, providers should prepare themselves for a day in the future when many customers will start to assume that ISO 27018 compliance is necessary and won’t sign on the dotted line without certification.
Janine Bowen,janinebowen@leclairryan.com