Companies are rapidly doing away with their own internally managed data centers in favor of “Infrastructure as a Service,” or IaaS. This means that sensitive company information used by managers, ranging from employee records and customer profiles to reports on plant operations and real-time operational data, which many companies once stored on company servers overseen by in-house IT staff, is now increasingly being stored outside company walls with third-party vendors. The true location of stored data can sometimes be difficult to trace.
Manufacturers, especially those with multiple locations, may see potential for significant cost savings and increased operational efficiency. While this burgeoning new industry has, in many ways, improved the way manufacturing companies are managed, it has also brought with it a myriad of new domestic and international regulations.
As the legal climate surrounding IaaS continues to change, manufacturing executives can ask themselves a few questions to ensure that in making their business case for an investment in moving to “the cloud,” they factor in legal compliance and risks in the overall analysis:
Question 1: Does your company understand the domestic and global data security and privacy landscape?
As more companies join the data storage trend, there is an increased level of government scrutiny on the protection of data. These efforts to guard privacy and prevent theft or security breaches, while important, have substantially increased the amount of effort needed to demonstrate adequate data security and controls, and have increased the overall compliance risk associated with the use of IaaS.
In the U.S., privacy and security law is defined by industry sector, wherever a type of data is deemed to be particularly sensitive. The corresponding laws, rules and regulations are widely known by the names of the legislators who sponsored them or by acronyms (Gramm-Leach-Bliley in financial services, HIPAA and HITECH in healthcare, and Sarbanes-Oxley in securities reporting).
Globally, many countries use a standardized approach to enforcing data privacy and security that is uniform across industries. The European Union nations and Switzerland have passed expansive legislation in compliance with EU and Swiss directives on privacy, security, eCommerce, distance selling, and the use of “cookies” and other devices that impact the privacy of personal information across industries. Other nations including Canada, Australia, Mexico and the major industrialized nations of Asia have enacted stringent privacy and security laws and regulations or guidelines that apply to all cross-border data transmissions.
One consequence of these laws, rules and regulations for companies seeking to share data across an international enterprise or via third-party data centers is the conflict that arises when U.S. industry-specific regulations and international country-based regulations must be considered at the same time.
For example, the recommended security standards under HIPAA and HITECH in the United States are the standards published by the U.S. National Institute of Standards and Technology, while the recommended security standards under the data security laws of the European Union and Switzerland are the International Organization for Standardization (ISO) 27000 standards. This means that many companies must be aware of two or more sets of rules, and must prepare to be compliant with both sets.
Question 2: Is your company adequately protected from legal risks and contract breaches?
Manufacturing executives who opt for IaaS are able to contractually shift some of the risk of managing critical infrastructure, such as liability for data loss or theft, to their third-party vendor. To maintain compliance with government regulations, however, and in some cases to avoid fines, companies must also be confident that their vendors are in compliance with applicable laws, which, as described above, can be complex when dealing across borders.
Cloud-based data storage has grown into a global industry with a variety of vendors supporting all types of customers. Many companies, including market leaders Amazon Web Services, Microsoft Azure, Terremark, Savvis, CSC, Dimension Data, Rackspace, Tier 3, SAP/SuccessFactors and IBM/Sterling Commerce, as well as lesser-known regional players and specialized players such as Lexis Data and Equifax Information Services in the financial services sector, have entered the marketplace offering IaaS and data warehousing services. At the international level, companies such as AT&T, IBM, Datapipe, Hosting.com, Tata Communications and Virtacore Systems have become recognized participants.
An illustrative example for manufacturers of an international compliance challenge comes from the so-called “Mega Rule” under HIPAA and HITECH, a recently passed extension of U.S. health care regulations that requires companies of all types to safeguard their employee health information. Companies that use IaaS for the storage of employment data should specifically be aware of this rule. Companies need to understand the full details of the Mega Rule and to ensure their IaaS vendors are Mega Rule-compliant. Some are, but many are not.
Another example arises under the federal Sarbanes-Oxley Act. Companies registered with the SEC are required to certify annually that proper controls are in place to ensure the accuracy of the financial data in their public filings. Companies that manage their financial data across locations and utilize cloud services will need to demonstrate that their information and processes are secure.
Many vendor contracts now include clauses that require HIPAA/HITECH compliance on the part of the vendor as part of the terms. When it comes to Sarbanes-Oxley, a publicly traded company utilizing an IaaS service may be able to include in its contract a periodic security audit of the vendor, and to require that the vendor provide indemnity for data security lapses and breaches. Before selecting a vendor, companies may wish to request a thorough explanation of this security audit process.
In addition, companies are able to shift some of the risk inherent in managing critical infrastructure to third-party IaaS vendors contractually through service level, disaster recovery and other provisions; reduce manpower needs for infrastructure maintenance and support, or shift those workers to other critical projects; and achieve higher levels of critical infrastructure redundancy and geographic diversity than they could without IaaS.
Question 3: Has your company included compliance in the business case for “the cloud”?
The business case for IaaS may look clear on the surface, and all companies will see the advantages, but a closer look at the complex domestic and foreign legal environment reveals that a compliance strategy must be developed at the same time to obtain the clearest picture.
The benefits of an outsourced model for infrastructure and data storage remain the same – cost and efficiency. IaaS provides companies large and small the ability to utilize the availability, scalability and cost savings inherent in third-party IaaS offerings.
Asking questions in the vendor selection process can also help frame an agreement that addresses your company’s needs. We often provide a checklist to help clients address all areas of concern. Major questions include: What are the vendor’s policies and procedures for managing non-compliance with information security? How does the vendor dispose of or remove data from recycled systems and devices? Does the vendor have employee background check procedures and compliance agreements in place? How are employees trained on security awareness?
Companies looking to charge forward into more expansive use of cloud-based, business-process outsourcing must do so with their eyes wide open to the issues and risks associated with a legal environment that is not always in step with the many positive attributes of the cloud. Working with legal counsel to conduct a risk and compliance assessment can lead to creation of a more precise business case that includes an evaluation of the costs or risks associated with security breaches or non-compliance, along with an understanding of the internal process required to implement controls.
Michael Stovsky is chair of the Innovations, Information Technology & Intellectual Property (3iP) Practice Group at the Cleveland office of international business law firm Benesch. For more information visit www.beneschlaw.com.