Cloud Computing

Opinion

Cloud computing: You can't outsource your compliance obligations

Even if your cloud provider is at fault should your company fall out of compliance, the law will come after you.

By Thomas J. Trappler

May 21, 2012 12:15 PM ET

Computerworld - When it comes to moving functions to the cloud, there's no such thing as being too thorough.

Trappler honored

Thomas Trappler was recently named a "Cloud Luminary" by CA Technologies, along with Vivek Kundra, Nicholas Carr, Timothy Chou and others. Computerworld congratulates him for receiving this honor.

Say you've got an application that's been running in-house but is now nearing end of life. You find a cloud service that can achieve the same result. You evaluate the vendor's infrastructure and security mechanisms, processes and procedures and determine that they're sufficient to meet your needs. You're looking forward to outsourcing this to the cloud and relieving yourself of all the associated responsibilities. It's all smooth sailing ahead, right?

Maybe, but unfortunately, there's one more thing: You can't outsource your compliance obligations to a cloud vendor.

If you move a function to the cloud that's governed by legal or regulatory requirements and later your company falls out of compliance due to an error on the cloud vendor's part, the law won't go after the vendor - it will come after you. So you need to ensure that the cloud vendor can fully comply on your behalf.

What kinds of laws might apply in a cloud scenario? Two recent clients of my "Contracting for Cloud Computing Services" seminar offer good examples.

The first is in the healthcare industry and was contemplating using a cloud service that would involve personal health information. Of course, such information is covered by the Health Insurance Portability and Accountability Act (HIPAA), which mandates standard practices to ensure security, confidentiality and data integrity for healthcare-related data. Under HIPAA, the use of a cloud service is viewed as disclosing information to a third party. Any cloud vendor that handles your organization's HIPAA information should be subject to a business associates contract, under which the vendor essentially affirms that it will handle the data in compliance with HIPAA.

The other client, an institution of higher education, was investigating using a cloud service for a function involving student data. In such cases, the applicable regulation is the Family Educational Rights and Privacy Act (FERPA). FERPA is intended to protect the privacy of student education records by limiting how and to whom they can be disclosed. Under FERPA, the use of a cloud vendor can also be viewed as inappropriately disclosing information to a third party. One solution is to contractually identify the cloud vendor as a "school official" and state its obligation to ensure that data is handled in compliance with FERPA.

Other laws or external regulations that frequently come into play with the cloud include:

Other columns by Thomas Trappler

Opinions

Comments ()

Today's Top Stories

Additional Resources

WHITE PAPER

How Cloud Communications Reduce Costs and Increase Productivity

Small and midsize businesses are moving to the cloud to host their communications capabilities. Learn how enterprise-quality phone benefits, online management, conferencing, auto attendant, and ease of use are built into a system that is half the cost of a PBX.

Read now.

Free Insider Guide

IT Certification Study Tips: Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.

Cloud Computing Resources

The Total Economic Impact of Mimecast's Unified Email Management (UEM) Solution This research provides a framework to evaluate the potential financial impact of unifying your email management in the cloud. Learn More.
The Total Cost of Email In this white paper, we'll explore the true costs of fragmented email management and uncover how to reduce those costs with a cloud-based...
Clearing the Clouds for Midmarket Businesses The 10-point checklist included in this expert brief has been developed to help small and midsize businesses select the cloud model and cloud...
Application Integration in the 21st Century World of Mobile, Social, Cloud and Big Data This paper will discuss the new IT landscape as it relates to the new integration, and the need for a new comprehensive integration...

Live Webcast
Virtustream (Vayence) video taking a 3000-Seat SAP Environment to the Cloud

How can public cloud services help your organization reduce costs and increase security for your mission

Virtustream (Vayence) video taking a 3000-Seat SAP Environment to the Cloud How can public cloud services help your organization reduce costs and increase security for your mission
Innovation in the Cloud Managing HR and financial information in the modern business requires efficient business practices and technology.

All Cloud Computing White Papers

Webcasts

IT Salary Survey 2013

IT gets its groove back

Rising salaries boost IT optimism, though not everyone is feeling upbeat. Our survey of 4,000+ IT workers shows who's riding the wave and why. Use our interactive tool and compare your own paycheck. Read more...

IT Jobs

See All Jobs Post a job for $295

Jobs by SimplyHired

Cloud Computing White Papers | All Cloud Computing White Papers