May 8, 2009 6:55 PM
Posted by: Matthew Barach
Tags: CIO, DataManagement, Identity theft prevention, Privacy compliance, Red Flags Rules
Isn’t it time that you partnered with a privacy professional? How many times are you asked in your business about privacy rules, laws and regulations? Isn’t it time to expand your business by adding privacy consulting to your services?
Security of information is not complete without a review of the privacy implications. Laws such as HIPAA, the FTC Red Flags Rule and the new Massachusetts regulations call not only for technological safeguards but for ongoing privacy regulatory compliance. In these days of economic depression, there is strength in numbers, and IT security professionals should partner with privacy professionals to deliver a full menu of consulting services to clients.
In my April article in the Privacy Advisor, I advocated for the combination of privacy with security offices to provide for greater protection of personal information and suggested using the state of California as a model. (To read the article, go to www.barachlaw.com.) This government model allows for a holistic approach to information management by delivering security and privacy services within one office. This approach is an example of how IT professionals can work with privacy pros to deliver full service to customers and clients.
Data breaches continue to cause significant harm to the bottom line. The Associated Press reported today that the Heartland Payment Systems security breach contributed to a first-quarter loss of $2.5 million for the company. Expenses related to the breach accounted for $12.6 million and counting.
As a result of the breach, Heartland is developing an end-to-end encryption system. The technological solution will help Heartland prevent future data breaches, but without a continued emphasis on privacy training, compliance and regulations, Heartland will only tackle half of the problem. And therein lies the opportunity for IT and privacy professionals. By providing a full slate of consulting services, privacy and security pros can help businesses prevent data breaches and increase not only their clients’ bottom line, but their own bottom line as well. A win-win.
May 1, 2009 7:49 PM
Posted by: Matthew Barach
Tags: FTC, Identity theft prevention, Privacy compliance, Red Flags Rules
The Red Flags are coming. The Red Flags are coming. The Red Flags are here! Well, after further review, they are not here and they might not be coming at all, at least in their present form.
The FTC announced today that it “will grant a three-month delay of enforcement of ‘Red Flags’ Rule requiring creditors and financial institutions to adopt identity theft prevention programs.” Read the FTC announcement. Enforcement of the FTC Red Flags Rule was to begin today, May 1, 2009, and this is the second time the FTC has delayed enforcement of the rules.
The FTC has given its reason for delaying enforcement as the need “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.” However, it is believed that the real reason for the latest extension is the ongoing debate over the rules’ broad-based application. As FTC Chairman Jon Leibowitz said in the press release, “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members… and give Congress time to consider the issue further.”
The FTC has also promised to release a template that will help companies with a low risk of identity theft comply with the rules easily.
So, what is going on here? First, let’s take a quick look at what the Red Flags Rules are and what they might mean to your business. The rules apply to financial institutions and creditors. We all understand what financial institutions are, but the trouble lies in the definition of a “creditor.”
The FTC has put forth a definition of a “creditor” that is very broad; it includes businesses and organizations that regularly defer payment for goods or services. Examples of creditors include non-profits and government agencies. Think government-owned utilities and student loan programs. (You might want to check out http://www.ftc.gov/redflagsrule.) A creditor is essentially a business that extends credit to a customer. Is this your business?
As a result of this definition of a creditor, some major industries are crying foul. The American Medical Association, in a letter to the FTC, has strongly objected to the FTC staff’s interpretation that physicians are “creditors” under these rules. The AMA has also expressed concern that “If physicians are forced to collect monies up front from their patients to avoid being called creditors and being subjected to an unfunded, costly, burdensome mandate that duplicates existing requirements under the Health Insurance Portability and Accountability Act (HIPAA), the Red Flag Rule will undoubtedly undermine health care reform and our nation’s access to health care services.”
Given the debate, and Chairman Leibowitz’s specific reference to Congress, it is likely that further examination of the Red Flags Rules will begin and that the definition of a creditor will undergo some modification. Perhaps health care providers will be excluded from the definition of a “creditor,” or the size of the business will be taken into account when determining whether a business meets the definition of a creditor.
But do not think for a moment that your organization can breathe a sigh of relief from the second delay of enforcement of these rules. Identity theft and privacy compliance will continue to be a major issue in the information world. It is likely that the Obama administration will continue to focus on enforcement of privacy compliance due to heightened concerns about identity theft.
Moreover, despite today’s delay of enforcement by the FTC, the rules are already in effect; it is only the enforcement of the rules that has been delayed. As an FTC attorney pointed out to me this week, the rules themselves are not that difficult: you need to think like a potential ID thief and then guard your business accordingly.
Best practice for any business that handles personal information is to develop a written identity theft prevention plan now, before enforcement of the rules begins, to train employees about identity theft prevention, and to stay current on privacy laws and regulations.