• Compliance with specific laws: If your organization is governed by specific privacy
laws, especially when governmental agencies evaluate the activities of third parties, you
may choose to require compliance with these laws, such as applicable EU privacy laws.
• Location limitations: Cloud providers may implement an infrastructure that transfers
your organization’s data to additional locations or subcontractors. If your cloud provider
transfers personal information from a country requiring localization (such as Russia) to
another location, your organization may face legal challenges. Additionally, if your cloud
provider transfers personal information from a country requiring sufficient security controls
(such as members of the European Union) to a country that has not met a sufficiency
determination, your organization may also face legal challenges. It is critical to
understand where personal data is located and to specify data center locations within the
agreement.
• Additional addendums: Some laws will require additional details in the agreement. For
example, some international laws may require the use of specific addendums, such as
the EU’s requirement for model contractual clauses when a third party does not meet
sufficiency requirements. Under the Health Insurance Portability and Accountability Act
(HIPAA), organizations providing services that involve the storage or transmission of
protected health information (PHI) should execute a Business Associate Agreement
(BAA) with cloud providers receiving PHI. Organizations should work closely with legal
counsel to determine when such addendums apply.

Conclusion

Organizations should strongly consider developing standard language when working with any
third party, especially cloud service providers. With growing cloud service adoption and
increased awareness of the financial repercussions of poor security, every organization has an
opportunity to effectively manage third party risk, at least in part, through strong contractual
terms.


About The Author

Charlotte A. Tschider is an Affiliated/Adjunct Professor at Mitchell Hamline School of Law for the
Cybersecurity and Privacy Law Program, the Owner/Principal of Cybersimple Security, a
corporate security and privacy consulting company, and a member of the International
Association for Privacy Professionals (IAPP) Training Advisory Board. For the past fifteen years,
Tschider has led teams at Fortune 50 and Fortune 500 companies, applying privacy and
information security principles to the manufacturing, banking, health, and retail sectors. In her
corporate roles, Tschider served as Director of Information Security Management for Carlson
Wagonlit Travel, a market-leading global corporate travel company, and in various roles at
Target Corporation. Tschider writes on information policy, including information security,
privacy, and intellectual property laws and business practices. Charlotte can be reached at
[email protected], on Twitter at @cybersimplesec, or through the
Mitchell Hamline Cybersecurity Program Website, http://mitchellhamline.edu/cybersecurity/.



38 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
