Microsoft Adopts International Cloud Privacy Standard

Adams and Reese LLP

Public cloud computing services, that is, computing resources (such as networks, storage, applications, and services) purchased from another company (a “cloud services provider”), offer many potential benefits for businesses, among them economies of scale, lower capital costs, and improved accessibility.

However, cloud computing is not without risk. Various data protection laws require businesses to safeguard and protect the privacy of personal information stored in the cloud. As a result, businesses must assess and address information security and privacy risks before becoming a customer of a cloud services provider and entrusting personal information to that provider.

On August 1, 2014, the International Organization for Standardization (ISO) issued ISO/IEC 27018, a standard for protecting personal information stored in the cloud. To learn more about ISO/IEC 27018 and its personal information protection requirements, see our earlier update on the standard.

As we wrote previously, ISO 27018 may be a helpful tool for businesses to use in evaluating a cloud service provider’s capabilities to protect personal information stored in the cloud.

On February 16, 2015, Microsoft announced that it had become the first major cloud provider to adopt ISO/IEC 27018. ISO/IEC 27018 requires Microsoft to take the following steps (among others) to protect the privacy of personal information stored in the Microsoft Cloud:

  • Process personal information only as instructed by the customer;
  • Never process personal information for advertising and marketing purposes without the customer’s express consent;
  • Reject requests for personal information that are not legally binding; consult the customer when legally permissible before making any disclosure of personal information; and accept any requests for disclosures of personal information authorized by a customer;
  • Notify the customer of any request for disclosure of personal information by a law enforcement authority, unless that disclosure is otherwise prohibited;
  • Notify the customer promptly of any unauthorized access to personal information or loss, disclosure or alteration of personal information;
  • Help the customer meet its obligations in the event of a data breach; and
  • Require all individuals with access to personal information to be bound by a confidentiality agreement.

Privacy protections are increasingly the focus of existing and proposed state and federal laws here in the United States, and mandated by various jurisdictions around the world. As a result, ISO/IEC 27018 may emerge as a commonly utilized standard for cloud service providers to follow in order to protect personal information in the cloud.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Adams and Reese LLP | Attorney Advertising
