Peer to Peer Magazine

Winter 2015

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/624538

WHAT'S NEW

In 2014, an additional voluntary standard within the 27000 series, ISO/IEC 27018, was adopted to govern the processing of personally identifiable information (PII) by public cloud service providers (CSPs). ISO/IEC 27018 is the first international privacy standard for the cloud. This new standard incorporates controls that reflect PII considerations specifically for cloud services. It will help a CSP demonstrate that its cloud privacy policies and practices are robust and in line with best industry practices.

While ISO/IEC 27001:2013 addresses IT security, and in most respects aims to lower risks that unauthorized third parties will gain access to customer information, ISO/IEC 27018:2014 specifically addresses what a service provider must do to protect the privacy of that data. This has particular importance in jurisdictions that might have weak or nonexistent data protection regulations or laws. Other economies could have data privacy laws that are not applicable to government entities; the standard might improve this as well.

The massive increase in data that flows across the Internet poses an additional challenge to data owners (or controllers) related to the privacy of customer information. This challenge is related to appropriate constraints that should be placed on a party (such as a cloud service provider) that may access customer data for certain purposes, but only those purposes. Important considerations to protect PII beyond its approved use or end of life include retention policies for PII data and transparent parameters for the return, transfer and secure disposal of personal information.

Wide adoption of this standard will enable customers and providers to evaluate what protections are in place and, more important, what is needed to protect PII. The recently released text of the Trans Pacific Partnership also addresses this issue in Chapter 14.
STANDARDS OF PROTECTION

This summary has only highlighted a few of the many details within the 32 pages of the ISO 27018 description. It is a suitable reference for globally operating CSPs to demonstrate their data protection/privacy compliance instead of having to cope with different national standards in various jurisdictions. With data losses increasing, all companies that handle data need sound advice on how they construct comprehensive internal privacy policies and contracts with service providers and outside vendors. This provides significant business opportunities for lawyers to advise their clients on mitigating data loss and liability.

The world is far more connected now than at any time in history. The need to protect personal information and data from criminal, deliberate or accidental access or loss has never been greater. ISO 27018, when correctly implemented and combined with a comprehensive contract for services, goes a long way toward achieving that goal.

About the Author

Michael (Mike) R K Mudd is the Managing Partner of Asia Policy Partners LLC (APP), an IT strategy and trade policy advisory firm. He is an appointed technical expert to JTC-1 of the ISO and is a member of the Government of Hong Kong's Expert Group on Cloud Computing, specifically the Working Group on Cloud Security and Privacy. Contact Mike at mmudd@asiapolicypartners.com.

Eliminate the ROT

by Howard Russell of RBRO Solutions

Law firms are paying increasing amounts of attention to the issue of security. Many surveys, and the theme of this issue of Peer to Peer, speak to the importance of this subject for everyone. Yet, in all the discussion about security, little is mentioned about ROT: redundant, obsolete and trivial data. As much as these three words seem to indicate "no value" or "no risk," nothing is trivial to hackers attempting to find information they can exploit.
In a recent AIIM survey, respondents reported only 42 percent of their electronically stored information is useful to the business. Only 12 percent were confident they were storing only what needed to be stored. 41 percent listed a failure in information governance as generating a risk of excess litigation cost or damage. Many have information governance policies in place; however, we have to ask whether they can be enforced.

Law firms should work to eliminate ROT by finding ways to make it easy for users to interact fully with all content in the context of the firm's document management system (DMS). Ensure that all applications that consume data can interact directly with the DMS to avoid staging of content on network shares. By making it easy for your users to maintain all content in a secure DMS, you'll reduce the storage costs associated with ROT, gain the ability to audit all activity, reduce risks related to redundant content and more accurately apply retention policies to all information — even the trivial stuff!
