Archive for the ‘privacy’ Category

Data Leak Prevention Technology – Top DLP EFSS Solutions 2020

Data leak prevention technology


Data Leak Prevention Technology:

Data leak prevention technology keeps sensitive corporate data secure by identifying potential data breaches and helping to eliminate them. DLP software classifies, regulates confidential business data, and identifies data violations typically driven by regulatory compliance such as Federal laws, HIPAA, FINRA, and EU-GDPR. Once the violation or data breach is identified, DLP enforces immediate remedial measures such as alert messages, access restriction, and other measures that prevent end-users from sharing data that could put the organization in jeopardy.

What Is Data Leak Prevention?

Data leak prevention (DLP) combines the power of security tools and strategic processes to ensure that company’s confidential data is not lost, misused, or accessed by unauthorized users. Simply put, Data leak prevention is a strategy that makes sure that end users are not able to intentionally or accidentally destroy or steal the company’s data. The enterprise must have a data leak prevention policy so that all the access control are predefined and linked to the data.

This prevention strategy should be covered by the EFSS solution which you use to store and share organization files. With the correct data protection policies and systems, you will be able to reduce or eliminate data leak incidents.

Top Data Leak Prevention Solutions 2020


FileCloud offers 360° protection with smart data leak prevention technology to ensure accidental data leakage. FileCloud’s real-time data prevention capabilities control user actions (login, download, share) based on the IP range, team groups, user types, email domain, folder paths, metadata and many more rules. FileCloud also integrates with existing security information and event management (SIEM) tools to provide more stringent data leak prevention. FileCloud’s evaluates user actions in real-time and logs rule violation reports for future auditing.

FileCloud helps enterprises comply with HIPAA, FINRA, ITAR, EU-GDPR, and other data privacy regulations. Smart DLP can be extended to the on-premise server as well as the cloud server, thereby offering flexibility to businesses in selecting the right fit for them.


Dropbox offers a data leak prevention technology solution in collaboration with Symantec. The security to the Dropbox cloud is provided by Symantec CloudSOC that safeguards organization against data loss and threats that targets cloud accounts. The Cloud Access Security Broker (CASB) technology by Dropbox protects businesses against any threats that may impose danger. The post data analysis of user activity helps in identifying the potential threat that an insider could pose to the confidential data.


Box data leak prevention technology helps with data security, access control and mitigates security challenges. Box DLP helps in avoiding the deletion or exposure of confidential data stored on company networks and servers. Box offers granular access permissions, and activity monitoring and significantly reduces data security risks associated with malicious activity and unauthorized sharing.


Egnyte DLP solution helps in identifying, classifying, and protecting your business data. Egnyte takes a proactive approach in content governance and provides insights into detecting unusual file behavior. File access control in real-time ensures that businesses can be strategic in their approach while deciding the security rules. The intuitive self-service experience that Egnyte offers help in protecting your business data and keep you compliant with latest business regulation.


Citrix’s ShareFile data leak prevention technology is offered in partnership with Digital Guardian and Code Green Networks. This solution mitigates the risk of data leakage by leveraging ShareFile’s APIs to move or revoke access to the files that contained sensitive information. You can classify and restrict data flow thereby having more control over the security aspect of the storage and data transfer. This allows you to find a sweet spot between security and usability that best fits your organization.


Microsoft OneDrive’s DLP policy identifies sensitive information including financial data and personally identifiable information. The sensitive information is monitored and protected from accidental sharing. It helps in staying compliant with the global guidelines without interrupting the data workflows. Also, you can view the DLP reports that help you make better security decisions. With OneDrive’s DLP you can restrict the sharing of sensitive data, define actions that must be taken in case of a data breach, audit incident reports, and set priority for user accounts.

How FileCloud Data Leak Prevention Technology Safeguards Your Data

  • Detects threats in FileCloud accounts: Using advanced data science and machine learning technology we analyze the user activity and identify risks that pose a threat to your business data.
  • Protects data in FileCloud accounts with Smart DLP: Protect your business data in FileCloud with the same policy frameworks and workflows that your company uses across your organization.
  • Network control and flexibility in inter-operability: Empower organizations to limit the use of unauthorized personal accounts on networks while allowing access to company-managed accounts using access control settings.
  • Detects risky user activity: User activity Analytics identifies potentially risky user activity and enables automated policy controls to secure your business data and accounts.
  • Powerful encryption technology to protect user data:  Protecting your organization data with automated policies and encryption to prevent accidental or malicious sharing of data.
  • 360 ° analysis of user activity: Quickly assess activity that may impact your FileCloud accounts with detailed information and extensive log filtering capabilities.

Advantages of FileCloud’s Data Leak Prevention:

  • Data protection from external and internal threats: DLP can detect files that contain confidential data and prohibit them from leaving the network. The sensitive data transfers can be instantly blocked using Smart DLP in case of a data breach. Apart from this, DLP policies also provide for quarantine or encryption of data in real-time in response to events.
  • Auditing capabilities and compliance with regulations: Accountability in terms of collection, storage, and sensitive data needs a mechanism for the compliance and auditing capability fills that gap. Consequences of non-compliance can include fines or complete cessation of business operations. DLP sought out a path that provides control, policy template, automate compliance, and the collection and reporting of metrics.
  • Forensic data and E-discovery: DLP technology allows for capturing and archiving of evidence for forensic data analysis. Monitoring via DLP can include email, instant messaging, keystrokes, documents accessed, and application used. Also, in case of a lawsuit or investigation, the forensic data can be used as evidence when data is sought in electronic format.
  • Automate corporate governance: DLP capabilities help you in the enforcement and automation of corporate policies and processes. This can bring in technical and organizational efficiencies, promote compliance, and bring in transparency in information governance. Automate corporate governance enables for selecting an appropriate policy template on your system that will help in bringing in more accountability.
  • Complementary data controls: DLP comes with complementary data controls such as data classification and data tagging, encryption, security information and event management, and incident response system. These features ensure that your complete data is safe on the cloud storage system. Complementary control along with DLP ensures that no data is accidentally exposed. DLP can monitor data in transit, at rest, and ensure that it is safeguarded and protected.

Use Case: Limiting the Web login to a Specific Group of Users

With FileCloud’s Smart DLP you can limit certain external users to log in only through a web interface and no other means for accessing the account. You can create a Smart DLP rule that allows login to FileCloud account through a web browser only. These rules are easy to implement and provide flexibility in the security of the data. FileCloud’s Smart DLP is your goto solution for making the cloud ecosystem more transparent, accountable, and protected.

Protecting Remote Work Data From Cyber Threats

The COVID-19 pandemic has created many challenges for enterprises across the world who have adopted remote work culture full time. Certain statistics out in the public domain suggest that working-from-home culture is not new to many organizations. Across the world, many organizations were already following this, either fully or in parts. Many employees have had the flexibility to work from home at least once a  week or so. Of course, there are many sectors where this would not be true, but in most IT and enabled sectors, this certainly holds true.

What has changed though with the COVID-19 crisis is the choice to work from home or office. Many governments across the world have made it mandatory that organizations provide work from home options to their employees, wherever applicable. Thus, the COVID-19 situation has resulted in a great jump in the remote work statistics, as compared to a few months back. While for a few companies, it was just a matter of institutionalizing their already existing work from home policies, for many others, it meant exploring options to make it possible. Either way, business continuity plans of enterprises are changing, to include considerations and challenges around the remote work culture.

The Statistics

A State of Remote Work 2019 survey published by OWL Labs based on respondents in the US, suggests that ‘54% of respondents work remotely at least once per month, 48% work remotely at least once per week, and 30% work remotely full-time’. The survey covered respondents across all levels of people like individual contributors, team managers, consultants, directors, VPs, and more. It also covered industries like Healthcare, Education, Retail, Financial Services, Manufacturing, Technology/Internet, Government, Hospitality, and more.

Considering the scenario of last year, it is safe to assume that these numbers would have jumped by leaps and bounds owing to the COVID-19 situation. And it would be the same across the globe, as governments are trying to curb the spread of the disease by minimizing the people to people contact. Workplaces with centralized air conditioning were a cause of major worry as chances of one person infecting many others were high. So, it appears as if remote work is here to stay and all challenges around it need to be addressed by the organizations, on priority.

The Challenges

Almost all issues surrounding the remote work mode are about security. Within secure corporate environments, data is protected by means of necessary precautions put in place. So, there is not much onus on employees to worry about the security aspect. Since they will be working with company-issued laptops, that will have company authorized software that also includes security aspects, there is a sense of safety. This scenario changes drastically when the employees start working remotely, as they could be working from home or elsewhere.

Problems range from using public Wi-Fi, not being aware of scams and phishing that happen in the cyber world, and a simple thing like just leaving your laptop open when moving around. Issues come in the form of a snooping housemate, to cyber attack experts who will be on the prowl. It is assumed that people working from home will be slightly lax on the security front, (knowingly or unknowingly) and they will take their chances.

Why is Cybersecurity Important?

Cybersecurity is of prime importance, and many organizations have learned this at a great cost. According to a report published in the Cyber Defense magazine quoting multiple sources, 43% of the cyber attacks were targeted at small businesses. 31% of organizations have experienced cyber attacks on operational infrastructure and malware is the most common type of cyber attack. The same report further states that the annual cost of cybercrime damages is expected to hit $5 trillion this year (2020).

A very interesting statistic put up here is that 95% of data breaches have causes attributed to human error! This is why awareness training for employees is important. Hackers are certainly becoming better at identifying and manipulating vulnerabilities in IT systems. This has also lead to an increase in cybersecurity budgets of organizations, and in the current situation perhaps, more so.

The Organizational Changes

From an organizational point of view, it is important to ensure that every employee working remotely is made aware of the risks involved.  Comprehensive training covering all aspects, including probable cyber threats and how they happen, should be conducted. Also, it is important to make people aware of the consequences, so that maximum caution is applied while working remotely. The IT environment should be strengthened in such a way that people can work from elsewhere securely.

All end-point devices should be safe, should be monitored for any mischievous activity, and the device and identity should be protected to make sure misuse cannot happen. Multiple factor authentication using strong passwords, 2FA, etc. should be adopted. If the enterprise is already using Cloud services, then the security policies may be revisited to ensure all necessary compliances are in place. Also, in such cases, employees should be given access to collaboration and office productivity tools to make sure all communication remains within the gambit of defined security measures.

The Suggestions

There are some simple steps that can be taken to ensure a reasonably good level of security for remote work. The main among these perhaps is something that most organizations would have already put in place. This is to ensure anti-virus software on employee laptops. Depending on the mode using which the employees access the corporate network, this can ensure the basic security at the end-point.

An important thing to remember is to ensure updates of anti-virus or any other security solutions across. These solutions are being updated to detect more vulnerabilities on a day to day basis. Hence, unless the updates are synced across the organizational devices, the benefits won’t be seen. Public Wi-Fi or even the home Wi-Fi can be easily hacked. Using public Wi-Fi should be avoided totally and home Wi-Fi should be protected with strong passwords that are changed often. The Wi-Fi settings should be changed to enable the highest possible encryption.

Using VPNs may be a good option to ensure a secure connection to the corporate resources. Since every enterprise is dealing with confidential information exchange, the laptops should never be left unattended and open. Breaches have and can happen unintentionally by this simple oversight also. Employees should be trained to follow all corporate communication policies and should only use official communication channels. No local copies of documents and reports should be maintained unless absolutely essential and permitted to do so.

Another safeguarding measure that employees should adopt is to report any untoward activity, mail, or suspicious documents and links, immediately to the IT/security department. This can ensure any breach is caught immediately. One of the alarming aspects of breaches has been that it is usually too late (as much as six months) by the time they are reported and found. Employees being aware and vigilant can contribute a lot to the organizational security policy.

In conclusion, a secure IT environment with aware and empowered employees, and good supporting security and collaboration tools can ensure protection from cyber threats.

Reference for the Suggestions:

Data Privacy in A Digital Age

Privacy has always been a crucial aspect of human existence. But as more data becomes digitized, and more information is shared online, data privacy is becoming more important.  Data privacy denotes how information should be managed based on its perceived importance. It isn’t just a business concern; individuals have a lot at stake when it comes to the privacy of their data. The more you are aware of it, the better you’ll be able to shield yourself from multiple risks. In this digital age, the concept of data privacy is mainly applied to critical personal information, also refereed to as personally identifiable information (PII) and personal health information (PHI). This typically includes financial data, medical and health records, social security numbers, and even basic yet sensitive information like birthdates, full names, and addresses.

For a business, data privacy transcends the PII of its customers and employees. It also encompasses the information that helps it operate, whether it’s propriety research and development data or financial information that shows how money is spent within the company. Recent history has shown that when data that should remain private gets into questionable hands, bad things follow.

It’s a Data Driven Economy

User data is an extremely valuable asset in this information age. It not only helps organizations understand their customers, but also enables them to ‘track’ customers and target them with ‘relevant’ ads. Marketing is just one of the ways companies leverage user data to strengthen their position in the market and increase their revenues. There are other more harmful ways. In 2018, Facebook founder Mark Zuckerberg was called to testify before the United States Congress, following the Cambridge Analytica Scandal. Questioning during the hearings unearthed several details of a data privacy crisis for companies like Facebook that are dependent on data manipulation and harvesting.

More and more user groups, regulators and non-profits have begun demanding for a legally enforceable ‘right to privacy’. Speaking at a privacy conference in Brussels, Apple CEO, Tim Cook, called for improved privacy laws. At a time when the data practices of industry titans like Facebook and Google are being put into question, Cook is pushing Apple in the opposite direction, by not only talking up data privacy, but also embracing new regulations. Cook has also criticized companies that base their business models on the harvesting of personal data for advertising, while highlighting that his company tires to collect as little of it as possible.

The Service Affordability Tradeoff

Many in the tech industry are disinclined to support privacy regulations due to its potential to hold back innovation.  Mark Zuckerberg defended his company’s advertising-based model by pointing out that it enabled its services to “be affordable to everyone”. “Instead of charging users, we charge the advertisers”, he added. Google’s Senior VP for Global Affairs, Kent Walker, echoed the same sentiment by saying ads allow them to deliver search to users of all income levels across the globe for free. However, both executives also acknowledged that security and privacy has to be a principal consideration, even if it impacts profitability. Its impossible to ignore the fact that all this personal data can lead to interferences and intrusions with people’s private lives. This can have a damaging and distressing effect on individuals.

Data Privacy Should be a Basic Human Right

Though the US has relatively few regulations that govern the gathering and use of personal data, in several other places around the globe, data privacy is considered a basic human right. Within the European Union, the recently enacted General Data Protection Regulation (GDPR), sets stringent legal standards for the handling of personal data. While ‘privacy’ may sound like a nebulous concept, it’s not a new idea in human rights law. The right to privacy safeguards an individual’s dignity by protecting their personal information from public scrutiny. This right is typically protection by statutory law.

The UN’s human rights office inferred that governments should respect the right to privacy by regulating how private organizations – not just intelligence agencies and the police – treat personal data. Human rights courts have also acknowledged that the collection, use, storage, and sharing of personal data can balk privacy. Those actions should therefor be limited to what is unquestionably necessary and relative to a justifiable goal.

“All of us will have to think about the digital experiences we create to treat privacy as a human right”

– Satya Nadella, CEO of Microsoft

The GDPR Is Charting the Way

The EU enacted GDPR will improve privacy and should propel other countries to enhance the protection of people’s personal information. The new regulation that became legally binding across the EU’s 28 member states on May 25, 2018, is one of the most comprehensive and strongest attempts globally to regulate the collection and use of personal data by both the government and the private sector. Despite the fact that the GDPR has prompted multiple other nations to strengthen their cyber laws, none offer residents the right to data privacy. Courts and regulators have to work attentively to ensure that corporations and governments don’t try to exploit ambiguities in data protection laws.

Several companies have begun exploring how they can enhance the protection of users’ data and play a role in the continuing conversation about privacy as a human right. Those that are yet to do so have to develop the necessary tools and processes needed to track the source of the data they collect, making sure that data collected for a specific purpose is not exploited for another. They will also have to develop new policies outlining how data is collected and used in a clear, concise language, not legalese.

GDPR Presents Opportunities for MSPs

In today’s digital world, the issue of data privacy is provoking constant debates with large corporations and even governments being objurgated for invasions of privacy. According to online statistics firm Statista, only about a third of internet users in the United States are concerned about how their personal is data is shared. However, that number is likely to rise as privacy compliance becomes a ubiquitous business concern due to the growing number of regulations formulated to curb the unauthorized access and use of personally identifiable information. The GDPR is one such legislation. No other legislation measures up to the inherent global impact of the EU’s General Data Protection Regulation (GDPR).

Gartner’s prediction that more than half of companies governed globally by the GDPR will not be fully compliant by the end of 2018 has come to fruition. With less than a month to go, a survey of 400 companies conducted by CompTIA inferred that 52 percent were still assessing how GDPR applies to their business. The research also showed that only 13 percent were confident that they are fully compliant. GDPR will without a doubt be a disruptive force in the global marketplace that cannot be ignored. This presents prodigious business opportunities for MSPs to leverage their experience in network security offerings, class analytics solutions, and their own experiences implementing strategies around this new development.

1. An Opportunity to Become GDPR Compliant

As an MSP, it makes sense to protect your business from any reputational and financial consequences by becoming GDPR compliant. It is said that charity starts at home, it would therefore be incongruous for an MSP that is yet to achieve full GDPR compliance to offer guidance in the same aspect. The experiences you gain in your journey to compliance will be of great value to both current and potential customers.

2. An Opportunity to Engage and Educate Your Clients

Most non-European businesses are yet to establish whether the GDPR will apply to them. And for those that are aware, their MSP will likely be the first place they turn to for help; whether its to set up reporting tools, work on data encryption, conduct audits, or implement new data management practices. MSPs should ensure that their clients fully understand the extent and impact of the regulations, and prepare them for GDPR. Since they are already aware of their client’s internal practices and processes, managed service providers are better suited to architect solutions that incorporate GDPR compliance and governance.

MSPs will have to re-onboard clients to make sure their prescribed SaaS offering will meet GDPR requirements. Gather resources and links that can help educate your clients. The use of informative marketing campaigns, or a resource center on your site will help create channels for dialogue – which may subsequently lead to new business projects.

3. An Opportunity to Understand Your Clients Data

Data is a crucial asset, however, most MSPs know very little about the data their clients possess. The only way an MSP can offer guidance and services related to GDPR is by understanding what data your clients have and the location of said data. MSPs should be ready to make an extra effort beyond protecting business applications to protecting personal data. The only way to accomplish this is by analyzing your client’s existing data. Through this process, you will be able to identify any security gaps and create customized security offerings to fill them. Additionally, the data discovery will allow you to adjust your pricing accordingly and push your customers towards more secure technologies or sell additional services that mitigate the risks their current business systems present.

4. An Opportunity to Offer Compliance and Security Related Services

MSPs tend to act as virtual CIOs for their customers. In most cases, the line between packaged service and free consultation tends to get blurred somewhere along the line. GDPR guidance could easily follow the same track – unless the value you offer is presented as a bundle that can be allotted a price tag. Compliance and security services are a potential gold mine for service providers who have acquired the management expertise to satisfy and simplify the complexities associated with the General Data Protection Regulation. Since having a designated Data Protection Officer (DPO) is a mandatory requirement under GDPR regardless of the size of the company; MSPs can use that as an opportunity to establish a DPO as a service model geared towards SMEs that may lack the resources to recruit costly, in-house compliance staff.

5. An Opportunity to Expose Your Brand

Marketing a compliance culture with transparency builds greater relevance and trust among current and potential customers. Companies looking to achieve full GDPR compliance are likely to align themselves with a service provider that has a demonstrated track record. Publicly documenting your GDPR compliance milestones on blogs, social media and your website confirms your familiarity with the subject. Once achieved, full GDPR compliance will act as a quality standard that can be placed on marketing channels to attract and reassure prospective clients.

In Closing

As the weight of the General Data Protection Regulation continues to impact the globe, sagacious MSPs will have an opportunity to assist their customers prepare and gain incremental revenues while supporting the European Unions effort to create a digitally secure global marketplace. Despite the current rush to beat the May 25th deadline, compliance isn’t a one off activity. Companies will always have a budget for comprehensive strategies aimed at achieving and maintaining privacy compliance.

image curtesy of freepik



Author: Gabriel Lando

International Traffic in Arms Regulations (ITAR) Compliance in the Cloud



ITAR was enacted in 1976 to control the export of defense-related articles and services. It stipulates that non-US persons are not allowed to have logical or physical access to articles modulated by International Traffic in Arms Regulations; which is administered by the Directorate of Defense Trade Controls – DDTC, a sub-division of the State Department. The articles covered by ITAR are listed on the United States Munitions List – USML, and generally, encompass any technology that is specifically designed or intended for military end-use. ITAR was also contrived to govern the import and export of any related technical data that consists of describes, supports, or accompanies the actual exported service or goods unless exemptions or special authorization is created.

The goal of ITAR is to prevent the transfer or disclosure of sensitive information, typically related to national security and defense, to a foreign national. In most cases, non-compliance usually translates to the loss of assets and professional reputation. However, with ITAR, lives may possibly be at stake. This is why the International Traffic in Arms Regulations is a strictly enforced United States government regulation and carries some of the most austere criminal and civil penalties that not business or individual would want to be on the receiving end of.

ITAR is not applicable to information that is already available in the public domain, or that is commonly taught in school under general scientific, engineering or mathematical principles.

Who is required to be ITAR compliant?

The law essentially applies to defense contractors who manufacture or export services, items or other information on the United States Munitions List. However, any company that is in the supply chain for such items must make ITAR compliance a priority. ITAR has a fairly complicated set of requirements, and since the repercussions of non-compliance are severe, companies should not hesitate to seek legal clarifications of their obligations if they even suspect the regulation applies to them – better safe than sorry. The vague categories of the USML make it difficult to intelligibly understand what exactly falls under the purview of military equipment.

The list is inclusive of most technology used for spaceflight, along with a vast range of technical data such as product blueprints, software and aircraft technology. Most of these items were initially developed for military purposes but were later on adapted for mainstream purposes – in aviation, maritime, computer security, navigation, electronics and other industries. It is crucial for firms that offer products and services to government consumers to fully grasp this distinction, to avoid expensive legal violations. ITAR may also likely impact large commercial enterprises, universities, research labs, and other institutions who are not directly involved in the defense industry.

The Repercussions of Non-compliance

Violating ITAR could lead to both criminal and civil penalties. The imposed fines are virtually unlimited – typically, organizations are prosecuted for hundreds of violations at once. The penalties for ITAR violations, both criminal and civil, are substantial. Criminal penalties may include fines of up to a million dollars per violation and 10 years’ imprisonment while civil fines can be as high as half a million dollars per violation. Failure to comply with ITAR may also damage an organizations reputation and ability to conduct business. The State Department maintains publicly available records of all penalties and violations dating back to 1978. Organizations and individuals run the risk of being completely debarred from exporting defense-related services and items.

Challenges in the Cloud

ITAR compliance and the adoption of cloud platforms presents unique challenges. Uploading technical data to the cloud carries with it a huge risk of penalties and violations. There are a lot of questions in regards to whether or not regulated technical data can be stored in a public cloud. The intrinsic quandary in that cloud vendors use distributed and shared resources that will likely cross national borders, and this dispensation of resources is not entirely transparent to the end-user. Data back-up and replication are common security measures when sharing files and collaborating via the cloud, but they can inadvertently lead to unlicensed exports in the event data is sent to servers located outside the United States. Once technical data goes beyond U.S borders, the risk of non-US persons having access to it increases exponentially.

In 2016 for example, Microwave Engineering Cooperation settled an ITAR violation with the State Department after technical data related to a defense article was exported to a foreign person without authorization. So if giving a foreign person access to technical data, or placing it on a server in a foreign nation is deemed and export. What guidance does ITAR give to ensure the entire process is done in a legal manner? Or is cloud storage simply off the table?

The State Department maintains that technical data can be stored on servers outside the U.S, provided that the of the ITAR license exemption conditions are met, and adequate measures are taken to obviate non-US individuals from accessing technical data. In most cases, the measure typically involves ensuring that any data sent to a server beyond U.S borders, or that is potentially accessible by a foreign person within or outside the U.S has to be properly encrypted. It is important to note that by law, cloud providers aren’t considered exporters of data, however, your organization might be. So the burden of ensuring ITAR compliance when handling technical data falls squarely on the people within the organization. Organizations dealing with defense-related articles in any capacity have to exercise extreme caution when using any commercial file sharing and sync service.


Author: Gabriel Lando

Personal Data Breach Response Under GDPR

personal data breach

Data security is at the heart of the upcoming General Data Protection Regulation (GDPR). It sets strict obligations on data controllers and processors in matters pertaining data security while concurrently providing guidance on the best data security practices. And for the first time, the GDPR will introduce specific breach notification guidelines. With only a few months to go until the new regulations come into effect, businesses should begin focusing on data security. Not just because of the costs and reputational damage a personal data breach can lead to; but also because under the GDPR, a new data breach notification regime will be applied to statute the reporting of certain data breaches to affected individuals and data protection authorities.

What Constitutes a Personal Data Breach Under GDPR?

GDPR describes A personal data breach as – a security breach that leads to the unlawful or accidental loss, destruction, alteration, or unauthorized disclosure of personal data stored, processed or transmitted. A personal data breach is by all means a security incident; however, not all security incidents require the same strict reporting regulations as a personal data breach. Despite the broad definition, it is not unusual in data security laws that require breach reporting. HIPAA, for example, makes the same distinctions at the federal level for medical data. It aims to prevent data protection regulators from being overwhelmed with breach reports.

By limiting breach notifications to personal data (EU speak for personally identifiable information – PII), incidents that solely involve the loss of company data/ intellectual property will not have to be reported. The threshold to establish whether an incident has to be reported to a data protection authority is dependent on the risk it poses to the individuals involved. High risk situations are those that can potentially lead to the significant detrimental suffering – for example, financial loss, discrimination, damage to reputation or any other significant social or economic disadvantage.

…it should be quickly established whether a personal data breach has occurred and to promptly notify the supervisory authority and the data subject.

– Recital 87, GDPR

If an organization is uncertain about who has been affected, the data protection authority can advise and, in certain situations, instruct them to immediately contact the individuals affected is the security breach is deemed to be high risk.

What Does The GDPR Require You to Do?

Under GDPR, the roles and responsibilities of processors and data controllers have been separated. Controllers are obliged to only engage processors who are capable of providing sufficient assurances to implement appropriate organizational and technical measures to protect the rights of data subjects. In the event of a data breach that affects the rights and freedoms of said data subjects, the organization should report it, without any delay and, where practicable, within 72 hours of becoming aware of it.

The data processor is mandated to notify the controller the moment a breach is discovered, but has no other reporting or notification obligation under the GDPR. However, the 72-hour deadline begins the moment the processor becomes aware of the data breach, not when the controller is notified of the breach. A breach notification to a data protection authority has to at least:

  1. Have a description of the nature of the breach, which includes the categories and number of data subjects affected.
  2. Contain the data protection officer’s (DPO) contact information.
  3. Have a description of the possible ramifications of the breach.
  4. Have a description of steps the controller will take to mitigate the effect of the breach.

The information can be provided in phases if it is not available all at once.
If the controller determines that the personal data breach can potentially put the right and freedoms of individuals at risk, it has to communicate any information regarding the breach to the data subjects without undue delay. The communication should plainly and clearly describe the nature of the personal data breach and at least:

  1. Contain the DPO’s contact details or a relevant contact point.
  2. Have a description of the possible ramifications of the breach.
  3. Have a description of measures proposed or taken to mitigate or address the effects of the breach.

The only exception in this case is if the personal data has been encrypted, and the decryption key has not been compromised, then there is not need for the controller to notify the data subject.

The most ideal way for companies to handle this GDPR obligation is to not only minimize breaches, but also, establish policies that facilitate risk assessment and demonstrates compliance.

The GDPR stipulates that all the records pertaining the personal data breach, regardless of whether the breach needs to be reported or not. Said records have to contain the details of the breach, any consequences and effects, and the follow up actions taken to remedy the situation.

Should Ransomware Attacks Be Reported?

Ransomware typically involves the ‘hijacking’ of cooperate data via encryption and payment is demanded in order to decrypt the ransomed data. Under GDPR, Ransomware attacks may be categorized as a security incident but it does not necessarily cross the threshold of a personal data breach. A Ransomware attack would only be considered a personal data breach if there is a back up but the outage directly impacts user’s freedoms and rights, or if there is no back up at all. Ideally, a Ransomware attack where the ransomed data can be quickly recovered does not have to be reported.

What Are the Consequences of Non-Compliance?

A failure to comply with the GDPR’s breach reporting requirements will not only result in negative PR, constant scrutiny, and possibly loss of business; but will also attract an administrative fine of up to € 10 million or up to two percent of the total global annual turnover of the preceding financial year. Additionally, failure to to notify the supervising authority may be indicative of systematic security failures. The would show an additional breach of GDPR and attract more fines. The GDPR does have a list of factors the supervising authority should consider when imposing fine; chief among them being the degree of co-operation by the data controller with protection authority.

In Closing

Data breach notification laws have already been firmly established in the U.S. These laws are designed to push organizations to improve their efforts in the detection and deterrence of data breaches. The regulators intentions are not to punish but to establish a trustful business environment by equipping organizations to deal with with security issues.

Author: Gabriel Lando

image courtesy of freepik

Personal Data, PII and GDPR Compliance



The countdown for the European Union’s General Data Protection Regulation (GDPR), which will go into full effect in May 2018, is coming to a close. GDPR aims to solidify the data privacy rights of EU residents and the requirements on organizations that handle customer data. It introduces stern fines for data breaches and non-compliance while giving people a voice in matters that concern their data. It will also homogenize data protection rules throughout the EU. The current legislation, the EU Data Protection Directive was enacted in 1995, before cloud technology developed innovative ways of exploiting data; GDPR aims to address that. By enacting strict regulations and stiffer penalties the EU hopes to boost trust within a growing digital economy.

Despite the fact that GDPR came into force on 24th May 2016, organizations and enterprises still have until the 25th of May 2018 to fully comply with the new regulation. A snap survey of 170 cybersecurity pros by Imperva revealed that While a vast majority of IT security professionals are fully aware of GDPR, less than 50 percent of them are getting everything set for its arrival. It went on to conclude that only 43 percent are accessing the impact GDPR will have on their company and adjusting their practices to comply with data protection legislation. Even though most of the respondents we based in the United States, they are still likely to be hit by GDPR if they solicit and/or retain (even through a third party) EU residents’ personal data.

Remaining compliant with GDPR demands, among several other things, a good understanding of what constitutes ‘personal data’ and how it differs from ‘personal identifiable information’ or PII.

What is Personal Data In the GDPR Context?

The EU’s definition of personal data in GDPR is markedly broad, more so than current or past personal data protection. Personal data is defined as data about an identifiable or identified individual, either indirectly or directly. It is now inclusive of any information that relates to a specific person, whether the data is professional, public or private in nature. To mirror the various types of data organizations currently collect about users, online identifiers like IP addresses have been categorized as personal data. Other data such as transaction histories, lifestyle preferences, photographs and even social media posts are potentially classified as personal data under GDPR. Recital 26 states:

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

This personal data term directly applies to all the 28 states in the European Economic Area (EEA)

Is Personally Identifiable Information (PII) the Same as Personal Data?

The term ‘Personally Identifiable Information’ doesn’t appear anywhere in the GDPR; however, it does have a definite meaning in US privacy law. Therefore the term in itself is likely to cause confusion to anyone seeking to comply with GDPR. For a concept that has become ubiquitous in both technological and legal colloquy, PII is surprisingly hard to define. In a nutshell, PII refers to any information that can be used to distinguish one individual from another. This includes any information that can be used to re-identify anonymous data. This can solely refer to data that is regularly used to authenticate/identify an individual, this may be averse to information that violates the privacy of on individual, that is, reveal sensitive information regarding someone. The US interpretation of the term is undeniably incongruous with what is relevant for a proper GDPR assessment since it pre-selects a set of identifying traits.

To put it bluntly, all PII can be considered personal data but not all personal data is Personally Identifiable Information. Developing a solid GDPR compliance program demands that IT architects and marketers move beyond the restricted scope of PII to examine the full spectrum of personal data as defined by the EU.

Handling Personal Data in Accordance With GDPR

The first step to GDPR compliance in matters pertaining personal data is undoubtedly the risk assessment of how existing data is being stored and accessed, the level of risk attached to it, and whether it contains any PII. The data might be stored on server file systems, databases or even on an end user’s physical storage or cache. Becoming GDPR compliant will mean that you are not only protecting more data types in the future but will also involve dissipating more effort in the identification of existing data that initially wasn’t considered personal data. It is important to note that you cannot limit your scope to the data you hold as if it were a closed system. Nowadays, people typically interact with interconnected systems, and GDPR mirrors that. In such scenarios, organizations should focus outward, and infer who in their ecosystem can connect with an attribute to another, from the multiple varying paths to re-identification within their ecosystem.

Additionally, GDPR requires that a document ‘opt-in’ consent must be provided by each individual. The consent has to explicitly pinpoint the data collected, how it is going to be used and how long it will be retained. Organizations also have to provide participants with an option to remove their consent at any given time and request their personal data be permanently deleted. Participants should have the ability to get factual errors amended, and even request their personal data for review and use.

FileCloud Can Help You Comply With GDPR

The General Data Protection Regulation sets a new standard in the protection of personal data. Its efforts aim to grant data subjects more control over their data while ensuring the transparency of operations. FileCloud provides a set of simple features that can help organizations meet GDPR requirements.

Click here for more information.

Author: Gabriel Lando

Image courtesy of

GDPR – Top 10 Things That Organizations Must Do to Prepare

May 25, 2018 – that’s probably the biggest day of the decade for the universe of data on the Internet. On this date, Europe’s data protection rules –  European General Data Protection Regulation (GDPR) – becomes enforceable. In 2012, the initial conversations around GDPR began, followed by lengthy negotiations that ultimately culminated in the GDPR proposal. At the time of writing this guide (Sep 2017), most European businesses have either started making first moves towards becoming compliant with GDPR, or are all set to do so. Considering how GDPR will be a pretty stringent regulation with provisions for significant penalties and fines, it’s obvious how important a topic it has become for tech-powered businesses.

Now, every business uses technology to survive and thrive, and that’s why GDPR has relevance for most businesses. For any businessman, entrepreneur, enterprise IT leader, or IT consultant, GDPR is as urgent as it is critical. However, it’s pretty much like the Y2K problem in the fact that everybody is talking about it, without really knowing much about it.

Most companies are finding it hard to understand the implications of GDPR, and what they need to do to be compliant. Now, all businesses handle customer data, and that makes them subject to Data Protection Act (DPA) regulations. If your business already complies with DPA, the good news is that you already have the most important bases covered. Of course, you will need to understand GDPR and make sure you cover the missing bases and stay safe, secure, reliable, and compliant in the data game. Here are 10 things businesses need to do to be ready for GDPR.

Top 10 things that organizations should do to prepare and comply with GDPR

1.      Learn, gain awareness

It is important to ensure that key people and decision makers in your organization are well aware that the prevailing law is going to change to GDPR. A thorough impact analysis needs to be done for this, and any areas that can cause compliance issues under GDPR needs to be identified. It would be appropriate to start off by examining the risk register at your organization if one exists. GDPR implementation can have significant implications in terms of resources, particularly at complex and large organizations. Compliance could be a difficult ask if preparations are left until the last minute.

2.      Analyze information in hand

It is necessary to document what personal data is being held on hand, what was the source of the data, and who is it being shared with. It may be necessary for you to organize an organization-wide information audit. In some cases, you may only need to conduct an audit of specific business areas.

As per GDPR, there is a requirement to maintain records of all your activities related to data processing. The GDPR comes ready for a networked scenario. For instance, if you have shared incorrect personal data with another organization, you are required to inform the other organization about this so that it may fix its own records. This automatically requires you to know the personal data held by you, the source of the data and who it is being shared with. GDPR’s accountability principle requires organizations to be able to demonstrate their compliance with the principles of data protection imposed by the regulation.

3.      Privacy notices

It is important to review the privacy notices currently in place and put in a plan for making any required changes before GDPR implementation. When personal data is being collected, you currently need to provide specific sets of information such as information pertaining to your identity and how you propose to use that information. This is generally done with a privacy notice.

The GDPR requires you to provide some additional information in your privacy notices. This includes information such as the exact provision in the law that permits asking for that data and retention periods for the data. You are also required to specifically list that people have a right to complain to the ICO if they believe there is a problem with the way their data is being handled. The GDPR requires the information to be provided in the notices in easy to understand, concise and clear language.

4.      Individual rights

You should review your procedures to confirm that they cover all the individual rights set forth in the GDPR. These are the rights provided by the GDPR.

  • To be informed
  • Of access
  • To rectification
  • To erasure
  • To restrict processing
  • To data portability
  • To object
  • To not be subject to automated profiling and other such decision-making

This is an excellent time to review your procedures and ensure that you will be able to handle various types of user requests related to their rights. The right to data portability is new with the GDPR. It applies:

  • To personal data provided by an individual;
  • When processing is based on individual consent or to perform a contract; and
  • Where processing is being done by automated methods.

5.      Requests for Subject access

You would need to plan how to handle requests in a manner compliant with the new rules. Wherever needed, your procedures will need to be updated.

  • In most of the cases, you will not be allowed to charge people for complying with a request
  • Instead of the current period of 40 days, you will have only a month to execute compliance
  • You are permitted to charge for or refuse requests which are apparently excessive or unfounded
  • If a request is refused, you are required to mention the reason to the individual. You are also required to inform them that they have the right to judicial remedy and also to complain to the correct supervising authority. This has to be done, at the very latest, within a month.

6.      Consent

It is important to review how you record, seek and manage consent and if any changes are required. If they don’t meet the GDPR standard, existing consents need to be refreshed. Consent must be specific, freely given, informed, and not ambiguous. A positive opt-in is required and consent cannot be implied by inactivity, pre-ticked boxes or silence. The consent section has to be separated from the rest of the terms and conditions. Simple methods need to be provided for individuals to take back consent. The consent is to be verifiable. It is not required that the existing DPA consent have to be refreshed as you prepare for GDPR.

7.      Aspects related to children

It would be good if you start considering whether systems need to be put in place in order verify the ages of individuals and to get consent from parents or guardians for carrying out any data processing activity. GDPR brings in specific consent requirements for the personal data of children. If your company provides online services to children, you may need a guardian or parent’s consent so as to lawfully process the children’s personal data. As per GDPR, the minimum age at which a child can give her consent to this sort of processing is set to 16. In the UK, this may be lowered to 13.

8.      Aspects related to data breaches

You should ensure that you have the correct procedures necessary to investigate, report, and detect any breaches of personal data. The GDPR imposes a duty on all companies to report specific types of data breaches to the ICO, and in some situations, to individuals. ICO has to be notified of a breach if it is likely to impinge on the freedoms and rights of individuals such as damage to reputation, discrimination, financial loss, and loss of confidentiality. In most cases, you will also have to inform the concerned parties directly. Any failure to report a breach can cause a fine to be imposed apart from a fine for the breach by itself.

9.      Requirements related to privacy by design

The GDPR turns privacy by design into a concrete legal requirement under the umbrella of “data protection by design and by default.” In some situations, it also makes “Privacy Impact Assessments” into a mandatory requirement. The regulation defines Privacy Impact Assessments as “Data Protection Impact Assessments.”’ A DPIA is required whenever data processing has the potential to pose a high level of risk to individuals such as when:

  • New technology is being put in place
  • A profiling action is happening that can significantly affect people
  • Processing is happening on a large set of data

10.  Data protection officers

A specific individual needs to be designated to hold responsibility for data protection compliance. You must designate a data protection officer if:

  • You are a public authority (courts acting in normal capacity exempted)
  • You are an institution that carries out regular monitoring of individuals at scale
  • You are an institution that performs large-scale processing of special categories of data such as health records or criminal convictions

Many of GDPR’s important principles are the same as those defined in DPA; still, there are significant updates that companies will need to do in order to be on the right side of GDPR.

Author: Rahul Sharma




Sharing Large Medical Images and Files – Factors to Consider


According to data collected by the HHS Office for Civil Rights, over 113 million individuals were affected by protected health information breaches in 2015. Ninety-nine percent of these individuals were victims of hacking, while the remaining 1 percent suffered from other forms of breach such as theft, loss, improper disposal, and unauthorized access/disclosure. A quick look at the trend from 2010 shows that health information data breaches are on the rise. An even deeper look at this report shows that network servers and electronic medical records are the leading sources of information breaches, at 107 million and 3 million, respectively.

Sadly, security is not the only issue that medics face when sharing medical records. A 2014 article in the New York Times explains the difficulty medics face when trying to send digital records containing patient information. While the intention is noble—to improve patient care coordination—doctors are facing problems with their existing large file sharing options.

To help doctors share files such as medical images in an easier and safer way, we will explore four factors that should be considered.

HIPAA Compliance

Medical records are sensitive and confidential in nature. This means that handling them should be guided by set industry policies, in this case, Health Insurance Portability and Accountability Act (HIPAA), for example. HIPAA is actually a response to security concerns surrounding the transfer and storage of medical records, in this case, images.

HIPAA places responsibility on medics and healthcare providers in general to secure patient data and keep it confidential. As a result, non-compliance could lead to legal action, which can be costly. Usually, HIPAA makes sure that all Personal Health Information (PHI) is covered, outlining more stringent rules on electronic PHI, mainly because a security breach is more likely to affect a larger number of patients, all at once.

It is a medic’s responsibility to ensure that the selected EFSS solution is HIPAA-compliant if you want to maintain patient trust, keep positive publicity, and avoid steep HIPAA fines imposed after a breach. In fact, the first time you commit an offense, HIPAA will charge approximately $50,000, a figure that escalates accordingly with each subsequent offense.


This is the second level of security you should consider before settling on a large file sharing solution. As much as an EFSS service provider is HIPAA-compliant, you need to ensure that measures outlined in HIPAA are taken.

When you read about patients’ rights as outlined in HIPAA, specifically the ‘Privacy, Security and Electronic Health Records’, you will notice that information security is emphasized. For this reasons, medics should ensure that patient data is encrypted in order to prevent it from being accessed by rogue colleagues or professional hackers.

It is entirely important that all hospital departments—ranging from cardiology, imaging centers and radiology, among others—encrypt medical images and files to further protect patient privacy. Better still, encryption should be both at rest and on transit, and files should only be shared with authorized specialists and physicians as well as the patients themselves.

To further tighten security, these files should be encrypted with non-deterministic encryption keys instead of fixed ones, whose passwords can be hacked. The best thing about this technique is that even when faced with a security breach on the server side, hackers cannot access the encryption keys. Additionally, you can opt for EFSS solutions that offer client-side encryption alone, barring the service provider and its employees from accessing this information.

File Scalability

Compared to other medical records, medical images present a great challenge with regards to file size. It is actually reported that a significant number of sequences and images are an average of 300MB. Additionally, average file size for a standard mammography image and a 3D tomography image are 19MB and 392 MB, respectively. While these file sizes already seem too large, Austin Radiological Association (ARA) predicts that by 2024, annual data from its 3D breast imaging files will reach 3 petabytes. These facts expose the storage challenges that medics face.

A glance at the process of finding medical images for active cases, storing them, and archiving those of inactive cases shows the immense need for medics to find a reliable and convenient large file sharing solution that caters to these storage needs.

A weak server could get overwhelmed with data, progressively becoming inefficient and inept as more files are uploaded into the system. The best way to solve this issue is by using cloud-based services that automatically scale your files according to your needs. This way, you will upload more files in the server, significantly reducing hardware costs by approximately 50 percent, especially when this is done on the cloud as opposed to in-house. In addition to these perks, the cloud will allow you to share these images faster and more conveniently, saving both time and storage.

Technology Increases the Likelihood of Medical Errors

While technology helps solve issues such as security and storage, over-reliance could actually lead to medical errors, incidents that are dreadful to patients and medics as well. As reported by Eric McCann of Healthcare IT News, medical errors cost America a colossal $1 trillion each year, and 400,000 Americans die annually due to these preventable mistakes.

Even though the cloud has been paraded as a solution to reduce incidences of medical error, the need to be watchful and keen can never be overstated. Take, for example, the erroneous click of a mouse and mislabeling of data. A case study on Kenny Lin, MD, a family physician practicing in Washington, D.C., which is detailed in his 2010 piece in the U.S. News & World Report, shows us how easy it is to make a mistake with technology. Dr. Lin nearly made a wrong prescription by accidentally clicking on the wrong choice in his EMR system.

Now, what if you mislabeled a patient’s radiology report? Wouldn’t that start a series of misdiagnosis and treatment? Could you imagine the damage caused? It is for this reason that even when technology makes it easier to share large, sensitive files like medical images, you should counter-check and make sure that the file is labeled correctly and sent to the intended, authorized recipient.

The Way Forward

The sensitivity of medical files is eminent, and with data breaches on the rise, it is vital to ensure the privacy of all medical documents, including large medical images and files. To reduce the possibility of a data breach, any EFSS solution used to share these files should guarantee a reasonable level of file security and HIPAA compliance. In addition to that, its capacity to efficiently handle file sizes and offer easy access to these files should not be ignored. Lastly, as you remain cautious when feeding data into the system, create a safe backup for your data just in case of a data breach. By taking such precautions, medical files can be shared between all necessary parties easier and more safely.

Author: Davis Porter

Image courtesy:, stockdevil

Data ownership in the cloud – How does it affect you?

The future of the cloud seems bright, Cisco predicts that by 2018, 59% of cloud workloads will be created from Software As A Service (SaaS). While these statistics are optimistic, we cannot ignore a few concerns that stifle cloud adoption efforts, such as data ownership.

Most people would be inclined to say that they still own data in the cloud. While they may be right in some sense, this is not always the case. For instance, let us look at Facebook, which many people use as cloud storage to keep their photos. According to the Facebook end-user-agreement, the company stores data for as long as it is necessary, which might not be as long as users want. This sadly means that users lose data ownership. Worse still, the servers are located in different locations, in and out of the United States, subjecting data to different laws.

According to Dan Gray, as discussed in ‘Data Ownership In The Cloud,’ the actual ownership of data in the cloud may be dependent on the nature of the data owned and where it was created. He states that there is data created by a user before uploading to the cloud, and data created on the cloud platform. He continues to say that data created prior to cloud upload may be subject to copyright laws depending on the provider, while that created on the platform could have complicated ownership.

In addition to cloud provider policies, certain Acts of Congress, although created to enhance data security and still uphold the nation’s security, have shown how data ownership issues affect businesses. Two of these, the Stored Communications Act (SCA) and the Patriot Act show the challenges of cloud data ownership and privacy issues, with regards to government access to information stored in the cloud.

The Stored Communications Act (SCA)

Usually, when data resides in a cloud provider’s infrastructure, user owner rights cannot be guaranteed. And even when users are assured that they own their data, it does not necessarily mean that the information stored there is private. For example, the United States law, through the Stored Communications Act (SCA), gives the government the right to seize data stored by an American company even if it is hosted elsewhere. The interpretation of this saw Microsoft and other technology giants take the government to court, claiming that it was illegal to use the SCA to obtain a search warrant to peruse and seize data stored beyond the territorial boundaries of the United States.

Microsoft suffered a blow when a district court judge in New York ruled that the U.S government search powers extend to data stored in foreign servers. Fortunately, these companies got a reprieve mid-2016, when the Second Circuit ruled that a federal court may not issue a criminal warrant to order a U.S cloud provider to produce data held in servers in Ireland.  It is however, important to note that this ruling only focused on whether Congress intended for the SCA to apply to data held beyond U.S.A territory, and did not touch on issues to deal with Irish data privacy law.

The Patriot Act

The Patriot Act was put into place in 2001 as an effort by George Bush government to fight terrorism. This act allowed the Federal Bureau of Investigation (FBI) to search telephone, e-mail, and financial records without a court order, as well as expanded law enforcement agencies access to business records, among other provisions. Although many provisions of this Act were set to sunset 4 years later, the contrary happened. Fast-tracking to 2011, President Barrack Obama signed a 4-year extension of 3 key provisions in the Act, which expanded the discovery mechanisms law enforcement would use to gain third-party access. This progress brought about international uproar especially from the European Union, causing the Obama administration to hold a press conference to quell these concerns.

The situation was aggravated when a Microsoft UK director admitted that the Patriot Act could access EU based data, further disclosing that no cloud service was safe from the ACT, and the company could be forced to hand over data to the U.S government. While these provisions expired on June 1 2015, due to lack of congressional approval to renew, the government found a way to renew them through the USA freedom Act.

The two Acts show us that data owned in the cloud, especially public cloud, is usually owned by the cloud providers. This is why we are seeing the laws asking cloud providers to provide this information, and not cloud users.

What To Do In Light Of These Regulations

Even if the SCA has been ruled illegal as not to be used to get warrants to retrieve data stored in the cloud, and the USA freedom Act is purported by some parties as a better version of the Patriot Act, we cannot ignore the need for cloud users to find a way to avoid such compulsions.

One idea users could have is escaping the grasp of these laws, which is unfortunately impractical. To completely outrun the government, you would have to make sure that neither you nor the cloud service used has operations in the United States. This is a great disadvantage because most globally competitive cloud providers are within the United States jurisdiction. Even when you are lucky and find a suitable cloud provider, it is may still be subject to a Mutual Legal Assistance Treaty (MLAT) request. Simply, put, there is no easy way out.

Instead, understand the risks and let your clients know. For example, if the Patriot Act extension attempts were successful, financial institutions would be obliged to share information with law enforcement agencies on suspicion of terrorist activities. In such a case, a good financial institution would warn its clients of these risks before hand. Alternatively, you can find a way of storing data in-house, forcing the feds to go through you and not the cloud provider.


Truthfully, data ownership in the cloud is a complicated issue.  Determined by both government and company policies, data ownership in the cloud is not always retained.  Gladly, depending on data policies and how they categorize data in the cloud, a user could be granted full ownership. In the event that this doesn’t happen, prepare for instances of third-party access and infringement of complete privacy, hence rethink your business strategy. In short, as a cloud services client, please pay attention to the contract that you sign with your provider and understand the laws under which the provider operates.