After Year of Cyber Breaches, International Standard Emerges (Perspective)

Photographer: Daniel Acker/Bloomberg

Editor’s Note: The author of this post works in-house for Microsoft and is based in Chicago. 

By Dennis Garcia, Assistant General Counsel, Microsoft Corporation

As we look back on 2016, it was another “year of the data breach.”

From the “Panama Papers” leaks involving the Mossack Fonseca law firm to cyber attacks upon the Democratic National Committee to the revelation by Yahoo that hackers previously stole data from more than one billion customer accounts, lawyers and their business clients were once again reminded of the negative consequences and loss of trust that result from data breaches.

As cybercriminals become smarter and bolder and the European Union’s General Data Protection Regulation (and its hefty fines for non-compliance) goes into effect in 2018, one of the most important 2017 New Year’s resolutions that law firms and companies can make is a commitment to embrace stronger cybersecurity.

Increasingly, organizations are realizing that the traditional way of protecting their data “on-premises” is probably not as safe and reliable as entrusting their data to a cloud computing provider that has a secure, robust and compliant data center infrastructure. However, since there are so many cloud providers to choose from nowadays, selecting a trustworthy cloud provider can be a challenging and time-consuming process.

Fortunately, a few months ago the International Organization of Standardization (ISO) and the International Electrotechnical Commission (IEC) issued Cloud Computing Service Level Agreement Framework, also known as ISO/IEC 19086-1 – the first of a new four-part international standard that establishes a methodology and terminology for cloud service level agreements. The ISO is an independent non-governmental organization and the world’s largest developer of voluntary international standards and the IEC is the world’s leading organization for the preparation and publication of international standards for electronic, electrical, and related technologies.

ISO/IEC 19086-1 provides a common set of cloud provider-neutral considerations for evaluating and contracting with cloud providers that lawyers and their business clients can use to help their organizations make thoughtful decisions regarding cloud adoption. While the ISO/IEC 19086-1 standard is 37 pages in length, here’s an overview of these considerations in bulleted format, that are grouped within these key areas:

Performance

  • Accessibility: List accessibility standards, policies and regulations met by the service.
  • Availability: The percentage of time the service is available and usable.
  • Capability: The number of simultaneous connections, maximum capacity of resources, the number of inputs processed over a time period and the amount of data transferred over a time period.
  • Elasticity: How fast and precise the service can adjust to the amount of allocated resources.

Service

  • Service monitoring: The parameters and mechanisms to monitor the service.
  • Response time: The maximum, average, and variance in response time.
  • Service resilience/fault tolerance: The methods used to facilitate resilience and fault tolerance.
  • Disaster recovery: The maximum time required to restart a service outage, the maximum time prior to a failure during which changes may be lost and the recovery procedures to restore service and data.
  • Processes for backup and restoration of data.
  • Cloud service support: The available support plans and scope, specific contacts and methods for service support and incident support scope.

Data Management

  • Cloud service provider and customer data: Define cloud service provider data, customer data and usage terms.
  • Intellectual property rights: Describe any intellectual property rights the cloud service provider claims on customer data and vice versa.
  • Data portability: Data portability capabilities including methods, formats and protocols.
  • Data deletion: Define minimum and maximum times to completely delete customer data. Describe the data deletion process and notification policy.
  • Data location: List the geographic locations that data may be processed and stored, and if the customer can specify location requests.
  • Data examination: Describe how the cloud service provider examines customer data.

Governance

  • The roles and responsibilities for the parties.
  • Personally identifiable information (PII) and information security: The PII protection and information security standards met by the cloud service provider.
  • Service termination: The process of notification of service termination, including the length of time that data and logs are retained after termination, the process of notification and the return of assets.
  • Law enforcement access: The policy for responding to law enforcement requests of customer data.
  • Attestation, certification and audits: List/define the standards, policies, regulations, and applicable certifications attested to by the cloud service provider.

Be sure to leverage the ISO/IEC 19086-1 standard as a tool to help you and your business clients engage in meaningful cloud provider due diligence and become more cybersecure in 2017 and beyond.