
How Can Cloud Service Providers Breach the Personal Data of Their Users?

Last Updated : 05 Jan, 2023

Prerequisite: Cloud Security

The definition of privacy differs across countries, their jurisdictions, and their people's points of view. Privacy is generally shaped by the legal interpretation of public expectations, so a concise, universally accepted definition might not be possible.

  • Privacy rights relate to users' data and to the storage and destruction of personal data.
  • Privacy also relates to how an organization uses its users' data. If the organization violates the rules of its jurisdiction or uses data inappropriately, it will be subject to legal action in that jurisdiction.

Personal Data

According to the Organisation for Economic Co-operation and Development (OECD), any information relating to an identified or identifiable individual is personal data.

Below are some privacy considerations that should be addressed:

Access

Individuals whose data is stored in the cloud are entitled to know what kind of personal information is held. This is important with regard to marketing activities, because in some administrations market authorities are subject to additional regulations. In the cloud, the organization itself is responsible for giving individuals access to all of their personal information and for explaining how that information will be used. Users who do not want to share that information can ask the cloud service provider to delete their data or not to share it.

Compliance

Who is responsible for maintaining compliance, and which laws, standards, and regulations govern this information? How is existing information impacted by the move to the cloud? Cloud services can cross multiple jurisdictions. For example, the data can be stored in different regions (countries) where the cloud services are used.

Storage

Where does the cloud store all the data (personal information)? Is the data being transferred to another data center in another country? Several countries impose limitations on the ability of organizations to transfer the personal information of their residents. When data is stored in the cloud, a transfer can take place without the knowledge of the authorities and can therefore result in a violation of local laws.

Retention

How long is personally identifiable information retained in the cloud? What retention policy governs the data? Does the organization or the cloud service provider own the data? How are retention policies managed, and who enforces them in the cloud?

Destruction

How does the cloud service provider destroy personally identifiable information at the end of the retention period, and how can anyone be assured that it has been destroyed? How do the customers of the cloud ensure that copies of their personally identifiable information are not kept by the cloud service provider?

Cloud storage providers generally replicate data across multiple systems to ensure the availability of their services. This benefit becomes a challenge when an organization wants to destroy the data. Is personally identifiable information truly deleted from the cloud, or does the service provider just make it inaccessible to the users?

Audit and Monitoring

How are organizations monitoring their cloud service providers and ensuring that their users' personally identifiable information is secured in the cloud?

Privacy Breaches

How will a customer know if a privacy breach has occurred, how will the cloud service provider notify its users of a breach, and who will be responsible for managing the breach notification process? If contracts include liability for privacy breaches caused by the negligence of the cloud service provider, how is the contract enforced, and how is it determined who is responsible for the breach?

Many of these concerns are not specific to personally identifiable information but apply to all types of information and to a broader set of compliance requirements.

