Cloud service providers are on notice: you are HIPAA business associates, even if you are unable to access the HIPAA protected information in your cloud. The Department of Health and Human Services Office for Civil Rights released guidance making clear that cloud service providers that create, receive, maintain, or transmit electronic protected health information are covered by HIPAA.
The FTC wants companies to listen. More precisely, the FTC wants companies to pay attention to, and promptly respond to, reports of security vulnerabilities. That’s a key takeaway from the Commission’s recent settlement with ASUSTek. In its complaint against the Taiwanese router manufacturer, the FTC alleged that ASUS misrepresented its security practices and failed to reasonably secure its router software, citing the company’s alleged failure to address vulnerability reports as one of the Commission’s primary concerns. The settlement reiterates the warnings contained in the FTC’s recent Start with Security Guide and prior settlements with HTC America and Fandango: the FTC expects companies to implement adequate processes for receiving and addressing security vulnerability reports within a reasonable time.
Hogan Lovells today published an update to the White Paper A Sober Look at National Security Access to Data in the Cloud, which compares national security access to data stored with Cloud service providers in a number of countries. The White Paper adds analyses of the laws of Brazil, Italy, and Spain, and reflects the April 2014 opinion of the European Court of Justice invalidating the EU Data Retention Directive. The updated paper now compares the national security access laws of the United States, Australia, Brazil, Canada, France, Germany, Italy, Spain, and the United Kingdom.
Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.
With the focus this summer on nation-states’ collection of electronic data, an important question went unanswered – what rights do individuals have to challenge government access to their data? We set out to answer that question in the fourth installment in Hogan Lovells’ White Paper series examining government access to data held by service providers. In the White Paper, available through this blog post, we compared the ability of citizens and non-citizens to challenge government access to data in the U.S., France, Germany, the UK, and Australia, concluding that of the countries surveyed, the right of redress appears strongest in the United States.
Hogan Lovells today published the next installment in a series of White Papers examining government access to data held by service providers. Today’s publication, An Analysis of Service Provider Transparency Reports on Government Requests for Data, examines the most recent transparency reports published by Google, Microsoft, Skype, Twitter, and LinkedIn concerning law enforcement requests for data in multiple countries, concluding that when the numbers are adjusted for population sizes and the number of Internet users in each respective country, they reveal that the U.S. government requests information from these providers at a rate comparable to — and sometimes lower than — that of several other countries, including many European Union member states.
Recent work done by Hogan Lovells on EU national security access to data shows that the American intelligence-gathering framework imposes at least as much, if not more, due process and oversight on foreign intelligence surveillance than other countries afford in similar circumstances. In a detailed analysis of the misconceptions related to U.S. government intelligence-gathering for the IAPP Privacy Perspectives blog, Chris Wolf outlines “A Sober Look at National Security Access to Data in the Cloud,” a recently published Hogan Lovells white paper comparing U.S. intelligence-gathering under the FISA Amendments Act to the practices of five European countries.
Hogan Lovells has published a White Paper demonstrating that, contrary to recent reports, the limitations applied to U.S. law enforcement access to data stored in the Cloud during national security and foreign intelligence investigations surpass in many cases restrictions applied during similar investigations in other countries. “A Sober Look at National Security Access to Data in the Cloud,” written by Christopher Wolf and Winston Maxwell, lawyers in Hogan Lovells’ Privacy and Information Management Practice based out of the Washington D.C. and Paris offices, was released today at a panel of the authors presented by the OpenForum Academy in Brussels. The authors also will discuss the paper tomorrow in Paris at a roundtable discussion comparing U.S. and French government access to data in the cloud presented by the American Chamber of Commerce in France.
CSO Magazine has published an article authored by Hogan Lovells privacy lawyers Winston Maxwell and Christopher Wolf entitled “Dangerous Assumptions About Clouds,” which debunks common assumptions about ‘local clouds’, the Patriot Act, and (many) governments’ access to data.
On the 1st July, the Article 29 Data Protection Working Party adopted an opinion on cloud computing. The Working Party Opinion analyses the “hot topics” on data protection arising from cloud computing services. It also provides guidelines for providers of cloud computing services and their clients. The Opinion is summarized (and linked to) in this blog entry drafted by Hogan Lovells privacy lawyers in London and Madrid.
Hogan Lovells has published a White Paper with the results of a study about governmental access to data in the cloud around the world. The White Paper debunks the frequently expressed assumption that the United States is alone in permitting governmental access to data for law enforcement or national security reasons. The White Paper concludes that businesses are misleading themselves and their customers if they believe that restricting Cloud service providers to one jurisdiction better insulates data from governmental access. It is incorrect to assume that the United States government’s access to data in the Cloud is greater than that of other advanced economies. The White Paper examines the laws of ten countries, including the United States, with respect to governmental authorities’ ability to access data stored in or transmitted through the Cloud, and documents the similarities and differences among the various legal regimes. The paper was written by Christopher Wolf, co-director of Hogan Lovells’ Privacy and Information Management practice, and Paris Office partner Winston Maxwell. It was released today at a program presented by the OpenForum Academy in Brussels at which both Wolf and Maxwell spoke. This blog post links to a copy of the White Paper and summarizes its findings.
Hogan Lovells Privacy and Information Management practice leader Chris Wolf recently moderated a panel on cloud computing in Washington, DC featuring government and industry leaders. This blog entry points to a report containing a full-length video of the session.
The German data protection authorities on September 26, 2011 adopted an “Orientation guide – cloud computing.” The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services and cloud computing service providers. It highlights the customer’s responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.
An announcement came this week from EC Digital Agenda VP Neelie Kroes of an EU Cloud Strategy (described in this blog entry), for which the former US CIO Vivek Kundra will be an advisor, and it once again raises questions about the application of the EU Directive in the cloud. This is an issue that will be explored through a Moot Court problem at IAPP’s Navigate in Dallas on September 14, also described and shared in this entry.