Cetrom in Accounting Today: The Wild West of Data Privacy and the Cloud

This article originally appeared at AccountingToday.com here. By Christopher Stark, Cetrom, June 18, 2015

The first time the country was connected coast-to-coast, it was with the wood and steel of railroad tracks into the Wild West that redefined the frontier, and the nation. Today, we use fiber-optic cable to join the frontiers of the information superhighway, which are accessed increasingly via the cloud.

Regulatory standards and laws are necessary to handle any new path of business. For the railroad system, federally mandated laws introduced structure to the industry. In the 21st century, we are once again ill-prepared to handle the altered landscape of technological advancements due to a lack of regulatory laws for data privacy.

The cloud has reshaped the business world, giving businesses and workers the luxury of accessing and integrating the tools and data necessary to complete their workday. We enjoy the uninterrupted ability to innovate, create, access, store, and share information anytime, anywhere. Though the cloud is safe and secure, serious questions persist regarding privacy and responsibility. Information is traveling too fast, across too many “borders” to continue our present regulatory course. The situation is eerily similar to the days of the Wild West with ad hoc laws and speculative regulation.

Each of these advancements brought the country closer together—one by quickly moving goods and services across state borders, while the other moves data across physical and virtual borders instantaneously. The railroad system operated largely free from regulation, with only a patchwork of disparate rules, likely created by individual entities. This caused tremendous confusion and frustration as companies and individuals tried to navigate the evolving landscape.

At present in the United States, individual companies, states and industry organizations have created their own rules and guidelines for implementing cloud environments, but nothing is standardized federally. How businesses choose to approach data privacy varies. Most companies tend to adhere to the laws and regulations of the state in which they are headquartered. The American Bar Association notes, however, that each state has a law related to data privacy and confidentiality that is worded and interpreted differently. This has a complicated impact on the cloud. Cloud service providers routinely spread data across several data centers and fiber-optic lines nationwide. Those centers and lines of transmission route data to its destination, protecting users and their privacy, and companies’ abilities to provide uninterrupted access to data, regardless of their physical location.

In the event an issue occurs, a myriad of legal and regulatory questions arise. Who has control of the data? Where is it stored? Who can get to it? When this happens, we find ourselves facing ambiguity while grasping for answers. Absent of guidelines, companies are frequently lost to the whim of whomever handled the data last, who has the tightest liability shield, or with whom the data originated. All options could be applicable just as easily as none could be.

Some industries have attempted to establish their own regulations for data privacy that add to state law, while others have gravitated toward adopting regulations for their own purposes under the assumption they must be comprehensive. Accountants with SOC 2, healthcare and HIPAA, etc., are all admirable attempts at regulating who has access to data, and each contributes to the confusion, especially when data is handled through a service provider.

The primary hesitation companies experience when it comes to confidentiality is determining who is in control of sensitive data and where the assumptions of protection and liability stand. Some may assume that the data is held on the cloud provider’s server so the cloud computing provider is liable. Cloud providers take proactive measures to ensure private data will not be exposed, but ultimately the data belongs to their client and the cloud provider cannot control who accesses the data from the client side.

Many cloud computing providers offer a master service level agreement (MSLA) that clarifies this relationship, but it is only a piece of the regulatory mosaic. A line must be drawn somewhere. Like the railroad industry before it, the cloud needs federal regulations to tie the law and the country together. The Wild West nature of varied local laws is chaotic for both sides. As a result, CPA firms lack the means to fully compare cloud providers to one another on security, privacy and best practices. The time for us to enact regulations and privacy laws on the information superhighway was years ago, yet we still operate under rules established during the dial-up days. Until federally mandated regulations are in place, there will continue to be a unique set of rules that are specific to particular states and industries. This leaves everyone wondering which regulations apply to them.

Adopting a wait-and-see attitude of which one prevails leaves a mismatch of misfit regulations. The issue is too important to merely hope for the best. There should be—must be—federally mandated regulations. (Read more on the full article PDF : 2015-06-18 Accounting Today)