Last week a new set of privacy principles regarding the
handling of personal information came into effect. The changes relate to how
businesses handle, use and store personal information.
While there are significant changes with a number of benefits for individuals,
there have been some misconceptions in the industry with regard to privacy in
the cloud that I’d like to address. Here are the top 5 myths that I’ve seen
about privacy in the cloud.
1. Use of cloud computing is the biggest privacy risk factor
The notion that the use of cloud computing is the biggest privacy risk factor
that Australian
businesses need to worry about is simply untrue. Ponemon Institute’s Survey on
Data Security Breaches revealed that 69 per cent of serious data leaks were due
to employee activities or errors.
So a lack of internal policies and controls, direct marketing activities, poorly trained
staff, stolen laptops and offshore call centres are all bigger risks than cloud
computing.
While Australian companies need to be wary of the new legislation and how it affects their IT
infrastructure, the direct business benefits of cloud far outweigh these
alleged risks.
2. It is unclear which jurisdiction my data is held in
This is a common misunderstanding among businesses. The word “cloud” suggests
to some that your
data is floating around in some unknown location, implying transborder data
risks under the Privacy Act. The reality is your data is still yours, and it’s
still on a server in a data centre. The data centre just happens to be owned by
someone else. Cloud providers are overwhelmingly transparent about where your
data is stored and would never move it across regions without your permission.
If you’re unsure, a simple call to your provider will quickly clarify any
concerns.
3. I can’t control third-party access to my data in the cloud
The suggestion that you can’t control third-party access to your data in the
cloud is another myth.
In most cases, the security services and accreditations that cloud providers
offer are significantly better than internal IT can deliver. With the use of
data encryption and support from your cloud partner, the technology risks are
easily mitigated. And of course, technology and human risks exist whether you
are hosting your data internally or externally.
4. Australian privacy law is tougher than elsewhere
Understandably, there are lots of businesses that are concerned about just how
tough the new
privacy laws are. In particular, they are worried about the cost of compliance
and potential for significant fines (up to $1.7 million).
It’s important to remember that most developed economies have had strong
privacy laws for some time. The EU established one of the more comprehensive
regimes with the 1995 Privacy Directive covering 27 countries, with Spain and
Germany having issued many stiff fines. Many South American countries,
including Peru, Uruguay, Argentina, Costa Rica and Mexico have issued privacy
laws to open trade with the EU. In
Asia, Singapore passed a privacy law last year that protects personal data for
ten years after a person’s death, while South Korea’s privacy law even covers a
person’s image or voice.
5. I don’t need to worry about it
Despite my other comments, complacency remains the most dangerous myth!
Businesses that think
they don’t need to worry about security and privacy in their cloud are dead
wrong. The risks may be similar to hosting data internally, but they still exist.
Larger organizations may struggle to effectively audit their own use of cloud
services, particularly when they have been adopted within departments, rather
than corporate IT. On the other hand, small companies may struggle to
understand the risks or establish privacy statements and policies. That said,
simple steps can ensure that a company’s use of cloud is not a high risk factor
in terms of its overall privacy compliance, when compared to the alternatives
available.