Privacy in the Clouds: When Can a Business Share Information with a Cloud Provider?

Report home | Read the report (PDF) | Previous section | Next section

 

The United States has several privacy laws applicable to particular types of records or businesses. Some of these laws establish privacy standards that have bearing on a decision by a business to use a cloud provider. Others laws do not. Some laws specifically allow a business to share personal information with another company that provides support services to the business. Specific statutory references to the use of a service provider have no apparent pattern in privacy laws. Some privacy laws have them; some do not.

For example, the Gramm-Leach-Bliley Act[1] restricts financial institutions from disclosing a consumer’s personal financial information to a non-affiliated third party. Disclosure to a service provider is generally not restricted. However, the terms under which information is disclosed and the rights acquired by service providers could make a difference to the legality of the disclosure or subsequent use.

The same conclusion applies to video rental records protected by the Video Privacy Protection Act[2] and to cable television subscriber records protected by the Cable Communications Policy Act.[3] These particular laws may not directly prevent the use of a cloud provider.

Other laws, however, do limit the use of a cloud provider. The next section analyzes the consequences of laws affecting decisions about using cloud computing for business data. Both procedural and substantive barriers to the use of cloud computing exist for some records and some businesses.

HIPAA and Business Associate Agreements

For most health records, procedural requirements apply to the disclosure of health records subject to the federal health privacy rule[4] issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA privacy rule establishes a comprehensive scheme regulating the use and disclosure of individually identifiable health information by covered entities. (Covered entities are principally health care providers and health plans.)

Before a covered entity may transfer protected health information to a service provider, the entity and the provider must enter into a business associate agreement.[5] While a business associate is not directly subject to the HIPAA rule currently, the agreement between the business associate and the covered entity would essentially require the business associate to comply with the same standards that apply to the covered entity.

A hospital subject to HIPAA could not decide to store patient records in a storage facility offered by a cloud provider without a business associate agreement with the cloud provider. In some cases, the substantive requirements of HIPAA will directly conflict with a cloud provider’s terms of service. A service provider cannot use or disclose health records in a way that conflicts with the HIPAA standards.[6] Thus, a HIPAA-covered entity could violate HIPAA by storing patient records at a cloud provider with a terms of service that allow the provider to publish any information stored on its facilities.

Tax Preparation Laws

Customers of tax preparers enjoy some statutory and regulatory privacy protections. These customer protections in turn limit the ability of a tax preparer to use a cloud provider. It is difficult to see how a tax preparer could comply with the IRS rules and still disclose tax return information to a cloud provider. A tax preparer could not use a foreign cloud provider without taxpayer consent, and even then, disclosure of a Social Security Number (SSN) could well be impossible.

For companies that offer tax return preparation services through online facilities with online storage of taxpayer information, Internal Revenue Service rules expressly limit disclosure of tax return information.[7] Disclosure of tax return information by a tax preparer to another person in the same firm as the preparer is permissible.[8] However, disclosure by one tax return preparer to another tax return preparer outside the United States requires taxpayer consent.[9] Disclosure to a contractor of the tax preparer for specified activities is permissible as long as employees of the contractor receive notice of the tax law’s rules for the use and disclosure of tax return information.[10] Disclosure of a taxpayer’s Social Security Number to a return preparer outside the United States is prohibited even with taxpayer consent, subject to an exception not likely to be practical for a cloud provider.[11]

Violence Against Women Act

The statutory scheme regulating domestic violence service providers under the 2005 amendments to the Violence Against Women Act[12] appears to prohibit all disclosures not compelled by statute or a court, except disclosures with the consent of the data subject.[13]  Disclosure to a cloud provider or to any service under any terms or conditions appears prohibited by this strict non-disclosure standard.

Legally Privileged Information

When information is legally privileged, the sharing of that information with a cloud provider might affect the validity of the privilege. The law of privilege is complicated and varies from privilege to privilege (e.g., doctor-patient, lawyer-client, priest-penitent) and from state to state. For some privileges, the communication of privileged information to a third party can undermine or vitiate the privilege. For example, if a reporter stores notes or drafts of a story at a cloud provider’s website, any privilege that the reporter had may be undermined.

Whether the storage of a privileged communication or document with a cloud provider actually affects privilege may depend in part on the terms under which the service is offered. If the cloud provider merely stores data and disclaims the right or ability to look at the stored information, the argument for privilege notwithstanding the disclosure may be stronger.

However, if the cloud provider has the right to read, disclose, or transfer information entrusted to it, the argument for privilege may be hard to make. If the provider has the ability to use the content of documents to make decisions about the user (e.g., which advertisements to serve to the user), the argument for privilege may be even harder to sustain.

For example, if a physician or patient shares a record containing a confidential communication with a cloud provider and the cloud provider uses the information in that record to serve an advertisement to the patient, the viability of the privilege may be fatally undermined.

Professional Secrecy Obligations

A person who has a fiduciary or professional obligation to a client may have limitations on disclosure that extend far beyond the conditions necessary to qualify for privilege. This could include a lawyer, doctor, broker, or other professional. For example, as reflected in the American Bar Association Model Rules of Professional Conduct, part of a lawyer’s duty is to protect information relating to the representation of a client. It applies to “virtually all information coming into a lawyer’s hands concerning a client.”[14]

None of the exceptions to the non-disclosure obligation appears to cover disclosure to a cloud or other service provider.[15] The ABA rule allows disclosures impliedly authorized in order to carry out the representation, but whether a lawyer’s use of a cloud provider would qualify under this standard is debatable. The cloud provider’s terms of service might make a significant difference to the interpretation of the professional obligation. If the provider can use or disclose the lawyer’s record, any sharing may breach the professional obligation.

 

 

 


Endnotes
[1] 15 U.S.C. § 6802.
[2] 18 U.S.C. § 2710.
[3] 47 U.S.C. § 551.
[4] 45 C.F.R. Part 164.
[5] Id. at §§ 164.502(e), 164.504(e). A covered entity that hires a third party to act merely as a conduit for protected health information (e.g., the US Postal Service or a private courier) does not need a business associate agreement. A conduit transports information but does not access it except infrequently as necessary for the performance of the service, or as required by law. In theory, a cloud provider could possibly be a conduit for HIPAA purposes, but much depends on the terms of service. If the cloud provider reserves any rights to review, use, disclose, or post information submitted by a user, the provider will not qualify as a conduit.
[6] Other health privacy laws may also impose limits on information sharing. See, e.g., Confidentiality of Alcohol and Drug Abuse Patient Records Regulation, 42 C.F.R. Part 2. Whether any of these disclosure restrictions would be triggered if the patient information were encrypted is beyond the scope of this analysis.
[7] 26 U.S.C. §§ 6713, 7216; 26 C.F.R. § 301.7216.
[8] 26 C.F.R. § 301.7216-2(c)(2).
[9] 26 C.F.R. § 301.7216-2(c)(3).
[10] 26 C.F.R. § 301.7216-2(d)(2).
[11] 26 C.F.R. §  301.7216-3(b)(4).
[12] Public Law 109-162 as amended by Public Law 109–271.
[13] 42 U.S.C. § 13925(b).
[14] Hazard & Hodes, The Law of Lawyering §9.7  (2003 & Supp. 2004) (3rd edition).
[15] ABA Model Rules of Professional Conduct, Rule 1.6(b)(1)-(6). Disclosure with client consent would be permissible.

 

 

Roadmap: Privacy in the Clouds - Risks to Privacy and Confidentiality from Cloud Computing: Part II – When Can a Business Share Information with a Cloud Provider?