This article outlines privacy and data security compliance issues facing postsecondary education institutions when they utilize cloud computing and concludes with a practical list of do's and don'ts. Cloud computing does not change an institution's privacy and data security obligations. It does involve reliance on a third party, which requires an institution to implement practical and legal protections to facilitate compliance with such obligations.
"Cloud computing" is a catch-phrase for accessing IT resources such as software, application development, and infrastructure over the Internet. The cloud promises easy, on-demand access to powerful technology at less cost than homegrown IT systems. The former U.S. chief information officer likened it to the running water of the information age (Kundra 2010). But moving to the cloud is essentially outsourcing. And as in any outsourcing arrangement, cloud computing carries a range of business and legal risks (see, e.g., Porter and Larner 2011). This article focuses on just one: privacy and data security compliance.
The bottom line is that moving to the cloud in no way alters an institution's privacy and data security obligations, but it does force an institution to rely on the cloud provider for compliance. Because U.S. privacy and data security law is a patchwork, the first step is to identify the institution's obligations with regard to the information moving to the cloud. Institutions then should attempt - and in some cases will be required by law - to obtain sufficient contractual guarantees that the cloud provider will comply with any such requirements. However, cloud providers may be reluctant to provide such guarantees or may do so only at a price, perhaps undermining some of the cloud's benefits. Particularly in those cases, whether to move to the cloud comes down to a cost-benefit analysis. Developing a process-based approach will help institutions make good decisions.
The first part of this article explains the basics of cloud computing and U.S. privacy and data security law; the second part focuses on cross-cutting cloud computing privacy and data security risks and provides a more in-depth analysis of the Family Educational Rights and Privacy Act (FERPA); the final section provides a list of cloud computing do's and don'ts. The chart at the end of the article summarizes the cloud implications of...