Additionally, once the company hands over its data to the service provider, the customer has limited control over who has access to the data. From a security perspective, that is no doubt of great concern. In addition to requiring strong security controls, companies with export-controlled data must implement measures to prohibit foreign nationals from having access to their export-controlled data.
Companies wary of turning over their data to public clouds have been considering private cloud models, in which the cloud service provider constructs a cloud solely for one organization, or hybrid clouds, which enable data and application portability between a private cloud and a public cloud (so more sensitive data can be kept in the private environment).
Any scenario in which a third-party service provider has access to your company’s export-controlled data introduces risk of improper disclosure to that third party for which your company could be liable.
To minimize the risk of improper disclosure of your export-controlled data, following are some key questions to ask the cloud provider:
How is the cloud service set up to comply with U.S. export controls?
Where in the world will your data be stored?
How is sensitive data segregated and controlled?
Would any foreign nationals have access to your data?
Does an auditable trail exist?
It's important for IT departments to have answers to these questions as they evaluate cloud services.
Marsha McIntyre is an attorney at Hughes Hubbard & Reed LLP who focuses on export controls and sanctions. Prior to joining Hughes Hubbard & Reed, McIntyre worked at the U.S. Department of State, Office of the Legal Adviser, providing guidance on international trade issues.