Are U.S. cloud vendor data protection controls secure?

Does using a U.S. cloud vendor put data at risk? One expert weighs in with advice for European companies; however, U.S. companies would do well to take note.

Both U.S. companies and European companies rely on myriad technology vendors to run their businesses. But these user companies in the United States and Europe have very different levels of trust in the data protection controls of vendors. In the United States, companies see the issue largely as a matter of self-regulation by the technology vendors. In Europe, where people remember vividly the abuse by totalitarian regimes, user companies are very careful that their data is not misused by government or corporate interests.

National regulations or practices sometimes demand that HR data be held in the country where employees reside. For example, if a vendor is U.S.-based, a European company may request a data center in Europe if it believes data in the United States doesn't benefit from the same level of protection as in Europe.

The NSA scandal made Europeans even more wary of U.S. vendors' data protection controls and of having their data held by vendors that cannot guarantee full protection. The demise of the so-called Safe Harbor agreement, which was intended to provide a single set of data protection requirements but was neither safe nor a harbor, has not helped to engender trust in U.S. vendors.

Secure data protection controls have important implications for the HR department. An HR system holds a great deal of key confidential data, such as social security numbers or even medical records. Any party that accesses that data will be able to access further information in an employee's personal file. Moreover, companies' business information is at risk of being accessed by competitors; for example, the compensation information housed in the HR system. Would Europe-based Airbus be happy to know that salary and bonus information of its top salespeople could be made available in the United States, home of its only competitor, Boeing? Of course not; that is a risk too high for any company to want to take.

My advice: Have use cases about what your minimum expected protection level should be and test your vendor's system against it. If it fails, discuss the issue with the vendor and maybe select another one. In addition, ask your U.S. vendor to ensure it has a data center in Europe, or, even better, in your own jurisdiction -- for example, the United Kingdom, Germany or the Netherlands. Or make sure it has several data centers. If it currently does not, ask about future plans.

If you are convinced your vendor is doing the right thing and taking your concerns seriously, then you can do business with the company. But, remember, prevention is better than a cure.
