Security Concerns of the Cloud-Patriot Act Section 215, HIPAA and other issues

I’ve been thinking about choice and freedom frequently during the past few months. For those of you who don’t know me, I like pretty much everybody and don’t have any particular political agenda, nor is this blog a place for such discussion. As my personal mission statement of more than 30 years states, I’m most interested in helping people accomplish their goals more easily by leveraging technology.

The U.S. accounting profession has around 20 (18 by my count) regulations that might have to be followed based on the nature of the data from the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the SEC, the IRS, and more. Some of these laws or regulations require that data stay within U.S. borders, including all backups. Having geographically restricted data usually requires:

1. A premium be paid to the hosting company.
2. Data centers to be in the country of origin.
3. Special encryption or access methods are in place to prevent the use of the data outside the country.

Giving these regulations “teeth” are fines that can easily reach $50,000.00 or more for small businesses. For example, you can expect more requests to sign “business associate agreements” this year since the U.S. Department of Health & Human Services (HHS) has stepped up HIPAA enforcement. The current interpretation of HIPAA data includes patient collection records or reimbursement through accounts payable that might be recorded in accounting software. Most SaaS products aren’t HIPAA compliant, and many hosted versions of desktop accounting products aren’t implemented with a HIPAA-compliant strategy. Likewise, accounting firms that do pension and benefit audits or 401(k) audits are now considered to have HIPAA data. Again, if the HHS agent is a stickler, a business associate agreement can be required.

One of the laws that concerns me regarding client confidential information is the USA PATRIOT Act of 2001, Section 215, which received more notoriety after the National Security Agency (NSA)/Edward Snowden incident of 2013. Of particular note is the Foreign Intelligence Surveillance Court (FISA), which authorizes access to data hosted in public data centers. This access takes place without notification being given to the owner of the data (you or your client), and according to some sources, almost no request is denied. What probably got me thinking about choice and freedom was learning that in the NSA/Snowden incident:

1. More than 4,200 QuickBooks files were requested for a “fishing expedition” for the IRS to look for potential fraud.
2. The number of FISA orders was significant.
3. SaaS vendors had to provide backdoor administrative logins for compliance.
4. Large companies, including Microsoft, Apple, Google, Yahoo, and others with significant amounts of business and personal data, had to comply.
5. Canada has a similar law – the Canadian Anti-terrorism Act, Bill C-36.
6. Reports from the Guardian, New York Times, and others that RSA 4096-bit encryption was broken or backdoors were installed.
7. Part of compliance included a gag order preventing the companies involved from disclosing, to the owner of the data or publicly, that access had been requested and permitted.

It’s clear that data centers can do a better job related to the security of data than small businesses can. For example, the typical data center has:

1. Redundant communication lines.
2. Generators for backup power.
3. Service level agreements (SLAs) for 99.999(9)% availability.
4. Physical security and control.
5. Command centers to watch for attacks, weather, and other threats.
6. Service Organization Control (SOC)/Statement on Standards for Attestation Engagement (SSAE) 16 certifications (often inherited).
7. Probable Business Continuity and Disaster Recovery (BC/DR) preparedness.

Our current rule is that if a data center is used, it should be in your home country. If you’re part of the “English colonies,” you can have your data in another United Kingdom–friendly country. However, all of the 5,000 or so data centers or colocation facilities in the United States fall under the PATRIOT Act Section 215, meaning that data stored in these centers has to be surrendered under a FISA court order without notification, even if there’s no wrongdoing. I might call this “guilty until proven innocent,” and the data is simply being taken for review and subsequent action. The current attitude is more similar to the Second Red Scare of 1947 to 1954 in the United States, where many believe the approach is 100% needed and correct and others believe the protections of Section 215 are completely unneeded. President Obama has requested a modification of Section 215. This isn’t likely to happen, but I believe this, or a complete elimination of Section 215, is needed for cloud-related business activity to continue in a secure manner.

Additionally, the increased threat and level of spam, viruses, distributed denial of service (DDoS) attacks, and professional hacker attacks (see the real-time map here), including foreign espionage and corporate espionage, is appalling. Brian Dye, senior vice-president for information security at Symantec, told the Wall Street Journal that antivirus software “is dead.” To this alarming statement, Dye added, “We don’t think of antivirus as a moneymaker in any way.”

While this makes me think protection software won’t help us much anyway, I did take comfort in the May 24 Economist report of a brilliant, new “multicompiler” protection strategy created by computer scientist Michael Franz from the University of California, Irvine. I think Dr. Franz is really onto something, and he has a prototype working with both Linux and Firefox.

If you have client confidential data or your data contains intellectual property, you should never store data in a free data-sharing service. And if you’re concerned about client privacy under the PATRIOT Act Section 215, you should be cautious about using data center–based services. On the other hand, if you believe all of these attacks, threats, and queries don’t affect you and your clients, then you can proceed much like I did originally – naïve that people would want accounting data from honest businesses and people.

Randy Johnston and his NMGI team provide IT consulting services and recommendations. If you have questions on any hardware, software, procedures, or IT strategies for your firm, contact helpdesk@nmgi.com with your questions or to schedule a time to speak.