One insurance company executive says compliance with the standard is a positive factor in cloud contracts. "If a provider is certified under this standard, we'd prefer to see that, and terms and conditions would reflect that," says Eric Cernak, cyber practice leader for Munich Re U.S. Operations. Because of the newness of the standard, however, relief from high rates won't be immediate, he adds. "We would need to have some experience to see if that warrants a lower premium."
Contractual and legal protection. Although it's too early for the establishment of legal precedents, complying with the ISO 27018 standard should put cloud providers and their customers in a favorable position when it comes to meeting a contract's information privacy conditions.
ISO 27018 covers a wide variety of subjects and provides standards that hold up against audits, customer inquiries and government reviews, notes Zick. Adherence enables a cloud service provider (CSP) to show that its privacy policies and practices are reasonable and in conformance with prevailing standards.
"This provides safe harbor from a legal standpoint in case of a breach," says Zick.
The concept of safe harbor means that a cloud provider may not be judged to be negligent or reckless with PII because it has taken the trouble to gain certification. A cloud customer gains a similar benefit. "If you have that standard to fall back on, you can say it's the bad guy's fault and don't blame me," Zick adds. And compliance should pay dividends globally. "Regulators like it because they see it as assurance of compliance with their own country's data protection rules," notes Zick.
With all these benefits, what's holding cloud providers back? There appear to be two major factors: the cost and time commitment to obtain certification and the lack of user outcry demanding compliance.
"We have not had any customer demanding it," says Frank Balonis, senior director of technical services at Accellion, a CSP focusing on file sharing, particularly for mobile users.
Both Microsoft and Dropbox are large cloud providers with deep pockets and much to gain in competitive differentiation from compliance. Smaller CSPs are in a different boat. "Most likely it will be a burden for smaller cloud providers," says Cernak. But over time, he says, they may have no choice. "Will this be part of the price of admission to be a cloud provider?"
Balonis says Accellion expects to gain a competitive edge when it completes its ISO 27018 audit by early 2016. "It gives an additional layer of assurance to hospitals and legal firms – those customers who put a premium on PII," he says.
Although compliance will always require effort and expense, once the certificate is granted, annual certification should be much easier and less costly, experts agree. Most also agree that without customer demand for compliance, many cloud providers will hold back.