April 5, 2023
The Federal Trade Commission (FTC) and Department of the Treasury (DOT) have taken steps to provide guidance and oversight for businesses using cloud services, signaling increased scrutiny from federal regulators on the use of cloud services. These initiatives have significant implications for regulated industries, including the financial services sector, which must navigate a complex landscape of compliance requirements and security concerns as they seek to take advantage of the benefits of the cloud.
The FTC recently issued a request for information (RFI) asking users of cloud services, academics, civil society groups, industry participants, and other stakeholders to comment on business practices of cloud computing providers. In particular, the FTC is “seeking information about the competitive dynamics of cloud computing, the extent to which certain segments of the economy are reliant on cloud service providers (CSPs), and the security risks associated with the industry’s business practices.”
The FTC’s RFI comes after the agency’s recent enforcement actions against Drizly and Chegg, which failed to implement basic security safeguards to protect data stored on third-party cloud computing services. Chegg Inc. stored personal data on its cloud storage databases in plain text and employed outdated and weak encryption, while Drizly failed to implement basic security measures and neglected to monitor security threats, resulting in data breaches. While the RFI is generally applicable to the FTC’s understanding of reliance on CSPs in the broader U.S. economy, the FTC is also interested in the impact of cloud services on specific industries (including regulated industries), such as healthcare, finance, transportation, e-commerce, and defense.
The FTC’s RFI and enforcement actions dovetail with a recent report from the DOT and the Financial and Banking Information Infrastructure Committee (FBIIC) on challenges facing financial institutions when adopting cloud services. Businesses should be aware of these risks when deploying cloud services in a “safe, secure, and responsible” manner:
To address the challenges identified in this report, the DOT plans to establish an interagency Cloud Services Steering Group to coordinate on issues raised in this report, conduct follow-up tabletop exercises involving CSPs and the financial sector, and develop options or approaches with respect to interagency coordination and collaboration, common definitions and terms, sector-wide measurement, incident response, and financial institution risk management practices for cloud services. The DOT will also continue to support the development of international standards, principles, and recommendations, as appropriate, and improve international coordination with key partners. Additionally, the DOT will consider fostering industry consensus and strengthening avenues for communication with the private sector.
The DOT’s efforts are primarily focused on industry trends and the overall impact of cloud services on the financial services sector rather than individual financial institutions. The DOT recognizes that each organization’s cloud strategy is individualized and must take into consideration a variety of inputs including risk tolerance, user base, business objectives, and budgetary constraints. While the DOT report recognizes the risks and challenges of adopting cloud services, it is still up to individual financial institutions to address the risks identified in the report.
The recent enforcement actions taken by the FTC against companies using CSPs, the FTC’s RFI, and the recent report released by the DOT indicate a growing awareness and scrutiny by federal regulators regarding the impact of CSPs on the broader economy, especially regulated industries (including healthcare and financial services).
Nelson Mullins has an experienced team when it comes to advising companies on managing the risks associated with cloud services and negotiating agreements for complex services with CSPs. Our team works closely with key stakeholders to assess risk management frameworks and develop effective cloud adoption strategies that align with their specific business needs and objectives. We also help organizations navigate the complexities of cloud contracts and identify effective security controls and risk management practices. If you are interested in learning more about our practice, please reach out to one of the authors.