On 18 July, the Hungarian Financial Supervisory Authority-PSZÁF (HFSA) issued a circular for Hungarian financial institutions on the use of cloud computing technologies. It is the first time in Hungary that a regulatory authority has issued such an opinion. The document outlines detailed proposals for financial institutions on data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.
The HFSA expressly reminds the management, IT internal audit, compliance and legal departments of financial institutions that if the company wishes to use cloud computing services, they shall pay particular attention to the following.
- Obtaining cloud services is considered “outsourcing” under the Hungarian sector-specific regulations, which results in the application of certain additional rules; e.g., notification to the HFSA, specific data processing obligations.
- It is important to continuously monitor the changes in the regulations of the EU affecting cloud computing services, practices and best practice recommendations.
- It is also essential to keep an eye on the Hungarian and EU data privacy provisions and practices—in particular to practices and resolutions concerning cross-border data transfers or data transfers to third countries.
- The relationship between the master services agreement to be concluded and the related SLAs shall be harmonised.
According to the HFSA, it is important to classify the data processed by the financial institution before determining which data can be transferred to the cloud at all. The circular states that it is not recommended to process bank secrets, personal data or other sensitive data in the public cloud, and reminds institutions that the physical location where data is stored or processed in the public cloud, in particular outside of the European Economic Area or the Safe Harbor, substantially influences the possibility of compliance with the EU data protection regulations.
Before the conclusion of the relevant contract, the HFSA recommends studying the so-called "Sopot Memorandum" publication of the International Working Group on Data Protection in Telecommunications and the documents of ENISA.
In addition, the HFSA requests financial institutions—on the basis of the minimum security requirements of BSI (German authority of information security)—to consider at least the following risks.
- Some technological means of defence are not yet able to provide the same security level in the virtual environment, on which the cloud computing services are based, as their physical counterparts could; e.g., virtual network protection, complete confidentiality for the data processed in the cloud.
- Digital forensics and incident management may be difficult for clients of a public CSP; e.g., accessibility and integrity of log files, possible deletion of the virtual computer and the log files, failure in archiving by the CSP. According to the HFSA, a snapshot encrypted as a file could be an appropriate proof. This can be stored digitally signed.
- It is not recommended to outsource to a CSP, without adequate controls, a process that the financial institution itself cannot maintain with adequate controls.
- The service provider shall provide the possible sites of data processing. This is important because of the legal environment of the transferee’s country. If it is possible, data transfer outside the EU or the Safe Harbor shall be avoided.
- The transfer and storage of data shall be protected by modern encryption, and remote access to data—typically through the Internet—shall be based on modern identification technology; e.g., two-factor identification with strong cryptography.
- Security logging is expected for location definition, copying, deletion and other kinds of access to data.
- Data deletion shall be executed by safe methods; e.g., by overwriting the location of the deleted data multiple times with random data.
The HFSA reminds financial institutions that the cloud service contract shall remain the key of confidence with customers and the transparent, safe operation of the enterprise; therefore, the formulation of its content is particularly important.
The circular lists the following issues to consider in the pre-contracting phase:
- Options for the financial institution to continuously monitor the master agreement and the SLA(s);
- Uniform use of definitions and terminology in the master agreement and the SLA;
- Using standard form contracts and general terms and conditions is not recommended—in particular those not governed by Hungarian law;
- Defining contract conditions that do not hinder a change of service provider, in order to avoid “lock-in”: the possibility to terminate the contract, and securing free access to the data at all times in a form that enables data portability;
- Ensuring high-availability controls; e.g., geographically separated, incident-tolerant, clustered servers and data storage units hosting the virtual servers, and excellent DRP deployment—realistic disaster recovery plans and authentic tests of them that match the client's business continuity plan, and definition of responsibility for the tests;
- Providing strong incident management processes—immediate and as comprehensive information to the client as possible;
- Flexibility of the CSP in responding to changing capacity needs; e.g., fast resource allocation during periodic overloads or, on the contrary, flexible pricing when needs decrease;
- Regulation, practical application and supervision of change management controls; e.g., the definition of changes affecting the quality of service of which the client shall be informed immediately;
- Independent audits, with regard to the CSP's business and security interests, and which of their contents are available to the client; e.g., vulnerability tests, unauthorized access tests from outside and inside, also among the clients, and safety certificates; e.g., ISO 27001, SAS70v2:ISAE3402, PCI DSS;
- Implementing dispute resolution provisions—applicable law and competent forum—and procedures to follow in the case of requests from authorities—conditions of release of clients' data, and
- Detailed preparation of enforceable safeguards and liability provisions with a view to the Hungarian legal system—clarification of responsibilities, avoiding limitation of liability clauses, liability insurance and/or bank guarantee from the service provider, etc.
The issuance of the circular is a remarkable first step in analysing the legal issues of cloud computing from a Hungarian law point of view and it may also be a stark reminder to financial institutions and maybe other businesses to exercise caution when engaging cloud services. However, the contents of the circular only address general legal questions and risks at this stage. The findings of the HFSA raise further wide-ranging issues and the issuance of the circular is also an important opportunity for the HFSA or the Hungarian Data Protection Supervisory Authority to advise businesses regarding cloud computing in a more detailed and specific manner in the future.
As mentioned above, the HFSA also recommends listing the location(s) of the data processing in the cloud service contract, and that financial institutions should avoid data transfer outside the EU or a Safe Harbor. Whilst data transfer outside the EU is a sensitive issue in cloud computing services, especially in the case of financial data, the HFSA should support other legal measures which are also accepted in the Hungarian practice to ensure the adequate protection of the personal data in third countries, like EU Model Clauses or specific data transfer agreements.
It is also important to note that the circular does not expressly address the allocation of liability between the financial institution and the cloud provider. Under the rather strict rules of Hungarian data privacy law, the data controller shall be liable vis-à-vis third parties for damages that occur due to a breach of the data protection rules by its data processor. The data controller shall be exempted from such liability only if it can prove that the breach is caused by a reason falling outside the scope of the data processing. In 2012, the Hungarian Data Protection Supervisory Authority (NAIH) already imposed notable fines on financial institutions—approx. €6,600 in one case—for the breach of data security obligations. Therefore, it is strongly advisable for financial institutions to regulate the allocation of their liability with the cloud provider in the cloud service contract. For example, an appropriate indemnity clause would mitigate the financial institution’s damages if its statutory liability arises due to the fault of the cloud provider and, as the result of a data breach by the cloud provider, the financial institution is obliged to reimburse the damages of its clients or is fined by the NAIH.
Until further recommendations from the authorities, financial institutions should review their existing or prospective cloud service contracts to assess whether they comply with the circular and make the necessary amendments, if needed. The legal compliance of the technical and contractual details of the implementation may be verified by the HFSA during its onsite audits. In order to constantly monitor the data privacy regulations and recommendations in the EU and in Hungary, as proposed in the circular, it may be useful for financial institutions to prepare and continuously update an internal document on their findings, in order to prove that they did their best to comply with the recommended practice of the HFSA.