In my previous post I wrote about Los Angeles’ decision to consider Google Apps for email and other applications. Although it gets attention for cost savings, there are some real concerns with email in the cloud, especially in government organizations that are required to comply with security and privacy policies and regulations.

The World Privacy Forum’s letter to the Mayor of LA went into some detail about why they don’t think it’s a good idea. Let’s take a look at some of the major points in WPF’s letter. The first four points address medical and health-related information, domestic violence and sexual assault information, substance abuse information, and sensitive information in general. The Google/LA deal doesn’t address any of these areas, or any of the regulations such as HIPAA, Violence Against Women Act, or 42 CFR Part 2 (a California law that regulates confidentiality of substance abuse program clients). The legalities related to compliance with these sorts of statutes when using cloud computing for sending and storing data are still fuzzy, and could leave the city government open to liability.

The letter also addresses “classified data.” There may be conflicts with federal laws regarding classified data, if such data is held by the city for any purpose and is then stored in the cloud–and so federal law needs to be taken into account as well.

The letter also notes that different types of data may have different security requirements; for example, health information, defense information, and tax information, all have their own security rules. The security offered by the cloud provider may have to accommodate multiple rules with different requirements.

Another point says that Google is allowed to store the data wherever it maintains facilities, even in a foreign country–and if so, that data may become subject to the laws of a foreign country. And another curious point is that of ownership of data. Although the contract provides for giving the city a copy of the data if the contract is terminated, it doesn’t require the cloud provider to eliminate the data from its servers–any cloud contract should include such a clause.