Department of Commerce Seeks Comment on Regulation of IaaS Providers
Regulations will mandate more robust customer identity verification procedures and special measures to combat malicious cyber activities.
On September 24, 2021, the Department of Commerce ("Commerce") published an Advance Notice of Proposed Rulemaking ("ANPRM") concerning new regulations relating to U.S. Infrastructure as a Service ("IaaS") providers—companies that offer processing, storage, networks, or other fundamental computing resources, typically using hardware that consumers do not manage or control. The new rules will require IaaS providers to enhance customer identity verification procedures and to implement special measures concerning foreign persons involved in, or located in foreign jurisdictions associated with, malicious cyber activities. The ANPRM is a response to Executive Order 13984 ("EO"), which directs Commerce to implement regulations to combat malicious cyber actors' use of U.S. cloud infrastructure to steal sensitive data and target critical infrastructure.
The EO requires Commerce to set minimum standards for IaaS providers' verification of the identity of foreign account holders. The ANPRM seeks comment on, among other things: (i) factors to consider in determining customer due diligence requirements; (ii) industry practices concerning customer verification, documentation, and information collection; and (iii) data protection implications to consider when imposing new recordkeeping requirements regarding foreign account holders—such as the impact of laws like the GDPR.
In addition, the EO states that Commerce can require U.S. IaaS providers to implement special measures to prohibit or impose conditions on accounts of foreign persons (a) if reasonable grounds exist to conclude that they offer or obtain U.S. IaaS products that are used for malicious cyber activities; or (b) if the foreign persons are located in foreign jurisdictions that harbor "any significant number of foreign persons" engaged in this wrongful conduct. Comments sought by the ANPRM in this regard include: (i) sources of information on which to base the decision to impose special measures; (ii) the duration and potential publication of special measures; and (iii) factors to be considered in making a reasonable grounds finding.
Issued just days after the U.S. Department of Treasury's Office of Foreign Assets Control ransomware guidance, the ANPRM represents the latest example of the federal government's effort to combat cybersecurity threats through new regulations.
