Privacy in the cloud - Addressing the risks of cross-border data flows when choosing your provider
Privacy in the cloud - Addressing the risks of cross-border data flows when choosing your provider
Privacy in the cloud
Addressing the risks of cross-border data flows when choosing your provider

Presented by Dentons Canada LLP's Timothy Banks and Nymity, Inc.'s Lauren Reid on November 6, 2013, this presentation discussed the following:

• Cloud Computing: a Primer
• Special Risks and Issues
• Addressing the Risks - assurance, drafting considerations, and a deep dive on the breach notification provision

Frequently, the service providers at the higher layer of the cloud computing stack (SaaS being the highest) will have more responsibilities for privacy-related controls than those at lower layers. In the lower layer, IaaS providers may have minimal privacy-related control responsibilities (particularly if they only have access to encrypted data), while, at the higher layer, SaaS providers may find that they are responsible for a significant number of privacy-related controls.

Presentation Transcript

  • Privacy assurance in the cloud Addressing the risks of cross-border data flows when choosing your provider Timothy M. Banks, Partner, Dentons Canada LLP Lauren Reid, Director, Compliance Solutions, Nymity, Inc. November 6, 2013
  • Privacy Law & Compliance | Toronto, ON | November 6, 2013 Privacy Assurance in the Cloud Addressing the risks of cross-border data flows when choosing your provider Timothy M. Banks Partner, Dentons Canada LLP timothy.banks@dentons.com 416-863-4424 www.datagovernancelaw.com @TM_Banks Lauren Reid Director, Compliance Solutions, Nymity, Inc. Lauren.Reid@nymity.com 647-260-6230 x259 www.nymity.com @Lauren_Privacy
  • Agenda
    • Cloud Computing: a Primer
    • Special Risks and Issues
    • Addressing the Risks
      • Assurance
      • Drafting Considerations
      • Deep Dive on the Breach Notification Provision
  • Cloud Computing: a Primer
  • What is “Cloud Computing”? Leveraging reliable Internet connectivity to access quickly scalable computing power, platforms and/or software owned and managed by specialist third parties.
    Key Characteristics:
    • over the Internet
    • on-demand
    • pooled IT resources
    • scalable
    • usage-based billing
  • Cloud Terminology
    Service Models
    • SaaS – Software as a Service: outsourcing the software applications so that the entire computing environment is outsourced
    • PaaS – Platform as a Service: outsourcing the platform (operating system, application execution environment and database) on which the organization can run software applications of its choosing
    • IaaS – Infrastructure as a Service: outsourcing computing power and storage capacity
    Hosting Models
    • Public Cloud: applications and data hosted by a third party and available to more than one organization
    • Hybrid: some applications and/or data run on a public cloud environment while other applications or data are internally hosted
    • Private Cloud: typically internal to the organization or solely dedicated to the organization (similar risks to a traditional outsourcing model)
  • Some Touted Benefits
    Security
    • Data not on device
    • Leverage off of expertise
    • In some cases, security is greater in the cloud
    Processes
    • Convenient access
    • Leverage off of other processes
    Costs
    • Decrease hardware and maintenance
    • Decrease support costs
  • Risk = Vulnerability • Threat • Expected Loss
    Vulnerability
    • Network reliability and availability
    • Multi-tenant host
    • Public Internet transmission
    • Endpoint protection (browser contamination)
    • Visibility into safeguards reduced
    • Visibility into location of data reduced
    • Visibility into disaster recovery reduced
    • Integrity of data
    • Portability assurance
    • Breach detection and notification
    • Ownership
    Threat
    • Insolvency
    • Host and host employee behaviour
    • Subcontractors and subcontractor employee behaviour
    • User behaviour
    • Inadequate retention (litigation holds)
    • Inadequate destruction
    • State-sponsored attacks
    • National security surveillance
    • Malicious hacking of host
    • Foreign laws and law enforcement
    • Interception of data
    • Inadequate disaster recovery / destruction
    Expected Loss
    • Data
    • Goodwill
    • Cost of breach
    • Regulatory fines & investigations
  • Special Risks and Issues
  • Public Sector Data Considerations
    • Blocking statutes
      • BC: Freedom of Information and Protection of Privacy Act
      • NS: Personal Information International Disclosure Protection Act
      • Prohibits storage, access or disclosure outside of Canada, with limited exceptions
    • BC OIPC Investigation Report F13-04
      • Investigation into alleged sharing of personal information between Government and Liberal Party (unfounded)
      • But evidence of use of personal email services, such as Gmail & Yahoo, for government business
      • Likely unauthorized storage and disclosure outside of Canada in contravention of BC FIPPA
  • NSA / PRISM / USA Patriot Act
    • USA Patriot Act
      • National security investigation into terrorism or for foreign intelligence activities
      • Simplifies access procedure to electronic communications and business records
      • Can be used against any organization with sufficient ties to the US irrespective of location of data
      • Typically requires a court order, albeit from the secret FISA court
      • However, National Security Letters, while not requiring a court order, can only obtain subscriber information / metadata
  • Canada, eh?
    National Defence Act
    • Private communications
    • Obtaining foreign intelligence, where interception is directed at foreign entities located outside Canada; protecting Canadian government’s computer systems or networks from mischief, unauthorized use or interference
    • Written authorization by the Minister of Defence to the Canadian Communications Security Establishment
    Criminal Code
    • Private communications, which include communications by telephone, internet, or other technology
    • Investigation of a Criminal Code offence
    • Police officer obtains a warrant (except in certain situations where there is an urgent risk of bodily harm)
    Canadian Security Intelligence Act
    • Any information, record, document or thing
    • National security / foreign intelligence
    • CSIS obtains a warrant from a judge
    Proceeds of Crime (Money Laundering) and Terrorist Financing Act
    • Any information or documents
    • Investigating a threat to national security
    • CSIS obtains approval of the Minister of Public Safety and Emergency Preparedness, and obtains a disclosure order from a judge
    Aeronautics Act
    • Specified information, including personal information about passengers
    • Transportation security
    • Airlines must disclose personal information about all passengers to designated authorities
  • Addressing the Risks
  • Addressing the Risks
    Cloud computing privacy risks are both operational and legal, and therefore require a comprehensive approach to addressing them.
    • Operational risks addressed through assurance: independent attestation and self assessment
    • Legal risks addressed through contractual agreements
  • Assurance: Attestation - Overview
    • Service Organization Controls (SOC) Reports
      • SOC-2/SOC-3 are designed to address operational controls
      • SOC-1 (formerly SAS-70) was designed to address controls over financial reporting
    • SOC-2/SOC-3 utilize standard control objectives: Trust Services
      • Security (relatively consistent with ISO 27001)
      • Privacy (AICPA/CPA Canada’s Generally Accepted Privacy Principles (GAPP))
      • Also available: Confidentiality, Processing Integrity, Availability
    • Performed by a qualified professional: CPA or CA, and designed to be an Auditor-to-Auditor communication
    • Require User Entities to implement “User Control Considerations”
  • Assurance: Attestation - Report Format
    Security Principle: The system is protected against unauthorized access (both physical and logical).
    3.0 Procedures: The entity uses procedures to achieve its documented system security objectives in accordance with its defined policies.
  • Assurance: Attestation - User Control Considerations
  • Assurance: Self Assessment – Overview
    • Self assessments are often questionnaire based and standardized, for example:
      • Cloud Security Alliance (CSA) CAI questionnaire
      • Santa Fe Group’s Standard Information Gathering (SIG) Questionnaire
    • May or may not include supporting documentation
    • Some cloud providers publish them on the CSA Security, Trust & Assurance (STAR) Registry
  • Assurance: Self Assessment – Example 1
  • Assurance: Self Assessment – Example 2
  • Assurance: Selecting an Approach
    Attestation (SOC 2)
    • Greater level of assurance provided with independent audit
    • Standard criteria (Trust Services)
    • Audit performed by CA or CPA – opinion provided on the design and effectiveness of controls
    • Audit covers a point or period in time – backward looking
    • May not be available from all service providers due to cost involved
    • Sometimes seen as North American focused
    • User Entity must implement user control considerations
    Self-Assessment
    • Lower level of assurance provided by the cloud provider self reporting on controls
    • Standard format but flexible and can be customized
    • Results interpreted by the organization – may require Subject Matter Expertise
    • Designed to reflect current practices and be updated ongoing
    • Open source templates are available free online (e.g. CSA, SIG)
    • Global
    • User Entity must implement user control considerations
    The right approach may be a hybrid, and many major cloud providers make both options available.
  • Drafting Considerations
  • Scope and Service Levels (Type of Provision / Issues to Consider)
    Scope of Work
    • Understand who is responsible for what aspects of the cloud service
    • Security to the cloud service firewall
    • Local client responsibilities?
      • Firewall
      • Browser & browser security
      • Managing / retiring User IDs
    • Other modifications to system?
    Service Level Agreements (SLAs)
    • Know what you are getting
    • What are the measurement criteria?
    • Who will measure?
    • What are the exceptions?
    • Covenants or targets?
    • Remedies if not met? (Rebates, termination?)
  • Security (Type of Provision / Issues to Consider)
    Physical Security
    • Essential element to establishing accountability and safeguarding of data
    • Physical security requirements
    • Workload location restrictions
    Administrative Security
    • Employee screening
    • Approval of subcontractors
    • Administrative controls relating to access to premises
    • Controls on passwords
    Technical Security
    • Firewalls
    • Anti-virus
    • Encryption in transit
    • Encryption at rest
    • Intrusion testing
    • Data integrity testing (separation of data)
    Source of Standards
    • Payment Card Industry – Data Security Standards
    • ISO 27001 / ISO 27002
    • Gramm-Leach-Bliley (US) / NIST / OSFI Guidance
  • Access and Legal Demands (Type of Provision / Issues to Consider)
    Access Requests Notification
    • Who will be responsible for and who will control response to access requests?
    • Assistance from cloud service provider?
    • Whose cost?
    • Service Level Agreement (assurance?) to meet timelines?
    Legal Demands Notification
    • Report search warrants, orders for assistance and subpoenas unless prohibited?
    • Process for handling these legal requests
    • Whose cost?
    Regulatory Investigations & Litigation
    • Capacity to comply with litigation holds?
    • Assistance in responding to inquiries
    • Ability to establish data integrity for evidentiary purposes
    • At whose cost?
  • Incidents & Audit (Type of Provision / Issues to Consider)
    Data Breach Notification
    • Threshold for notification (actual, suspected, extent of risk)
    • Who will control notification to Privacy Commissioners / other regulators?
    • Who will facilitate individual breach notification?
    • At whose cost?
    • Consider likelihood of multi-tenant breach
    Threat Notification
    • Reporting of threats that do not amount to documented breaches?
    • What level of threat?
    Audit & Assurance
    • Who conducts audit?
    • At whose cost?
    • To what standard?
    Disaster Recovery & Business Continuity
    • Sufficiency of plan
    • Tests?
    • Audits?
  • Ownership, Portability & Destruction (Type of Provision / Issues to Consider)
    Ownership
    • Restrict uses of data
    • Purposes for which service provider may access data
    • If additional services (e.g. analytics) provided, who owns product?
    Termination Assistance
    • Plan for end of contract
    • Assistance in transferring data
    • Useable formats
    • At what and whose cost?
    Secure Destruction
    • What is to be destroyed and when?
    • What will be retained and for how long post-termination?
    • Method of destruction
    • Standard to which data is to be destroyed
    • Audit and assurance?
  • Termination Events (Type of Provision / Issues to Consider)
    Force Majeure
    • Events outside the control of the service provider
    • Consider ensuring narrow in scope
    Insolvency
    • Contingency planning to ensure uninterrupted access to data
    • Consider jurisdictions in which servers are kept
    • Consider subcontractors
    Termination
    • Reasons for permissible termination (data breach may or may not be one of them)
    • Sufficient notice
    • Termination assistance irrespective of cause of termination
  • Representations & Warranties, Indemnities & Limitations (Type of Provision / Issues to Consider)
    Representations
    • Care to avoid over-reliance on “compliance with Applicable Laws”
    Warranties
    • Consider specific standards
    • Insurance
    Indemnities
    • Intellectual property infringement
    • Violations of data privacy laws
    • Violation of standards set by regulators or industry such as Payment Card Industry – Data Security Standards
    • Data breach suits
    • Regulatory investigations
    • Adequate resources
    Limitations
    • Caution regarding consequential losses carve-outs
  • Deep Dive on the Breach Notification Provision
  • Breach Notification Sample #1: For Discussion Purposes – Not a Precedent
    • 10.1 Contractor shall notify Client in writing of any material unauthorized or unlawful access to, use of, or disclosure of Client Data or any other compromise of Client Data (“Breach Incident”).
    • 10.2 Contractor shall investigate and report in writing to Client on the causes of the Breach Incident.
    • 10.3 Contractor shall cooperate with Client and shall indemnify Client with respect to any notifications, if any, that are required to individuals affected by the Breach Incident.
    • 10.4 The provision of any notification to individuals and the content of any such notification shall be at the sole discretion of the Client.
  • Breach Notification Sample #2: For Discussion Purposes – Not a Precedent
    • 10.1 In this section 10, “Security Incident” means any event, circumstance or condition giving rise to, creating a material risk of, or reasonably suspected to involve unauthorized access to, modification of, use of, or disclosure of Data not permitted by this Agreement or Canadian Privacy Laws.
    • 10.2 Contractor shall implement training, policies and processes for the detection and reporting of any Security Incident. Contractor shall upon Client’s request provide written documents containing training material, policies and processes.
    • 10.3 Contractor shall notify Client of a Security Incident forthwith following discovery by Contractor.
    • 10.4 In the case of any Security Incident arising out of or relating to the Services or the Equipment, Software or Works provided by the Contractor, and without limiting Contractor’s obligation in section 10.3, Contractor shall, at its own expense:
      • implement commercially reasonable measures to contain the Security Incident;
      • prepare and deliver a written report to Client, within 48 hours of the discovery of a Security Incident by or reported to Contractor, which report shall contain information regarding the nature of the Security Incident, measures taken to contain the Security Incident, the estimated number of individuals affected, the types of Data believed to be involved, the location of the server and the function believed to be involved, the time period during which the Security Incident occurred, and the date of discovery of the Security Incident;
      • assist Client in preparing reports to and responding to inquiries from any Privacy Commissioner or other regulator;
      • provide such supplementary written information as required by Client for Client to evaluate the risk of harm to affected individuals and the measures taken by Contractor to contain the Security Incident;
      • assist Client in preparing notification to and responding to any affected individual, including gathering information and preparing and delivering individual notices;
  • Breach Notification Sample #2 continued: For Discussion Purposes – Not a Precedent
    • 10.5 In the case of any Security Incident arising out of or relating to the Equipment, Software or Works provided by the Client, Contractor shall, at the rates provided for in Schedule 10.5:
      • use commercially reasonable efforts to assist Client in implementing measures to contain the Security Incident;
      • assist Client in gathering information regarding the nature of the Security Incident, measures taken to contain the Security Incident, the estimated number of individuals affected, the types of Data believed to be involved, the location of the server and the function believed to be involved, the time period during which the Security Incident occurred, and the date of discovery of the Security Incident;
      • assist Client in preparing reports to and responding to inquiries from any Privacy Commissioner or other regulator;
      • provide such supplementary written information as required by Client for Client to evaluate the risk of harm to affected individuals and the measures taken by Contractor to assist Client in containing the Security Incident;
      • assist Client in preparing notification to and responding to any affected individual, including gathering information and preparing and delivering individual notices;
    • 10.6 Without limiting any other remedy provided herein, Contractor shall indemnify and save harmless Client from all costs, damages and liabilities (including legal costs) in connection with any Security Incident arising out of or relating to the Services or the Equipment, Software or Works provided by the Contractor. Without limiting the foregoing, Contractor shall reimburse Client for the costs associated with providing credit monitoring for up to 5 years for any individual affected by such Security Incident if the Data involved includes information that could pose a risk of financial harm to individuals affected by the Security Incident.
    • 10.7 The provision of any notification to individuals and the content of any notification to individuals affected by the Security Incident or any reports to any Privacy Commissioner or regulator shall be at the sole discretion of the Client unless:
      • the Parties agree otherwise;
      • the Contractor is required by applicable Privacy Laws;
      • the Client has neglected or refused to make such report or individual notification and Contractor has received independent legal advice advising that such report or individual notification is required by applicable Privacy Laws.
  • Resources
    • Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR): full version of the Consensus Assessment Initiative (CAI) Questionnaire shown in the example – https://cloudsecurityalliance.org/star/
    • AICPA/CPA Canada Generally Accepted Privacy Principles (GAPP): 10 Privacy Principles, 73 Criteria, and Illustrative Controls – http://www.cica.ca/resources-and-member-benefits/privacy-resources-for-firms-and-organizations/gen-accepted-privacy-principles/item61833.pdf
    • Trust Services Principles and Criteria: Trust Services Criteria, Principles and Illustrative Controls for Security, Availability, Processing Integrity, and Confidentiality – http://www.webtrust.org/principles-and-criteria/item27818.pdf