Legal issues in the Cloud, by Renzo Marchini & Gene Landy

1. Legal issues in the Cloud
   Renzo Marchini, Dechert LLP, London, UK
   Gene K. Landy, Ruberto, Israel & Weiner, PC, Boston, MA, USA
   Portions © 2010 Dechert LLP. Portions © 2010 Ruberto, Israel & Weiner, PC.

2. Attorneys and Authors

3. Cloud Overview
   • What is Cloud Computing?
     – Setting the scene
   • Data Protection and Information Security
     – Who is responsible for data protection compliance?
     – What are the security requirements?
     – Does it matter where the data is?
   • Issues in Cloud Contracts
     – Comparison with other IT models
     – Service changes
     – Service level agreements
     – Liability for data
     – Ownership/use of data
   • Other Cloud Legal Issues

4. Concepts of Cloud Computing
   “Cloud computing is a simple idea with a huge impact. Instead of running your apps yourself, they run on a shared data center that’s managed by the service provider. You just log in, customize, and start using an app.”
   Source: SalesForce.com
   “What [cloud computing] has come to mean now is a synonym for the return of the mainframe, … and the mainframe is a set of computers. You never visit them, you never see them. But they're out there. They're in a cloud somewhere. They're in the sky, and they're always around. That's roughly the metaphor.”
   Source: Google CEO Eric Schmidt

5. Why “Cloud”?

6. Many Business and Consumer Cloud Services
   • Business Services – e.g. Net Suite
   • Media Services – e.g. Bright Cove
   • Online Application Add-Ins – e.g. Google Maps
   • Social Media – e.g. Facebook, Twitter
   • Small Business Services – e.g. Constant Contact
   • Consumer Services – Gmail
   • Development Platforms – Microsoft Azure

7. Cloud Digital Media Issues
   • Search Engine Issues
     – Excerpts and thumbnails
     – Google News Cases / Google Book Litigation and Settlement
   • Notice and Takedown Rules
     – Viacom v. YouTube
   • Cartoon Network v. CSC Holdings, 536 F.3d 121 (2nd Cir. 2008)

8. Entrepreneurship in the Public Cloud
   • “No Server” startups.
   • Scaling up and scaling down in the cloud.
   • Functionality that works best in the cloud.
   • Operational advantages and challenges.
   • The Customers: Consumer. Small business. Enterprise.

9. Some Types of Cloud Services
   • Software as a Service (SaaS) (eg Salesforce.com)
   • Platform as a Service (PaaS) (eg Microsoft Azure)
   • Infrastructure as a Service (IaaS) (eg Amazon EC2)
     – Storage, Servers, Networks, Virtualisation

10. Typical SaaS Business Solution
   • Hosted and Accessed Remotely via Internet or Mobile
   • Specially Built for SaaS
   • Web Technology
   • Multi-Tenanted

11. Typical Cloud Solution - A Complex Environment
   [Architecture diagram, adapted from Microsoft: Browser and Mobile Client; Presentation Services; Data, Security, Media, Directory and Other Services; Process Services; Third Party Services; Business or Consumer Services; Data / File System; Media; Databases]
12. Key Data Protection Issues
   • Who is responsible for data protection compliance?
     – Who is the controller?
   • What are the security requirements?
     – Can that be delegated to the cloud provider?
   • Does it matter where the data is?
     – Cross border issues

13. Controller or Processor?
   • Directive 95/46 on protection of personal data
   • data controller: “person … which alone or jointly with others determines the purposes and means of the processing of personal data”
   • data processor: “person … which processes personal data on behalf of the controller”
   • Controllers have obligations under the Directive; processors (in most member states) have none.
     – of course, controllers take responsibility for processors
     – controllers/processors may well want indemnities

14. SWIFT
   [Diagram: Bank, Bank, SWIFT and US Government; both the Banks and SWIFT are labelled “Data Controller”]

15. SWIFT
   • Irrelevant what contract says
   • SWIFT determined
     – what personal data was processed.
     – functionality eg determining standards as to the form and content of messages.
     – security standard
     – the location of its data centres
   • SWIFT decided to negotiate with the US authorities in relation to the warrants.
   • Article 29 Working Party (February 2010)
     – technical decisions can be delegated
     – but not “the essential elements of the means”
     – ISP providing hosting services is “in principle” a “processor”
16. Who is the Data Controller in the Cloud?
   • Services may be presented almost on a “take it or leave it” basis
   • Purpose behind cloud is to shift data to locations where resources are available
   • According to working party criteria: doesn’t this sound like a controller?
   • Still a risk that a cloud provider (a SaaS) will be found to be a controller.
   • Perhaps less so for an IaaS provider

17. What if the provider is a controller?
   [Diagram: Individuals (eg employee/customer) → Cloud Customer → SaaS Provider (eg Salesforce.com)]
   • The provider has no contractual relationship with the individuals
   • How can it comply with Directive obligations?
     – Of course, it may be outside of the EU, but if not ….
   • Article 7 – legitimisation of processing
   • Article 11 – Information to be provided to the data subject
   • Article 12 – Rights of Access
   • …. and so on.
18. Key Data Protection Issues
   • Who is responsible for data protection compliance?
     – Who is the controller?
   • What are the security requirements?
     – Can that be delegated to the cloud provider?
   • Does it matter where the data is?
     – Cross border issues

19. Article 17 – Security of Processing
   • “.. the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access ….”
   • Data controller must:
     – carry out diligence
     – take reasonable steps to ensure compliance with those measures
     – written contract under which (i) processor acts only upon instructions from controller and (ii) equivalent security obligation accepted by processor

20. Security in practice in the cloud (1)
   • Due Diligence
     – cloud providers inundated by questionnaires
     – being more and more open; increasing use of FAQs
   • Security Policy
     – Physical Security - policy on access restrictions
     – Network Security - firewalling technology and so on
     – Server Security - how servers have been hardened against attack, policies for continuing improvement.
     – Data Segregation policies
       • multi-tenancy implies that there is no physical segregation
       • …… but how is logical segregation achieved?
       • user (client) authentication policies, etc.
     – Encryption - what algorithms and what strength
       • data at rest
       • data in transit

21. Security in practice in the cloud (2)
   • Audit/Certification
     – How can you undertake diligence of audit, when you don’t know where the data is?
     – Will regulators accept certification by accredited third parties as an alternative?
   • ISO 27001 (and series)
     – Security standard
     – Careful with “Conforms with” – this is self-assessment
     – Ensure it is “certified by” a recognised, third party accredited body
   • SAS 70 – Statement on Auditing Standards No. 70 (SAS 70)
     – Accounting standard, not a security standard
     – Need to see actual report (ensure it is a “Type II” report)
     – Need to examine the controls which are in place and have been described and commented on.

22. Key Data Protection Issues
   • Who is responsible for data protection compliance?
     – Who is the controller?
   • What are the security requirements?
     – Can that be delegated to the cloud provider?
   • Does it matter where the data is?
     – Cross border issues
23. Transborder Issues – Transfers out of the EEA
   • Article 25 of Directive 95/46:
     – “The Member States shall provide that the transfer to a third country of personal data … may take place only if … the third country in question ensures an adequate level of protection”
   • Adequate countries
     – Argentina, Canada, Switzerland, and Jersey, Guernsey and the Isle of Man, Faroe Islands
     – Soon Andorra and Israel
   • Fundamental point here is that you need to know where the data is.
24. What to do if Transferee Country not Adequate?
   • US – Safe Harbor
   • Model Contracts
     – Controller to Controller (two sets)
     – Controller to Processor (the new set – makes it easier for outsourcing)
   • BCRs – not applicable – except for “private clouds” perhaps
   • Self-assessment – OK – in the UK

25. Problems of onward transfers
   [Diagram: Customer (in Europe) → SaaS Provider (in a third country) → IaaS Provider (in a third country)]
   • US Safe Harbor: onward transfers allowed to sub-processors under written contract.
   • Model Clauses for controller to controller (set II): allows onward transfers to processors (with no additional formality)
   • Model Clauses for controller to processor (new set): allowed if sub-processor signs own contract! (and many other hoops)

26. US Data Protection Issues – Many Different Laws
   • Federal Trade Commission Cases
   • Children’s Online Data Privacy Protection Act (COPPA)
   • State Data Breach Notification Acts.
   • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
   • The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999
   • Federal Trade Commission “Red Flag Rules” regarding personal financial and payment data.
   • Massachusetts Data Privacy Regulations

27. Comparison – SaaS and Software Licensing
   Software as a Service                                | Software Licence
   -----------------------------------------------------+---------------------------------------
   Provider Infrastructure                              | Customer’s Server
   Remote Access                                        | Physical Delivery (Media or Download)
   Subscription Based                                   | License Fee
   Continuous Update                                    | Release Schedules
   Data with Provider (or Provider’s Hosting Provider)  | Data with Customer

28. Comparison – SaaS and Managed Services
   Software as a Service                    | Managed Service
   -----------------------------------------+-------------------------------------------
   Provider Infrastructure / Remote Access  | Provider Infrastructure / Remote Access
   Data with Provider                       | Data with Provider
   Usage Based Fees                         | Negotiable
   Normally Virtualised                     | Fixed Infrastructure (may be Virtualized)
   Scalable On-Demand                       | Normally not Dynamically Scalable

29. Contracting Issues – Pricing Models
   • Google Maps Commercial Service
     – Per User
     – Per Access
     – Per Transaction
   • Try and Buy
   • Terminable at Will?
   • Configuration and Customization?
   • Acceptance?

30. Service Level Agreements (SLAs)
   • Aspects of SLAs
     – Downtime
     – Response / Fix
     – Remedies

31. Contracting Issues - Liability for Data
   • One breach might affect several or all customers because of multi-tenancy
   • Customer wants (but likely cannot get) indemnity for cost of breach of security including:
     – Investigation and repair of data
     – Notification of data subjects
     – Advertising / public relations
     – Customer ID theft insurance
     – Help desks, etc.
     – Claims from customers or shareholders
   • Is security transparent and auditable?

32. Contracting Issues - Liability for Data, cont’d
   • Provider Normally Accepts no Liability for:
     – Loss of data
     – Breach of security of data
     – Integrity of data
   • US Provider may have SAS 70 Certification (Statement on Auditing Standards No. 70: Service Organizations of the AICPA) or the hosting provider may have this certification.
   • Backup and Recovery
     – Manner and frequency of backing-up? Access to data backups.
     – Data recovery site
     – Fail-over protection?

33. Contracting Issues – Access to Data
   [Diagram: Customer → Software as a Service → Platform as a Service → Infrastructure as a Service; “Data is somewhere”]
   • Data retrieval / migration to new vendor on termination (and “lock in”).
   • Where is the data?
     – Customer contracts with a SaaS provider
     – who in turn contracts with a PaaS provider
     – who in turn contracts with an IaaS provider
   • What happens if the SaaS provider is insolvent?
   • Third party access to data via compulsory legal process.
   • The software escrow conundrum.

34. “Bad” User Data
   • Infringing, libelous, obscene, threatening, stolen, restricted, etc. supplied by customer or users
   • Mass mailings of unsolicited mail – Spam
   • Can provider use self-help without prior notice?

35. Issues in Partnering Between SaaS Vendors
   • User data in multiple places in the cloud
   • Additional security/data breach failure points
   • Technical / business dependencies / more failure modes
   • Integration - Do APIs exist or do they have to be built? At whose cost?
   • Bottom line: need a workable technical and contingency strategy that is documented in the agreement

36. Other Cloud/Legal Issues to Note
   • Taxation / Investment – Expense vs. capital investment
   • Continuous Improvement Model – Shifting definition of the SaaS service, defined by online documentation that is continually updated.
   • Multi-SaaS Vendor Solutions – Who has service responsibility?
   • IP / Infringement Risk – Shift from Customer to Cloud Vendor.
   • Open Source (Copy Left) Problems – Providing cloud services can be a “magic bullet” solution.
   • Trade Secret Protection – Much easier if the vendor never ships the code. Reverse engineering rights don’t apply.
   • Vendor’s Contractual Rights to Use Data. The value of data aggregation.

37. Questions?

38. Want to Know More? Just Contact:
   Renzo Marchini, Dechert LLP, 160 Queen Victoria Street, London EC4V 4QQ, renzo.marchini@dechert.com, 020 7184 7563
   Gene Landy, Ruberto Israel & Weiner, PC, 100 No. Washington Street, Boston MA USA, gkl@riw.com, 617 742 4200
