MHC_LG Cloud Computing Legal Considerations. M Cohen
Michael H. Cohen, Michael H. Cohen Law Group, 468 N. Camden Dr., Beverly Hills, CA 90210, (310) 844-3173, www.michaelHcohen.com
Provisors—IT Affinity Group, June 26, 2012
• “If you know your enemies and know yourself, you will not be imperiled in a hundred battles.”
• “If you do not know your enemies but do know yourself, you will win one and lose one.”
• “If you do not know your enemies nor yourself, you will be imperiled in every single battle.”
• Some Key Legal Issues (*sample contract language)
  1. Disclaimer of warranties & limitation of liability
  2. Ownership of data
  3. Privacy & security
• Risk Mitigation
• Warranty: a promise by one party that a particular statement of fact is true and may be relied upon by the other party.
• Disclaimer of Warranties: a section of the agreement in which the vendor disclaims (denies legal responsibility for) any warranty.
• The Large print giveth, the fine print taketh away
• An implied warranty of merchantability is an unwritten and unspoken guarantee to the buyer that goods purchased conform to ordinary standards of care and that they are of the same average grade, quality, and value as similar goods sold under similar circumstances.
• An implied warranty of fitness for a particular purpose is a promise that, if a seller knows or has reason to know that a buyer will use property for a specific purpose, the property is suitable for that purpose.
• Apple shall use reasonable skill and due care in providing the Service, but, TO THE GREATEST EXTENT PERMISSIBLE BY APPLICABLE LAW, APPLE DOES NOT GUARANTEE OR WARRANT THAT ANY CONTENT YOU MAY STORE OR ACCESS THROUGH THE SERVICE WILL NOT BE SUBJECT TO INADVERTENT DAMAGE, CORRUPTION, LOSS, OR REMOVAL IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT, AND APPLE SHALL NOT BE RESPONSIBLE SHOULD SUCH DAMAGE, CORRUPTION, LOSS, OR REMOVAL OCCUR. It is your responsibility to maintain appropriate alternate backup of your information and data.
• Apple reserves the right to modify or terminate the Service (or any part thereof), either temporarily or permanently. Apple may post on our website and/or will send an email to the primary address associated with your Account to provide notice of any material changes to the Service. It is your responsibility to check your iCloud and/or primary email address registered with Apple for any such notices. You agree that Apple shall not be liable to you or any third party for any modification or cessation of the Service. If you have paid to use the Service and we terminate it or materially downgrade its functionality, we will provide you with a pro rata refund of any pre-payment.
• APPLE DOES NOT GUARANTEE, REPRESENT, OR WARRANT THAT YOUR USE OF THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE, AND YOU AGREE THAT FROM TIME TO TIME APPLE MAY REMOVE THE SERVICE FOR INDEFINITE PERIODS OF TIME, OR CANCEL THE SERVICE IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT.
• Vendor form contracts will disclaim all warranties.
• At minimum, negotiate a warranty that the service:
  • Will perform in accordance with its specifications (which should be detailed).
  • Does not infringe third-party IP rights.
• “Special and consequential damages” are not ordinarily recoverable for breach of contract.
• However: “if the special circumstances under which the contract was actually made were communicated by the plaintiffs to the defendants, and thus known to both parties, the damages resulting from the breach of such a contract, which they would reasonably contemplate, would be the amount of injury which would ordinarily follow from a breach of contract under these special circumstances so known and communicated.” (Baron Alderson, Hadley v. Baxendale (1854).)
• Business interruption losses could therefore be recoverable if both parties could foresee those damages when they entered into the contract.
• The vendor’s solution: disclaim consequential damages.
YOU EXPRESSLY UNDERSTAND AND AGREE THAT APPLE AND ITS AFFILIATES, SUBSIDIARIES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, PARTNERS AND LICENSORS SHALL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSSES (EVEN IF APPLE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM: (I) THE USE OR INABILITY TO USE THE SERVICE; (II) ANY CHANGES MADE TO THE SERVICE OR ANY TEMPORARY OR PERMANENT CESSATION OF THE SERVICE OR ANY PART THEREOF; (III) THE UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (IV) THE DELETION OF, CORRUPTION OF, OR FAILURE TO STORE AND/OR SEND OR RECEIVE YOUR TRANSMISSIONS OR DATA ON OR THROUGH THE SERVICE; (V) STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON THE SERVICE; AND (VI) ANY OTHER MATTER RELATING TO THE SERVICE.
• Who owns the data?
• Helpful language: “Vendor acquires no rights or licenses (including without limitation IP rights or licenses) to use the data for its own purposes by virtue of the transaction.”
• “For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”
• “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.”
• Health information:
  1. Any information created or received by a healthcare provider
  2. That relates to the past, present, or future physical or mental health or condition of an individual.
• Individually identifiable health information (IIHI): health information that can be used to identify the individual.
• Protected health information (PHI): IIHI that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium (whether electronic or hardcopy). Includes charts, faxes, emails, and oral communication.
• Electronic protected health information (ePHI): PHI that is transmitted or maintained electronically.
• PHI includes:
  • name
  • address
  • telephone numbers
  • birthday
  • Medicaid ID number and other medical record numbers
  • Social Security numbers
  • name of employer
• Does not include:
  • employment information (such as sick leave medical information, held by an employer rather than as a health care provider)
  • information from which the identity has been removed by removing, coding or otherwise eliminating or concealing all individually identifiable information.
• Privacy Rule: “covered entities” must protect individuals’ PHI in any form (paper, electronic, or oral).
• Security Rule: requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
• HITECH (Health Information Technology for Economic & Clinical Health Act):
  • Makes the Privacy Rule & Security Rule directly applicable to “Business Associates” and their subcontractors.
  • Subjects covered entities, business associates and subcontractors to civil and criminal penalties for violations.
  • Imposes breach notification requirements.
• Examples of Business Associates:
  • A third-party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.
• And their subcontractors (IT consultants, vendors, etc.)
• Security Breach Notice - Civil Code sections 1798.29, 1798.82, and 1798.84. This law requires a business or a State agency that maintains unencrypted computerized data that includes personal information, as defined, to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The type of information that triggers the notice requirement is an individual’s name plus one or more of the following: Social Security number, driver’s license or California Identification Card number, financial account numbers, medical information or health insurance information. The notice must contain specific information, and any agency, person, or business that is required to issue a breach notice to more than 500 California residents must electronically submit a single sample copy to the Attorney General.
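The trigger rule on this slide is the kind of thing an incident responder has to apply to a breach inventory under time pressure. The following is an added example (not part of the original presentation, and not legal advice from the presenter) that encodes only the elements the slide lists: unencrypted data, a California resident, the individual’s name plus at least one of the listed data elements, and the more-than-500-residents threshold for the Attorney General sample copy. The record layout, the field names and the sample inventory are constructed for illustration. It also handles a point the slide does not spell out: when one person’s name and Social Security number leak in separate rows of the same incident, evaluating row by row would miss them, so the code unions exposed fields per subject before applying the rule.

```python
from collections import defaultdict
from dataclasses import dataclass

# Data elements that, combined with the individual's name, trigger notice
# per the slide's summary of Cal. Civ. Code 1798.82 (field names are assumed).
TRIGGER_ELEMENTS = frozenset({
    "ssn", "drivers_license", "ca_id_card",
    "financial_account", "medical_info", "health_insurance_info",
})
AG_SAMPLE_THRESHOLD = 500  # more than this many residents -> sample copy to the AG


@dataclass(frozen=True)
class ExposedRecord:
    """One row of a breach inventory (constructed layout, not a real schema)."""
    subject_id: str      # stable identifier for the affected person
    ca_resident: bool    # California resident?
    encrypted: bool      # was this copy of the data encrypted when acquired?
    fields: frozenset    # names of the data elements exposed in this row


def exposed_fields_by_subject(records):
    """Union of *unencrypted* exposed fields per California resident.

    Encrypted rows and non-residents are dropped here; everything else is
    merged by subject so split rows are judged together.
    """
    exposed = defaultdict(set)
    for r in records:
        if r.ca_resident and not r.encrypted:
            exposed[r.subject_id] |= set(r.fields)
    return exposed


def subject_requires_notice(fields):
    """Name plus at least one trigger element -> notice to that resident."""
    return "name" in fields and bool(fields & TRIGGER_ELEMENTS)


def triage(records):
    """Return who must be notified and whether the AG sample copy is due."""
    exposed = exposed_fields_by_subject(records)
    to_notify = sorted(s for s, f in exposed.items() if subject_requires_notice(f))
    return {
        "residents_to_notify": to_notify,
        "count": len(to_notify),
        "ag_sample_copy_required": len(to_notify) > AG_SAMPLE_THRESHOLD,
    }


# Constructed sample inventory (fictional subjects, no real data).
SAMPLE_RECORDS = [
    ExposedRecord("alice", True, False, frozenset({"name", "ssn"})),    # notify
    ExposedRecord("bob", True, True, frozenset({"name", "ssn"})),       # encrypted: no notice
    ExposedRecord("carol", False, False, frozenset({"name", "ssn"})),   # not a CA resident
    ExposedRecord("dave", True, False, frozenset({"name", "email"})),   # name alone: no notice
    ExposedRecord("erin", True, False, frozenset({"name"})),            # split across rows...
    ExposedRecord("erin", True, False, frozenset({"medical_info"})),    # ...combined: notify
    ExposedRecord("frank", True, False, frozenset({"ssn"})),            # no name: no notice
]


def large_incident(n):
    """Constructed inventory of n distinct residents, each name+SSN unencrypted."""
    return [ExposedRecord(f"res{i}", True, False, frozenset({"name", "ssn"}))
            for i in range(n)]


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
    print(triage(large_incident(501))["ag_sample_copy_required"])
```

Two design points matter in practice: the `encrypted` flag is per copy, not per person, because the statute turns on whether the data that was acquired was unencrypted, and a resident whose record leaked in both encrypted and unencrypted form is still owed notice; and the threshold compares distinct residents, not rows, since one person appearing in many rows still counts once toward the 500.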
• If you store ePHI “in the cloud,” is it:
  • Private?
  • Secure?
• Choose one:
  • No way.
  • I highly doubt it.
  • Even if they promise it’s secure, I have to test that promise with an IT security assessment.
  • Even if they provide some IT and legal documentation, I am nonetheless liable for a data breach, and their promise is unreliable.
  • HIPAA and other standards are useful for risk mitigation in case of a data breach.
• Data/information not involving PHI: privacy and security breaches can still create liability.
  • Example: lawsuit for misappropriation of trade secrets.
• Vendor form contracts usually promise only “reasonable” security for your data.
• Ideally, your contract should:
  • Include a promise to conform to specific standards (e.g., PCI DSS).
  • Provide for audits.
  • Offer back-up documentation (e.g., to “prove” compliance).
  • Require the vendor to give you immediate notice of any security/data breach, before it notifies users.
• Company provides online health education and information, plus a “connection” between users and physicians.
• Legal: Perform a legal risk assessment. Craft a HIPAA compliance plan and HIPAA policies & procedures.
• IT Security: Identify weaknesses and risks to data; propose and implement best security practices.
• Insurance: Provide a risk management plan, including cyber-liability insurance in case of breach.
• Business interruption:
  • Vendor disclaims any warranty or promise.
  • Vendor limits liability for consequential damages.
• Intellectual property risks:
  • Vendor claims to own all your data.
  • Vendor does not warrant its right to the IP it uses, so you could be liable to a third party for misappropriation.
• Privacy and security:
  • You could be liable for data breaches.
  • Vendor does not have to notify you in case of a data breach.
  • Vendor may not be HIPAA compliant (if HIPAA is invoked).
  • Vendor may only offer “reasonable security,” or may require you to have “reasonable security,” but does not indemnify you for liability.
• IT Security: IT security assessment and risk mitigation plan; secure coding practices
• Legal: legal risk assessment; review of contracts; contract drafting
• Insurance: risk assessment; E&O and other insurance; cyber-liability insurance
• “Cyber-crime is a great business … if you’re morally challenged.”
• “To know that you do not know is the best. To pretend to know when you do not know is a disease.”
• “Stopped they must be; on this all depends.”