Legal Framework for Cloud Computing Cebit May 31 2011 Sydney


  • Of all the trends currently shaping the ICT sector, cloud computing has the greatest potential to change the way we live, work and interact. Before, only the largest corporations or government agencies could afford high-performance infrastructure or sophisticated applications. Now we can exploit a wide range of online functionality; academics and researchers can access the platforms they need to perform highly complex computations; and companies of all sizes can utilise systems and platforms in a cost-effective manner.
  • Our laws today are essentially geographical and tied to national interests and boundaries.
  • Risk assessment should cover the specific arrangements underlying the services offered, the service provider, the location from which the services are to be provided, and the criticality and sensitivity of the IT assets involved. Example: the Commonwealth of Australia Government Contract for IT Services expressly prohibits suppliers from transmitting or storing customer data outside Australia.
  • Preserving evidence of your organisational activities: when you create a record you are documenting your organisation, whether it is a map, written report, email, film or sound recording. The format of the record you create doesn't matter; what is important is that evidence of your activities is recorded in a way that supports your organisational needs. Records in your records management systems should: be provable as genuine; be accurate and trustworthy; be complete and unaltered; be secure from unauthorised access, alteration and deletion; be findable when needed; and be related to other relevant records.
  • Consider warm and/or cold sites: a secondary data backup site.
  • Data is never anywhere, but always somewhere.
  • Complexity arises where "data is in motion", as it winds its way across the internet transitioning through a number of servers located in different countries. Which countries' laws apply? A conflict of laws may occur.
  • Microsoft will buy internet phone service Skype for the grand total of US$8.5 billion. Buying Skype gives Microsoft access to a user base of people who log in to Skype every month, using the Internet and Skype usernames as a complement to the traditional phone network and its phone numbers. Shares of social network LinkedIn more than doubled in price after launching on the New York Stock Exchange in a tech-stock feeding frenzy reminiscent of the infamous dot-com boom. Shares of the online professional social networking company closed at US$94.25, 109 per cent above their US$45 initial public offering price. They rose as high as US$121.97 in their first day of trading. LinkedIn brings together people online to cultivate and manage their careers and business networks. It has more than 100 million members in over 200 countries and territories, with 44 million in the United States. (SMH, May 20, 2011)
  • Given that the internet is not bound by geographical boundaries, the issue of offshore transfers of personal information has special relevance to cloud computing. The EU Data Protection Directive generally restricts the transfer of personal data to a country outside the European Union (EU) unless certain requirements are met: the other country ensures an 'adequate' level of data protection; the parties have an appropriate contractual relationship; or the individual has given consent. The Australian Privacy Act does not meet the EU "adequate level of protection" standard, primarily because of the small business, employee records and direct marketing exceptions. The European Union's Data Protection Directive offers an example of the importance of location on legal rights and obligations.
  • Draft revised privacy legislation: the Australian Government's draft legislative changes, reflecting its response to the ALRC's privacy inquiry, are currently being considered by the Senate Finance and Public Administration Committee with a final reporting date of 1 July 2011. The draft legislation is to be released and subject to the Committee's scrutiny in four stages: the Australian Privacy Principles provisions (released June 2010); credit reporting provisions; health and research provisions; and provisions relating to the powers of the Australian Information Commissioner.
  • Cover report "Protecting the Brand …", "IP's new role in the knowledge economy", Asia Today International, April/May 2011

    1. Anthony Wong MACS CP, President, Australian Computer Society; Chief Executive, AGW Consulting
    2. Cloud Computing
       • Potential to transform the way we live, work and interact
       • Shapes the ICT sector and the way enterprises provide and use IT services
       • Helps to level the playing field by minimising up-front investment in technology
       • Changes business agility through "pay-as-you-use" for access to bandwidth and technology functionality
    3. Examples of Cloud Computing (Source: NBN Co)
    4. Reasons for adopting cloud computing
       • Outsource services to cloud suppliers
       • Ability to scale up and down when required
       • Reduction of internal technical support constraints
       • Outsource technical management
       • Provide more options and flexibility
       • Deployment and adoption of new technologies
       • Access to special expertise
       • Desire to reduce costs
    5. Legal framework of Cloud Computing
       • Cloud computing, as a new sourcing and delivery model, shares many common legal issues with existing delivery models but poses new legal challenges:
         - Legal compliance issues
         - Service levels and performance
         - Cross-border issues
         - Data protection, rights and usage
         - Privacy and security
         - Termination and transition
    6. Legal compliance issues
       • There is no 'Law of Cyberspace' for the Internet; however, in Australia there are a number of specific laws that apply:
         - Electronic Transactions Acts
         - Archives Act, FOI Act
         - Copyright Amendment (Digital Agenda) Act 2000 (Cth): intellectual property
         - Privacy Act 1988 & Privacy Amendment (Private Sector) Act 2000 (Cth)
         - Cybercrime Act 2001 (Cth)
         - Spam Act 2003
         - Telecommunications (Interception) Act 1979 (Cth)
    7. Legal compliance issues
       • Legal requirements for organisations to consider:
         - Have you reviewed your corporate governance and industry regulation requirements?
         - Are you able to comply with mandatory disclosures and financial reporting?
         - Are there special standards and compliance for your industry?
         - Can you comply with data retention requirements and eDiscovery requests during litigation?
         - The burden is on you to understand your compliance obligations
    8. Legal compliance issues
       • Example of a regulated industry:
         - Financial services companies must first notify the Australian Prudential Regulation Authority (APRA) of offshore data transfers
         - Financial services companies must demonstrate appropriate risk management and governance procedures where there is potential to compromise:
           · a financial institution's ability to continue operations and meet core obligations following a loss of cloud computing services
           · confidentiality and integrity of sensitive (e.g. customer) data/information
           · compliance with legislative and prudential requirements
    9. Legal compliance issues
       • Data and records preservation & retention
         - Ensure the supplier's data retention and destruction policies comply with your requirements
         - Your requirements depend upon the nature of the activities and the regulatory environment in which your organisation operates, and on the kinds of documents your organisation has
         - No two organisations' record retention requirements will be the same
         - It has been asserted that over 450 separate Acts of Parliament in Australia contain provisions dealing with retention of records
         - Courts are not likely to be understanding because your data is in the Cloud
    10. Legal compliance issues
       • What is the process in response to a legal request/search for information?
         - FBI agents seized a multi-tenant server from a data centre to gather evidence in an ongoing investigation
         - Unintended consequence: disrupting the continuity of other businesses whose data and information are hosted on the same server
         - "Since the FBI seized its computer equipment earlier today, Liquid Motors has been unable to operate its business." (Networkworld, April 22, 2009: Search and seizure at Data Centre)
    11. Service levels and performance
       • Some considerations for SLAs:
         - Cloud computing is dependent on the Internet; any disruption will interrupt services
         - Validate cloud services against your objectives and understand how the services are provided
         - Many traditional software licensing and outsourcing contractual considerations come into play
         - Cloud models often rely on multiple third-party providers or subcontractors
         - How important are the locations of servers? Can the provider change server locations without any notice?
    12. Service levels and performance
       • Factors to consider as a customer:
         - Review the agreement (including standard form) and the provider's terms of service
         - Consider the range of services provided/required against service levels critical to your business
         - Be prepared to drive SLAs up (or down) to meet your needs
         - Ask for performance guarantees (if critical)
         - Include the right to audit the provider's operational and financial viability
         - Check the responsibilities of any sub-providers
         - Ensure that your provider remains legally responsible for its obligations, notwithstanding sub-providers
    13. Service levels and performance
       • Most standard agreements trigger a 'force majeure' clause that relieves the affected party of its obligations when disaster occurs:
         - Is that acceptable for your requirements?
         - Who is responsible for continuity of service when there are multiple players and integrated transactional systems based in different geographical regions?
         - How long can you function without the contracted cloud services?
       • Develop a detailed Business Continuity Plan:
         - (a) Consider the events most likely to occur in your business
         - (b) Know which disasters your supplier can cope with
         - Depending on (b), you might consider a 'Plan B'
    14. Cross-border issues
       • In a dispute or conflict situation, which country's court system will settle the dispute?
         - Location of servers could trigger local laws even without the presence of the cloud provider or customer in that locality
         - Local laws may override contractual agreements between cloud providers and customers
         - Location of servers may not be apparent from the provider's terms of service
         - Consider the situation where data may be stored in multiple locations (countries) at the same time
         - When do conflicts of laws occur?
    15. Cross-border issues
       • Data stored in the U.S. is subject to U.S. law, for example:
         - US Patriot Act: the US government's authority extends to compelling disclosure of records held by cloud providers
         - The Mutual Assistance Treaty between the US and Australia allows the respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances
    16. Cross-border issues
       • Jurisdiction is dependent on the sovereignty of a government
         - The concept of jurisdiction evolved in relation to geographical boundaries or territories
         - Premise that each state or country has absolute power to control persons and things located within its boundaries or territories
       • The Internet challenges these territorially based principles
       • The law in regard to jurisdiction in cyberspace is unsettled
    17. Cross Border Jurisdiction Issues (customer and user; server breached & compromised)
       • Consider a case scenario:
         - Identifying the location of the offence/breach
         - Identifying the location where the harm resulted (e.g. victim's location or computer's location)
         - Deciding which sovereign nation and court should have jurisdiction over the dispute
    18. Cross-border issues
       • In order for a court to adjudicate a case, the court must have authority over:
         - the subject matter in dispute (subject matter jurisdiction); and
         - the parties before the court (personal jurisdiction)
    19. Data protection, rights and usage
       • It is critical for organisations to understand how their data will be stored, used, managed and protected:
         - Consider issues of ownership of information and intellectual property created using cloud technology
         - Specify and define your "data" (including metadata) and your ownership rights
         - Consider what happens when your supplier "goes belly up"
         - Otherwise, you may find yourself paying your supplier for the return of data and materials which "you thought you owned"
    20. Data protection, rights and usage
       • Monetisation of data assets: is this the new currency of the future?
       • Customer participation and information/data are valuable assets, for example:
         - Recent sale of Skype (400+ million users) for $8.5 billion
         - Doubling of LinkedIn's (100+ million members) share price
         - Successful business models including Facebook and other social media companies
    21. Privacy and security
       • Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud
       • Management must maintain assurance that the security of the cloud service provider is adequate for their purpose:
         - Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure"
    22. Privacy and security
       • Regulatory landscape in Australia:
         - Legislation, e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth)
         - Equitable and common law duties regarding confidential information
         - State privacy legislation (State laws) and health privacy laws
         - Security and information management standards and practices
         - Other codes of conduct, industry standards and guidelines
    23. Privacy and security
       • Not all types of cloud services raise the same privacy and confidentiality risks:
         - Review your supplier's security policies and procedures; do they meet your requirements? Evaluate the risks
         - Risks vary with the terms of service and privacy policy established by your provider
         - Can your cloud provider change the terms and policies at will?
         - Do you have to comply with privacy legislation restricting processing and transfer of data offshore?
         - Should your agreement restrict services and data storage to agreed locations?
         - What are the rights of the supplier to operate in other locations?
         - Define the scope of your confidential information, which will vary depending on the nature of your business
    24. Trans-Border Data Privacy
       • Different levels of data privacy laws worldwide challenge trans-border data flows across countries
       • Lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive
       • Privacy Act 1988 National Privacy Principle (NPP) 9 (Transborder Data Flows) regulates transfers of personal information by an organisation to an offshore location by permitting such transfers if:
         - the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles
         - the individual consents to the transfer
         - the transfer is necessary for the performance of the contract between the individual and the organisation, or for the benefit of the individual
    25. Privacy and security
       • Things to consider:
         - Whose privacy policy will apply at different stages of the data transfer?
         - What security mechanisms are in place to manage data transfers between parties?
         - What are the consequences of security and privacy breaches?
         - How will you know if there is a breach?
         - Is your cloud service provider required to provide assistance in the investigation of security breaches?
         - Is there an audit trail for data?
    26. Privacy and security
       • Privacy reform
         - The Privacy Act 1988 is being modernised to strengthen Australia's privacy protection
         - 2008: ALRC report released, For Your Information: Australian Privacy Law and Practice
         - 2009: Government released its position on 197 of the ALRC's recommendations, including:
           · develop a single set of National Privacy Principles
           · strengthen and clarify the Privacy Commissioner's powers and functions
         - 2010: exposure draft of the new Privacy Act released by the Government
    27. Termination and transition
       • What assistance services do you need to change over to a new provider?
         - Consider the payment required for transition services
       • The current architecture of cloud systems and lack of standards may hamper cloud interoperability and transition services
         - Make compatibility and interoperability an issue
       • Seek clarity on limitations of liability in contracts
         - Including exclusions of indirect, special and consequential loss, and direct losses
         - And disclaimers and warranties
    28. Conclusion
       • There is no one-size-fits-all for cloud computing; laws are unsettled
       • Not all cloud services are created equal and not all cloud services should be subject to the same terms
       • Few legal precedents regarding liability in the cloud
       • Undertake due diligence: you need to fully understand the risks associated with cloud computing and adopt a risk-mitigation approach to cloud adoption
       • Service agreements need to specify those areas the cloud provider is responsible for
       • Read the fine print of the cloud computing agreement carefully
       • Specify locations for data storage and processing; know the governing law of the cloud computing agreement
    29. Conclusion
       • Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and sophistication are likely to grow
       • You need to clarify with your cloud service provider matters pertaining to ownership of data stored at your provider's facilities and responsibilities in relation to security and service availability
       • The cloud computing industry needs to adopt more transparent and clearer policies and practices, so users are better able to gauge their risk comfort level
       • For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate
    30. Thank You
       • "A global approach is the only way to deal with the Internet"
       • Francis Gurry, Head of the World Intellectual Property Organisation (WIPO)
       • and so for Cloud Computing…
       Source: "IP's new role in the knowledge economy", Asia Today International, April/May 2011
       This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only ones worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views in this presentation are those of the author and not of the ACS.