What is cloud computing?• technologies that provide computation, software, data access and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services (Wikipedia)• delivered over a network (typically, the Internet)
Categories• Infrastructure as a Service (“IaaS”) and Storage • Delivers computer infrastructure, along with storage and networking• Software as a Service (“Saas”) • Delivers software without the need to install and run applications• Platform as a Service (“PaaS”) • Allows the development and deployment of applications without the need to purchase specific hardware or software
Benefits• Cost• Scalability• User mobility• Customizability• Reliability?• Performance?• Security?
Key Obligations• Disclosure • must disclose every relevant document in possession, control or power • “document” is broadly defined• Preservation • must preserve all relevant documents• Serious consequences for breach
E-Discovery• Electronic documents increase scope, complexity and cost of discovery process• Courts aware of importance of electronic documents
Cloud Computing and Discovery• Disclosure and preservation obligations still apply• Court does not care if you store data in your building or in the cloud – only cares whether you have possession or control
Cloud Computing and Discovery• Consider risks: • lost data • non-compliant data preservation practices • platform not easily searched • sub-outsourcing
Cloud Computing and Discovery• Cloud computing contract is key• Maintain legal control over data• Due diligence on cloud provider• Ability to retrieve data in any circumstance
• When you think about Cloud Computing, consider it as “mega-outsourcing”
• Regular outsourcing is when you store your data on your own servers, but you send certain data to an outside service provider or a service, so they can perform a function with the data and provide a product (e.g. send personalized cheques to your customers or process your payroll and arrange for direct deposits for your employees).
• Cloud computing means you don’t have your own servers anymore – you’ve “out-sourced” that whole infrastructure
• The key privacy law compliance issue is security of personal information
• Geographic location of personal information is a significant privacy law issue, especially for public bodies in British Columbia (and service providers to public bodies) but the concern with geographical location of data really boils down to a security issue
Public Bodies in B.C.: Section 30.1 of FOIPPA• A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, [unless a specific exception applies]• Breach of s. 30.1 of FOIPPA is an offence• Some cloud service providers are aware of this requirement and offer cloud services that meet this requirement
Québec – Private Sector Privacy Legislation• If using service provider outside Québec to store or process personal information, must take all reasonable steps to ensure that the personal information will not be used for purposes not relevant to the object of the file or communicated to third persons without consent• If cannot be satisfied that the personal information will be properly protected, must not communicate the information outside Québec (s. 17)
• What about professionals (e.g., doctors, lawyers, accountants, etc.) and businesses handling highly sensitive personal information (e.g. banks, credit unions, insurance companies)?• Ethical and contractual obligations around confidentiality may also require specialized cloud computing solutions• Community Cloud or Private Cloud may work (e.g. Law Society Cloud for lawyers is being considered)
• Private Sector - still have obligation under PIPEDA, PIPA, the Québec Private Sector Privacy Legislation (and, possibly, contractual obligations) to make reasonable security arrangements to protect personal information from risks such as unauthorized access, disclosure, destruction, etc.• Standard Cloud Computing contracts may not sufficiently protect customer/employee personal information• Requirement for transparency/notification (customers/employees have a right to know)
Security issues:• What geographic locations could be involved? Rule some out or stipulate acceptable jurisdictions• Reputation/history of cloud provider• What other data will be mingled with your organizations data? Concern re: concentration of high-risk data• Will your organization be able to access audit logs?
• How quickly could you be required to produce a copy of your organization’s records? will your organization be able to meet that timeframe?• What obligations does the cloud provider have in the event of an information security breach? • Immediate notification to your organization? • Indemnity for any damages and professional fees?
• What happens if the cloud provider goes bankrupt? backup/escrow might not be sufficient without access to the application software necessary to decode the stored data• Does the contract provide for a method for your organization to audit the cloud provider’s compliance with its contractual security obligations?
• Insurance – does your organization’s insurance coverage for information security breaches or data loss apply if your data is “in the clouds”?
Thank You Tamara Hunter Associate Counsel, Head of Privacy Law Group, Vancouver email@example.com 604.643.2952