Cloud computing has revolutionized computing, providing organizations with the opportunity to outsource their computing capability to a third-party provider of networks, servers, storage, applications or services located in multiple jurisdictions. This webinar explored the global legal and regulatory developments in cloud computing that occurred during 2012.
2. ♦ Introduction: The Cloud
♦ Key Developments in 2012:
   Development 1: Demystification of the Cloud (Customer Drivers)
   Development 2: The Evolving Cloud (Cloud Supplier Drivers)
   Development 3: Regulatory Change
♦ Cloud Mitigation Strategies
4. Introduction: Why the Cloud?
Approximate technology costs: enterprise data center with 1K servers vs cloud-based 100K-server center
Network: $95 / Mbps / month (enterprise data center) vs $13 / Mbps / month (cloud data center); ratio 7.1
Storage: $2.20 / GB / month (enterprise data center) vs $0.40 / GB / month (cloud data center); ratio 5.7
Administration: 140 servers / admin (enterprise data center) vs 1,000 servers / admin (cloud data center); ratio 7.1
Source: http://wikibon.org/blog/how-big-is-the-world-of-cloud-computing-infographic/
5. Introduction: Why the Cloud?
♦ “Switch” Data Center: 2,200,000 square feet
  (http://www.makeuseof.com/tag/5-worlds-biggest-data-centers-stats-pics/)
♦ Average Cloud Data Center: 11.5 X the size of a football field
  (http://wikibon.org/blog/how-big-is-the-world-of-cloud-computing-infographic/)
♦ Acquisition of Terremark by Verizon for $1.4B
♦ Acquisition of Savvis for $2.5B by CenturyLink (Qwest)
6. Introduction: Cloud Definition
Characteristics: On-demand self-service; Broad network access; Resource pooling; Rapid elasticity
Service Models: Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS); Cross Platform?
Deployment Models: Private cloud; Community cloud; Public cloud; Hybrid cloud
♦ http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
8. Introduction: The Problem with the Cloud
♦ 1. Service Confusion
Software Providers; Network Providers; Technology Manufacturers; Information & Service Providers
9. Introduction: The Problem with the Cloud
♦ 2. Jurisdictional Confusion
Locations in question: Cloud Customer Location? Cloud Provider Location? Data Location? Data Subject Location?
Applicable regimes: Contract; Regulatory; US PATRIOT Act; Breach Notification; Intellectual Property Rights; Data Protection
10. Introduction: The Problem with the Cloud
♦ 3. Security Confusion
Information Security: Accessibility; Integrity; Confidentiality; Compliance
Threats and failures: Phishing / Trojans / Botnets; Denial of Service / DDOS; Accidental Disclosure; Security Flaw; Cyber Attack / Terrorism; Data Damage or Destruction; Certification Authority Breach; Fraud / Theft / ID Theft; Data Loss; Poor Data Protection
11. Introduction: The Problem with the Cloud
♦ 4. Expectations Confusion
Software vs. Commodity; Subscription Service; Outsourcing vs. Commodity; Leverage Assets; Individualized Service Levels; Provable Data Security / Privacy; Virtualization; Control
13. Development 1: Demystification of the Cloud
Demystifying Cloud Computing:
Data & Security: 1. New Privacy Risks? 2. More Data Sharing? 3. More Security Risks? 4. More International?
Ownership & Control: 1. Extraterritorial? 2. Local Retention? 3. Access & Audit? 4. Loss of Control?
Political: 1. Business Models 2. Employment Protection 3. Risk Allocation
14. Development 2: The Evolving Cloud
♦ Traditional Outsourcing –vs– Cloud Computing
Traditional Outsourcing:
• Service Driven
• Data Controllers / Data Processors
• Standalone Bespoke Services
• Agents
• Pushed Service Levels
• Static Location
Common to both:
• Service Scope
• Service Levels
• Charges
Cloud Computing:
• Security Driven
• IaaS / PaaS / SaaS
• Standardized Environment
• Shared Infrastructure
• Self-service
• Pulled Service Levels
• Dynamic Location
15. Development 2: The Evolving Cloud
♦ The Cloud Contract: The Need for Change
Pressures on the cloud contract:
Regulation & Consumer Law
Differences: Access; Shared; Commodity; Structure
Changers: Government; Industry; Landmark Deals; Insurers
Legal Issues: Enforceability; Validity; Non-Compliant; Data Breach
Large Negotiated Deals
16. Development 2: The Evolving Cloud
♦ Cloud Contracting: Non-Cloud versus Cloud
IACCM Most Negotiated:
1. Limitation of Liability
2. Indemnities
3. Charges
4. Intellectual Property
5. Payment
6. Liquidated Damages
7. Service/Service Levels
8. Delivery/Acceptance
9. Applicable Law
10. Confidentiality/Access
Cloud Most Negotiated:
1. Limitation of Liability
2. Indemnities
3. Data Integrity
4. Service/Service Levels
5. Regulatory Compliance
6. Confidentiality/Access
7. Security/Audit
8. Lock-in/Exit/Term
9. Service Change
10. Intellectual Property
17. Development 2: The Evolving Cloud
♦ Cloud Contracting: Negotiation Checklist
1. Structure: Type (IaaS, PaaS, SaaS); Subcontractor
2. Service: Services; Service Levels; Change; Service Credits; Price
3. Data: Information Security; Access; Audit; Breach; Business Continuity/DR
4. Regulation: DP/Privacy; Other
5. IPR: Ownership; Rights of Use
6. Termination: Term; Termination; Exit; Portability
7. Liability: Warranties; Indemnities; Exclusions; Limitations
8. Other: Jurisdiction; Change; Insurance; Certification
18. Development 3: Regulatory Change
♦ HIPAA
♦ HITECH Act
♦ GLB
♦ Subpoena/Rule 34 FRCP
♦ FACTA
♦ FCRA
♦ Fair Debt Collection Practices Act
♦ ECPA
♦ FERPA
♦ COPPA
♦ PCI
♦ ITAR/Export Compliance
♦ FFIEC
♦ Banking Requirements
♦ PIPEDA
♦ FTC
♦ In re NTL Inc. Sec. Litig., 244 F.R.D. 179 (S.D.N.Y. 2007)
♦ State Regulations
♦ SOX
♦ SCA
19. Development 3: Regulatory Change
EU Article 29 Data Protection Working Party Opinion, 1 July 2012:
♦ Transparency
♦ Control
♦ Sharing
♦ Sub-Contracting
♦ Data Portability
♦ Outside of EEA
EC Strategy for "Unleashing the potential of cloud computing in Europe", 27 September 2012:
♦ Interoperability
♦ Data Portability
♦ Reversibility
♦ Certification
♦ 'Safe and Fair' Contract Terms
♦ European cloud market
UK ICO Guidance on Cloud Computing, 27 September 2012:
♦ What data to put into the cloud?
♦ Performance monitoring
♦ Written contract
♦ Security assessment
♦ Security measures
♦ Using cloud services from outside the UK
♦ Multi-tenancy environment
21. Cloud Mitigation Strategies
♦ Insurance
♦ Does Customer Understand Data?
♦ Robust Dispute Resolution
♦ Self Help
♦ Backup
♦ Migration Plan
♦ Privacy pre-Audit
♦ Data Map
♦ “Leverage” Awareness
22. Cloud Mitigation Strategies
♦ SAS 70 Type II; SSAE No. 16 Type 2; ISO 27001; TRUSTe; SysTrust; VeriSign
♦ Safe Harbor / EU Data Protection Compliance
♦ Be Aware of Chat Boards/Internet Search/News
♦ Transparency of Procedures
♦ Multi/Single Jurisdiction of Data Centers?
23. Cloud Mitigation Strategies
♦ Multi-tenancy
♦ Escrow
♦ Data Map
♦ Audit of Customer Needs Upfront
♦ Contingency Planning
♦ Migration
♦ Return of Data
♦ Termination Services
24. Conclusion & Questions?
Michael Bennett, Partner, Edwards Wildman Palmer LLP, Chicago
+1 312.201.2679 | mbennett@edwardswildman.com | www.edwardswildman.com/mbennett
Richard Graham, Partner, Edwards Wildman Palmer LLP, London
+44 (0) 20.7556.4418 | rgraham@edwardswildman.com | www.edwardswildman.com/rgraham
Mark Schreiber, Partner, Edwards Wildman Palmer LLP, Boston
+1 617.239.0585 | mschreiber@edwardswildman.com | www.edwardswildman.com/mschreiber