Slide share cloudx_counsel ppt

Copyright © 2015CloudXCounsel pllc. All Rights Reserved. Any
commercial use or distribution without the express written
consent of CloudXCounsel pllc is strictly prohibited 1

It would not be a CLE presentation without the requisite DISCLAIMER:
- Nothing in this presentation shall be construed as legal advice.
- The information and opinions expressed in this presentation are solely my own
and not those of The Knowledge Group or the other speakers.
- Copyright © 2015CloudXCounsel pllc. All Rights Reserved. Any commercial use
or distribution without the express written consent of CloudXCounsel pllc is
strictly prohibited.
2

Director, Senior Legal Counsel, IT Offerings, Avanade Inc.
Special Legal Counsel, Adobe Systems, Inc. (NASDAQ: ADBE)
Director of Legal Affairs, Amdocs, Ltd. (NYSE: DOX)
General Counsel, DTI, Inc.(formerly Electronic Evidence Discovery)
General Counsel, Over-The-Air Wireless, Inc.
General Counsel, DocuTouch, Inc. (now DocuSign)
Special Counsel, ClassMates.com and Vulcan (a Paul Allen company)
Co-inventor U.S. Patent: “System, Method for Managing Transferable Records”
Copyright © 2015CloudXCounsel pllc.
All Rights Reserved. Any commercial use or distribution without the express written consent of CloudXCounsel pllc is strictly prohibited. 3

Goal of Presentation
Understand that success for online services whether already
operating within, or moving to the Cloud will require a different
skill set and understanding.
In the Cloud DATA may very well be Intellectual Property
Three (3) Components of Review
All Rights Reserved. Any commercial use or distribution without the express written consent of CloudXCounsel pllc is strictly prohibited.
4

Component No.1
Know Your Data: Elements
(and the CLOUD)
Operating in the “Cloud” has tremendous benefits, but the
benefits are at the expense (loss) of data sovereignty (control).
5

Data: Two (2) Perspectives…
1. Data Elements: What makes up Data?
• Beyond the Bits & Bytes and Ones and Zeros
• Personal information (name, address, DMV, SSN)
• Private or Confidential information (identified by your company or industry)
• Regulated information (healthcare or financial)
• Unique information (passwords, identifiers)
• Data protected as intellectual property
2. Data Handling: What happens to Data?
• Beginning Point (upload/input): Who, Where, How, Why
• Stored: for how long; in what condition; location?
• Access, who and for what purpose (add-value, aggregate, anonymize, license, analytics)
• Sold, licensed, shared, transferred, transmitted
• Service Level (maintenance and support)
All Rights Reserved. Any commercial use or distribution without the express written consent of CloudXCounsel pllc is strictly prohibited. 6

the “CLOUD”
 “a visible mass of condensed water vapor floating in the atmosphere, typically high above the ground.”
 “a state or cause of gloom, suspicion, trouble, or worry.”
 “a general term for the delivery of hosted services over the Internet requiring hardware and software
services and resources from a provider on the Internet (the "cloud"). Cloud computing comprises "software
as a service" (SaaS), "infrastructure as a service" (IaaS) and "platform as a service" (PaaS).”
Cloud: 3 Distinguishing Features:
1. (Scalability) Cloud computing servers can be quickly configured to process more data or to handle larger,
workloads;
2. (Speed) Cloud providers are connected to the Internet via multiple Tier 1 backbones for fast response times and
fault tolerance; and
3. (Self Service) The customer (end user or IT professional) can sign up online, activate and use applications and
services from start to finish without phoning a provider to set up an account.
7

EXAMPLE: Contextual Data Analytics
Context as a Service (CaaS) is a concept where several external data inputs
(location, temperature, brightness, motion) and internal (calendar, email)
from a user’s mobile device are collected and analyzed to provide a richer
understanding for mobile marketing purposes.
User w/iPhone at the beach every day between 2-3PM. CaaS enables the
collection/analysis of data elements including: location, time, temperature,
sound, motion (lack of) which provides a marketing opportunity for swim
wear, sun tan lotion …
The collected data points individually do not raise a concern, but as a
contextual analysis is completed, is there a privacy issue?
8

Component No.2
Data Mapping: Transmission and Handling
Operating in the “Cloud” has tremendous benefits, but the
benefits are at the expense (loss) of data sovereignty (control).
9

10
Data Mapping – A Best Practice
“Computer Science”
Data Type: Identifying data is a computer science concept which classifies data as various types; real, integer
or Boolean determining the possible values and the operations which can be done given that data type.
Data Mapping: Is a computing management concept typically used to map two distinct data models. Data
mapping is used as a first step for a wide variety of data integration tasks including: Data transformation or
data mediation between a data source and a destination, or moving data between 2 data bases.
____________________________________________________________________________________________________________________________________________________________________________________________________________________________
“LEGAL”
Data Type: Identifying those elements which make up the subject matter data; data owner, input, subject
matter, security and privacy obligations, storage, access and transmission. Example: consumer data which is
also PHI regulated by HIPAA.
Data Mapping: The process of following the data trail from beginning to end. How does it get into the
system, does something happen to it, (aggregated, anonymized, encrypted), where can it be accessed and by
whom (licensing), where is it stored and managed.

Platforms and Infrastructure:
11
Oh … those acronyms: SaaS / IaaS / PaaS …
SaaS Software as a Service delivers the entire application to end user, relieving organization of hardware and software
maintenance. Examples: Web-based e-mail, Google Apps and Salesforce.com.
IaaS Infrastructure as a service (IaaS) provides the servers and operating systems.
PaaS Platform as a Service adds [to IaaS] databases, runtime engines and necessary software for customer to deploy its application
MBaaS Mobile Backend as a Service provides web and mobile app developers backend cloud storage and software/APIs.
XaaS Anything [Everything] as a Service. Term for any on demand service and applications
AaaS Attorney as a Service
OnPrem. Private (corporate) infrastructure
Public
Cloud
A form of cloud computing where company relies on a third-party cloud service provider for services such as servers, data
storage and applications, delivered to the company through the Internet.
Private
Cloud
Cloud computing platform is implemented within the corporate firewall, under the control of IT department.
Hybrid
Cloud
Mix of private and public clouds - critical data resides in corp. private cloud other data is stored in and accessible from public
cloud. Goal: Deliver advantages of scalability, reliability, rapid deployment with the security, increased control and
management of private clouds.

12
Examples: Data Type and Description
TYPE ID type of Data: Corporate, operational, customer, third-party, children, enterprise, consumer, healthcare,
financial, PHI/PII, subject matter (legal, sales, HR), meta-data, regulated (EU) data.
OWNER ID owner of Data: Who owns, who has the rights (access, use) , locate all points data is introduced into
Platform or used by Software. At each point ask, whose data is it? What kind of data is it?
CONTROLLER ID controller of Data: The individual, company or government in control and responsible the data.
PROCESSOR ID processor of Data: The person or company who processes/transmits data on behalf of the Controller.
DATA ACCESS ID all parties with access to data: What is being done to the data (uploaded, deleted, transmitted, viewed,
processed or stored) and by whom (Customers, end-users, third-party vendors, licensees, operational
resources)?
VERACITY Data Subjects must be given access to information, and the ability to correct or delete such information if
it is inaccurate.
LICENSE Identify the license (use) rights and restrictions at all points in data's lifecycle; allow mapping and tie-back
license rights to a commercial terms/paper. Vendors and third-party providers adding value and
functionality to underlying Service may go unidentified resulting in liability (HIPAA/BAA regulations).

13
Data Path: Transmission; Storage and Use
Entry: upload How is data introduced into the system/service? (company, user, other); describe how it is uploaded
(constraints)?
Transmission:
Access; Onward
Transfer
ID and describe transmission path of data and the protections/security efforts applied to data at all points of
transit. ID all access points, and those with rights to access. Private data transferred to third-parties, only if
the third-party follows adequate data protection principles.
Security &
Management
ID security standards and how managed: Encryption process / where it occurs - Encryption (depending on
type) is the ‘standard’ for protecting data
Delete;
Retention
Define delete? Define Retention. If data is deleted what is schedule? Is it part of a Data Destruction
(Disaster Recovery) Policy? What types of data are deleted (corporation vs., customer data)?
Notice Data Subjects must be given notice to opt-out of the collection and forward transfer of data to a third-party.
Data Security Data Controllers and Processors must make reasonable efforts to prevent loss or unauthorized use or access
of private data.
Data Integrity Data must be relevant and reliable for the purpose collected, which must be clear to the data Subject and
must not change without notice.

Component No.3
The LAW in the CLOUD
Now with an understanding of the data elements and the path
which data takes through the Cloud; we can apply the law.
14

Data in the Cloud: A Compliance Challenge
• Data resides and is handled using 3rd party equipment, infrastructure and
resources. This means that others may be adding value to the services
you are contracting for – Do you know who has access and under what
terms? Does this access result in a compliance violation (HIPAA)?
• Data is used in a multi-tenant manner (by more than a single user). This
means the services may not be tailored to satisfy a regulatory standard
that is unique to a service.
• Data is borderless, nationless and user agnostic and at times separately
regulated. If electronic signatures are invalid in a country there is no
technology restriction, to prohibit electronic signatures.
• Data may be subject to changing terms and conditions concerning
support, maintenance and protection.
15

16
When ‘thinking’ about the law and your Cloud services do so under the three (3) concepts:
(1) First Concept: Know your data
(2) Second Concept: What happens to your data (transmission, access, etc.)
(3) Third Concept: Relevant laws, policies and regulations determined by knowing (1) and (2)
Individual Who is the user/consumer? Corporate/enterprise, consumer, regulated business.
Contract Are there contract terms with users, and third party vendors? ID terms and conditions between company offering
the services and those adding value or using the services (customers, enterprise users (SaaS or Master Services
agreement); are there terms of use and privacy terms which create legal obligations?
Industry /
Technology
Are you operating or offering a service in a regulatory industry? Healthcare, and finance are heavily regulated
industries (HIPAA and GLBA). Are you using electronic or digital signatures (ESIGN)?
State What state laws and regulations impact the services? Example: Data privacy breach notices statutes vary between
states. State AG (and class action attorneys) frequently target companies violating laws which may not be widely
known. See Auto Renewal Statue example.
Federal Federal laws may overlap with both industry and state laws (HIPAA/GLBA/ESIGN)
Global See EU Directive: US-Safe Harbor Example.

17
EXAMPLE: No.1 SAFE HARBOR
What happened? The Court of Justice of the European Union issued a ruling effectively invalidating the Safe
Harbor option, (in place since 2000), as an option to transfer personal data outside the European Economic Area.
What’s the impact? Safe Harbor, the most used of the options, approved as ensuring an “adequate” level of data
protection has directly enabled the proliferation of technology and data services enhancing our professional and
personal lives. With the ruling, companies must now figure out a way to proceed in order to avoid destroying
businesses and/or being fined. The Binding Corporate Rules (“BCR”); Standard Contractual Clauses (“SCC”);
Data Subject Consent options are still available.
Now what? You must know your DATA and WHAT HAPPENS TO IT! Companies must fully understand their
cross-border data flows (data mapping) identifying data; type, character, license, owner, status as well as how is it
collected, used, transmitted, processed, accessed stored and secured. Understanding your data and its flow will
enable an appropriate response as the regulatory (privacy) landscape continues to change and take shape while
allowing businesses to consider alternative data transfer methods during this uncertain time-period.

18
EXAMPLE: No.2 AUTO RENEWAL
Class Action Notice: Your online service client just got hit with a ‘notice’ for settlement or class action.
California Auto-Renewal Law (“CARL”) Section 17602 protects CA consumers from companies targeting
them through online transactions. CARL has been a focus of litigation, triggering class action cases (against large
well known companies) offering automatically renewing subscription services.
Damages: Restitution = 100 percent of gross revenues received pursuant to a non-compliant automatic renewal
term, whether or not the consumer actually wanted and used the service, even if the consumer was not actually
deceived and otherwise lacks damages. The concept of the subscriptions considered a “gift” has also been offered.
Compliance (CARL):
• Clear and Conspicuous Terms and Presentation (continue/term, how to cancel, font proximity)
• Consent (affirmative consent prior to charge) and Acknowledgement of Receipt (in form to be retained)
• Contact Information for consumer to contact and Notice of Changes, must be conveyed
Take Away: Operating in the Cloud subjects the business/service to laws, regulations and policies that are state
specific, industry specific and globally relevant. Be aware, even the smallest concepts (auto-renewal) can trip up
an online service!

19
DATA PRIVACY DATA SECURITY
Data privacy is defined as the appropriate use of data.
When companies and merchants use data or information
provided or entrusted to them, the data should be used
according to the agreed purposes. The Federal
Trade Commission enforces penalties
against companies that have failed to ensure
customer privacy.
Data security is commonly explained as the
Confidentiality, Availability, and Integrity
of data. All of the practices and processes in place to
ensure data isn't being used or accessed by unauthorized
individuals or parties. Data security ensures data is
accurate, reliable and available when those authorized
need it.
The Relationship Between Data Security and Data Privacy.
Data security ensures data privacy. You protect data (privacy) through strong data security measures put in place
and documented in a Data Security Policy. To accomplish securing data, and ensuring privacy you must (1) know
your data; (2) know how it is being used, accessed, stored, transmitted; and (3) the laws and regulations that
impact you data.

Y2K REVISITED
Liability Up The Chain = Checking All The Boxes
Remember when the Y2K bug scared and clouded the judgments of so many businesses,
causing them to seek out all sorts of offered solutions, allowing ‘vendors’ claiming to have a
magic bullet to make all sorts of money, betting on the fact there would be no impact?
FAST FORWARD 25 years later … business are scared about data breaches. With
executives facing potential liability they are reacting with instructions check all the boxes;
ISO, PCI, Pen Tests, Bounties, etc.
The unintended result is high expense, resource drain, conflicting compliance actions, risk of
failed vendor work and unnecessary complexities in trying to manage the various
compliance policies.
20

Mark G. Sanders
809 Olive Way, 1704 Seattle, WA 98101
(o) (206) 556-4310 / (m) (425) 422-9480
msanderslaw@cloudxcounsel.com
www.cloudxcounsel.com
http://www.linkedin.com/in/msanderslaw
21

Slide share cloudx_counsel ppt

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (18)

Similar to Slide share cloudx_counsel ppt

Similar to Slide share cloudx_counsel ppt (20)

Recently uploaded

Recently uploaded (20)

Slide share cloudx_counsel ppt