Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Patrick X. Fowler, Esq.Snell & Wilmer LLPPhoenix, Arizona602.382.6213 | pfowler@swlaw.comCloud Computing:What You Don’t Kn...
Today’s Topics• What is cloud computing?• Common cloud computing applications• How does it work?• Cloud computing concerns...
What is Cloud Computing?• Using the internet…• to access remotely-located computer servers…• for scalable, on-demand softw...
Common Cloud Applications• Webmail – Gmail, Hotmail, AOL• Productivity – Microsoft Office 365, GoogleDocs• Data Sharing – ...
Most Common Use of the Cloud?• Social Networking – By Far© 2012 Snell & Wilmer L.L.P 5
“Official” Government DefinitionNational Institute ofStandards and TechnologyResponsible for developingstandards and guide...
Why Are We Moving to the Cloud?• It’s much cheaper to rent than to own.◦ Outsourcing to the cloud reduces corporate datast...
How Does Cloud Computing Work?• Major cloud providers:◦ Amazon◦ Google◦ Microsoft◦ Apple• Major cloud providers have multi...
Cloud Data Center Locations• Amazon:◦ North America (CA, OR)◦ EU (Ireland)◦ Asia (Singapore, Tokyo)◦ South America (Brazil...
How is Data Stored in the Cloud?Per Google’s web site:• Data is not stored on a single machine or set ofmachines; data fro...
Cloud Computing Concerns• Data Ownership & Access• Data Location and Security• Data Privacy• What Law Governs?• E-Discover...
Data Ownership & Access© 2012 Snell & Wilmer L.L.P 12
Cloud Data Ownership & Access• Who owns the data once it has been uploaded?◦ Short Answer: Should not be the cloud provide...
Cloud Data Ownership & Access• If you terminate the agreement with the cloudprovider, what happens to your data?◦ How long...
Data Storage Location &Security© 2012 Snell & Wilmer L.L.P 15
Data Storage Location & Security• In what countries are the cloud data centerslocated that will store your data?◦ Evaluate...
Data Storage Location & Security• What physical and digital security standardsdoes the cloud provider adhere to? Will it t...
Data Storage Location & Security• Physical security measures:◦ Non-descript facilities, restricted physical access,video s...
Data Storage Location & Security• Digital security measures:◦ Is your data securely stored when “at rest” andsecurely move...
Data Storage Location & Security• What if your data is corrupted, lost or stolen?◦ Caveat emptor. Let the buyer beware.◦ T...
Choose your cloud provider wisely!• If you have little or no leverage in negotiatingterms with the cloud provider…◦ Is the...
Data Privacy© 2012 Snell & Wilmer L.L.P 22
Data Privacy Issues• Data in the cloud is subject to differentprotections than information stored in-house;◦ Data in the c...
Data Privacy Issues• Existing laws can compel disclosure of clouddata to the government.◦ Electronic Communications Privac...
Data Privacy Issues• Current rules imposing data security and/orbreach notification obligations, including:◦ Sarbanes-Oxle...
Data Privacy: New Regulations?• Significantly expanded data privacy regulationschemes proposed in early 2012:◦ White House...
Data Privacy: New Regulations?White House Proposal – Feb.2012On-line Consumer Privacy Billof RightsEnforceable Codes of Co...
Proposed “Consumer Privacy Bill of Rights”• Intended goals are:◦ Preserve online consumer trust in the interneteconomy,◦ W...
Proposed “Consumer Privacy Bill of Rights”• Individual Control by consumers of the datacollected by companies and how thos...
Proposed “Consumer Privacy Bill of Rights”• Access and Accuracy including the right ofconsumers to access and correct pers...
Proposed “Consumer Privacy Bill of Rights”• The White House proposes voluntary adoptionof a binding code of conduct incorp...
Proposed EU Data Protection RegulationsProposed January 25,2012Significant expansionof current EU dataprivacy schemeData p...
Proposed EU Data Protection Regulations• Would apply to almost all data collection andprocessing activities regarding EU “...
Proposed EU Data Protection Regulations• Provides increased consumer control of data◦ With few exceptions, data subjects m...
Thank youPatrick X. Fowler, Esq.Snell & Wilmer LLPPhoenix, Arizona602.382.6213 | pfowler@swlaw.com© 2012 Snell & Wilmer L....
Upcoming SlideShare
Loading in …5
×

Cloud Computing: What You Don't Know Can Hurt You

211 views

Published on

An introduction to some of the legal issues surrounding cloud computing

Published in: Technology
  • Be the first to comment

Cloud Computing: What You Don't Know Can Hurt You

  1. 1. Patrick X. Fowler, Esq.Snell & Wilmer LLPPhoenix, Arizona602.382.6213 | pfowler@swlaw.comCloud Computing:What You Don’t Know CanHurt You© 2012 Snell & Wilmer L.L.P 1
  2. 2. Today’s Topics• What is cloud computing?• Common cloud computing applications• How does it work?• Cloud computing concerns◦ Data Ownership and Access◦ Data Location and Security◦ Data Privacy in the US and EU© 2012 Snell & Wilmer L.L.P 2
  3. 3. What is Cloud Computing?• Using the internet…• to access remotely-located computer servers…• for scalable, on-demand software applications,computing power and data storage…• that you might pay a fee for, but don’t own.© 2012 Snell & Wilmer L.L.P 3
  4. 4. Common Cloud Applications• Webmail – Gmail, Hotmail, AOL• Productivity – Microsoft Office 365, GoogleDocs• Data Sharing – Dropbox, GoToMeeting• Data Storage – iCloud, Amazon, Carbonite• Social Media – Facebook, LinkedIn, YouTube• Retailing – Amazon, Apple, eBay• Banking – Chase, Bank of America• Government – www.apps.gov© 2012 Snell & Wilmer L.L.P 4
  5. 5. Most Common Use of the Cloud?• Social Networking – By Far© 2012 Snell & Wilmer L.L.P 5
  6. 6. “Official” Government DefinitionNational Institute ofStandards and TechnologyResponsible for developingstandards and guidelines forproviding information securityfor all federal gov’t agenciesand assets.NIST Special Publication 800-145 (September 2011)© 2012 Snell & Wilmer L.L.P 6
  7. 7. Why Are We Moving to the Cloud?• It’s much cheaper to rent than to own.◦ Outsourcing to the cloud reduces corporate datastorage costs by 80%, and requires a smaller IT staff• It’s more flexible/scalable/elastic.◦ Quickly expand and contract storage and computingneeds, based on demand.◦ Faster access to improved technology.• It’s more secure – in some respects.◦ Remote, redundant data back-ups in case of disaster© 2012 Snell & Wilmer L.L.P 7
  8. 8. How Does Cloud Computing Work?• Major cloud providers:◦ Amazon◦ Google◦ Microsoft◦ Apple• Major cloud providers have multiple, distantdata centers (i.e. server farms) where data isredundantly stored/processed.© 2012 Snell & Wilmer L.L.P 8
  9. 9. Cloud Data Center Locations• Amazon:◦ North America (CA, OR)◦ EU (Ireland)◦ Asia (Singapore, Tokyo)◦ South America (Brazil)◦ Future: Buried in Siberian permafrost?• Google:◦ USA (SC, NC, GA, OK, IA, OR)◦ Finland, Belgium◦ Hong Kong, Singapore, Taiwan◦ Future: Cargo ships powered & cooled by the sea?© 2012 Snell & Wilmer L.L.P 9
  10. 10. How is Data Stored in the Cloud?Per Google’s web site:• Data is not stored on a single machine or set ofmachines; data from all Google customers is distributedamongst a shared infrastructure composed of manycomputers located across Google’s many data centers.• Data is chunked and replicated over multiple systems sothat no one system is a single point of failure. Datachunks are given random file names and they’re notstored in clear text, so they’re not humanly readable.Source: http://www.google.com/about/datacenters/inside/data-security.html#© 2012 Snell & Wilmer L.L.P 10
  11. 11. Cloud Computing Concerns• Data Ownership & Access• Data Location and Security• Data Privacy• What Law Governs?• E-Discovery ObligationsIf possible, yourcontract with thecloud providershould addressthese issues.© 2012 Snell & Wilmer L.L.P 11
  12. 12. Data Ownership & Access© 2012 Snell & Wilmer L.L.P 12
  13. 13. Cloud Data Ownership & Access• Who owns the data once it has been uploaded?◦ Short Answer: Should not be the cloud provider!• Who owns the servers where the data is stored?◦ Is it the party with whom you contracted? A thirdparty? How many links in the contract chain?• How often will the data be accessible?◦ Industry custom is 99.99% of the time.• What happens if access is interrupted?◦ Are fee credits provided?© 2012 Snell & Wilmer L.L.P 13
  14. 14. Cloud Data Ownership & Access• If you terminate the agreement with the cloudprovider, what happens to your data?◦ How long will your data remain on the cloud servers?◦ Is it then deleted from the cloud provider’s servers?- Important when dealing with customer data, credit cardinformation, HIPAA data, etc.• What if the cloud provider goes bankrupt or isshut down by a government?◦ Example: MegaUpload seized by DOJ in January ’12• E-discovery obligations?© 2012 Snell & Wilmer L.L.P 14
  15. 15. Data Storage Location &Security© 2012 Snell & Wilmer L.L.P 15
  16. 16. Data Storage Location & Security• In what countries are the cloud data centerslocated that will store your data?◦ Evaluate the data privacy laws where the datacenters are located.◦ Consider potential jurisdictional and choice of lawissues.• Is the data required to be maintained within acertain country?◦ E.g., Government records, national defensematerials.© 2012 Snell & Wilmer L.L.P 16
  17. 17. Data Storage Location & Security• What physical and digital security standardsdoes the cloud provider adhere to? Will it tellyou?• How do they compare to the securityprocedures used by Amazon, Google andMicrosoft?• Do outside auditors certify the proper storageand use of data by the cloud provider?© 2012 Snell & Wilmer L.L.P 17
  18. 18. Data Storage Location & Security• Physical security measures:◦ Non-descript facilities, restricted physical access,video surveillance, biometric clearance;◦ Fire detection and suppression, uninterrupted powersupply, climate and temperature control;◦ Redundant data storage in different locations;◦ A business continuity and disaster recovery plan toensure service is maintained & to recover any dataloss.© 2012 Snell & Wilmer L.L.P 18
  19. 19. Data Storage Location & Security• Digital security measures:◦ Is your data securely stored when “at rest” andsecurely moved between locations?◦ Does the cloud provider have rights to access yourdata? If so, why?◦ Is your data stored in aggregate with othercustomers? If so, how good is the disaggregation?◦ How does the cloud provider decommission oldstorage devices that once held your data?© 2012 Snell & Wilmer L.L.P 19
  20. 20. Data Storage Location & Security• What if your data is corrupted, lost or stolen?◦ Caveat emptor. Let the buyer beware.◦ Terms of service typically disclaim all warranties andexclude liability for any damages.• Example:◦ “WE AND OUR AFFILIATES OR LICENSORS WILLNOT BE LIABLE TO YOU FOR ANY DIRECT,INDIRECT, INCIDENTAL, SPECIAL,CONSEQUENTIAL, OR EXEMPLARY DAMAGES(INCLUDING DAMAGES FOR LOSS OF PROFITS,GOODWILL, USE OR DATA), EVEN IF A PARTYHAS BEEN ADVISED OF THE POSSIBILITY OFSUCH DAMAGES….”© 2012 Snell & Wilmer L.L.P 20
  21. 21. Choose your cloud provider wisely!• If you have little or no leverage in negotiatingterms with the cloud provider…◦ Is the cloud provider reputable & reliable?- How transparent is the cloud provider willing to be?- Quality vs. price – you probably get what you pay for.- Is the cost savings worth the risk of data loss/interruption?◦ What contingency plan do you have if the servicefails?- Separate, independent digital back-up?- Hard copy back-up?◦ What remedies, if any, do you have against the cloudprovider if there is data loss or service failure?© 2012 Snell & Wilmer L.L.P 21
  22. 22. Data Privacy© 2012 Snell & Wilmer L.L.P 22
  23. 23. Data Privacy Issues• Data in the cloud is subject to differentprotections than information stored in-house;◦ Data in the cloud = held by a third-party• Currently: there is a patchwork of Federal andState data privacy laws;• US and EU data privacy rules significantly differ;◦ EU has more protections and regulations• US and EU have recently proposed expandeddata privacy regulations.© 2012 Snell & Wilmer L.L.P 23
  24. 24. Data Privacy Issues• Existing laws can compel disclosure of clouddata to the government.◦ Electronic Communications Privacy Act (ECPA)◦ Stored Communications Act (SCA)◦ USA Patriot Act- National Security Letters- Foreign Intelligence Surveillance Act (FISA) Warrants◦ Warrants and subpoenas generally© 2012 Snell & Wilmer L.L.P 24
  25. 25. Data Privacy Issues• Current rules imposing data security and/orbreach notification obligations, including:◦ Sarbanes-Oxley◦ Family Educational Rights and Privacy Act (FERPA)◦ Health Insurance Portability & Accountability Act(HIPAA)◦ Health Information Technology for Economic andClincal Health (HITECH) Act◦ Gramm-Leach-Biley Act (GLBA)◦ FTC Act, Section 5 (for companies that storecustomer information on the cloud)◦ State Laws and Regulations© 2012 Snell & Wilmer L.L.P 25
  26. 26. Data Privacy: New Regulations?• Significantly expanded data privacy regulationschemes proposed in early 2012:◦ White House: Consumer Privacy Bill of Rights◦ EU: New General Data Protection Regulations© 2012 Snell & Wilmer L.L.P 26
  27. 27. Data Privacy: New Regulations?White House Proposal – Feb.2012On-line Consumer Privacy Billof RightsEnforceable Codes of ConductExpanded FTC Role Re DataPrivacy Rights EnforcementIncreased “GlobalInteroperability” re variousconsumer data privacy regs© 2012 Snell & Wilmer L.L.P 27
  28. 28. Proposed “Consumer Privacy Bill of Rights”• Intended goals are:◦ Preserve online consumer trust in the interneteconomy,◦ While providing Internet companies with theregulatory certainty needed to permit innovation inon-line commerce.• Available on-line:◦ http://www.whitehouse.gov/sites/default/files/privacy-final.pdf© 2012 Snell & Wilmer L.L.P 28
  29. 29. Proposed “Consumer Privacy Bill of Rights”• Individual Control by consumers of the datacollected by companies and how thosecompanies use such data;• Transparency regarding privacy and securitypractices;• Respect for Context to ensure that companiesuse data consistently with the context in whichthe consumer provides the data;• Security in handling personal data;© 2012 Snell & Wilmer L.L.P 29
  30. 30. Proposed “Consumer Privacy Bill of Rights”• Access and Accuracy including the right ofconsumers to access and correct personaldata;• Focused Collection through reasonable limitson collection and retention by companies ofpersonal data; and• Accountability to ensure that companieshandling data adhere to the Consumer PrivacyBill of Rights.© 2012 Snell & Wilmer L.L.P 30
  31. 31. Proposed “Consumer Privacy Bill of Rights”• The White House proposes voluntary adoptionof a binding code of conduct incorporating theprivacy principles in the bill of rights…thusmaking it enforceable under Section 5 of theFTC Act.• Alternatively, the White House proposes thatCongress pass a law incorporating the privacybill of rights.• Unlikely that Congress will pass legislation thisyear.© 2012 Snell & Wilmer L.L.P 31
  32. 32. Proposed EU Data Protection RegulationsProposed January 25,2012Significant expansionof current EU dataprivacy schemeData privacy already afundamental right, perthe EU ConstitutionPotential implicationsbeyond EU borders© 2012 Snell & Wilmer L.L.P 32
  33. 33. Proposed EU Data Protection Regulations• Would apply to almost all data collection andprocessing activities regarding EU “datasubjects”◦ Would cover controllers and processors located inthe EU◦ Would also cover controllers and processerslocated outside of the EU if they offer goods orservices to data subjects in the EU or monitor theirbehavior• Increased protections must be assured beforeconsumer data may be moved outside the EU© 2012 Snell & Wilmer L.L.P 33
  34. 34. Proposed EU Data Protection Regulations• Provides increased consumer control of data◦ With few exceptions, data subjects must give“informed consent” (generally through an “opt-in”process) before their personal data may beprocessed;• Internet users would have “The Right to beForgotten”◦ Data subject would be entitled to have personal dataerased, even if the data has been made public!• Available on-line:http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf© 2012 Snell & Wilmer L.L.P 34
  35. 35. Thank youPatrick X. Fowler, Esq.Snell & Wilmer LLPPhoenix, Arizona602.382.6213 | pfowler@swlaw.com© 2012 Snell & Wilmer L.L.P 35

×