2. Your Presenter
  Janine Anthony Bowen, Esq.
  Janine's practice focuses on strategic commercial transactions involving technology and intellectual property. Such transactions include licensing and acquisition of technology; issues surrounding the protection and exploitation of Internet-based assets; privacy and information security; and technology export compliance.
  McKenna Long & Aldridge LLP
    525 attorneys and public policy advisors
    A national, general practice firm focused on transactional, litigation, and government/regulatory matters
    9 US-based offices, 1 international office (Brussels, Belgium)
3. Agenda
  I. Cloud Computing – What Is It?
    Definition of Cloud Computing
    Essential Characteristics
    Delivery and Deployment Models
    Distinguishing Cloud from Outsourcing and ASPs
  II. The Various Cloud Contracting Models
    License Agreements vs. Services Agreements
    Click wrap Agreements vs. Standard Contracts
    The Importance of Privacy Policies and Terms and Conditions
  III. Sampling of the Legal Issues
    Data Privacy and Security
    Jurisdictional Issues
4. Agenda
  IV. Commercial and Business Considerations
    Methods to Minimize Risk
    Viability of the Cloud Provider
    Impediments (or not) to Using Clouds for Mission-Critical Applications and Data
    Other Factors to Consider When Selecting a Vendor
  V. Special Topics
    The Government's Role in Advancing (or Inhibiting) Adoption of Cloud Computing
    Litigation Issues/e-Discovery
    The Impact, if any, of Industry Standards
  VI. Take Away Messages
5. Cloud Computing – What Is It?
  Cloud Computing: Adoption and Hype
  Definitions of Cloud Computing
  Essential Characteristics
  Delivery and Deployment Models
  Distinguishing Cloud from Outsourcing and ASPs
6. Adoption of Cloud Computing
  "As enterprises seek to consume their IT services in the most cost-effective way, interest is growing in drawing a broad range of services (for example, computational power, storage and business applications) from the 'cloud,' rather than from on-premises equipment. The levels of hype around cloud computing in the IT industry are deafening, with every vendor expounding its cloud strategy and variations, such as private cloud computing and hybrid approaches, compounding the hype."
  Gartner, August 11, 2009 Press Release
8. Cloud Computing: Plain English Definition From the User's Perspective
  Data processing and storage, application development, and software hosting over the Internet instead of on a personal computer or over a business' network
  Available on an 'on demand' basis
  Location of information stored 'in the cloud' is potentially unknown at any given point in time
  Relatively inexpensive
9. National Institute of Standards & Technology's Definition
  Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
11. Essential Characteristics: Broad Network Access
  [Diagram: office desktop, home computer, laptop, smartphone or PDA, tablet computer, netbook and Apple Mac all connecting to the service provider]
14. Three Service Models
  SaaS (Software as a Service): The consumer uses the provider's applications running on a cloud infrastructure. (e.g. Google Apps)
  PaaS (Platform as a Service): The consumer has control over the deployed applications and possibly application hosting environment configurations. (e.g. Force.com)
  IaaS (Infrastructure as a Service): The consumer is able to deploy and run arbitrary software. (e.g. Amazon EC2)
  [Diagram: Software as a Service, Platform as a Service, Infrastructure as a Service]
15. Service Model Relationships
  [Diagram: relationships between the service models]
  Source: Gerard Briscoe, London School of Economics and Political Science, and Alexandros Marinos, Faculty of Engineering & Physical Sciences, University of Surrey, "Digital Ecosystems in the Clouds: Towards Community Cloud Computing," March 2009
20. Integration Considerations
  The nature of the cloud deployment will determine whether there is any need to integrate existing systems with the cloud architecture
  Hybrid cloud may require:
    Integration between multiple public or community cloud services
    Integration within the corporate data center
    Integration between the corporate data center and the public cloud services
22. The Various Cloud Contracting Models
  License Agreements vs. Services Agreements
  Click wrap Agreements vs. Standard Contracts
  The Importance of Privacy Policies and Terms and Conditions
25. Cloud Contracting Models: Terms of Use & Privacy Policy
  The Privacy Policy and Terms of Use specify the privacy protections in place as well as the terms under which the services are offered
  Mini Case Study – Google's Terms and Privacy Policy
    User grants content license – Google can modify the content to deliver the service
    User's use of services is 'as is' and 'as available'
    No liability for user's damages, including for deletion, corruption, or failure to store a user's data
    Effect on a Gmail user is one consideration, but what about a Google Apps (PaaS) user?
26. A Sampling of the Legal Issues
  Data Privacy and Security
  Jurisdiction Issues
27. Legal Issues: Data Privacy
  Data Privacy and Security
    Data Breach
    Gramm-Leach-Bliley
    HIPAA/HITECH Act
    FTC Safeguards Rule
    FTC Red Flags Rule
    USA PATRIOT Act
    European Union Data Privacy Directive
28. Data Breach
  Data Breach is the loss of unencrypted electronically stored personal information
  Significant financial and reputational harm to the breached company when a breach occurs
  Risk of ID theft for the individual whose data is compromised
  Data in the cloud is treated no differently than any other electronically stored information
  The company holding the data and the company putting the data in the cloud have compliance obligations
29. Federal Legislation
  Gramm-Leach-Bliley Act
    Requires financial institutions to implement procedures to protect personal financial information
  HIPAA/HITECH Acts
    Require "covered entities" to notify affected persons in the event of a breach of unencrypted health records
  USA PATRIOT Act
    Gives the government access to electronically stored information upon certification
    Applies to all entities holding personal information
30. Federal Trade Commission Rules
  FTC is charged with protecting consumers' personal information
  Safeguards Rule
    Applies to financial institutions' treatment of customer information
    Requires a written security plan
  Red Flags Rule
    Applies to institutions that hold credit accounts
    Requires a written identity theft program
  Cloud providers and cloud users putting this information into the cloud are both responsible for compliance
31. EU Data Privacy Directive
  Any geography to which EU data is sent must implement controls to protect against unauthorized disclosure or access of written, oral, electronic, and Internet-based data that resides in the EU
  Not limited to EU residents – applies to data in the EU
  Both the parties that own and process the data must comply
  The cloud user must understand how the cloud provider is treating internationally stored data
32. Legal Issues: Jurisdiction
  Jurisdictional Issues
    Virtualization and Multi-tenancy considerations
    Confidentiality
    Government Access to Data
    Subcontracting
33. Jurisdiction: A Few Definitions
  Jurisdiction: Refers to a court's authority to judge acts committed in a certain territory (e.g. GA courts deal with what happens only in GA, not TN).
  Virtualization: One physical server simulates being multiple servers. Each simulated server is called a virtual machine.
  Multi-tenancy: Refers to the cloud provider's ability to deliver software-as-a-service to multiple client organizations (each a tenant) from a single, shared instance of software. Information is virtually separated, not physically separated.
34. Jurisdiction: Virtualization & Multi-Tenancy Considerations
  Virtualization can occur across a single or multiple data centers
    Difficulty in knowing where data resides at any given time
  Multi-tenancy presents the potential for one user to access data of another
    May be difficult to back up and restore data
  Data protection concern: data may be in multiple locations at once – once data is in a location it is subject to the laws of that location
    May create conflicts with the law of another location, or with the terms of the contract
35. Jurisdiction: Confidentiality & Government Access to Data
  Scenario
    The contract provides for the confidential treatment of information
    The cloud provider houses the data in multiple countries
  Are confidentiality provisions in the contract enforceable?
  Can the government of the country that the data sits in get access to the data?
36. Jurisdiction: Subcontracting & Brokering of Capacity
  Scenario
    Cloud provider subcontracts with a third party to handle some of the processing (e.g. disaster recovery storage)
    Cloud provider utilizes excess capacity of other providers in periods of peak demand (e.g. for seasonal surges in demand)
    All of this is invisible to the cloud user
  Something breaks – whose risk and problem is it?
37. Commercial & Business Considerations
  Methods to Minimize Risk
  Viability of the Cloud Provider
  Impediments (or not) to Using Clouds for Mission-Critical Applications and Data
  Other Factors to Consider When Selecting a Vendor
38. Commercial & Business Considerations: Minimizing Risk
  Methods to Minimize Risk
    Data Integrity – ensuring that data at rest is not subject to corruption
      Look for contractual obligations regarding data integrity
    Service Level Agreements (SLAs) – the cloud provider's contractually agreed level of performance
      What is the SLA and what happens if it is not met?
    Disaster Recovery – ability to recover from a catastrophic event
      Is there any way to learn more about the cloud provider's DR strategy?
      If your information is lost due to a catastrophe at the cloud provider, can you recover?
  Mini Case Study: T-Mobile, Gmail
39. Commercial & Business Considerations: Viability of the Cloud Provider
  Viability matters. Why? A cloud user makes an investment when choosing a cloud provider. For example:
    Integrating cloud services into business processes
    Migrating data from its environment
  Lack of standardization makes moving to a new cloud provider difficult
  What happens to a cloud user's data in the event of:
    Bankruptcy
    M&A
    Escrow
40. Viability of the Cloud Provider: Bankruptcy
  Cloud Provider files for Bankruptcy
    Data is treated as a non-intellectual asset and is subject to different rules
    Privacy Policy will provide first indication of what a Provider will do with the data
    Depending on the data's sensitivity a "consumer privacy ombudsman" may determine what happens with personally identifiable information
41. Viability of the Cloud Provider: M&A
  Cloud provider merges with or is acquired by another company
    Cloud user will likely get no notice (unless the size of the transaction is newsworthy)
    Privacy policy will indicate disposition of personal information
    Click wrap or terms of use may specify termination option available to user
42. Viability of the Cloud Provider: Will Escrow Help?
  Software Escrow: Provision of a copy of the source code by the owner or licensor with a neutral third party for the benefit of a user. Escrow is released in certain situations (e.g. bankruptcy)
  Helpful?
    Maybe in SaaS contexts – neither PaaS nor IaaS lends itself to escrow
    If available to the user – does the user have the resources to implement the code?
43. Commercial & Business Considerations: Potential Impediments to Adoption
  Potential Impediments to Using Clouds for Mission-Critical Applications and Data
    Contracting Models
    Data Security/Privacy
    Government Access
44. Commercial & Business Considerations: Other Factors to Consider
  Other Factors to Consider When Selecting a Vendor
    Experience vs. Functionality
    Longevity vs. Early stage players
45. Special Topics
  The Government's Role in Advancing (or Inhibiting) Adoption of Cloud Computing
  Litigation Issues/e-Discovery
  The Impact, if any, of Industry Standards
46. Special Topics: Government's Role
  Government acknowledges the potential value of the cloud
  Federal CIO is advocating the federal government's use of cloud technologies
  NIST is actively working in the space
47. Special Topics: e-Discovery
  E-Discovery is the production of electronically stored information in the course of litigation
  Cloud user will have the responsibility to produce information housed with a cloud provider
  Depending on the magnitude of the discovery, a separate agreement with the provider may be required
  Cross border e-Discovery may be particularly challenging
48. Special Topics: Industry Standards
  What standards applicable to cloud computing exist?
    Payment Card Industry Data Security Standards
      A set of requirements for enhancement of payment account data security
    ISO 27000 Series Standards
      An information security standard that provides best practices for those implementing an information security management system
    Open Cloud Manifesto
      Basic premise is that cloud computing should be open like other technologies (e.g. use open source technologies) to enhance the ability: (a) for a user to transfer to a new provider, (b) for companies to work together, and (c) to speed and ease integration
49. Take Away Messages
  Don't be in a hurry – the clouds aren't going anywhere.
  Be thoughtful about which parts of your business are cloud-worthy. Not all business processes are suitable.
  Have a plan to deal with mistakes that will happen in the cloud. What happens if your data is lost – can you still run your business?
  Work with your key internal and external advisors to think through your cloud strategy.