Uploaded byJNicholson
518 views

BCBSA Summit - Cloud Computing Issues (Dec 2012)

The document discusses critical considerations for healthcare organizations, referred to as 'blue plans,' contemplating the transition to cloud computing. Key topics include the definition of cloud computing, its service models, security concerns regarding data storage and management, and the contrasting contract negotiation processes between traditional outsourcing and cloud services. It concludes that while blue plans are actively exploring cloud benefits, significant hesitance remains around storing sensitive personal health information in the cloud due to potential financial liabilities.

Related topics:
Health Care•

Embed presentation

Downloaded 17 times
Cloud Computing: Key Issues for Blue Plans to address before moving to the Cloud Joseph E. Kendall Partner Pillsbury Winthrop Shaw Pittman John L. Nicholson Counsel Pillsbury Winthrop Shaw Pittman December 4-7, 2011 Sheraton Chicago Hotel and Towers Chicago, Illinois PRESENTATION TITLE
Agenda • What is the Cloud ? • Blue Plans and Cloud Computing – Today and the Future • How secure is data in the Cloud? • Contracting for Cloud services • Specific contract issues - Cloud vs Outsourcing Contracts • e Discovery and Subpoenas in the Cloud • Best practices for data in the Cloud CLOUD COMPUTING 2
What is the Cloud? CLOUD COMPUTING 3
What is the “Cloud”? • Cloud Computing is: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” - National Institute of Standards and Technology CLOUD COMPUTING 4
Essential Characteristics On-demand, Self- Ubiquitous Network Rapid Elasticity Measured Service service Access Resource Pooling Elasticity is defined as In a measured service The on-demand and Ubiquitous network Resource pooling allows the ability to scale aspects of the cloud self-service aspects of access means that the a Cloud Provider to resources both up service are cloud computing mean Cloud Provider’s serve its consumers via and down as controlled and that a consumer can capabilities are a multi-tenant model. Physical and virtual needed. To the monitored by the use cloud services available over the resources are assigned consumer, the cloud Cloud Provider. This is as needed without network and can be and reassigned appears to be infinite, crucial for billing, any human accessed through according to demand. and the consumer can access control, interaction with the standard There is a sense of purchase as much or resource optimization, Cloud Provider. mechanisms by both location independence in as little computing capacity planning and thick and thin clients that the customer power as they need. other tasks. generally has no control or knowledge over the exact location of the resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). CLOUD COMPUTING 5
Service Models Infrastructure as a Service Platform as a Service Software as Service (IaaS) (PaaS) (SaaS) The consumer uses ”fundamental The consumer uses a hosting The consumer uses an application but computing resources" such as environment for their applications. The does not control the operating system, processing power, storage, networking consumer controls the applications that run hardware or network infrastructure on components or middleware. The consumer in the environment (and possibly has some which it's running. can control the operating system, storage, control over the hosting environment), but deployed applications and possibly does not control the operating system, * Note: Business Process as a Service is networking components such as firewalls hardware or network infrastructure on the furthest evolution of SaaS Cloud and load balancers, but not the cloud which they are running. The platform is Services, but is nascent in the marketplace. infrastructure beneath them. typically an application framework. Amazon EC2 Bungee Connect Microsoft Office 365 Sun Etelos Oracle SaaS platform Micrsoft’s Network.com Coghead Salesforce SFA HP Flex. Computing Svcs. Google App Engine NetSuite IBM Blue Cloud HP Adaptive IaaS GoogleApps OpSource Force.com Workday Human Capital Mgmt. Jamcracker LongJump Uses: Ad hoc development / testing Taking custom applications to the cloud Commodity applications (email) Cover volume fluctuations Developing new, cloud-based apps Non-proprietary business processes CLOUD COMPUTING 6
Deployment Models Public Cloud Hybrid Cloud Private Cloud In simple terms public cloud services A hybrid cloud is a combination In a private cloud-based service, are characterized as being available of a public and private cloud that data and processes are managed to clients from a third party interoperates. In this model users within the organization without the service provider via the Internet. typically outsource non-business- restrictions of network bandwidth, The term “public” does not always critical information and processing security exposures and legal mean free, even though it can be to the public cloud, while keeping requirements that using public cloud free or fairly inexpensive to use. A business-critical services and data services might entail. In addition, public cloud does not mean that a in their control private cloud services offer the user’s data is publically visible; public provider and the user greater cloud vendors typically provide an control of the cloud infrastructure, access control mechanism for their improving security and resiliency users. Public clouds provide an because user access and the elastic, cost effective means to networks used are restricted and deploy solutions. designated. Private clouds can be built on a company's own infrastructure (“internal clouds”) or on the backbone of public clouds. CLOUD COMPUTING 7
Realistic Cloud Deployment Source - http://www.saasblogs.com/saas/which-part-of-the-public-vs-private-cloud-elephant-are-you-touching/ CLOUD COMPUTING 8
Blue Plans and the Cloud CLOUD COMPUTING 9
What can the Cloud mean to Blue Plans? Microsoft’s Office 365 Cloud Service provides the following: • Word (Word Processing) • Excel • Calendar • Mail (25GB) • PowerPoint • SharePoint intranet for co-authoring documents • Premium antivirus / anti-spam filtering • Instant Messaging • Voice Chat (VoIP) • Online customer support • Build/host web site CLOUD COMPUTING 10
Where do Blue Plans stand today with respect to Cloud Computing? • Blue CIOs are motivated to look for ways to use the Cloud because: – Opportunities to reduce cost – Speed to Deployment • Blue Plans exploring how to benefit from the Cloud – Blue Plans exchange info / ideas on Cloud usage – Use of IaaS to address Resource Spikes (Proof of Concept) • Some production use – Blue Plan running proprietary app on SalesForce (PaaS) – Blue Plan using Microsoft Office 365 – Blue Plan using cloud based solution to access CMS database • Conclusions: – Blue Plans are actively looking at how they can benefit from the Cloud – Preliminary and Limited adoption of Cloud services to date CLOUD COMPUTING 11
How secure is data in the Cloud? Cloud Data Centers are easier to secure: • Software / Patches are up do date • Limit devices on the network • Use of repeatable processes and best practices Perceived risks of Cloud Computing: • Multi-tenant use of Cloud Resources – Answer: Data encrypted - only Blue Plan has encryption keys • Network – data flows over same physical cable – Answer: Hybrid approach - Combine Cloud computing and VPN to make it more secure • People - Cloud Staff can access data from multiple companies – Answer: Run “dark” data centers CLOUD COMPUTING 12
How secure is data in the Cloud? Survey of 127 Cloud Providers by Ponemon Institute, April 2011 • Most Cloud Providers believe Customers buy Cloud services because of lower cost and faster access to Cloud resources, and not Security • Majority of Cloud Providers believe it is their customer’s responsibility to secure the Cloud and not their responsibility • Most Cloud Providers do not believe their services substantially protect and secure confidential information of their customers • Most Cloud Providers do not have dedicated Security personnel • But, 1/3 of Cloud Providers considering Security solutions in next 2 years CLOUD COMPUTING 13
How secure is data in the Cloud? • Summary and Predications: – Cloud data centers do not have many of the security issues that are inherent to non-cloud data centers – Cloud Providers focus on the cost and speed aspects of their services, not security – But Security issues are being addressed – As Cloud solutions mature, Cloud Providers will begin to invest more in security as way to differentiate themselves from their competitors – In 2-3 years, Cloud data centers will be as secure as any non-cloud or Blue Plan Data Center CLOUD COMPUTING 14
How can you measure/require security in the Cloud? • ISO 27001 Certification – Be sure to review the Statement of Applicability • Check against Cloud Security Alliance Cloud Controls Matrix – Contract should include rep & warranty that certification will be maintained • Service Organization Controls (“SOC”) 2 Audit – Customers used to require SAS 70 Type 2, which has been replaced by SSAE 16 Type 2 (also known as SOC 1) – SOC 1 tests controls at a service organization relevant to user entities internal control over financial reporting, but it used to be the only option – SOC 2 tests controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy CLOUD COMPUTING 15
The Future of Blue Plans in the Cloud • Blue Plans will take advantage of Cloud benefits where security is not a priority and where PHI is not implicated • If Cloud Providers offer same Security as Blue Plans can achieve, will Blue Plans place PHI / PII in the Cloud ? – Limited amounts of PHI / PII – Possibly Yes • For example, in the Sales area, the sale of a policy might require placing some health insurance information in the Cloud regarding the purchaser (name, SS#, address) • Benefits of a Cloud based solution may outweigh some breach risk – Substantial amounts of PHI – No • Blue Plan systems with large amounts of PHI (e.g., Claims and Membership) will not be placed in the Cloud, even if security at the Cloud Provider is the same as Blue Plan provides CLOUD COMPUTING 16
The Future of Blue Plans in the Cloud • The potential financial liability from a data breach will prevent Blue Plans from trusting PHI to most Cloud Providers – In order for Blue Plan to trust the Cloud Provider with PHI, Cloud Provider must assume financial responsibility for data breaches – But Cloud Providers will not agree to substantial liability for data breaches because they are not getting paid enough to assume that risk • Breach could wipe out profits, revenue or the Cloud Provider • Many Cloud Providers are “start-ups” without ability to make Blue Plan whole – Contrast with Outsourcing Providers, which will agree to substantial liability provisions because the profit / revenue is sufficient to justify the risk CLOUD COMPUTING 17
The Future of Blue Plans in the Cloud • Cyber Liability Insurance – Same party should control both data security and data breach liability • Alignment of interests will reduce breaches – Recovery under policies is not guaranteed • Policies not uniform – wide variance • Policies very complex / negotiable • Gaps – Coverage for “Blue Plan’s breach of duty to maintain privacy of PHI” – Breach = “unauthorized acquisition, access, use or disclosure of PHI” • Strongly Recommend legal review of policy • Do not rely on obligation in contract that Cloud Provider will obtain policy CLOUD COMPUTING 18
Contracting for Cloud Services CLOUD COMPUTING 19
Cloud Provider’s Typical Contract Template This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not This AGREEMENT contains lots of really fine print and we really do feel like negotiating any of it. This AGREEMENT contains lots of really not feel like negotiating any of it. This AGREEMENT contains lots of fine print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. AGREEMENT contains lots of really fine print and we really do not feel This AGREEMENT contains lots of really fine print and we really do like negotiating any of it. This AGREEMENT contains lots of really fine not feel like negotiating any of it. This AGREEMENT contains lots of print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. AGREEMENT contains lots of really fine print and we really do not feel This AGREEMENT contains lots of really fine print and we really do like negotiating any of it. not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not This AGREEMENT contains lots of really fine print and we really do feel like negotiating any of it. This AGREEMENT contains lots of really not feel like negotiating any of it. This AGREEMENT contains lots of fine print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. AGREEMENT contains lots of really fine print and we really do not feel This AGREEMENT contains lots of really fine print and we really do like negotiating any of it. This AGREEMENT contains lots of really fine not feel like negotiating any of it. This AGREEMENT contains lots of print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. AGREEMENT contains lots of really fine print and we really do not feel This AGREEMENT contains lots of really fine print and we really do like negotiating any of it. not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not* * * This AGREEMENT contains lots of really fine print and we really do feel like negotiating any of it. This AGREEMENT contains lots of really not feel like negotiating any of it. This AGREEMENT contains lots of fine print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. CLOUD COMPUTING 20
Guiding Principles for Contracting with Cloud Providers • Must understand Cloud Provider’s business model – Standard service to all customers – Consistent, repeatable processes • Customers must accept a standard delivery model to take advantage of the cost savings • Cloud Providers insist on their own contract template – They want standardized contracts to match their standardized delivery model • But there ARE terms to negotiate ! CLOUD COMPUTING 21
Outsourcing vs. Cloud contracting Topic Outsourcing Cloud Services Contract Template Use Customer’s template Cloud Providers insist on their contract documents Each deal customized Contract Negotiation Almost everything negotiable Provisions impacting uniformity and scalability of the cloud service are not Service delivery solution customized negotiable. Service delivery solution standardized Contract Leverage Size of deal matters. Competition matters. Size and competition matter much less Contract Negotiation Timing 4-8 months, but can be 12 months or more Generally < 3 months and frequently faster Term 5-7 years, with Renewal Options 1-3 years, with evergreen extension unless either party terminates 30 days before anniversary CLOUD COMPUTING 22
Outsourcing vs. Cloud contracting Topic Outsourcing Cloud Services Contract Modification Modified only via written contract Governed by online terms (service amendment descriptions) or “then current” policies found on web pages (security and privacy) Control Over Supplier Key Supplier Positions, background checks, Largest contracts may include one Key Personnel and ability to remove personnel Supplier Position, but little else Subcontractors Significant restrictions on use of No restrictions - Subcontractors may be subcontractors essential to the provider’s ability to deliver the services Security Fully negotiable (for a price) Non-negotiable Governance Detailed, multi-committee governance None structure CLOUD COMPUTING 23
Outsourcing vs. Cloud contracting Topic Outsourcing Cloud Services Service Levels Customized and numerous Standardized and very few Service Level Credits Customized. Based on percentage of Can be significant – even up to 100% of monthly revenue – generally 5-15% monthly charges (but dollars are smaller and credits tied to the charges for the failed service) Data Location Customer knows where its data is Customer does not know where data is Limits on moving data center Fewer restrictions on data center location Charges Complex combination of transition Minimal transition cost (if any). Charges charges, plus ongoing fixed and variable based on simple metric such as “per user” or charges “per seat” or similar units Audits Extensive audit rights, particularly in None (although Supplier may agree to dedicated environments provide SSAE 16) CLOUD COMPUTING 24
Outsourcing vs. Cloud contracting Topic Outsourcing Cloud Services Limit of Liability General 12 months of charges Need to negotiate to make it mutual Numerous exceptions to direct and consequential damage limits – indemnities, breach of confidentiality, wrongful 12 months of charges also, but tied abandonment, failure to provide disengagement to the particular service causing the assistance, gross negligence, intentional misconduct damages Stipulated direct damages – error correction, cost of work- More limited carve-outs, especially around, overtime, government fines and penalties, cost to for consequential damages recreate data Data Breach Liability Separate liability bucket, ranging from 1 – 12 additional Generally none, but if pressed, they months of charges (may depend on whether data will agree to separate liability encrypted) bucket, and acknowledge notice and credit monitoring costs are Stipulated direct damages - Cost of data breach notices, recoverable credit monitoring, call center, identity restoration services, consulting and attorney fees Be wary of commitment to perform “as required by law” CLOUD COMPUTING 25
Outsourcing vs. Cloud contracting Topic Outsourcing Cloud Services Customer’s Termination Rights Cause, Service Level Failures, Change of For Supplier’s material breach (cause and other) Control of Customer, Change of Control of Supplier, Force Majeure Events, Change in Laws, Increase in Taxes, Supplier’s Liability Cap, Regulatory Approval, Business Associate Addendum, Insolvency Supplier’s Termination Rights Limited to: Failure to pay 2 month’s Starting position is Supplier may terminate or and Right to Suspend charges and Breach of Confidentiality suspend “for any reason” or for “breach of Acceptable Use Policy” or if Provider believes No right to suspend Customer’s use threatens providers network or ability to provide services Can limit termination right to “Customer’s material breach”, and add cure rights Can limit right to suspend only “to the extent” necessary to address the breach of the AUP, or to address the breach CLOUD COMPUTING 26
Outsourcing vs. Cloud contracting Topic Outsourcing Cloud Services Termination for Convenience Yes, but must make Supplier whole Yes, after initial commitment on 30 days notice without cost Also, if Supplier changes terms that adversely affects Customer, without cost Termination Assistance Requires fairly extensive cooperation Need to negotiate between customer, existing service provider and replacement service provider Very limited cooperation required 12-18 months of assistance, with right to Existing Cloud Provider provides a copy of all acquire hardware, software, contracts and data resident in cloud environment for people transfer to replacement service provider No right to acquire assets CLOUD COMPUTING 27
In sum . . . By understanding: (1) where a Cloud Provider can negotiate, and (2) where the cloud model precludes negotiation, you can balance your risk reduction efforts against the Cloud Service benefits, to achieve best results for the Blue Plan. CLOUD COMPUTING 28
e-Discovery and Subpoenas in the Cloud CLOUD COMPUTING 29
Access to Cloud Data • Subpoenas for data in the US – Not a lot of case law directly addressing discovery of corporate email held by Cloud Providers – Instructive analogs found in: • Cases involving 3rd-party email providers under Stored Communications Act ("SCA") and • Cases addressing the concept of "control" under US Federal regulations • US Civil Subpoenas – Basic test under FRCP: “possession, custody, or control” – U.S. courts construe “control” broadly • Party often deemed to have control if it has the legal right, authority or practical ability to obtain the materials sought upon demand – However, courts generally presume 3rd parties cannot be compelled to disclose electronic communications pursuant to a civil subpoena – Courts tend to focus on whether email account holders who are parties in the underlying litigation can be ordered to authorize access to their email accounts, despite the SCA CLOUD COMPUTING 30
Stored Communications Act Cases Thayer v. Chiczewski (N.D. Ill. Sept. 11, 2009) • Civil rights suit against Chicago • City served a subpoena on AOL seeking production of several of plaintiff's emails • Contrary to general practice, the court granted the motion over the objections of both the plaintiff and AOL. • Court first acknowledged SCA usually prevents enforcement of civil subpoenas against 3rd parties: – "The Court agrees that, although decisions analyzing the SCA have defined its parameters in sometimes competing ways, most courts have concluded that third parties cannot be compelled to disclose electronic communications pursuant to a civil-as opposed to criminal-discovery subpoena." CLOUD COMPUTING 31
Stored Communications Act Cases (cont.) Thayer v. Chiczewski (N.D. Ill. Sept. 11, 2009) - continued • Court stated that because plaintiff would be required to produce relevant emails if he were in possession of them, and AOL would be obliged to produce the emails at plaintiff's request, the emails were under the plaintiff's "control" for discovery purposes • Court noted that plaintiff authorized production of at least one email and had put his mental state at time of relevant events at issue (which arguably would be shown by contemporaneous emails), thus, court assumed that plaintiff had authorized disclosure CLOUD COMPUTING 32
Stored Communications Act Cases (cont.) Chasten v. Franklin (No. C10-80205 MISC JW (HRL), 2010 WL 4065606 (N.D. Cal. Oct. 14, 2010)) •Defendant in civil rights case served subpoena on Yahoo seeking plaintiff's emails •Plaintiff argued SCA prohibited Yahoo from disclosing his emails •Court agreed and quashed subpoena stating: – "Because no exception applies, compliance with the [third-party] subpoena would be an invasion of the specific interests that the SCA seeks to protect." •Unlike Thayer, Chasten court did not examine whether plaintiff could/should be ordered to consent to Yahoo producing emails •Court's failure to discuss whether account holder could be forced to consent to disclosure was unique CLOUD COMPUTING 33
Discovery Obligation Comes Back to You • The fact that court does not force a Cloud Provider to turn over your information simply brings the issue to your doorstep • U.S. discovery system encourages extensive production of information • Having data held by a Cloud Provider can make compliance with discovery obligations more challenging CLOUD COMPUTING 34
Inadvertent Loss/Destruction • What happens if a Cloud Provider loses / inadvertently deletes your information? • Currently uncommon for a cloud agreement to reference e-discovery type requirements – Difficult to claim Cloud Provider is responsible if there’s nothing in the contract on point • Legal analysis for a “spoilation claim” normally focuses on “possession, custody or control” over the data, which would generally point back to you – even for hosted services – Cloud Provider is not (normally) party to the litigation; court will typically focus its efforts on the parties appearing in court • If court finds you responsible (i.e., it did not produce information in its possession, custody or control) then court can order sanctions – Sanctions can range from fines to a terminating order that ends the case in the other party’s favor CLOUD COMPUTING 35
Inadvertent Loss/Destruction • If the data was lost due to the Cloud Provider’s actions (or inactions), you will need to argue that you were not at fault – Trying to establish this fact would likely require going far beyond merely establishing who deleted the data – You need to show you acted diligently in selecting Cloud Provider, negotiating terms, putting controls in place and notifying the provider in a timely manner — and that despite all of those efforts, data was lost through no fault of yours – Even so, minimal (if any) case law guidance on whether this argument would be adequate – More likely, if the other party has been prejudiced by the loss of data, a sanction of some type is likely to balance the playing field • Recovery of fines from Cloud Provider unlikely – Based on standard limitation of liability approaches in most cloud contracts, you may not be able to recover damages from Cloud Provider CLOUD COMPUTING 36
The “Democratization” Wrinkle • Employees may be using cloud services without the knowledge of the company (e.g., Google docs, Dropbox) or social media (e.g., Facebook) • When employees leave, Plans may lose access to those password protected accounts • BUT, if you end up in litigation you may have had a duty to preserve that information and/or produce it – Cloud Providers may not store information in easily accessible, legally compliant (i.e., “reasonably usable”) format – Facebook and other social media services are not e-discovery friendly – Obtaining information without employee’s password/cooperation may require litigation against that Cloud Provider CLOUD COMPUTING 37
The International Wrinkle • What happens if a lawsuit is in the US but the other party’s headquarters is in another country? Or what if the data is in a country where the rules are different? • U.S. Supreme Court has held that U.S. courts may order production of documents governed by foreign blocking laws • Violation of French blocking statute to deliver documents in the U.S. has resulted in criminal sanctions in France • AccessData Corp. v. ALSTE Technologies GMBH, 2010 WL 318477 (D. Utah Jan. 21, 2010) – ALSTE argued German privacy laws prevented collection of company emails located in Germany – U.S. court held German law did not bar disclosure of information relevant to the litigation – U.S. court required ALSTE to proceed with e-discovery – Failure to produce the data after the court’s ruling would likely result in severe sanctions – However, German Data Protection authorities have sanctioning powers, as well • Companies with data spread across different jurisdictions may have to make difficult choices if cloud-based data is implicated in litigation CLOUD COMPUTING 38
Best Practices for Data in the Cloud CLOUD COMPUTING 39
Best Practices for Data in the Cloud When drafting your RFP / evaluating potential Cloud Providers / negotiating with the selected Cloud Provider 1. Know where Blue Plan data is/will be stored - Request data center locations and consider including in contract - Request geographic limits (e.g., “stored in the US”) 2. Protect Blue Plan data - ISO 27001 certification, SOC 2, Cloud Security Alliance Cloud Controls Matrix 3. Ensure Blue Plan can use its data - Make sure Blue Plan has right to access its data at all times (and the Cloud Provider cannot hold your data “hostage” in a dispute) - Make sure that Blue Plan can export it in a useable format - Cloud Provider should be obligated to provide Disengagement Assistance CLOUD COMPUTING 40
Best Practices for Data in the Cloud 4. Determine if Cloud Provider can comply with Blue Plan data retention/destruction policies - Including litigation holds 5. Subpoena / e-Discovery Requirements - Require notice of subpoenas received by Cloud Provider that could impact your data - Ensure that Cloud Provider will assist with e-Discovery efforts and specify costs 6. Ensure there is financial responsibility for data breaches - Separate liability bucket - Do not accept “as required by law” language - Costs of notice, credit monitoring, call center should be recoverable (not consequential) - Cyber Liability Insurance - Legal review is important ! CLOUD COMPUTING 41
Questions & Answers / Thank you! Joseph Kendall Partner Pillsbury Winthrop Shaw Pittman LLP +1 202.663.8350 joseph.kendall@pillsburylaw.com John Nicholson Counsel Pillsbury Winthrop Shaw Pittman LLP +1 202.663.8269 john.nicholson@pillsburylaw.com CLOUD COMPUTING 42

More Related Content

PDF
Ms Cloud Basics Private Cloud
byStas Kolbin
 
PDF
Effective storagemanagementforcloudcomputing
byIBM India Smarter Computing
 
PDF
Understanding the Cloud Computing Stack
byRackspace
 
PDF
ClassCloud: switch your PC Classroom into Cloud Testbed
byJazz Yao-Tsung Wang
 
PDF
NEC Carrier Cloud
byNECIndia
 
PDF
Cloud: CDN Killer?
byInternap
 
PPTX
Cloud computing
byMed Zaibi
 
PDF
iStart hitchhikers guide to cloud computing
byHayden McCall
 
Ms Cloud Basics Private Cloud
byStas Kolbin
 
Effective storagemanagementforcloudcomputing
byIBM India Smarter Computing
 
Understanding the Cloud Computing Stack
byRackspace
 
ClassCloud: switch your PC Classroom into Cloud Testbed
byJazz Yao-Tsung Wang
 
NEC Carrier Cloud
byNECIndia
 
Cloud: CDN Killer?
byInternap
 
Cloud computing
byMed Zaibi
 
iStart hitchhikers guide to cloud computing
byHayden McCall
 

What's hot

PDF
Cloud architecture and deployment: The Kognitio checklist, Nigel Sanctuary, K...
byCloudOps Summit
 
PDF
Managing A Cloud Environment: How To Get Started And Which Way To Go
bytalemadi
 
PPTX
Move your Data Center to the Cloud
byRedZone Technologies
 
PDF
20090921 Risacher To Ncoic Cloud Storefront
byGovCloud Network
 
PDF
Rackforce the cloud
bysdeconf
 
PDF
Cloud computing ppt_0
byBishnupriya Dash
 
PDF
Simplifying Cloud Implementation
byMorphlabs
 
PDF
Towards a Federated Cloud Ecosystem
byClovis Chapman
 
DOCX
Business implementation of Cloud Computing
byQuaid Sodawala
 
PDF
Clearing the air on Cloud Computing
byKarthik Sankar
 
PDF
Lenovo: The Cloud Over BYOD
byLenovo Education
 
PPT
Cloud computing
bysaralaanuj
 
PDF
Texas Cloud Brokerage - A Success Story
byIlyas Iyoob, Ph.D.
 
PDF
Improving Utilization of Infrastructure Cloud
byIJASCSE
 
PDF
Cloud Computing & DCIM
byGreenField Software Private Limited
 
PDF
KAMP
byCisco Case Studies
 
PPTX
Mhta.private.cloud.final.16.9
byVirteva Inc.
 
PDF
OMG DDS Tutorial - Part I
byAngelo Corsaro
 
DOC
Cloud computing security_perspective
bysolaigoundan
 
PDF
Open Source Paving the Future of Cloud and Big Data Strategies
bySKALI Group
 
Cloud architecture and deployment: The Kognitio checklist, Nigel Sanctuary, K...
byCloudOps Summit
 
Managing A Cloud Environment: How To Get Started And Which Way To Go
bytalemadi
 
Move your Data Center to the Cloud
byRedZone Technologies
 
20090921 Risacher To Ncoic Cloud Storefront
byGovCloud Network
 
Rackforce the cloud
bysdeconf
 
Cloud computing ppt_0
byBishnupriya Dash
 
Simplifying Cloud Implementation
byMorphlabs
 
Towards a Federated Cloud Ecosystem
byClovis Chapman
 
Business implementation of Cloud Computing
byQuaid Sodawala
 
Clearing the air on Cloud Computing
byKarthik Sankar
 
Lenovo: The Cloud Over BYOD
byLenovo Education
 
Cloud computing
bysaralaanuj
 
Texas Cloud Brokerage - A Success Story
byIlyas Iyoob, Ph.D.
 
Improving Utilization of Infrastructure Cloud
byIJASCSE
 
Cloud Computing & DCIM
byGreenField Software Private Limited
 
KAMP
byCisco Case Studies
 
Mhta.private.cloud.final.16.9
byVirteva Inc.
 
OMG DDS Tutorial - Part I
byAngelo Corsaro
 
Cloud computing security_perspective
bysolaigoundan
 
Open Source Paving the Future of Cloud and Big Data Strategies
bySKALI Group
 

Similar to BCBSA Summit - Cloud Computing Issues (Dec 2012)

PDF
484 488
byEditor IJARCET
 
PDF
Accenture 6 questions_executives_should_ask_about_cloud_computing
byNgy Ea
 
PPT
Cloud computing
byPallavi Rai
 
PPTX
Cloud Computing : Security and Forensics
byGovind Maheswaran
 
PDF
Cloud computing
byNitin Verma [nitin.verma@dbydx.com]
 
PPT
Cloud Computing Webinar
bySaif Ahmad
 
PDF
Cloud Computing Tutorial - Jens Nimis
byJensNimis
 
PPTX
Cloudcomputing Nivo Consultancy 26 Mei 2009 Versie 1
byRuud Ramakers
 
PDF
Resarch paper i cloud computing
byBharat Gupta
 
PDF
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
byptaglephd
 
PPTX
Cloud Computing - Foundations, Perspectives &amp; Challenges
byPrasad Chitta
 
PPTX
Cloud Computing 101
byKamal Arora
 
PPT
Cloud computing
bykarthiklreddy
 
PDF
understanding and Leveraging Cloud Xcomputing
byIBM India Smarter Computing
 
PPTX
Introduction to cloud computing
byJithin Parakka
 
PDF
121 124
byIjarcsee Journal
 
PDF
Cloud computing: new challenge to the entire computer industry
byStudying
 
PPTX
Tareq Alemadi - Developing enterprise cloud computing strategy
byGlobal Business Events
 
PDF
Trend and Future of Cloud Computing
byhybrid cloud
 
PPT
IAPP Atlanta Chapter Meeting 2013 February
byPhil Agcaoili
 
484 488
byEditor IJARCET
 
Accenture 6 questions_executives_should_ask_about_cloud_computing
byNgy Ea
 
Cloud computing
byPallavi Rai
 
Cloud Computing : Security and Forensics
byGovind Maheswaran
 
Cloud computing
byNitin Verma [nitin.verma@dbydx.com]
 
Cloud Computing Webinar
bySaif Ahmad
 
Cloud Computing Tutorial - Jens Nimis
byJensNimis
 
Cloudcomputing Nivo Consultancy 26 Mei 2009 Versie 1
byRuud Ramakers
 
Resarch paper i cloud computing
byBharat Gupta
 
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
byptaglephd
 
Cloud Computing - Foundations, Perspectives &amp; Challenges
byPrasad Chitta
 
Cloud Computing 101
byKamal Arora
 
Cloud computing
bykarthiklreddy
 
understanding and Leveraging Cloud Xcomputing
byIBM India Smarter Computing
 
Introduction to cloud computing
byJithin Parakka
 
121 124
byIjarcsee Journal
 
Cloud computing: new challenge to the entire computer industry
byStudying
 
Tareq Alemadi - Developing enterprise cloud computing strategy
byGlobal Business Events
 
Trend and Future of Cloud Computing
byhybrid cloud
 
IAPP Atlanta Chapter Meeting 2013 February
byPhil Agcaoili
 

BCBSA Summit - Cloud Computing Issues (Dec 2012)

  • 1.
    Cloud Computing: Key Issues for Blue Plans to address before moving to the Cloud Joseph E. Kendall Partner Pillsbury Winthrop Shaw Pittman John L. Nicholson Counsel Pillsbury Winthrop Shaw Pittman December 4-7, 2011 Sheraton Chicago Hotel and Towers Chicago, Illinois PRESENTATION TITLE
  • 2.
    Agenda • What is the Cloud ? • Blue Plans and Cloud Computing – Today and the Future • How secure is data in the Cloud? • Contracting for Cloud services • Specific contract issues - Cloud vs Outsourcing Contracts • e Discovery and Subpoenas in the Cloud • Best practices for data in the Cloud CLOUD COMPUTING 2
  • 3.
    What is theCloud? CLOUD COMPUTING 3
  • 4.
    What is the“Cloud”? • Cloud Computing is: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” - National Institute of Standards and Technology CLOUD COMPUTING 4
  • 5.
    Essential Characteristics On-demand, Self- Ubiquitous Network Rapid Elasticity Measured Service service Access Resource Pooling Elasticity is defined as In a measured service The on-demand and Ubiquitous network Resource pooling allows the ability to scale aspects of the cloud self-service aspects of access means that the a Cloud Provider to resources both up service are cloud computing mean Cloud Provider’s serve its consumers via and down as controlled and that a consumer can capabilities are a multi-tenant model. Physical and virtual needed. To the monitored by the use cloud services available over the resources are assigned consumer, the cloud Cloud Provider. This is as needed without network and can be and reassigned appears to be infinite, crucial for billing, any human accessed through according to demand. and the consumer can access control, interaction with the standard There is a sense of purchase as much or resource optimization, Cloud Provider. mechanisms by both location independence in as little computing capacity planning and thick and thin clients that the customer power as they need. other tasks. generally has no control or knowledge over the exact location of the resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). CLOUD COMPUTING 5
  • 6.
    Service Models Infrastructure as a Service Platform as a Service Software as Service (IaaS) (PaaS) (SaaS) The consumer uses ”fundamental The consumer uses a hosting The consumer uses an application but computing resources" such as environment for their applications. The does not control the operating system, processing power, storage, networking consumer controls the applications that run hardware or network infrastructure on components or middleware. The consumer in the environment (and possibly has some which it's running. can control the operating system, storage, control over the hosting environment), but deployed applications and possibly does not control the operating system, * Note: Business Process as a Service is networking components such as firewalls hardware or network infrastructure on the furthest evolution of SaaS Cloud and load balancers, but not the cloud which they are running. The platform is Services, but is nascent in the marketplace. infrastructure beneath them. typically an application framework. Amazon EC2 Bungee Connect Microsoft Office 365 Sun Etelos Oracle SaaS platform Micrsoft’s Network.com Coghead Salesforce SFA HP Flex. Computing Svcs. Google App Engine NetSuite IBM Blue Cloud HP Adaptive IaaS GoogleApps OpSource Force.com Workday Human Capital Mgmt. Jamcracker LongJump Uses: Ad hoc development / testing Taking custom applications to the cloud Commodity applications (email) Cover volume fluctuations Developing new, cloud-based apps Non-proprietary business processes CLOUD COMPUTING 6
  • 7.
    Deployment Models Public Cloud Hybrid Cloud Private Cloud In simple terms public cloud services A hybrid cloud is a combination In a private cloud-based service, are characterized as being available of a public and private cloud that data and processes are managed to clients from a third party interoperates. In this model users within the organization without the service provider via the Internet. typically outsource non-business- restrictions of network bandwidth, The term “public” does not always critical information and processing security exposures and legal mean free, even though it can be to the public cloud, while keeping requirements that using public cloud free or fairly inexpensive to use. A business-critical services and data services might entail. In addition, public cloud does not mean that a in their control private cloud services offer the user’s data is publically visible; public provider and the user greater cloud vendors typically provide an control of the cloud infrastructure, access control mechanism for their improving security and resiliency users. Public clouds provide an because user access and the elastic, cost effective means to networks used are restricted and deploy solutions. designated. Private clouds can be built on a company's own infrastructure (“internal clouds”) or on the backbone of public clouds. CLOUD COMPUTING 7
  • 8.
    Realistic Cloud Deployment Source- http://www.saasblogs.com/saas/which-part-of-the-public-vs-private-cloud-elephant-are-you-touching/ CLOUD COMPUTING 8
  • 9.
    Blue Plans andthe Cloud CLOUD COMPUTING 9
  • 10.
    What can theCloud mean to Blue Plans? Microsoft’s Office 365 Cloud Service provides the following: • Word (Word Processing) • Excel • Calendar • Mail (25GB) • PowerPoint • SharePoint intranet for co-authoring documents • Premium antivirus / anti-spam filtering • Instant Messaging • Voice Chat (VoIP) • Online customer support • Build/host web site CLOUD COMPUTING 10
  • 11.
    Where do BluePlans stand today with respect to Cloud Computing? • Blue CIOs are motivated to look for ways to use the Cloud because: – Opportunities to reduce cost – Speed to Deployment • Blue Plans exploring how to benefit from the Cloud – Blue Plans exchange info / ideas on Cloud usage – Use of IaaS to address Resource Spikes (Proof of Concept) • Some production use – Blue Plan running proprietary app on SalesForce (PaaS) – Blue Plan using Microsoft Office 365 – Blue Plan using cloud based solution to access CMS database • Conclusions: – Blue Plans are actively looking at how they can benefit from the Cloud – Preliminary and Limited adoption of Cloud services to date CLOUD COMPUTING 11
  • 12.
    How secure isdata in the Cloud? Cloud Data Centers are easier to secure: • Software / Patches are up do date • Limit devices on the network • Use of repeatable processes and best practices Perceived risks of Cloud Computing: • Multi-tenant use of Cloud Resources – Answer: Data encrypted - only Blue Plan has encryption keys • Network – data flows over same physical cable – Answer: Hybrid approach - Combine Cloud computing and VPN to make it more secure • People - Cloud Staff can access data from multiple companies – Answer: Run “dark” data centers CLOUD COMPUTING 12
  • 13.
    How secure isdata in the Cloud? Survey of 127 Cloud Providers by Ponemon Institute, April 2011 • Most Cloud Providers believe Customers buy Cloud services because of lower cost and faster access to Cloud resources, and not Security • Majority of Cloud Providers believe it is their customer’s responsibility to secure the Cloud and not their responsibility • Most Cloud Providers do not believe their services substantially protect and secure confidential information of their customers • Most Cloud Providers do not have dedicated Security personnel • But, 1/3 of Cloud Providers considering Security solutions in next 2 years CLOUD COMPUTING 13
  • 14.
    How secure isdata in the Cloud? • Summary and Predications: – Cloud data centers do not have many of the security issues that are inherent to non-cloud data centers – Cloud Providers focus on the cost and speed aspects of their services, not security – But Security issues are being addressed – As Cloud solutions mature, Cloud Providers will begin to invest more in security as way to differentiate themselves from their competitors – In 2-3 years, Cloud data centers will be as secure as any non-cloud or Blue Plan Data Center CLOUD COMPUTING 14
  • 15.
    How can youmeasure/require security in the Cloud? • ISO 27001 Certification – Be sure to review the Statement of Applicability • Check against Cloud Security Alliance Cloud Controls Matrix – Contract should include rep & warranty that certification will be maintained • Service Organization Controls (“SOC”) 2 Audit – Customers used to require SAS 70 Type 2, which has been replaced by SSAE 16 Type 2 (also known as SOC 1) – SOC 1 tests controls at a service organization relevant to user entities internal control over financial reporting, but it used to be the only option – SOC 2 tests controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy CLOUD COMPUTING 15
  • 16.
    The Future ofBlue Plans in the Cloud • Blue Plans will take advantage of Cloud benefits where security is not a priority and where PHI is not implicated • If Cloud Providers offer same Security as Blue Plans can achieve, will Blue Plans place PHI / PII in the Cloud ? – Limited amounts of PHI / PII – Possibly Yes • For example, in the Sales area, the sale of a policy might require placing some health insurance information in the Cloud regarding the purchaser (name, SS#, address) • Benefits of a Cloud based solution may outweigh some breach risk – Substantial amounts of PHI – No • Blue Plan systems with large amounts of PHI (e.g., Claims and Membership) will not be placed in the Cloud, even if security at the Cloud Provider is the same as Blue Plan provides CLOUD COMPUTING 16
  • 17.
    The Future ofBlue Plans in the Cloud • The potential financial liability from a data breach will prevent Blue Plans from trusting PHI to most Cloud Providers – In order for Blue Plan to trust the Cloud Provider with PHI, Cloud Provider must assume financial responsibility for data breaches – But Cloud Providers will not agree to substantial liability for data breaches because they are not getting paid enough to assume that risk • Breach could wipe out profits, revenue or the Cloud Provider • Many Cloud Providers are “start-ups” without ability to make Blue Plan whole – Contrast with Outsourcing Providers, which will agree to substantial liability provisions because the profit / revenue is sufficient to justify the risk CLOUD COMPUTING 17
  • 18.
    The Future ofBlue Plans in the Cloud • Cyber Liability Insurance – Same party should control both data security and data breach liability • Alignment of interests will reduce breaches – Recovery under policies is not guaranteed • Policies not uniform – wide variance • Policies very complex / negotiable • Gaps – Coverage for “Blue Plan’s breach of duty to maintain privacy of PHI” – Breach = “unauthorized acquisition, access, use or disclosure of PHI” • Strongly Recommend legal review of policy • Do not rely on obligation in contract that Cloud Provider will obtain policy CLOUD COMPUTING 18
  • 19.
    Contracting for CloudServices CLOUD COMPUTING 19
  • 20.
    Cloud Provider’s TypicalContract Template This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not This AGREEMENT contains lots of really fine print and we really do feel like negotiating any of it. This AGREEMENT contains lots of really not feel like negotiating any of it. This AGREEMENT contains lots of fine print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. AGREEMENT contains lots of really fine print and we really do not feel This AGREEMENT contains lots of really fine print and we really do like negotiating any of it. This AGREEMENT contains lots of really fine not feel like negotiating any of it. This AGREEMENT contains lots of print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. AGREEMENT contains lots of really fine print and we really do not feel This AGREEMENT contains lots of really fine print and we really do like negotiating any of it. not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not This AGREEMENT contains lots of really fine print and we really do feel like negotiating any of it. This AGREEMENT contains lots of really not feel like negotiating any of it. This AGREEMENT contains lots of fine print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. AGREEMENT contains lots of really fine print and we really do not feel This AGREEMENT contains lots of really fine print and we really do like negotiating any of it. This AGREEMENT contains lots of really fine not feel like negotiating any of it. This AGREEMENT contains lots of print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. AGREEMENT contains lots of really fine print and we really do not feel This AGREEMENT contains lots of really fine print and we really do like negotiating any of it. not feel like negotiating any of it. This AGREEMENT contains lots of really fine print and we really do not* * * This AGREEMENT contains lots of really fine print and we really do feel like negotiating any of it. This AGREEMENT contains lots of really not feel like negotiating any of it. This AGREEMENT contains lots of fine print and we really do not feel like negotiating any of it. This really fine print and we really do not feel like negotiating any of it. CLOUD COMPUTING 20
  • 21.
    Guiding Principles forContracting with Cloud Providers • Must understand Cloud Provider’s business model – Standard service to all customers – Consistent, repeatable processes • Customers must accept a standard delivery model to take advantage of the cost savings • Cloud Providers insist on their own contract template – They want standardized contracts to match their standardized delivery model • But there ARE terms to negotiate ! CLOUD COMPUTING 21
  • 22.
    Outsourcing vs. Cloudcontracting Topic Outsourcing Cloud Services Contract Template Use Customer’s template Cloud Providers insist on their contract documents Each deal customized Contract Negotiation Almost everything negotiable Provisions impacting uniformity and scalability of the cloud service are not Service delivery solution customized negotiable. Service delivery solution standardized Contract Leverage Size of deal matters. Competition matters. Size and competition matter much less Contract Negotiation Timing 4-8 months, but can be 12 months or more Generally < 3 months and frequently faster Term 5-7 years, with Renewal Options 1-3 years, with evergreen extension unless either party terminates 30 days before anniversary CLOUD COMPUTING 22
  • 23.
    Outsourcing vs. Cloudcontracting Topic Outsourcing Cloud Services Contract Modification Modified only via written contract Governed by online terms (service amendment descriptions) or “then current” policies found on web pages (security and privacy) Control Over Supplier Key Supplier Positions, background checks, Largest contracts may include one Key Personnel and ability to remove personnel Supplier Position, but little else Subcontractors Significant restrictions on use of No restrictions - Subcontractors may be subcontractors essential to the provider’s ability to deliver the services Security Fully negotiable (for a price) Non-negotiable Governance Detailed, multi-committee governance None structure CLOUD COMPUTING 23
  • 24.
    Outsourcing vs. Cloudcontracting Topic Outsourcing Cloud Services Service Levels Customized and numerous Standardized and very few Service Level Credits Customized. Based on percentage of Can be significant – even up to 100% of monthly revenue – generally 5-15% monthly charges (but dollars are smaller and credits tied to the charges for the failed service) Data Location Customer knows where its data is Customer does not know where data is Limits on moving data center Fewer restrictions on data center location Charges Complex combination of transition Minimal transition cost (if any). Charges charges, plus ongoing fixed and variable based on simple metric such as “per user” or charges “per seat” or similar units Audits Extensive audit rights, particularly in None (although Supplier may agree to dedicated environments provide SSAE 16) CLOUD COMPUTING 24
  • 25.
    Outsourcing vs. Cloudcontracting Topic Outsourcing Cloud Services Limit of Liability General 12 months of charges Need to negotiate to make it mutual Numerous exceptions to direct and consequential damage limits – indemnities, breach of confidentiality, wrongful 12 months of charges also, but tied abandonment, failure to provide disengagement to the particular service causing the assistance, gross negligence, intentional misconduct damages Stipulated direct damages – error correction, cost of work- More limited carve-outs, especially around, overtime, government fines and penalties, cost to for consequential damages recreate data Data Breach Liability Separate liability bucket, ranging from 1 – 12 additional Generally none, but if pressed, they months of charges (may depend on whether data will agree to separate liability encrypted) bucket, and acknowledge notice and credit monitoring costs are Stipulated direct damages - Cost of data breach notices, recoverable credit monitoring, call center, identity restoration services, consulting and attorney fees Be wary of commitment to perform “as required by law” CLOUD COMPUTING 25
  • 26.
    Outsourcing vs. Cloudcontracting Topic Outsourcing Cloud Services Customer’s Termination Rights Cause, Service Level Failures, Change of For Supplier’s material breach (cause and other) Control of Customer, Change of Control of Supplier, Force Majeure Events, Change in Laws, Increase in Taxes, Supplier’s Liability Cap, Regulatory Approval, Business Associate Addendum, Insolvency Supplier’s Termination Rights Limited to: Failure to pay 2 month’s Starting position is Supplier may terminate or and Right to Suspend charges and Breach of Confidentiality suspend “for any reason” or for “breach of Acceptable Use Policy” or if Provider believes No right to suspend Customer’s use threatens providers network or ability to provide services Can limit termination right to “Customer’s material breach”, and add cure rights Can limit right to suspend only “to the extent” necessary to address the breach of the AUP, or to address the breach CLOUD COMPUTING 26
  • 27.
    Outsourcing vs. Cloudcontracting Topic Outsourcing Cloud Services Termination for Convenience Yes, but must make Supplier whole Yes, after initial commitment on 30 days notice without cost Also, if Supplier changes terms that adversely affects Customer, without cost Termination Assistance Requires fairly extensive cooperation Need to negotiate between customer, existing service provider and replacement service provider Very limited cooperation required 12-18 months of assistance, with right to Existing Cloud Provider provides a copy of all acquire hardware, software, contracts and data resident in cloud environment for people transfer to replacement service provider No right to acquire assets CLOUD COMPUTING 27
  • 28.
    In sum .. . By understanding: (1) where a Cloud Provider can negotiate, and (2) where the cloud model precludes negotiation, you can balance your risk reduction efforts against the Cloud Service benefits, to achieve best results for the Blue Plan. CLOUD COMPUTING 28
  • 29.
    e-Discovery and Subpoenasin the Cloud CLOUD COMPUTING 29
  • 30.
    Access to CloudData • Subpoenas for data in the US – Not a lot of case law directly addressing discovery of corporate email held by Cloud Providers – Instructive analogs found in: • Cases involving 3rd-party email providers under Stored Communications Act ("SCA") and • Cases addressing the concept of "control" under US Federal regulations • US Civil Subpoenas – Basic test under FRCP: “possession, custody, or control” – U.S. courts construe “control” broadly • Party often deemed to have control if it has the legal right, authority or practical ability to obtain the materials sought upon demand – However, courts generally presume 3rd parties cannot be compelled to disclose electronic communications pursuant to a civil subpoena – Courts tend to focus on whether email account holders who are parties in the underlying litigation can be ordered to authorize access to their email accounts, despite the SCA CLOUD COMPUTING 30
  • 31.
    Stored Communications ActCases Thayer v. Chiczewski (N.D. Ill. Sept. 11, 2009) • Civil rights suit against Chicago • City served a subpoena on AOL seeking production of several of plaintiff's emails • Contrary to general practice, the court granted the motion over the objections of both the plaintiff and AOL. • Court first acknowledged SCA usually prevents enforcement of civil subpoenas against 3rd parties: – "The Court agrees that, although decisions analyzing the SCA have defined its parameters in sometimes competing ways, most courts have concluded that third parties cannot be compelled to disclose electronic communications pursuant to a civil-as opposed to criminal-discovery subpoena." CLOUD COMPUTING 31
  • 32.
    Stored Communications ActCases (cont.) Thayer v. Chiczewski (N.D. Ill. Sept. 11, 2009) - continued • Court stated that because plaintiff would be required to produce relevant emails if he were in possession of them, and AOL would be obliged to produce the emails at plaintiff's request, the emails were under the plaintiff's "control" for discovery purposes • Court noted that plaintiff authorized production of at least one email and had put his mental state at time of relevant events at issue (which arguably would be shown by contemporaneous emails), thus, court assumed that plaintiff had authorized disclosure CLOUD COMPUTING 32
  • 33.
    Stored Communications ActCases (cont.) Chasten v. Franklin (No. C10-80205 MISC JW (HRL), 2010 WL 4065606 (N.D. Cal. Oct. 14, 2010)) •Defendant in civil rights case served subpoena on Yahoo seeking plaintiff's emails •Plaintiff argued SCA prohibited Yahoo from disclosing his emails •Court agreed and quashed subpoena stating: – "Because no exception applies, compliance with the [third-party] subpoena would be an invasion of the specific interests that the SCA seeks to protect." •Unlike Thayer, Chasten court did not examine whether plaintiff could/should be ordered to consent to Yahoo producing emails •Court's failure to discuss whether account holder could be forced to consent to disclosure was unique CLOUD COMPUTING 33
  • 34.
    Discovery Obligation ComesBack to You • The fact that court does not force a Cloud Provider to turn over your information simply brings the issue to your doorstep • U.S. discovery system encourages extensive production of information • Having data held by a Cloud Provider can make compliance with discovery obligations more challenging CLOUD COMPUTING 34
  • 35.
    Inadvertent Loss/Destruction • What happens if a Cloud Provider loses / inadvertently deletes your information? • Currently uncommon for a cloud agreement to reference e-discovery type requirements – Difficult to claim Cloud Provider is responsible if there’s nothing in the contract on point • Legal analysis for a “spoilation claim” normally focuses on “possession, custody or control” over the data, which would generally point back to you – even for hosted services – Cloud Provider is not (normally) party to the litigation; court will typically focus its efforts on the parties appearing in court • If court finds you responsible (i.e., it did not produce information in its possession, custody or control) then court can order sanctions – Sanctions can range from fines to a terminating order that ends the case in the other party’s favor CLOUD COMPUTING 35
  • 36.
    Inadvertent Loss/Destruction • If the data was lost due to the Cloud Provider’s actions (or inactions), you will need to argue that you were not at fault – Trying to establish this fact would likely require going far beyond merely establishing who deleted the data – You need to show you acted diligently in selecting Cloud Provider, negotiating terms, putting controls in place and notifying the provider in a timely manner — and that despite all of those efforts, data was lost through no fault of yours – Even so, minimal (if any) case law guidance on whether this argument would be adequate – More likely, if the other party has been prejudiced by the loss of data, a sanction of some type is likely to balance the playing field • Recovery of fines from Cloud Provider unlikely – Based on standard limitation of liability approaches in most cloud contracts, you may not be able to recover damages from Cloud Provider CLOUD COMPUTING 36
  • 37.
    The “Democratization” Wrinkle • Employees may be using cloud services without the knowledge of the company (e.g., Google docs, Dropbox) or social media (e.g., Facebook) • When employees leave, Plans may lose access to those password protected accounts • BUT, if you end up in litigation you may have had a duty to preserve that information and/or produce it – Cloud Providers may not store information in easily accessible, legally compliant (i.e., “reasonably usable”) format – Facebook and other social media services are not e-discovery friendly – Obtaining information without employee’s password/cooperation may require litigation against that Cloud Provider CLOUD COMPUTING 37
  • 38.
    The International Wrinkle • What happens if a lawsuit is in the US but the other party’s headquarters is in another country? Or what if the data is in a country where the rules are different? • U.S. Supreme Court has held that U.S. courts may order production of documents governed by foreign blocking laws • Violation of French blocking statute to deliver documents in the U.S. has resulted in criminal sanctions in France • AccessData Corp. v. ALSTE Technologies GMBH, 2010 WL 318477 (D. Utah Jan. 21, 2010) – ALSTE argued German privacy laws prevented collection of company emails located in Germany – U.S. court held German law did not bar disclosure of information relevant to the litigation – U.S. court required ALSTE to proceed with e-discovery – Failure to produce the data after the court’s ruling would likely result in severe sanctions – However, German Data Protection authorities have sanctioning powers, as well • Companies with data spread across different jurisdictions may have to make difficult choices if cloud-based data is implicated in litigation CLOUD COMPUTING 38
  • 39.
    Best Practices forData in the Cloud CLOUD COMPUTING 39
  • 40.
    Best Practices forData in the Cloud When drafting your RFP / evaluating potential Cloud Providers / negotiating with the selected Cloud Provider 1. Know where Blue Plan data is/will be stored - Request data center locations and consider including in contract - Request geographic limits (e.g., “stored in the US”) 2. Protect Blue Plan data - ISO 27001 certification, SOC 2, Cloud Security Alliance Cloud Controls Matrix 3. Ensure Blue Plan can use its data - Make sure Blue Plan has right to access its data at all times (and the Cloud Provider cannot hold your data “hostage” in a dispute) - Make sure that Blue Plan can export it in a useable format - Cloud Provider should be obligated to provide Disengagement Assistance CLOUD COMPUTING 40
  • 41.
    Best Practices forData in the Cloud 4. Determine if Cloud Provider can comply with Blue Plan data retention/destruction policies - Including litigation holds 5. Subpoena / e-Discovery Requirements - Require notice of subpoenas received by Cloud Provider that could impact your data - Ensure that Cloud Provider will assist with e-Discovery efforts and specify costs 6. Ensure there is financial responsibility for data breaches - Separate liability bucket - Do not accept “as required by law” language - Costs of notice, credit monitoring, call center should be recoverable (not consequential) - Cyber Liability Insurance - Legal review is important ! CLOUD COMPUTING 41
  • 42.
    Questions & Answers/ Thank you! Joseph Kendall Partner Pillsbury Winthrop Shaw Pittman LLP +1 202.663.8350 joseph.kendall@pillsburylaw.com John Nicholson Counsel Pillsbury Winthrop Shaw Pittman LLP +1 202.663.8269 john.nicholson@pillsburylaw.com CLOUD COMPUTING 42