Cloud Computing: Legal Risks and Best Practices
1. Cloud Computing: Legal Risks and Best Practices
A Bennett Jones Presentation
Toronto, Ontario
Lisa Abe-Oldenburg, Partner
Bennett Jones LLP
November 7, 2012
2. Introduction
• Security and Data Privacy
• Recent OPC Guidelines
• Compliance Issues
• Negotiating Contracts with Cloud Providers
• New Trends and Challenges
• Practical Tips
3. Security and Data Privacy
• Access to and security of the data stored in the cloud.
• When it comes to cloud computing, the security and privacy of
personal information is extremely important. Given that personal
information is being turned over to another organization, often in
another country, it is vital to ensure that the information is safe
and that only the people who need to access it are able to do so.
• There is the risk that personal information sent to a cloud provider
might be kept indefinitely or used for other purposes. Such
information could also be accessed by government agencies,
domestic or foreign (if the cloud provider retains the information
outside of Canada).
4. Security and Data Privacy
• The Personal Information Protection and Electronic Documents
Act (PIPEDA) does not prohibit cloud computing or cross-border
data transfer, even when the cloud service provider is in another
country.
• However, PIPEDA (and other privacy laws) establishes rules
governing use of the cloud and data transfer — particularly with
respect to obtaining consent for the collection, use and disclosure
of personal information, securing the data, and ensuring
accountability for the information and transparency in terms of
practices.
5. Security and Data Privacy
• Cloud providers often serve multiple customers simultaneously.
Many parties may have access to the data.
• Risk of exposure to possible breaches, both accidental and
deliberate.
• Cloud computing may lead to “function creep” — uses of data by
cloud providers that were not anticipated when the information
was originally collected and for which consent has typically not
been obtained.
• Given how inexpensive it is to keep data, there is little incentive to
remove the information from the cloud and more reasons to find
other things to do with it.
6. Security and Data Privacy
• Need security protocols maintained at every stage
• Strict policies as well as enforcement measures need to be reviewed
to ensure that the data is being kept confidential
• A detailed audit assessment may be required of the security
protocols before an organization signs up with the service
• Tools such as Privacy Impact Assessments (PIA) or Threat Risk
Assessments (TRA) could be valuable to help make assessments of
safeguards
• Use of external auditors to ensure the industry standards of
security protocols are being met by the service provider
7. Recent OPC Guidelines
• Office of the Privacy Commissioner of Canada (OPC), along with
the Privacy Commissioner of Alberta and BC, developed a
Guidance Document for Cloud Computing for Small and Medium-
sized Enterprises: Privacy Responsibilities and Considerations
• Organizations must ensure they fully understand their obligations
under Canada’s private sector privacy legislation, including those
under certain provincial privacy legislation, and they need to
carefully assess the risks against the benefits.
• Organizations considering a cloud computing service should
carefully consider what information will be stored in the cloud and
why.
8. Recent OPC Guidelines
• Organizations must consider the sensitivity of the personal
information and carefully assess all the risks and implications
involved in outsourcing personal data to the cloud. This assessment
should also take into account whether the cloud is a public cloud,
community cloud, private cloud or hybrid cloud, as defined in the
OPC’s Introduction to Cloud Computing.
• The sensitivity of the information, the type of cloud, and the
contractual arrangements should all play a key role in an
organization’s decision to move, or not to move, personal
information to the cloud.
• The Guideline recommends seeking professional advice in
assessing the risks of using a cloud service provider.
9. Recent OPC Guidelines
• In order to ensure that personal information is protected,
organizations using cloud computing services should:
• Limit access to the information and restrict further uses by the provider.
Set parameters for restricted access and use of personal information that
is appropriate for the context and sensitivity of the information. Find out
if personal information will be segregated or stored in the same database
as information from the cloud provider’s other clients. Ensure access to
personal information is only granted to those who need it to do their job.
Ensure that access to personal information is logged in protected audit
trails. Do not assume that the provider’s general terms of service or
policies will be adequate to establish such restrictions; review them
carefully.
10. Recent OPC Guidelines
• Ensure that the provider has in place appropriate authentication/access
controls. Stronger methods of authentication are recommended, such as
multi-factor authentication. The level of authentication should be
commensurate with the risk to the personal information being protected.
Ensure there are procedures and technical controls to manage who has
access rights to the personal information.
• Manage encryption. Understand what type of encryption method is being
used and identify where data is encrypted or unencrypted at each stage
(e.g., data in transit, data at rest). Conduct an assessment of the risks
associated with any lack of encryption. Determine if the encryption
method is adequate and the access to encryption keys is properly
managed. Risks may be reduced if organizations encrypt personal
information before it is sent to the cloud provider.
11. Recent OPC Guidelines
• Ensure that there are procedures in place in the event of a personal
information breach or security incident. These should include technical
and organizational measures that will be implemented in the event of
accidental or deliberate loss, or unauthorized access or disclosure of
personal information. Ensure there are provisions in the agreement with
the cloud provider that specify when it will provide notification to the
organization in the event of a security breach. Organizations subject to
breach notification requirements will want to ensure the contract is clear
about when the cloud provider is to provide reports on breaches in order
for it to meet its legal obligations.
• Ensure that there are procedures in place in the event of an outage to
ensure business continuity and prevent data loss. Business continuity
plans should be clearly documented in the contract.
12. Recent OPC Guidelines
• Ensure periodic audits are performed. It is important for an organization
to have some measure of oversight over a cloud provider’s policies and
practices. Ensure the cloud provider logs all accesses and uses of personal
information. Audits should be conducted periodically to inspect access
logs and confirm that physical locations where personal information is
processed and stored are inspected. Organizations should verify practices
and procedures to ensure the provider is handling personal information in
accordance with the agreements in place and request evidence of effective
auditing and timely response to security incidents.
• Have an exit strategy. Ensure the termination procedures permit the
transfer of personal information back to the organization and require that
the cloud provider securely delete all personal information within
reasonable and specified timeframes.
13. Compliance Issues
• Statutes, regulations and guidelines that apply to a
particular industry sector in a particular jurisdiction may
require specific compliance, such as service level terms,
data recovery terms, data security regimes, audit
provisions and processes for retaining and selecting any
third party service provider.
• The organization transferring data to the cloud provider is
ultimately accountable for its protection. It needs to
ensure that the data is appropriately handled in
compliance with any regulatory requirements.
14. Compliance Issues
• Cloud service provider may not have standards, controls or
notification process that meet OSFI, PIPEDA or other
statutory or regulatory requirements
• In Alberta for example, there are specific breach
notification requirements and requirements to notify
individuals when personal information is transferred to a
service provider located outside of Canada.
15. Compliance Issues
• International issues – cross-border data transfer,
compliance with foreign jurisdiction laws, export controls
• It is important to note that many non-Canadian based
cloud providers may also be subject to PIPEDA. To the
extent that a cloud provider has a real and substantial
connection to Canada, and collects, uses or discloses
personal information in the course of a commercial
activity, the provider is expected to protect personal
information, in keeping with PIPEDA.
16. Compliance Issues
• For more information on outsourcing of personal data
processing across borders, please see Privacy
Commissioner's Guidelines for Processing Personal Data
Across Borders. These considerations apply whether
moving data in the cloud or otherwise.
17. Negotiating Contracts with Cloud Providers
• Unlike outsourcing, many more parties are involved in a cloud
based service model
• a platform provider
• a provider of servers
• the data centre provider
• data centre operator(s)
• OS provider
• applications software providers
• a reseller, distributor or broker
• Disaster Recovery or Business Continuity Provider
• As a result it is a complex contracting environment
• No contractual privity between the customer and
many of the parties involved in the cloud services
18. Negotiating Contracts with Cloud Providers
• Typical contract structures that may be encountered in a cloud
service arrangement are:
• Terms of Service
• Service Level Agreement
• Acceptable Use Policies
• Privacy Policies
• Important points need to be negotiated before contract is executed
19. Negotiating Contracts with Cloud Providers
• As a low cost commodity service the service provider seeks to keep
transaction costs down and simplify managing obligations to the
customers
• services provided by the cloud service provider are usually on
standard terms
• terms are often non-negotiable
• tend to strongly favour the service provider
• cloud provider often leaves open the option to unilaterally change
the agreement, limit its liability for the information, and/or
subcontract to various other providers.
20. Negotiating Contracts with Cloud Providers
• Organizations sometimes find that cloud providers present “take it
or leave it” contracts. In other words, the provider sets the
parameters of the relationship, and the contracting organization is
required to go along with it in order to use the service. This tends to
be the case with low cost online services offered by cloud providers.
• The risk is that the terms of service that govern the relationship
with the cloud service provider sometimes allow for more liberal
usage of personal information and retention practices, and these
standard contract clauses may not be sufficient to allow
organizations to meet their privacy obligations.
21. Negotiating Contracts with Cloud Providers
• Many cloud agreements do not take responsibility for the
customer's data
• Ultimate responsibility for the preservation of confidentiality and
integrity of data is on the customer
• Some standard terms reserve the right to delete customer data for
breach of a term of the contract, i.e. non-payment
22. Negotiating Contracts with Cloud Providers
• Warranties in general are limited
• Even when warranties are available, they often exclude any data
loss, corruption or service
• Need to still have traditional representations and warranties, e.g.
performance of the service must not interfere with or breach third
party rights – whether intellectual property, contractual or other
rights
23. Negotiating Contracts with Cloud Providers
• If you are not comfortable with what a particular cloud provider is
proposing, you should not transfer personal information entrusted
to you by your customers to that provider. You should push back,
or take the time to shop around for a better solution.
• Since the data and processing infrastructure will be outside the
customer's control and influence, the vital issues a customer seeks
to address include:
• Service security
• Trade secret protection, information confidentiality
• Data integrity
• Compliance with privacy laws and regulations
• Potential secondary uses of the data
• Assurance of data segregation and isolation
24. Negotiating Contracts with Cloud Providers
• Other terms dealing with data management include:
• Data ownership provisions
• Determining how the data is being used. For example, whether the data
that is being stored on the servers of the cloud service providers is also
going to be used by the service provider, or accessed by others
• When can the customer (who owns the data) obtain copies of information
that are stored on the cloud
• Data backup and recovery
• At what time intervals the copies of information or data are to be
transmitted to the Customer
• Data breach notification, whether by cloud provider or data host
• Geographical locations of data
• Compliance with local security and data protection laws and regulations,
including positive data breach notification statutes
25. Negotiating Contracts with Cloud Providers
• Organizations must ensure that they collect personal information
for appropriate purposes and that these purposes are made clear to
individuals; that they obtain consent; that they limit collection of
personal information to those purposes; that they protect the
information; and that they are transparent about their privacy
practices. These types of obligations and controls need to be in
contracts with any subcontractor, outsourcer or cloud service provider
that is engaging in any of these activities on behalf of an organization.
26. Negotiating Contracts with Cloud Providers
• You must use contractual or other means to ensure that the
personal information transferred to the third-party is appropriately
protected. Therefore, an organization that is considering using a
cloud service remains accountable for the personal information
that it transfers to the cloud service, and it must ensure that the
personal information remains protected in the hands of that cloud
service provider. Organizations need to carefully review the terms
of service of the cloud provider and ensure that the personal
information it entrusts to it will be treated in a manner consistent
with PIPEDA.
27. Negotiating Contracts with Cloud Providers
• Service level agreements are critical
• Outages, downtimes, response times
• During an outage, one may not be able to access data or software and
disruption of business operations may occur
• SLA should state what happens when data is lost due to a service
interruption
• Most SLAs contain no guarantee of quality of the service and the
sole remedy may be service credits, subject to cap on liability
• Service levels are typically subject to scheduled downtime for
maintenance and are also subject to internet or 3rd party down
time – need to review and assess impact on business
28. Negotiating Contracts with Cloud Providers
• SLAs should include a duty of care, diligence and professionalism
that is reasonably commensurate with the standards and practices
by which such services are performed and delivered in the customer's
jurisdiction
• Performance risk transfers to the service provider who is better
able to mitigate those risks
• Therefore performance outcomes and results need to be clearly
stated as obligations of the provider in the contract
29. Negotiating Contracts with Cloud Providers
• Dealing with termination of the cloud services:
• provisions relating to changing of service providers
• exit strategy or transition plan
• how and when the data is to be delivered
• delivery of data as per the agreed delivery format
• commitment by the vendor to destroy all customer data
• Need express disaster recovery and contingency planning
obligations on the cloud service provider
30. Negotiating Contracts with Cloud Providers
• Problematic terms to watch out for:
• Limits on service provider's liability very low,
disclaimers, short limitation periods
• Exclusion of liability even if service provider had
knowledge
• No indemnities by service provider for third party
claims; broad indemnities by customer for violation,
conduct, content
• Terms not visible, may be cross-referenced and
unilaterally amended by service provider, deemed
acceptance by use, especially if dependencies on
other providers
31. Negotiating Contracts with Cloud Providers
• Problematic terms to watch out for (cont.):
• hidden fees (e.g. for data backup, retrieval), service
failures
• data encryption, cleansing and backup obligations
pushed onto customer
• no restrictions on subcontracting, no background
checks
• indefinite term of contract, termination by provider
• failure to notify of data breach
• freezing of accounts and no access to data upon
termination or deletion (data hijacking until fees
paid or dispute resolved)
32. New Trends and Challenges
• Cloud computing can significantly reduce the cost and complexity
of owning and operating computers and networks. If an
organization uses a cloud provider, it does not need to spend
money on information technology infrastructure, or buy hardware
or software licences.
• Pay-per-use or consumption based pricing has been one of the
most attractive features of cloud computing
• Cloud services can often be customized and flexible to use,
providing scalability and better service levels and offering advanced
services that an individual company might not have the money or
expertise to develop.
33. New Trends and Challenges
• For businesses that are considering using a cloud service, cloud
computing could offer better protection of personal information
compared with current security and privacy practices. Through
economies of scale, large cloud providers may be able to use better
security technologies than individuals or small companies can, and
have better backup and disaster-recovery capabilities.
• Cloud providers may also be motivated to build privacy protections
into new technology, and to support better audit trails.
34. New Trends and Challenges
• On the other hand, while cloud computing may not increase the
risk that personal information will be misused or improperly
exposed, it could increase the scale of exposure. The aggregation of
data in a cloud provider can make that data very attractive to
cybercriminals, for example. Moreover, given how inexpensive it is
to keep data in the cloud, there may be a tendency to retain it
indefinitely, thereby increasing the risk and scale of breaches.
35. New Trends and Challenges
• Frequently, organizations find that employees have already moved
personal information to a cloud service without IT staff or
management being aware. For example:
• Employees may be using a cloud-based e-mail service for business
correspondence
• Employees may be using an online service to collaborate on documents
• Client databases that are accessible online from any location could be
hosted in the cloud
• An organization that outsources personal data for processing or
other services to a cloud service provider remains accountable for
protecting its customers’ personal information and it must be
transparent about its information management and privacy
practices.
• Corporate policies need to be implemented.
36. Practical Tips
• Due diligence of cloud provider, processes, systems and controls -
audits, certifications, testing
• Insist on transparency. Identify the Cloud support parties, type,
processes, data flow, locations/jurisdictions, security, business
resumption planning
• Select configurations and controls
• Specify ownership and obtain assignments of rights if needed
• Analyze contracts and if can’t negotiate necessary changes,
implement internal process changes or controls of what gets onto
Cloud
• Think way ahead – contractual requirements should be part of any
RFP
37. Conclusion
Cloud computing offers benefits for organizations and individuals. There are
also privacy and security concerns. If you are considering a cloud service, you
should think about how personal information and data can best be protected.
Carefully review the terms of service or contracts, and challenge the cloud
service provider to meet your needs.
38. Questions?
Lisa K. Abe-Oldenburg, B.Comm., J.D.
Abe-oldenburgL@bennettjones.com
Tel.: 416-777-7475
www.bennettjones.com
• This presentation contains statements of general principles and not
legal opinions and should not be acted upon without first consulting a
lawyer who will provide analysis and advice on a specific matter.