Cloud Computing: Legal Risks and Best Practices


A Bennett Jones Presentation
Toronto, Ontario

Lisa Abe-Oldenburg, Partner
Bennett Jones LLP
November 7, 2012
Introduction
• Security and Data Privacy
• Recent OPC Guidelines
• Compliance Issues
• Negotiating Contracts with Cloud Providers
• New Trends and Challenges
• Practical Tips
Security and Data Privacy
• Access to and security of the data stored in the cloud.
• When it comes to cloud computing, the security and privacy of
  personal information is extremely important. Given that personal
  information is being turned over to another organization, often in
  another country, it is vital to ensure that the information is safe
  and that only the people who need to access it are able to do so.
• There is the risk that personal information sent to a cloud provider
  might be kept indefinitely or used for other purposes. Such
  information could also be accessed by government agencies,
  domestic or foreign (if the cloud provider retains the information
  outside of Canada).
Security and Data Privacy
• The Personal Information Protection and Electronic Documents
  Act (PIPEDA) does not prohibit cloud computing or cross-border
  data transfer, even when the cloud service provider is in another
  country.
• However, PIPEDA (and other privacy laws) establishes rules
  governing use of the cloud and data transfer — particularly with
  respect to obtaining consent for the collection, use and disclosure
  of personal information, securing the data, and ensuring
  accountability for the information and transparency in terms of
  practices.
Security and Data Privacy
• Cloud providers often serve multiple customers simultaneously.
  Many parties may have access to the data.
• Risk of exposure to possible breaches, both accidental and
  deliberate.
• Cloud computing may lead to “function creep” — uses of data by
  cloud providers that were not anticipated when the information
  was originally collected and for which consent has typically not
  been obtained.
• Given how inexpensive it is to keep data, there is little incentive to
  remove the information from the cloud and more reasons to find
  other things to do with it.
Security and Data Privacy
• Need security protocols maintained at every stage
• Strict policies as well as enforcement measures need to be reviewed
  to ensure that the data is being kept confidential
• A detailed audit assessment may be required of the security
  protocols before an organization signs up with the service
• Tools such as Privacy Impact Assessments (PIA) or Threat Risk
  Assessments (TRA) could be valuable to help make assessments of
  safeguards
• Use of external auditors to ensure the industry standards of
  security protocols are being met by the service provider
Recent OPC Guidelines
• Office of the Privacy Commissioner of Canada (OPC), along with
  the Privacy Commissioner of Alberta and BC, developed a
  Guidance Document for Cloud Computing for Small and Medium-
  sized Enterprises: Privacy Responsibilities and Considerations
• Organizations must ensure they fully understand their obligations
  under Canada’s private sector privacy legislation, including those
  under certain provincial privacy legislation, and they need to
  carefully assess the risks against the benefits.
• Organizations considering a cloud computing service should
  carefully consider what information will be stored in the cloud and
  why.
Recent OPC Guidelines
• Organizations must consider the sensitivity of the personal
  information and carefully assess all the risks and implications
  involved in outsourcing personal data to the cloud. This assessment
  should also take into account whether the cloud is a public cloud,
  community cloud, private cloud or hybrid cloud, as defined in the
  OPC’s Introduction to Cloud Computing.
• The sensitivity of the information, the type of cloud, and the
  contractual arrangements should all play a key role in an
  organization’s decision to move, or not to move, personal
  information to the cloud.
• The Guideline recommends seeking professional advice in
  assessing the risks of using a cloud service provider.
Recent OPC Guidelines
• In order to ensure that personal information is protected,
  organizations using cloud computing services should:
   • Limit access to the information and restrict further uses by the provider.
     Set parameters for restricted access and use of personal information that
     is appropriate for the context and sensitivity of the information. Find out
     if personal information will be segregated or stored in the same database
     as information from the cloud provider’s other clients. Ensure access to
     personal information is only granted to those who need it to do their job.
     Ensure that access to personal information is logged in protected audit
     trails. Do not assume that the provider’s general terms of service or
     policies will be adequate to establish such restrictions; review them
     carefully.
Recent OPC Guidelines
   • Ensure that the provider has in place appropriate authentication/access
     controls. Stronger methods of authentication are recommended, such as
     multi-factor authentication. The level of authentication should be
     commensurate with the risk to the personal information being protected.
     Ensure there are procedures and technical controls to manage who has
     access rights to the personal information.
   • Manage encryption. Understand what type of encryption method is being
     used and identify where data is encrypted or unencrypted at each stage
     (e.g., data in transit, data at rest). Conduct an assessment of the risks
     associated with any lack of encryption. Determine if the encryption
     method is adequate and the access to encryption keys is properly
     managed. Risks may be reduced if organizations encrypt personal
     information before it is sent to the cloud provider.
Recent OPC Guidelines
   • Ensure that there are procedures in place in the event of a personal
     information breach or security incident. These should include technical
     and organizational measures that will be implemented in the event of
     accidental or deliberate loss, or unauthorized access or disclosure of
     personal information. Ensure there are provisions in the agreement with
     the cloud provider that specify when it will provide notification to the
     organization in the event of a security breach. Organizations subject to
     breach notification requirements will want to ensure the contract is clear
     about when the cloud provider is to provide reports on breaches in order
     for it to meet its legal obligations.
   • Ensure that there are procedures in place in the event of an outage to
     ensure business continuity and prevent data loss. Business continuity
     plans should be clearly documented in the contract.
Recent OPC Guidelines
   • Ensure periodic audits are performed. It is important for an organization
     to have some measure of oversight over a cloud provider’s policies and
     practices. Ensure the cloud provider logs all accesses and uses of personal
     information. Audits should be conducted periodically to inspect access
     logs and the physical locations where personal information is
     processed and stored. Organizations should verify practices
     and procedures to ensure the provider is handling personal information in
     accordance with the agreements in place and request evidence of effective
     auditing and timely response to security incidents.
   • Have an exit strategy. Ensure the termination procedures permit the
     transfer of personal information back to the organization and require that
     the cloud provider securely delete all personal information within
     reasonable and specified timeframes.
Compliance Issues
• Statutes, regulations and guidelines that apply to a
  particular industry sector in a particular jurisdiction may
  require specific compliance, such as service level terms,
  data recovery terms, data security regimes, audit
  provisions and processes for retaining and selecting any
  third party service provider.
• The organization transferring data to the cloud provider is
  ultimately accountable for its protection. It needs to
  ensure that the data is appropriately handled in
  compliance with any regulatory requirements.
Compliance Issues
• A cloud service provider may not have standards, controls or
  notification processes that meet OSFI, PIPEDA or other
  statutory or regulatory requirements
• In Alberta for example, there are specific breach
  notification requirements and requirements to notify
  individuals when personal information is transferred to a
  service provider located outside of Canada.
Compliance Issues
• International issues – cross-border data transfer,
  compliance with foreign jurisdiction laws, export controls
• It is important to note that many non-Canadian based
  cloud providers may also be subject to PIPEDA. To the
  extent that a cloud provider has a real and substantial
  connection to Canada, and collects, uses or discloses
  personal information in the course of a commercial
  activity, the provider is expected to protect personal
  information, in keeping with PIPEDA.
Compliance Issues
• For more information on outsourcing of personal data
  processing across borders, please see Privacy
  Commissioner's Guidelines for Processing Personal Data
  Across Borders. These considerations apply whether
  moving data in the cloud or otherwise.
Negotiating Contracts with Cloud Providers
• Unlike outsourcing, many more parties are involved in a cloud
  based service model
   • a platform provider
   • a provider of servers
   • the data centre provider
   • data centre operator(s)
   • OS provider
   • applications software providers
   • a reseller, distributor or broker
   • Disaster Recovery or Business Continuity Provider
• As a result it is a complex contracting environment
• No contractual privity between the customer and
  many of the parties involved in the cloud services
Negotiating Contracts with Cloud Providers
• Typical contract structures that may be encountered in a cloud
  service arrangement are:
   • Terms of Service
   • Service Level Agreement
   • Acceptable Use Policies
   • Privacy Policies


• Important points need to be negotiated before contract is executed
Negotiating Contracts with Cloud Providers
• As a low cost commodity service the service provider seeks to keep
  transaction costs down and simplify managing obligations to the
  customers
• services provided by the cloud service provider are usually on
  standard terms
• terms are often non-negotiable
• tend to strongly favour the service provider
• cloud provider often leaves open the option to unilaterally change
  the agreement, limit its liability for the information, and/or
  subcontract to various other providers.
Negotiating Contracts with Cloud Providers
• Organizations sometimes find that cloud providers present “take it
  or leave it” contracts. In other words, the provider sets the
  parameters of the relationship, and the contracting organization is
  required to go along with it in order to use the service. This tends to
  be the case with low cost online services offered by cloud providers.
• The risk is that the terms of service that govern the relationship
  with the cloud service provider sometimes allow for more liberal
  usage of personal information and retention practices, and these
  standard contract clauses may not be sufficient to allow
  organizations to meet their privacy obligations.
Negotiating Contracts with Cloud Providers
• Many cloud agreements do not take responsibility for the
  customer's data
• Ultimate responsibility for the preservation of confidentiality and
  integrity of data is on the customer
• Some standard terms reserve the right to delete customer data for
  breach of a term of the contract (e.g. non-payment)
Negotiating Contracts with Cloud Providers
• Warranties in general are limited
• Even when warranties are available, they often exclude any data
  loss, corruption or service
• Still need the traditional representations and warranties, e.g.
  performance of the service must not interfere with or breach third
  party rights – whether intellectual property, contractual or other
  rights
Negotiating Contracts with Cloud Providers
• If you are not comfortable with what a particular cloud provider is
  proposing, you should not transfer personal information entrusted
  to you by your customers to that provider. You should push back,
  or take the time to shop around for a better solution.
• Since the data and processing infrastructure will be outside the
  customer's control and influence, the vital issues a customer seeks
  to address include:
   • Service security
   • Trade secret protection, information confidentiality
   • Data integrity
   • Compliance with privacy laws and regulations
   • Potential secondary uses of the data
   • Assurance of data segregation and isolation
Negotiating Contracts with Cloud Providers
• Other terms dealing with data management include:
   • Data ownership provisions
   • Determining how the data is being used. For example, whether the data
     that is being stored on the servers of the cloud service provider is also
     going to be used by the service provider, or accessed by others
   • When can the customer (who owns the data) obtain copies of information
     that are stored on the cloud
   • Data backup and recovery
   • At what time intervals the copies of information or data are to be
     transmitted to the customer
   • Data breach notification, whether by cloud provider or data host
   • Geographical locations of data
       • Compliance with local security and data protection laws and regulations,
         including positive data breach notification statutes
Negotiating Contracts with Cloud Providers
• Organizations must ensure that they collect personal information
  for appropriate purposes and that these purposes are made clear to
  individuals; that they obtain consent; that they limit collection of
  personal information to those purposes; that they protect the
  information; and that they are transparent about their privacy
  practices. These types of obligations and controls need to be in
  contracts with any subcontractor, outsourcer or cloud service
  provider that is engaging in any of these activities on behalf of an
  organization.
Negotiating Contracts with Cloud Providers
• You must use contractual or other means to ensure that the
  personal information transferred to the third party is appropriately
  protected. Therefore, an organization that is considering using a
  cloud service remains accountable for the personal information
  that it transfers to the cloud service, and it must ensure that the
  personal information remains protected in the hands of that cloud
  service provider. Organizations need to carefully review the cloud
  provider's terms of service and ensure that the personal
  information entrusted to the provider will be treated in a manner
  consistent with PIPEDA.
Negotiating Contracts with Cloud Providers
• Service level agreements are critical
   • Outages, downtimes, response times
   • During an outage, one may not be able to access data or software and
     disruption of business operations may occur
• SLA should state what happens when data is lost due to a service
  interruption
• Most SLAs contain no guarantee of quality of the service and the
  sole remedy may be service credits, subject to cap on liability
• Service levels are typically subject to scheduled downtime for
  maintenance and are also subject to internet or 3rd party down
  time – need to review and assess impact on business
Negotiating Contracts with Cloud Providers
• SLAs should include a duty of care, diligence and professionalism
  that is reasonably commensurate with the standards and practices
  under which such services are performed and delivered in the
  customer's jurisdiction
• Performance risk transfers to the service provider who is better
  able to mitigate those risks
• Therefore performance outcomes and results need to be clearly
  stated as obligations of the provider in the contract
Negotiating Contracts with Cloud Providers
• Dealing with termination of the cloud services:
   • provisions relating to changing of service providers
   • exit strategy or transition plan
   • how and when the data is to be delivered
   • delivery of data as per the agreed delivery format
   • commitment by the vendor to destroy all customer data


• Need express disaster recovery and contingency planning
  obligations on the cloud service provider
Negotiating Contracts with Cloud Providers
• Problematic terms to watch out for:
   • Limits on service provider's liability very low,
     disclaimers, short limitation periods
   • Exclusion of liability even if service provider had
     knowledge
   • No indemnities by service provider for third party
     claims; broad indemnities by customer for violation,
     conduct, content
   • Terms not visible, may be cross-referenced and
     unilaterally amended by service provider, deemed
     acceptance by use, especially if dependencies on
     other providers
Negotiating Contracts with Cloud Providers
• Problematic terms to watch out for (cont.):
   • hidden fees (e.g. for data backup, retrieval), service
     failures
   • data encryption, cleansing and backup obligations
     pushed onto customer
   • no restrictions on subcontracting, no background
     checks
   • indefinite term of contract, termination by provider
   • failure to notify of data breach
   • freezing of accounts and no access to data upon
     termination or deletion (data hijacking until fees
     paid or dispute resolved)
New Trends and Challenges
• Cloud computing can significantly reduce the cost and complexity
  of owning and operating computers and networks. If an
  organization uses a cloud provider, it does not need to spend
  money on information technology infrastructure, or buy hardware
  or software licences.
• Pay-per-use or consumption based pricing has been one of the
  most attractive features of cloud computing
• Cloud services can often be customized and flexible to use,
  providing scalability, better service levels and offer advanced
  services that an individual company might not have the money or
  expertise to develop.
New Trends and Challenges
• For businesses that are considering using a cloud service, cloud
  computing could offer better protection of personal information
  compared with current security and privacy practices. Through
  economies of scale, large cloud providers may be able to use better
  security technologies than individuals or small companies can, and
  have better backup and disaster-recovery capabilities.
• Cloud providers may also be motivated to build privacy protections
  into new technology, and to support better audit trails.
New Trends and Challenges
• On the other hand, while cloud computing may not increase the
  risk that personal information will be misused or improperly
  exposed, it could increase the scale of exposure. The aggregation of
  data in a cloud provider can make that data very attractive to
  cybercriminals, for example. Moreover, given how inexpensive it is
  to keep data in the cloud, there may be a tendency to retain it
  indefinitely, thereby increasing the risk and scale of breaches.
New Trends and Challenges
• Frequently, organizations find that employees have already moved
  personal information to a cloud service without IT staff or
  management being aware. For example:
   • Employees may be using a cloud-based e-mail service for business
     correspondence
   • Employees may be using an online service to collaborate on documents
   • Client databases that are accessible online from any location could be
     hosted in the cloud
• An organization that outsources personal data for processing or
  other services to a cloud service provider remains accountable for
  protecting its customers’ personal information and it must be
  transparent about its information management and privacy
  practices.
• Corporate policies need to be implemented.
Practical Tips
• Due diligence of cloud provider, processes, systems and controls -
  audits, certifications, testing
• Insist on transparency. Identify the Cloud support parties, type,
  processes, data flow, locations/jurisdictions, security, business
  resumption planning
• Select configurations and controls
• Specify ownership and obtain assignments of rights if needed
• Analyze contracts and, if the necessary changes can’t be negotiated,
  implement internal process changes or controls over what gets onto
  the Cloud
• Think way ahead – contractual requirements should be part of any
  RFP
Conclusion
  Cloud computing offers benefits for organizations and individuals. There are
  also privacy and security concerns. If you are considering a cloud service, you
  should think about how personal information and data can best be protected.

  Carefully review the terms of service or contracts, and challenge the cloud
  service provider to meet your needs.
Questions?

• This presentation contains statements of general principles and not
  legal opinions and should not be acted upon without first consulting a
  lawyer who will provide analysis and advice on a specific matter.

Lisa K. Abe-Oldenburg, B.Comm., J.D.
Abe-oldenburgL@bennettjones.com
Tel.: 416-777-7475
www.bennettjones.com

Intercultural Negotiation Components Chapter 11
 
Finance Vocabulary (ESL: Personal Finance)
Finance Vocabulary (ESL:  Personal Finance)Finance Vocabulary (ESL:  Personal Finance)
Finance Vocabulary (ESL: Personal Finance)
 
How to Build, Deliver and Sell Online Courses (BESIG 2016)
How to Build, Deliver and Sell Online Courses (BESIG 2016)How to Build, Deliver and Sell Online Courses (BESIG 2016)
How to Build, Deliver and Sell Online Courses (BESIG 2016)
 
Intercultural Negotiation Process: Chapter10
Intercultural Negotiation Process: Chapter10Intercultural Negotiation Process: Chapter10
Intercultural Negotiation Process: Chapter10
 
Contract Drafting
Contract DraftingContract Drafting
Contract Drafting
 
Chap013 cross cultural negotiation 2
Chap013 cross cultural negotiation 2Chap013 cross cultural negotiation 2
Chap013 cross cultural negotiation 2
 
Drafting contract
Drafting contractDrafting contract
Drafting contract
 
Cross cultural Negotiations
Cross cultural NegotiationsCross cultural Negotiations
Cross cultural Negotiations
 

Similar to Cloud Computing Legal Risks And Best Practices

Cloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from realityCloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from realityRussell_Kennedy
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Marcelo Martins
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityNithin Raj
 
Cloud Computing & IT in the Boardroom
Cloud Computing & IT in the BoardroomCloud Computing & IT in the Boardroom
Cloud Computing & IT in the BoardroomBrendon Noney
 
MISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloudMISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloudMISA Ontario Cloud SIG
 
Chapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxChapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxLokNathRegmi1
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The  Risk Of Cloud Service Providers at Auditworld 2015 ...Auditing & Assessing The  Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Alan Yau Ti Dun
 
093049ov4.pptx
093049ov4.pptx093049ov4.pptx
093049ov4.pptxNguyenNM
 
GDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to KnowGDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to KnowRachel Roach
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...acemindia
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Procurement Of Software And Information Technology Services
Procurement Of Software And Information Technology ServicesProcurement Of Software And Information Technology Services
Procurement Of Software And Information Technology ServicesPeister
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016centralohioissa
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 

Similar to Cloud Computing Legal Risks And Best Practices (20)

Cloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from realityCloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from reality
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Informed consent and cloud computing
Informed consent and cloud computingInformed consent and cloud computing
Informed consent and cloud computing
 
Cloud Computing & IT in the Boardroom
Cloud Computing & IT in the BoardroomCloud Computing & IT in the Boardroom
Cloud Computing & IT in the Boardroom
 
MISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloudMISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloud
 
Does cloud technology belong at your law firm?
Does cloud technology belong at your law firm?Does cloud technology belong at your law firm?
Does cloud technology belong at your law firm?
 
Chapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxChapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptx
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The  Risk Of Cloud Service Providers at Auditworld 2015 ...Auditing & Assessing The  Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
 
093049ov4.pptx
093049ov4.pptx093049ov4.pptx
093049ov4.pptx
 
GDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to KnowGDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to Know
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Risks and Benefits of Cloud Computing
Risks and Benefits of Cloud ComputingRisks and Benefits of Cloud Computing
Risks and Benefits of Cloud Computing
 
Procurement Of Software And Information Technology Services
Procurement Of Software And Information Technology ServicesProcurement Of Software And Information Technology Services
Procurement Of Software And Information Technology Services
 
Cloud Security.ppt
Cloud Security.pptCloud Security.ppt
Cloud Security.ppt
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 

More from lisaabe

Outsourcing Agreement Checklist By Lisa Abe-Oldenburg
Outsourcing Agreement Checklist By Lisa Abe-OldenburgOutsourcing Agreement Checklist By Lisa Abe-Oldenburg
Outsourcing Agreement Checklist By Lisa Abe-Oldenburglisaabe
 
Health Care IT Legal Issues
Health Care IT Legal IssuesHealth Care IT Legal Issues
Health Care IT Legal Issueslisaabe
 
Overcoming the Challenges of Integration: The Legal Issues
Overcoming the Challenges of Integration: The Legal IssuesOvercoming the Challenges of Integration: The Legal Issues
Overcoming the Challenges of Integration: The Legal Issueslisaabe
 
Accountability – Managing the Risks of Innovation Procurement
Accountability – Managing the Risks of Innovation ProcurementAccountability – Managing the Risks of Innovation Procurement
Accountability – Managing the Risks of Innovation Procurementlisaabe
 
A Step By Step Guide To Growing A Technology Business The Legal Aspects O...
A Step By Step Guide To Growing A Technology Business   The Legal Aspects   O...A Step By Step Guide To Growing A Technology Business   The Legal Aspects   O...
A Step By Step Guide To Growing A Technology Business The Legal Aspects O...lisaabe
 
Building Awareness Of The Business Case Is It A Rule Problem Or Is It Somet...
Building Awareness Of The Business Case   Is It A Rule Problem Or Is It Somet...Building Awareness Of The Business Case   Is It A Rule Problem Or Is It Somet...
Building Awareness Of The Business Case Is It A Rule Problem Or Is It Somet...lisaabe
 
Cloud Computing presentation by Lisa Abe at the Canadian IT Lawyers Associat...
Cloud Computing  presentation by Lisa Abe at the Canadian IT Lawyers Associat...Cloud Computing  presentation by Lisa Abe at the Canadian IT Lawyers Associat...
Cloud Computing presentation by Lisa Abe at the Canadian IT Lawyers Associat...lisaabe
 
Nanotechnology Law: The Legal Issues
Nanotechnology Law: The Legal IssuesNanotechnology Law: The Legal Issues
Nanotechnology Law: The Legal Issueslisaabe
 
Nanotechnology Business Model
Nanotechnology Business ModelNanotechnology Business Model
Nanotechnology Business Modellisaabe
 
Modern Software Licensing: New Trends and Options
Modern Software Licensing: New Trends and OptionsModern Software Licensing: New Trends and Options
Modern Software Licensing: New Trends and Optionslisaabe
 
Legal Implications And Pitfalls Of Drafting Technical Documentation
Legal Implications And Pitfalls Of Drafting Technical DocumentationLegal Implications And Pitfalls Of Drafting Technical Documentation
Legal Implications And Pitfalls Of Drafting Technical Documentationlisaabe
 
Improvements And Gainsharing Oba March 8 2010
Improvements And Gainsharing   Oba March 8 2010Improvements And Gainsharing   Oba March 8 2010
Improvements And Gainsharing Oba March 8 2010lisaabe
 

More from lisaabe (12)

Outsourcing Agreement Checklist By Lisa Abe-Oldenburg
Outsourcing Agreement Checklist By Lisa Abe-OldenburgOutsourcing Agreement Checklist By Lisa Abe-Oldenburg
Outsourcing Agreement Checklist By Lisa Abe-Oldenburg
 
Health Care IT Legal Issues
Health Care IT Legal IssuesHealth Care IT Legal Issues
Health Care IT Legal Issues
 
Overcoming the Challenges of Integration: The Legal Issues
Overcoming the Challenges of Integration: The Legal IssuesOvercoming the Challenges of Integration: The Legal Issues
Overcoming the Challenges of Integration: The Legal Issues
 
Accountability – Managing the Risks of Innovation Procurement
Accountability – Managing the Risks of Innovation ProcurementAccountability – Managing the Risks of Innovation Procurement
Accountability – Managing the Risks of Innovation Procurement
 
A Step By Step Guide To Growing A Technology Business The Legal Aspects O...
A Step By Step Guide To Growing A Technology Business   The Legal Aspects   O...A Step By Step Guide To Growing A Technology Business   The Legal Aspects   O...
A Step By Step Guide To Growing A Technology Business The Legal Aspects O...
 
Building Awareness Of The Business Case Is It A Rule Problem Or Is It Somet...
Building Awareness Of The Business Case   Is It A Rule Problem Or Is It Somet...Building Awareness Of The Business Case   Is It A Rule Problem Or Is It Somet...
Building Awareness Of The Business Case Is It A Rule Problem Or Is It Somet...
 
Cloud Computing presentation by Lisa Abe at the Canadian IT Lawyers Associat...
Cloud Computing  presentation by Lisa Abe at the Canadian IT Lawyers Associat...Cloud Computing  presentation by Lisa Abe at the Canadian IT Lawyers Associat...
Cloud Computing presentation by Lisa Abe at the Canadian IT Lawyers Associat...
 
Nanotechnology Law: The Legal Issues
Nanotechnology Law: The Legal IssuesNanotechnology Law: The Legal Issues
Nanotechnology Law: The Legal Issues
 
Nanotechnology Business Model
Nanotechnology Business ModelNanotechnology Business Model
Nanotechnology Business Model
 
Modern Software Licensing: New Trends and Options
Modern Software Licensing: New Trends and OptionsModern Software Licensing: New Trends and Options
Modern Software Licensing: New Trends and Options
 
Legal Implications And Pitfalls Of Drafting Technical Documentation
Legal Implications And Pitfalls Of Drafting Technical DocumentationLegal Implications And Pitfalls Of Drafting Technical Documentation
Legal Implications And Pitfalls Of Drafting Technical Documentation
 
Improvements And Gainsharing Oba March 8 2010
Improvements And Gainsharing   Oba March 8 2010Improvements And Gainsharing   Oba March 8 2010
Improvements And Gainsharing Oba March 8 2010
 

Cloud Computing Legal Risks And Best Practices

1. Cloud Computing: Legal Risks and Best Practices
A Bennett Jones Presentation
Toronto, Ontario
Lisa Abe-Oldenburg, Partner
Bennett Jones LLP
November 7, 2012
2. Introduction
• Security and Data Privacy
• Recent OPC Guidelines
• Compliance Issues
• Negotiating Contracts with Cloud Providers
• New Trends and Challenges
• Practical Tips
3. Security and Data Privacy
• Access to and security of the data stored in the cloud.
• When it comes to cloud computing, the security and privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so.
• There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada).
4. Security and Data Privacy
• The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing or cross-border data transfer, even when the cloud service provider is in another country.
• However, PIPEDA (and other privacy laws) establishes rules governing use of the cloud and data transfer, particularly with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.
5. Security and Data Privacy
• Cloud providers often serve multiple customers simultaneously. Many parties may have access to the data.
• Risk of exposure to possible breaches, both accidental and deliberate.
• Cloud computing may lead to “function creep”: uses of data by cloud providers that were not anticipated when the information was originally collected and for which consent has typically not been obtained.
• Given how inexpensive it is to keep data, there is little incentive to remove the information from the cloud and more reasons to find other things to do with it.
6. Security and Data Privacy
• Need security protocols maintained at every stage
• Strict policies as well as enforcement measures need to be reviewed to ensure that the data is being kept confidential
• A detailed audit assessment may be required of the security protocols before an organization signs up with the service
• Tools such as Privacy Impact Assessments (PIA) or Threat Risk Assessments (TRA) could be valuable to help make assessments of safeguards
• Use of external auditors to ensure the industry standards of security protocols are being met by the service provider
7. Recent OPC Guidelines
• The Office of the Privacy Commissioner of Canada (OPC), along with the Privacy Commissioners of Alberta and BC, developed a Guidance Document for Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations
• Organizations must ensure they fully understand their obligations under Canada’s private sector privacy legislation, including those under certain provincial privacy legislation, and they need to carefully assess the risks against the benefits.
• Organizations considering a cloud computing service should carefully consider what information will be stored in the cloud and why.
8. Recent OPC Guidelines
• Organizations must consider the sensitivity of the personal information and carefully assess all the risks and implications involved in outsourcing personal data to the cloud. This assessment should also take into account whether the cloud is a public cloud, community cloud, private cloud or hybrid cloud, as defined in the OPC’s Introduction to Cloud Computing.
• The sensitivity of the information, the type of cloud, and the contractual arrangements should all play a key role in an organization’s decision to move, or not to move, personal information to the cloud.
• The Guideline recommends seeking professional advice in assessing the risks of using a cloud service provider.
9. Recent OPC Guidelines
• In order to ensure that personal information is protected, organizations using cloud computing services should:
• Limit access to the information and restrict further uses by the provider. Set parameters for restricted access and use of personal information that are appropriate for the context and sensitivity of the information. Find out if personal information will be segregated or stored in the same database as information from the cloud provider’s other clients. Ensure access to personal information is only granted to those who need it to do their job. Ensure that access to personal information is logged in protected audit trails. Do not assume that the provider’s general terms of service or policies will be adequate to establish such restrictions; review them carefully.
10. Recent OPC Guidelines
• Ensure that the provider has in place appropriate authentication/access controls. Stronger methods of authentication are recommended, such as multi-factor authentication. The level of authentication should be commensurate with the risk to the personal information being protected. Ensure there are procedures and technical controls to manage who has access rights to the personal information.
• Manage encryption. Understand what type of encryption method is being used and identify where data is encrypted or unencrypted at each stage (e.g., data in transit, data at rest). Conduct an assessment of the risks associated with any lack of encryption. Determine if the encryption method is adequate and the access to encryption keys is properly managed. Risks may be reduced if organizations encrypt personal information before it is sent to the cloud provider.
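The last point on this slide, encrypting personal information before it is sent to the cloud provider, is the one item here that is a technical control rather than a contractual one. The Go program below is an added example written for this page; it is not part of the presentation or of any OPC material. The organization generates and keeps an AES-256-GCM key, encrypts each record before upload, binds the record identifier to the ciphertext as associated data, and verifies the authentication tag when the record comes back. The provider, or anyone who obtains its storage, sees only the identifier and ciphertext, and any modification or relabelling of a stored record is detected on decryption. The record identifier and sample data are constructed for the example; where the key actually lives (an HSM or a key-management service the organization controls, never the provider) is assumed and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CustomerKey is the organization's own data-encryption key. Generated in
// memory here for the example; in practice it is held in an HSM or KMS the
// organization controls, so the cloud provider never has it.
type CustomerKey struct {
	key []byte // 32 bytes: AES-256
}

func NewCustomerKey() (*CustomerKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &CustomerKey{key: k}, nil
}

// StoredRecord is what the cloud provider receives and keeps: the record
// identifier in the clear (so the provider can index it) plus the nonce and
// ciphertext. Nothing in it is readable without the customer's key.
type StoredRecord struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

func (k *CustomerKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before it leaves the organization. The record ID
// is passed as associated data: authenticated but not encrypted, so a stored
// ciphertext cannot later be served back under a different record's ID.
func (k *CustomerKey) Seal(id string, plaintext []byte) (*StoredRecord, error) {
	g, err := k.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(id))
	return &StoredRecord{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record fetched back from the provider and verifies the GCM
// tag. Any change to the ciphertext, the nonce or the ID fails with an error.
func (k *CustomerKey) Open(r *StoredRecord) ([]byte, error) {
	g, err := k.aead()
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return nil, errors.New("record " + r.ID + ": authentication failed")
	}
	return pt, nil
}

// Tampered returns a copy of r with one ciphertext byte flipped, as a
// provider-side corruption or a malicious edit of stored data would produce.
func Tampered(r *StoredRecord) *StoredRecord {
	ct := append([]byte(nil), r.Ciphertext...)
	ct[0] ^= 0x01
	return &StoredRecord{ID: r.ID, Nonce: r.Nonce, Ciphertext: ct}
}

func main() {
	k, _ := NewCustomerKey()
	// Constructed sample record; the ID is what the provider indexes on.
	rec, _ := k.Seal("patient-0042", []byte("Jane Doe, DOB 1980-01-01"))
	fmt.Printf("provider stores: id=%s ciphertext=%x\n", rec.ID, rec.Ciphertext)
	pt, _ := k.Open(rec)
	fmt.Printf("organization reads back: %s\n", pt)
	_, err := k.Open(Tampered(rec))
	fmt.Println("tampered copy:", err)
}
```

Because the ID is associated data, the provider cannot substitute record A's ciphertext for record B's without decryption failing, which is the integrity half of the "data segregation and isolation" assurance the contract slides ask for. Two caveats a practitioner would add: a GCM nonce must never repeat under one key, so for very large volumes rotate keys or use a nonce-misuse-resistant mode, and client-side encryption only helps if the key is managed outside the provider, which is exactly the key-management question the slide says to ask.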
11. Recent OPC Guidelines
• Ensure that there are procedures in place in the event of a personal information breach or security incident. These should include technical and organizational measures that will be implemented in the event of accidental or deliberate loss, or unauthorized access or disclosure of personal information. Ensure there are provisions in the agreement with the cloud provider that specify when it will provide notification to the organization in the event of a security breach. Organizations subject to breach notification requirements will want to ensure the contract is clear about when the cloud provider is to provide reports on breaches in order for it to meet its legal obligations.
• Ensure that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss. Business continuity plans should be clearly documented in the contract.
12. Recent OPC Guidelines
• Ensure periodic audits are performed. It is important for an organization to have some measure of oversight over a cloud provider’s policies and practices. Ensure the cloud provider logs all accesses and uses of personal information. Audits should be conducted periodically to inspect access logs and the physical locations where personal information is processed and stored. Organizations should verify practices and procedures to ensure the provider is handling personal information in accordance with the agreements in place and request evidence of effective auditing and timely response to security incidents.
• Have an exit strategy. Ensure the termination procedures permit the transfer of personal information back to the organization and require that the cloud provider securely delete all personal information within reasonable and specified timeframes.
13. Compliance Issues
• Statutes, regulations and guidelines that apply to a particular industry sector in a particular jurisdiction may require specific compliance, such as service level terms, data recovery terms, data security regimes, audit provisions and processes for retaining and selecting any third party service provider.
• The organization transferring data to the cloud provider is ultimately accountable for its protection. It needs to ensure that the data is appropriately handled in compliance with any regulatory requirements.
14. Compliance Issues
• A cloud service provider may not have standards, controls or notification processes that meet OSFI, PIPEDA or other statutory or regulatory requirements
• In Alberta, for example, there are specific breach notification requirements and requirements to notify individuals when personal information is transferred to a service provider located outside of Canada.
15. Compliance Issues
• International issues: cross-border data transfer, compliance with foreign jurisdiction laws, export controls
• It is important to note that many non-Canadian-based cloud providers may also be subject to PIPEDA. To the extent that a cloud provider has a real and substantial connection to Canada, and collects, uses or discloses personal information in the course of a commercial activity, the provider is expected to protect personal information in keeping with PIPEDA.
16. Compliance Issues
• For more information on outsourcing of personal data processing across borders, please see the Privacy Commissioner's Guidelines for Processing Personal Data Across Borders. These considerations apply whether moving data in the cloud or otherwise.
17. Negotiating Contracts with Cloud Providers
• Unlike outsourcing, many more parties are involved in a cloud based service model:
• a platform provider
• a provider of servers
• the data centre provider
• data centre operator(s)
• OS provider
• applications software providers
• a reseller, distributor or broker
• Disaster Recovery or Business Continuity Provider
• As a result it is a complex contracting environment
• No contractual privity between the customer and many of the parties involved in the cloud services
18. Negotiating Contracts with Cloud Providers
• Typical contract structures that may be encountered in a cloud service arrangement are:
• Terms of Service
• Service Level Agreement
• Acceptable Use Policies
• Privacy Policies
• Important points need to be negotiated before the contract is executed
19. Negotiating Contracts with Cloud Providers
• As a low-cost commodity service, the service provider seeks to keep transaction costs down and simplify managing obligations to the customers
• services provided by the cloud service provider are usually on standard terms
• terms are often non-negotiable
• tend to strongly favour the service provider
• the cloud provider often leaves open the option to unilaterally change the agreement, limit its liability for the information, and/or subcontract to various other providers.
20. Negotiating Contracts with Cloud Providers
• Organizations sometimes find that cloud providers present “take it or leave it” contracts. In other words, the provider sets the parameters of the relationship, and the contracting organization is required to go along with it in order to use the service. This tends to be the case with low cost online services offered by cloud providers.
• The risk is that the terms of service that govern the relationship with the cloud service provider sometimes allow for more liberal usage of personal information and retention practices, and these standard contract clauses may not be sufficient to allow organizations to meet their privacy obligations.
21. Negotiating Contracts with Cloud Providers
• Many cloud agreements do not take responsibility for the customer's data
• Ultimate responsibility for the preservation of confidentiality and integrity of data is on the customer
• Some standard terms reserve the right to delete customer data for breach of a term of the contract, e.g. non-payment
22. Negotiating Contracts with Cloud Providers
• Warranties in general are limited
• Even when warranties are available, they often exclude any data loss, corruption or service
• Need to still have traditional representations and warranties, e.g. performance of the service must not interfere with or breach third party rights, whether intellectual property, contractual or other rights
23. Negotiating Contracts with Cloud Providers
• If you are not comfortable with what a particular cloud provider is proposing, you should not transfer personal information entrusted to you by your customers to that provider. You should push back, or take the time to shop around for a better solution.
• Since the data and processing infrastructure will be outside the customer's control and influence, the vital issues a customer seeks to address include:
• Service security
• Trade secret protection, information confidentiality
• Data integrity
• Compliance with privacy laws and regulations
• Potential secondary uses of the data
• Assurance of data segregation and isolation
24. Negotiating Contracts with Cloud Providers
• Other terms dealing with data management include:
• Data ownership provisions
• Determining how the data is being used. For example, whether the data stored on the servers of the cloud service provider is also going to be used by the service provider, or accessed by others
• When the customer (who owns the data) can obtain copies of information that are stored in the cloud
• Data backup and recovery
• At what time intervals copies of the information or data are to be transmitted to the customer
• Data breach notification, whether by cloud provider or data host
• Geographical locations of data
• Compliance with local security and data protection laws and regulations, including positive data breach notification statutes
25. Negotiating Contracts with Cloud Providers
• Organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices. These types of obligations and controls need to be in contracts with any subcontractor, outsourcer or cloud service provider that is engaging in any of these activities on behalf of an organization.
26. Negotiating Contracts with Cloud Providers
• You must use contractual or other means to ensure that the personal information transferred to the third party is appropriately protected. Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remains protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA.
27. Negotiating Contracts with Cloud Providers
• Service level agreements are critical
• Outages, downtimes, response times
• During an outage, one may not be able to access data or software and disruption of business operations may occur
• SLA should state what happens when data is lost due to a service interruption
• Most SLAs contain no guarantee of quality of the service and the sole remedy may be service credits, subject to a cap on liability
• Service levels are typically subject to scheduled downtime for maintenance and are also subject to internet or 3rd party down time; need to review and assess impact on business
28. Negotiating Contracts with Cloud Providers
• SLAs should include a duty of care, diligence and professionalism reasonably commensurate with the standards and practices with which such services are performed and delivered in the customer's jurisdiction
• Performance risk transfers to the service provider, who is better able to mitigate those risks
• Therefore performance outcomes and results need to be clearly stated as obligations of the provider in the contract
Negotiating Contracts with Cloud Providers
• Dealing with termination of the cloud services:
  • provisions relating to changing of service providers
  • exit strategy or transition plan
  • how and when the data is to be delivered
  • delivery of data as per the agreed delivery format
  • commitment by the vendor to destroy all customer data
• Need express disaster recovery and contingency planning obligations
  on the cloud service provider
Negotiating Contracts with Cloud Providers
• Problematic terms to watch out for:
  • Very low limits on service provider's liability, disclaimers,
    short limitation periods
  • Exclusion of liability even if service provider had knowledge
  • No indemnities by service provider for third party claims; broad
    indemnities by customer for violation, conduct, content
  • Terms not visible, may be cross-referenced and unilaterally
    amended by service provider, deemed acceptance by use, especially
    if there are dependencies on other providers
Negotiating Contracts with Cloud Providers
• Problematic terms to watch out for (cont.):
  • hidden fees (e.g. for data backup, retrieval), service failures
  • data encryption, cleansing and backup obligations pushed onto
    customer
  • no restrictions on subcontracting, no background checks
  • indefinite term of contract, termination by provider
  • failure to notify of data breach
  • freezing of accounts and no access to data upon termination or
    deletion (data hijacking until fees paid or dispute resolved)
New Trends and Challenges
• Cloud computing can significantly reduce the cost and complexity of
  owning and operating computers and networks. If an organization uses
  a cloud provider, it does not need to spend money on information
  technology infrastructure, or buy hardware or software licences.
• Pay-per-use or consumption-based pricing has been one of the most
  attractive features of cloud computing.
• Cloud services can often be customized and flexible to use, providing
  scalability and better service levels, and offer advanced services
  that an individual company might not have the money or expertise to
  develop.
New Trends and Challenges
• For businesses that are considering using a cloud service, cloud
  computing could offer better protection of personal information
  compared with current security and privacy practices. Through
  economies of scale, large cloud providers may be able to use better
  security technologies than individuals or small companies can, and
  have better backup and disaster-recovery capabilities.
• Cloud providers may also be motivated to build privacy protections
  into new technology, and to support better audit trails.
New Trends and Challenges
• On the other hand, while cloud computing may not increase the risk
  that personal information will be misused or improperly exposed, it
  could increase the scale of exposure. The aggregation of data in a
  cloud provider can make that data very attractive to cybercriminals,
  for example. Moreover, given how inexpensive it is to keep data in
  the cloud, there may be a tendency to retain it indefinitely, thereby
  increasing the risk and scale of breaches.
New Trends and Challenges
• Frequently, organizations find that employees have already moved
  personal information to a cloud service without IT staff or
  management being aware. For example:
  • Employees may be using a cloud-based e-mail service for business
    correspondence
  • Employees may be using an online service to collaborate on
    documents
  • Client databases that are accessible online from any location
    could be hosted in the cloud
• An organization that outsources personal data for processing or
  other services to a cloud service provider remains accountable for
  protecting its customers’ personal information, and it must be
  transparent about its information management and privacy practices.
• Corporate policies need to be implemented.
Practical Tips
• Due diligence of cloud provider, processes, systems and controls –
  audits, certifications, testing
• Insist on transparency. Identify the cloud support parties, type,
  processes, data flow, locations/jurisdictions, security, business
  resumption planning
• Select configurations and controls
• Specify ownership and obtain assignments of rights if needed
• Analyze contracts and, if you can’t negotiate necessary changes,
  implement internal process changes or controls over what gets onto
  the cloud
• Think way ahead – contractual requirements should be part of any RFP
Conclusion
Cloud computing offers benefits for organizations and individuals.
There are also privacy and security concerns. If you are considering a
cloud service, you should think about how personal information and
data can best be protected. Carefully review the terms of service or
contracts, and challenge the cloud service provider to meet your needs.
Questions?
• This presentation contains statements of general principles and not
  legal opinions and should not be acted upon without first consulting
  a lawyer who will provide analysis and advice on a specific matter.

Lisa K. Abe-Oldenburg, B.Comm., J.D.
Abe-oldenburgL@bennettjones.com
Tel.: 416-777-7475
www.bennettjones.com