This document discusses data security and privacy risks associated with cloud computing. It identifies 8 key risks: 1) regulatory requirements regarding data security and privacy, 2) practical data hazards like weak access protection, 3) meeting legal holds for litigation documents, 4) complying with European data privacy laws, 5) low-cost cloud providers having limited protections and liability, 6) tier 1 cloud providers still potentially falling short of legal obligations, 7) insufficient control over software changes, and 8) responsibility for costs of database breaches. The document is presented by William Tanenbaum, chair of the technology and outsourcing group at Kaye Scholer LLP, to highlight legal and practical risks companies should consider regarding data security and privacy

1. Chicago . Frankfurt . London . Los Angeles . New York . Palo Alto . Shanghai . Washington DC . West Palm Beach
Data Security and Privacy Risks in
Cloud Computing
William A. Tanenbaum
Chair, Technology, Intellectual Property & Outsourcing Group, and
Chair, GreenTech and Sustainability Group
Kaye Scholer LLP
New York and Palo Alto Offices

2. Audience Poll
• Do you have company trade secrets in
the Cloud?
• Do you have contractual consent to use
U.S. health and financial personal data?
• Do you have customer data from Europe
in the Cloud?
• Has a court ordered you to preserve
litigation documents?
• Will your Cloud provider pay for costs of
database breaches?
60350343.PPTX

3. Data Security vs. Privacy
• To identify and protect against
your risks, you need to
distinguish between company
data and personally identifiable
information (“PII”)
• Unauthorized access vs.
impermissible use
60414334.PPTX

4. Risk No. 1: Regulatory Requirements
• Data security requirements
imposed by US regulations
– HIPPA, HITECH, GLB, SOX,
FTC Act § 5, FERPA,
Massachusetts, other states
• Raises audit issues
• Also export control
regulations
60350343.PPTX

5. Risk No. 2: Practical Data Hazards
• Weak technical access
protection
• Provider’s employees
• Provider’s subcontractors
• Lack of transparency
• Lack of customer control
60350343.PPTX

6. Risk No. 3: Litigation Holds
• Can you meet litigation
document hold requirements
if your data is in the Cloud?
• Is metadata a legal and
practical solution?
• Who pays tagging costs?
60350343.PPTX

7. Risk No. 4: Can You Use Available Legal
Options Under EEA Law?
• Safe Harbor
• Approved Clauses
• Binding Corporate
60350343.PPTX

8. Risk No. 5: Low Price Comes at a Cost
• Generally, Utility Cloud
providers:
– Rely on third party platforms
and software
– Use one-sided contracts
– No ability to negotiate stronger
protections
– No service levels
– Disclaim liability
• Conclusion: may not meet
customer’s legal
obligations
60350343.PPTX

9. Risk No. 6. Do Tier 1 Providers Go Far
Enough?
• Offer Private Clouds, but
they may still fall short of
legal obligations
• Offer more location
specificity, but still may fall
short
• Pay extra for data security
• At some point, tips into
custom data center and
hosting services, and
becomes more ITO than
Cloud
60350343.PPTX

10. Risk No. 7: Is There Sufficient Software
Change Control?
• If Provider changes software or
version, will your software still
work?
• Can compromise on advance
notice?
• Caution: what do online terms
and conditions allow?
60350343.PPTX

11. Risk No. 8: Database Breaches
• Who bears cost of:
– Determining liability and exposure
under state law?
– Providing statutory notices?
– Providing identity protection
services?
– Providing call centers and other
customer-facing remediation?
– Government investigations?
– Infrastructure upgrades?
60350343.PPTX

12. Questions and Answers
William A. Tanenbaum
Chair, Technology, Intellectual
Property & Outsourcing Group
Chair, GreenTech and
Sustainability Group
Kaye Scholer LLP,
New York and Palo Alto
wtanenbaum@kayescholer.com
212-836-7661
60350343.PPTX

13. William A. Tanenbaum
wtanenbaum@kayescholer.com
• William A. Tanenbaum is the international chair of both Kaye Scholer’s Technology, Intellectual
Property & Outsourcing Group and its GreenTech and Sustainability Group, and works in the
firm’s New York and Palo Alto offices. Legal Researcher Chambers found that Bill:
• “built one of New York City‟s most outstanding transactional IT practices,”
• is an “internationally recognized intellectual property, technology and outsourcing lawyer,”
• is a “well-respected attorney, with a well-informed approach [who] provides litigation,
transaction work and strategic counseling on a range of technology and outsourcing-related
issues,”
• is “efficient, solution-driven and makes excellent judgment calls,”
• is “a leading light” in outsourcing with “household names” in his client roster,
• is “an acknowledged expert on the convergence of mainstream business with cleantech,” and
that
• “clients highlight his IP experience but „commend his command of the whole deal.‟”
• The Legal 500 publication found that Bill is “an outstanding attorney with a deep knowledge
and understanding of technology and outsourcing and a deeply principled and trustworthy
colleague.”
60350343.PPTX

14. William A. Tanenbaum (cont’d)
• Bill’s Information Technology Law practice has been recognized for over ten years by Best
Lawyers and was ranked in the First Tier in New York in the 2010 Best Law Firms Survey
by U.S. News and World Report. Because of the strength of his Group’s practice, Kaye
Scholer was named as the “Internet & E-Commerce Law Firm of the Year” by The Lawyers
World Law Awards 2011. He is a past President of the ITech Law Association and a graduate
of Brown University (Phi Beta Kappa), Cornell Law School, and the Bob Bondurant School of
High Performance Driving. Chambers recognized him as a “Leading Individual” and awarded
him “Recommended” ratings in both “Technology and IT Outsourcing” and “Business Process
Outsourcing,” and named him as a “Notable Practitioner” at the national level in Outsourcing.
He was voted one of the World‟s Top 250 IP strategists (IAM client survey) and he was
selected as one of the country‟s top 25 pre-eminent IT practitioners in the Best of the Best
USA. He regularly advises clients on strategic intellectual property concerns, privacy, data
security, data transfer, information life cycle management and competitive intelligence matters,
in both transactional and litigation contexts. His the founder and co-chair of PLI’s annual legal
Outsourcing Conference and the founder and chair of PLI’s annual GreenTech Law and
Business Conference. He is listed in Who‟s Who in America, the International Who‟s Who of
Business Lawyers, the Guide to the World‟s Leading Litigation Experts and the Guide to the
World‟s Leading Patent Law Experts. He was the privacy and data protection columnist for the
New York Law Journal, co-author of a book on privacy law and has been quoted in The
Economist magazine as an expert on IP law. His articles have been used at Harvard and
other law schools.
60350343.PPTX

15. Chicago . Frankfurt . London . Los Angeles . New York . Palo Alto . Shanghai . Washington DC . West Palm Beach
Copyright ©2011 by Kaye Scholer LLP. All Rights Reserved. This publication is intended as a general guide only. It does not
contain a general legal analysis or constitute an opinion of Kaye Scholer LLP or any member of the firm on legal issues described.
It is recommended that readers not rely on this general guide in structuring individual transactions but that professional advice be
sought in connection with individual transactions. References herein to “Kaye Scholer LLP & Affiliates,” “Kaye Scholer,” “Kaye
Scholer LLP,” “the firm” and terms of similar import refer to Kaye Scholer LLP and its affiliates operating in various jurisdictions.