LEGAL NUANCES TO THE CLOUD




CLUBHACK 2012
RITAMBHARA AGRAWAL
01 DECEMBER 2012
ISSUES, RISKS & MITIGATION


Legal Issues
   • Security & Privacy of Data
   • Confidentiality
   • Ownership
   • Liability
   • Attacks
   • Compliances
   • Contracts
   • Termination & Exit
   • Jurisdiction

Risks
   • Loss of Data
   • Choice of Law
   • Disclosure of trade secrets
   • Recovery
   • Data Segregation
   • Portability
   • Sharing of Data with 3rd Party

Mitigation
   • Encryption of Data
   • Define each Party’s liability
   • Pre-contract due-diligence, contract negotiation, post-contract monitoring, termination
   • Right to Audit to check location & compliances

                                                                       2
LEGAL CHALLENGES IN CLOUD




LEGAL ISSUES
   • SECURITY
   • COMPLIANCES
   • JURISDICTION
   • CONTRACTUAL LIMITATIONS
   • TERMINATION & EXIT
   • ATTACKS
   • OWNERSHIP




                                                                   3
SECURITY & PRIVACY


Security & Privacy
   • Physical location of the data centers
   • Encryption of data
   • Multi-tenant architecture
   • Adversity and intrusion
   • Data mining by the service provider
   • Access rights management
   • Different users’ data are usually stored on a single virtual server
   • Multiple virtual servers run on a single physical server


                                                                      4
SERVICE LEVEL AGREEMENTS


Service Level Agreements
   • Non-negotiable SLAs (often click-wrap agreements)
   • If the SLA is non-negotiable, a higher degree of reporting should be integrated in the Agreement
   • Additional options for termination should be available
   • Little opportunity to conduct due diligence
   • Strong limits on liability are included (including direct liability)
   • Terms are often subject to change without prior intimation
   • Risk is usually shifted to the user through provider-friendly agreements


                                                                                             5
MULTIPLE PARTIES



Multiple Parties
   • Involvement of multiple parties lets each shift onus & liability onto another
   • Liability of sub-contractors is often limited or disclaimed in its entirety
   • Lack of contractual privity makes it difficult to hold the provider accountable for any breach
   • Liability of the provider for the acts of the sub-contractor
   • The right to conduct due diligence and to understand the model of delivery of services should be given to the customer.



                                                                                           6
DATA PROTECTION, RIGHTS & USAGE

Data Protection & IP Rights
   • Define data clearly; it is not a given that all data belongs to the customer
   • Specify ownership rights
   • Define the rights granted to the provider and the restrictions on its monitoring of and access to data
   • Third-party access to the data
   • Non-Disclosure Agreement with the service provider
   • Ensure no rights are transferred to the service provider
   • Check whether backup and transfer of data are permitted


                                                                                    7
JURISDICTION


Cross-Border Data Flow
   • Data flows across various borders
   • Cloud servers are located in different countries; the location of data is uncertain
   • Complications of conflicting laws
   • A dispute can be subject to various countries’ legal systems
   • Jurisdictional issues & dispute resolution mechanism



                                                                                             8
COMPLIANCES



Compliances
   • Country- and data-specific compliances
   • The owner is equally liable with the service provider to ensure compliance with the law
   • HIPAA, SOX, SAS 70 I & II, GLB, PCI DSS, FERPA and State Laws
   • E.g. HIPAA mandates standard practices to ensure security, confidentiality and data integrity for healthcare-related data
   • Failure to comply with the applicable regulations carries legal implications


                                                                             9
TERMINATION & EXIT



Termination & Exit
   • Interoperability of data after termination
   • Data portability from one vendor to another and bringing it entirely back in-house
   • In case of exit, can the records be successfully accessed?
   • Can data be extracted from the cloud?
   • Obligations of each party in case of exit



                                                                                           10
ATTACKS




Attacks
   • Hacking, virus, malware disruptions, browser attacks, tampering, network security attacks, SQL injection
   • These induce threats to data & network security, data locality, data integrity, data access and data segregation
   • Areas affected: authorization & authentication, data confidentiality, web application security, data breaches, availability & back-up




                                                                                      11
CASE STUDIES- SONY




Chain of events:
   • Sony laid off many of its security personnel
   • Failure to protect over 100 million user records
   • Attacks on Sony PlayStation Network, Sony Online Entertainment & Sony Pictures
   • A dozen data breaches, ongoing customer relations fallout & class-action lawsuits
   • Customers reusing passwords face the risk of attackers accessing their other accounts as well




                                                                                     12
CASE STUDIES



EPSILON
   • Spear-phishing attack leading to a breach affecting its clients’ and customers’ data
   • Approximately 60 million customer email addresses were breached
   • Lesson: the company outsourcing the job is equally responsible for the security of the customer data

YAHOO
   • Hackers used SQL injection to access the database that fed the server hosting the site
   • Exposed 4,50,000 (450,000) usernames and passwords
   • Yahoo didn’t store the data in cryptographic form and left it in plain text, making it vulnerable to attack

LINKEDIN
   • Hackers breached the site, stealing more than 6 million customers’ passwords, which were very lightly encrypted, & posted them on a Russian hacker forum




                                                                                            13
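The Yahoo and LinkedIn items above both come down to how passwords were stored. The following is an added example, not code from the talk or from any of the companies named: it places the two failing storage patterns (plaintext; a fast unsalted hash, used here as the usual illustration of "lightly encrypted" since the slide names no algorithm) beside a salted, deliberately slow key-derivation scheme, and counts how many stored values collide in each table. The user records are constructed sample data and the iteration count is an assumption to tune to your own hardware budget.

```python
"""
Password storage: the failure modes from the Yahoo and LinkedIn case
studies beside a hardened alternative.

Added illustrative example; not code from the talk or from the companies
named. All user records below are constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed sample credentials (not real accounts). Two users share a
# password on purpose, which is a common situation in any real user base.
SAMPLE_USERS = [
    ("alice", "Summer2012!"),
    ("bob", "Summer2012!"),
    ("carol", "correct horse battery staple"),
]

PBKDF2_ITERATIONS = 200_000  # assumption: pick for your own hardware budget


def store_plaintext(username, password):
    """Failure mode 1 (Yahoo case): the record holds the password itself.
    Whoever reads the table (e.g. via SQL injection or a leaked backup)
    has every password immediately."""
    return {"user": username, "password": password}


def store_unsalted_sha1(username, password):
    """Failure mode 2 (LinkedIn case, 'lightly encrypted'): a fast hash with
    no salt. Equal passwords give equal digests, and precomputed tables or
    GPU brute force recover most of them quickly. (Unsalted SHA-1 is an
    assumption used for illustration; the slide names no algorithm.)"""
    return {"user": username, "sha1": hashlib.sha1(password.encode()).hexdigest()}


def store_salted_pbkdf2(username, password, iterations=PBKDF2_ITERATIONS):
    """Hardened form: per-user random salt plus a slow key-derivation
    function. The record holds only salt, iteration count and derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "user": username,
        "salt": salt.hex(),
        "iterations": iterations,
        "dk": dk.hex(),
    }


def verify_pbkdf2(record, candidate):
    """Recompute the derived key from the stored salt and iteration count,
    then compare in constant time so timing does not leak a partial match."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk, bytes.fromhex(record["dk"]))


def count_duplicate_digests(records, field):
    """Number of colliding stored values. A leaked table with collisions tells
    an attacker which users share a password before any cracking starts;
    a salted table shows none even when users share passwords."""
    values = [r[field] for r in records]
    return len(values) - len(set(values))


if __name__ == "__main__":
    plain = [store_plaintext(u, p) for u, p in SAMPLE_USERS]
    weak = [store_unsalted_sha1(u, p) for u, p in SAMPLE_USERS]
    strong = [store_salted_pbkdf2(u, p) for u, p in SAMPLE_USERS]
    print("plaintext duplicates   :", count_duplicate_digests(plain, "password"))
    print("unsalted sha1 duplicates:", count_duplicate_digests(weak, "sha1"))
    print("salted pbkdf2 duplicates:", count_duplicate_digests(strong, "dk"))
    print("alice correct password  :", verify_pbkdf2(strong[0], "Summer2012!"))
    print("alice wrong password    :", verify_pbkdf2(strong[0], "Winter2012!"))
```

Run as a script, the plaintext and unsalted tables each show one collision (alice and bob), while the salted table shows none and still verifies alice's password correctly; that difference is what "cryptographic form" on the slide needs to mean in practice.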
MITIGATION OF RISK



Security
   • Evaluation of the service provider’s security policy
   • Encryption to protect confidentiality & integrity of data
   • A suspected data breach must be addressed

Contract
   • Identifying relative risks between the parties, like ownership of data, data protection guidelines, trade secrets, indemnities, jurisdiction
   • Pre-contract due-diligence, negotiable SLA
   • Planned & unplanned termination of the Agreement & return of data & assets
   • Liability of each party in the event of breach of contract
   • Ownership of data

Audit
   • Right to audit to check the compliances
   • To check the location of the data to ensure compliance with legal & statutory provisions




                                                                                                  14
Thank you



      INDIA
      A-42/6, Sector-62, Noida-201301
      Tel: +91-0120-47040722, +91 -0120-4740700
      Fax: + 91 11 2741 8595

      USA
      Suite 119, 2 Davis Drive, Research Triangle
      Park, Durham (NC)-27709
      Ph: 1 262 432 1718; Fax: 1 877 895 9706

      E-mail: info@intelligere.in
      www.intelligere.in




                                                    15
