Business is based on trust. In the cloud, to deserve the trust of its customers and others, a company must be able to demonstrate that it protects the privacy and security of the data in its custody. It must communicate clearly and specifically the nature and extent of the measures taken to protect these data, and show how they meet the existing legal and regulatory requirements, standards, best practices and benchmarks. Customers, on the other hand, need tools to evaluate and compare different offerings so that they can decide which one deserves their trust and their business.
2. The House of Cards
The cloud ecosystem is very fragile. It is a huge house of cards where layers sit on top of other layers. If one layer fails, the whole house of cards is likely to collapse.
3. The cloud is based on dependencies.
An organization depends on many others to operate. The glue that can help keep the Cloud House of Cards from collapsing is made of:
- Transparency
- Accountability
- Trust
4. General Principles
An organization:
- Is responsible for data under its control, including data that have been transferred to third parties for processing
- Should implement policies and practices to protect data in its custody, including:
  - Implementing procedures to protect the privacy and security of personal information
  - Training staff on the organization's policies and practices
  - Developing information to explain the organization's policies and procedures
- Should use contractual or other means to provide comparable levels of protection while the data are being processed by a third party
5. In practice: A Recipe for Trust?
- Comply with applicable laws
- Abide by the promises made in contracts
- Implement appropriate measures to protect the privacy and security of data in the company's custody:
  - Relevant to the type of data to be protected
  - Taking into account the state of technology and the threats to the data
- Require the same from contractors and service providers
- Communicate clearly with constituents (customers, employees, business partners):
  - Clear, detailed, understandable disclosures
  - Metrics, certification, attestation
7. FTC Consent Decrees
Recent FTC actions for lax security practices:
- GMR Transcription Services, Inc. (Jan 31, 2014): provider of medical transcription services
- Foru International Corporation (Jan 7, 2014): manufacturer of nutritional supplements
- GeneLink (Jan 7, 2014): manufacturer of nutritional supplements
- Accretive Health, Inc. (Dec 31, 2013): medical billing and revenue management service for hospitals
- TRENDnet, Inc. (Sep 4, 2013): telesurveillance (Internet-connected video cameras)
8. FTC Consent Decree Requirements
- Designate employee(s) to coordinate and be accountable for the information security program
- Identify material internal and external risks to the security, confidentiality and integrity of personal data that could result in unauthorized disclosure, misuse, loss, etc.
- Assess the sufficiency of the safeguards in place to control these risks, especially:
  - Information systems
  - Employee training and management
  - Prevention, detection and response to attacks
- Design and implement reasonable safeguards to control the risk
- Regularly test and monitor the effectiveness of the safeguards
- Develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require them by contract to establish, implement and maintain appropriate safeguards
- Evaluate and adjust the program in light of the results of the testing and monitoring
9. HIPAA - Privacy & Security Rules
Security Rule, 45 CFR §164.300 et seq.
- 45 requirements, including:
  - Administrative Safeguards
  - Physical Safeguards
  - Technical Safeguards
Breach Notification Rule, 45 CFR §164.400 et seq. (covered entities) and 16 CFR Part 318 (PHR vendors and related entities)
- Notification of individuals
- Notification of the Secretary (covered entities) or the FTC (PHR vendors)
- Notification of the media
Privacy Rule, 45 CFR §164.500 et seq.
10. HIPAA - Business Associates
45 CFR §164.308(b)(1):
"A covered entity may permit a business associate to create, receive, maintain or transmit ePHI on the covered entity's behalf ONLY if the covered entity obtains satisfactory assurances … that the business associate will appropriately safeguard the information"
45 CFR §164.308(b)(3):
The organization must "document the satisfactory assurances … through a written contract or other arrangement with the business associate that meet the … requirements"
11. European Union – Data Controllers
EU Data Protection Directive + its implementation in the national laws of the EU Member States
Article 17 – Security of the Processing
Subsection 1:
"[Data] controllers must implement appropriate technical and organizational measures to protect personal data against … all unlawful forms of processing…"
"Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected"
Subsection 2:
"[Data] controller must, where the processing is carried out on its behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures"
12. European Union – Data Processors
EU Data Protection Directive
Article 17 – Security of the Processing
Subsection 3:
"The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller, and stipulating, in particular, that:
- The processor shall act only on instructions from the controller
- The obligations [to implement appropriate technical and organizational measures to protect personal data] … shall also be incumbent on the processor"
Subsection 4:
"For the purposes of keeping proof, the parts of the contract or legal act relating to data protection and the requirements relating to the [technical and organizational security measures] … shall be in writing or in another equivalent form."
13. European Union – Cross-border Data Transfer Restrictions
EU Data Protection Directive + EU Member States' national laws
Article 25:
Cross-border data transfer out of the EU/EEA is prohibited unless the third country in question ensures an adequate level of protection
Article 26(2):
Cross-border data transfer is permitted if the controller adduces adequate safeguards with respect to the protection of the privacy of individuals; such safeguards may result from appropriate contractual clauses
Implemented in:
- Standard Contractual Clauses
- Safe Harbor Program
14. US/EU Safe Harbor Principles
Notice / Choice / Access Principles
Security Principle:
Take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction
Onward Transfer Principle:
Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it:
- Ascertains that the third party subscribes to the [EU Safe Harbor] Principles, or is subject to the [1995 EU Data Protection] Directive; or
- Enters into a written agreement with such third party requiring at least the same level of privacy protection as is required by the relevant Principles.
15. Canada
PIPEDA
Principles for the Protection of Personal Data (see: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-19.html#h-25)
Principle 7 – Safeguards:
"Personal information shall be protected by security safeguards appropriate to the sensitivity of the information."
Principle 1 – Accountability:
"An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party for processing. The organization must use contractual or other means to provide a comparable level of protection when the information is being processed by a third party."
17. Are you Contracting with a Third Party?
3-step process:
- Conduct appropriate due diligence to determine whether the third party uses, and will continue to use, appropriate security and other measures
- Enter into a written contract that requires the third party to use these appropriate security measures
- Monitor compliance with these obligations throughout the life of the contract (or longer, as needed), for as long as the service provider holds the company's data
This applies to ALL layers of the house of cards: ensure that each service provider or third party that will access your data does the same with its own service providers.
18. Due Diligence?
To be performed BEFORE engaging the third party.
How to evaluate a third party's procedures and practices:
- Detailed questionnaire
- Onsite investigation
- Interaction with other clients
- Review of the third party's certifications and attestations
Note: Different types of due diligence apply depending on the nature of the relationship, bargaining power, etc.
Important: Keep track of the nature, scope, extent, responses and results of the due diligence.
19. Consequence?
Inadequate due diligence may have missed:
- Practices that:
  - do not meet industry standards
  - do not meet your own legal obligations
  - are not adapted to your business model
- That the service provider lacks financial backing and financial stability
- That the service provider itself relies on other service providers, about whom you know nothing
20. Contracts
In the cloud, a majority of contracts are not negotiated, and even those that are negotiated might provide only limited promises.
Non-negotiated contracts:
- Pay-as-you-go model, where the terms of the contract may change at any time
- One-sided provisions in favor of the cloud provider
- Do not address security breach disclosure obligations
- Take-it-or-leave-it approach
- Very limited liability; only for downtime, if any
Negotiated contracts, for the lucky ones:
- Better terms
- Very difficult to negotiate
- Price increase if you ask for more warranties or more liability
It is very difficult to acquire the "trust" of others under these conditions.
21. If contract can be negotiated
Contractual provisions:
- Service level agreements
- Damages:
  - In case of outage
  - In case of breach of security
  - Amount of damages; limitation of damages (direct, liquidated)
- Indemnification
- Reports
- Audit
22. Monitoring
During performance of the contract, monitor the company's or the third party's performance:
- Directly?
- Indirectly:
  - Periodic reports
  - Attestations
  - Certifications
  - What metrics?
  - Transparency reports
25. Policies and Procedures
Develop policies and procedures that meet the legal, contractual and other requirements to which your company is subject, based on the applicable or relevant:
- Regulations
- Standards
- Best practices
Keep track of the rationale for developing them.
Monitor their application by your personnel, and discipline infringers.
Ensure that your service providers and contractors abide by similar rules, and enforce them.
AND communicate these policies, procedures, practices, successes and failures to others to acquire their TRUST.
26. Security Breaches
The reputation killer.
Anticipate:
- Develop an incident response plan
- Conduct periodic "fire drills"
Respond to the breach carefully; it has an important effect on reputation and trust:
- Make sure that you comply with all applicable laws, worldwide
- Evaluate whether you should go beyond what the laws require
- Remember the importance of communication and interaction with customers and affected parties
27. Keep Track
Don't let your policies and procedures gather dust.
- Keep track of their application and implementation within the company
- Develop metrics to measure performance:
  - Within the company
  - By third parties, service providers, etc.
- Look for benchmarks to evaluate your performance or that of your service providers
- Certifications, e.g. STAR Certification
- Communicate, communicate, communicate
29. Takeaways
Trust is fragile and easy to lose.
Transparency is a close ally of trust; meaningful disclosures help bring trust.
In an era where the cloud that your company uses or wishes to use is likely sitting on top of multiple layers of other third-party clouds, about which you may know nothing, it is important to:
- Understand your company's obligations with respect to the data stored or processed in the cloud
- Conduct appropriate, in-depth due diligence
- Review service providers' disclosures
- Insist on comprehensive information
30. More Takeaways
Keep in mind that "it's your data; it's your responsibility."
You get what you pay for. If using the cloud is such a saving compared with your current operation, there must be a reason… Find out why it is so inexpensive.
Be realistic about what you are getting; evaluate whether the service meets the needs of your own company with respect to the specific categories of data that you will store in the cloud.
Decide what is the right route to take, and what is needed to fulfill your company's obligations as the custodian of very sensitive, valuable data.
Implement those measures, and make sure that all of your service providers upstream do the same to protect your data.
Insurance, assuming that you can purchase some, will not solve all of your problems. Insurance companies may agree to provide coverage only if they have determined that your company has done its homework, uses proper safeguards, and is responsible and accountable.
31. Contact Information
Francoise Gilbert, JD, CIPP
Managing Director
IT Law Group
Email: fgilbert@itlawgroup.com
Phone: (650) 804-1235
Mail: 555 Bryant Street # 603 – Palo Alto, CA 94301
www.itlawgroup.com
www.francoisegilbert.com
www.globalprivacybook.com
@francoisegilbrt