Cloud Security Alliance San Francisco, CA February 26, 2014
Francoise Gilbert, JD, CIPP
Managing Director IT Law Group
© 2014 IT Law Group All Rights Reserved
Trust in the Cloud
Legal and Regulatory Framework
The House of Cards
The cloud ecosystem is very fragile.
It is a huge house of cards where layers sit on top of other layers.
If one layer fails, the house of cards is likely to collapse.
The cloud is based on dependencies: an organization depends on many others to operate.
The glue that can help keep the Cloud House of Cards from collapsing is made of:
- Transparency
- Accountability
- Trust
General Principles
An organization:
- Is responsible for data under its control, including data that have been transferred to third parties for processing
- Should implement policies and practices to protect data in its custody, including:
  - Implementing procedures to protect the privacy and security of personal information
  - Training staff on the organization’s policies and practices
  - Developing information to explain the organization’s policies and procedures
- Should use contractual or other means to provide comparable levels of protection while the data are being processed by a third party
In practice: A Recipe for Trust?
- Comply with applicable laws
- Abide by the promises made in contracts
- Implement appropriate measures to protect the privacy and security of data in the company’s custody:
  - Relevant to the type of data to be protected
  - Taking into account the state of technology and the threats to the data
- Require the same from contractors and service providers
- Communicate clearly with constituents (customers, employees, business partners):
  - Clear, detailed, understandable disclosures
  - Metrics, certification, attestation
Compliance with Applicable Laws
FTC Consent Decrees
- Recent FTC actions for lax security practices:
  - GMR Transcription Services, Inc. (Jan 31, 2014): provider of medical transcription services
  - Foru International Corporation (Jan 7, 2014): manufacturer of nutritional supplements
  - GeneLink (Jan 7, 2014): manufacturer of nutritional supplements
  - Accretive Health, Inc. (Dec. 31, 2013): medical billing and revenue management service for hospitals
  - TRENDnet, Inc. (Sep. 4, 2013): telesurveillance service
FTC Consent Decree Requirements
- Designate employee(s) to coordinate and be accountable for the information security program
- Identify material internal and external risks to the security, confidentiality and integrity of personal data that could result in unauthorized disclosure, misuse, loss, etc.
- Assess the sufficiency of the safeguards in place to control these risks, especially in:
  - Information systems
  - Employee training and management
  - Prevention, detection and response to attacks
- Design and implement reasonable safeguards to control risk
- Regularly test and monitor the effectiveness of the safeguards
- Develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order; and require them by contract to establish, implement and maintain appropriate safeguards
- Evaluate and adjust the program in light of the results of the testing and monitoring
HIPAA - Privacy & Security Rules
- Security Rule, 45 CFR §164.300 et seq.
  - 45 requirements, including:
    - Administrative Safeguards
    - Physical Safeguards
    - Technical Safeguards
- Security Breach Disclosure Rule, 45 CFR §164.400 et seq. (covered entities) and 16 CFR 318 (PHR and related entities)
  - Notification of individuals
  - Notification of the Secretary (covered entities) or the FTC (PHR)
  - Notification of the media
- Privacy Rule, 45 CFR §164.500 et seq.
HIPAA - Business Associates
- 45 CFR §164.308(b)(1)
  - “A covered entity may permit a business associate to create, receive, maintain or transmit ePHI on the covered entity's behalf ONLY if the covered entity obtains satisfactory assurances … that the business associate will appropriately safeguard the information”
- 45 CFR §164.308(b)(3)
  - The organization must “document the satisfactory assurances … through a written contract or other arrangement with the business associate that meets the … requirements”
European Union – Data Controllers
- EU Data Protection Directive + implementation in the EU Member States’ national laws
- Article 17 – Security of the Processing
  - Subsection 1:
    - “[Data] controllers must implement appropriate technical and organizational measures to protect personal data against … all unlawful forms of processing …”
    - “Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected”
  - Subsection 2:
    - “[Data] controller must, where the processing is carried out on its behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures”
European Union – Data Processors
- EU Data Protection Directive
- Article 17 – Security of the Processing
  - Subsection 3:
    - “The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller, and stipulating, in particular, that:
      - The processor shall act only on instructions from the controller
      - The obligations [to implement appropriate technical and organizational measures to protect personal data] … shall also be incumbent on the processor”
  - Subsection 4:
    - “For the purposes of keeping proof, the parts of the contract or legal act relating to data protection and the requirements relating to the [technical and organizational security measures] … shall be in writing or in another equivalent form”.
European Union – Cross-border Data Transfer Restrictions
- EU Data Protection Directive + EU Member States’ national laws
- Article 25
  - Cross-border data transfer out of the EU/EEA is prohibited unless the third country in question ensures an adequate level of protection
- Article 26(2)
  - Cross-border data transfer is permitted if the controller adduces adequate safeguards with respect to the protection of the privacy of individuals; such safeguards may result from appropriate contractual clauses
  - Implemented in:
    - Standard Contractual Clauses
    - Safe Harbor Program
US/EU Safe Harbor Principles
- Notice / Choice / Access Principles
- Security Principle
  - Take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction
- Onward Transfer Principle:
  - Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it:
    - Ascertains that the third party subscribes to the [EU Safe Harbor] Principles, or is subject to the [1995 EU Data Protection] Directive; or
    - Enters into a written agreement with such third party requiring at least the same level of privacy protection as is required by the relevant Principles.
Canada
- PIPEDA: Principles for the Protection of Personal Data (see: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-19.html#h-25)
- Principle 7 – Safeguards
  - Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Principle 1 – Accountability
  - “An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party for processing. The organization must use contractual or other means to provide a comparable level of protection when the information is being processed by a third party”
Contractual Process
Contract Terms
Are you Contracting with a Third Party?
- 3-step process:
  - Conduct appropriate due diligence to determine whether the third party uses – and will continue to use – appropriate security and other measures
  - Enter into a written contract that requires the third party to use these appropriate security measures
  - Monitor compliance with these obligations throughout the life of the contract (or longer as needed), so long as the service provider holds the company’s data
- This applies to ALL layers of the house of cards
  - Ensure that each service provider or third party that will access your data will do the same with its own service providers
Due Diligence?
- To be performed BEFORE engaging a third party
- How to evaluate a third party’s procedures and practices:
  - Detailed questionnaire
  - Onsite investigation
  - Interaction with other clients
  - Review of third parties’ certifications and attestations
- Note: Different types of due diligence apply depending on the nature of the relationship, bargaining power, etc.
- Important: Keep track of the nature, scope, extent, responses and results of the due diligence
Consequence?
Inadequate due diligence may have missed:
- Practices that:
  - Do not meet industry standards
  - Do not meet your own legal obligations
  - Are not adapted to your business model
- That the service provider lacks financial backing and financial stability
- That the service provider actually relies itself on other service providers, about whom you know nothing
Contracts
- In the cloud, a majority of contracts are not negotiated
- Even those that are negotiated might provide limited promises
- Non-negotiated contracts:
  - Pay-as-you-go model, where the terms of the contract may change at any time
  - One-sided provisions in favor of the cloud provider
  - Do not address security breach disclosure obligations
  - Take-it-or-leave-it approach
  - Very limited liability; only for downtime, if any
- Negotiated contracts – for the lucky ones:
  - Better terms
  - Very difficult to negotiate
  - Price increase if you ask for more warranties, more liability
- Difficult to acquire the “trust” of others in these conditions
If contract can be negotiated
- Contractual provisions:
  - Service level agreements
  - Damages
    - In case of outage
    - In case of breach of security
    - Amount of damages; damage limitation
      - Direct
      - Liquidated
  - Indemnification
  - Reports
  - Audit
Monitoring
During performance of the contract:
- Monitor the company’s or the third party’s performance
  - Directly?
  - Indirectly:
    - Periodic reports
    - Attestations
    - Certifications
  - What metrics?
  - Transparency reports
Consequences
Without the proper:
- Due diligence
- Contracts
- Monitoring
you are riding on a road with a very weak foundation.
Policies
Procedures
Policies and Procedures
- Develop policies and procedures that meet the legal, contractual and other requirements to which your company is subject, based on applicable or relevant:
  - Regulations
  - Standards
  - Best practices
- Keep track of the rationale for developing them
- Monitor their application by your personnel
  - Discipline the infringers
- Ensure that your service providers and contractors abide by similar rules and enforce them
- AND communicate these policies, procedures, practices, successes and failures to others to acquire their TRUST
Security Breaches
- The reputation killer
- Anticipate:
  - Develop an incident response plan
  - Conduct periodic “fire drills”
- Respond to the breach carefully
  - Important effect on reputation and trust
  - Make sure that you comply with all applicable laws, worldwide
  - Evaluate whether you should go beyond what the laws require
  - Importance of communication and interaction with customers and affected parties
Keep Track
- Don’t let your policies and procedures gather dust
- Keep track of their application and implementation within the company
- Develop a matrix to measure performance:
  - Within the company
  - By third parties, service providers, etc.
- Look for benchmarks to evaluate your performance or that of your service providers
  - Certifications, e.g. STAR Certification
- Communicate, communicate, communicate
Conclusion
Takeaways
- Trust is fragile and easy to lose
- Transparency is a close ally of trust; meaningful disclosures help bring trust
- In an era where the cloud that your company uses or wishes to use is likely sitting on top of multiple layers of other third-party clouds, about which you may know nothing, it is important to:
  - Understand your company’s obligations with respect to the data stored or processed in the cloud
  - Conduct appropriate, in-depth due diligence
  - Review service providers’ disclosures
  - Insist on comprehensive information
More Takeaways
- Keep in mind that “it’s your data; it’s your responsibility”
- You get what you pay for. If using the cloud is such a saving compared to your current operation, there must be a reason. Find out why it is so inexpensive.
- Be realistic about what you are getting; evaluate whether the service meets the needs of your own company with respect to the specific categories of data that you will store in the cloud
- Decide what is the right route to take, and what is needed to fulfill your company’s obligations as the custodian of very sensitive, valuable data
- Do it, and make sure that all your service providers upstream are also doing it to protect your data
- Insurance (assuming that you can purchase some) will not solve all of your problems.
  - Insurance companies may agree to provide coverage only if they have determined that your company has done its homework, uses proper safeguards, and is responsible and accountable.
Contact Information
Francoise Gilbert, JD, CIPP
Managing Director
IT Law Group
Email: fgilbert@itlawgroup.com
Phone: (650) 804-1235
Mail: 555 Bryant Street # 603 – Palo Alto, CA 94301
www.itlawgroup.com
www.francoisegilbert.com
www.globalprivacybook.com
@francoisegilbrt
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurSuhani Kapoor
 
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc.../:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...lizamodels9
 

Recently uploaded (20)

Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 
Best Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting PartnershipBest Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting Partnership
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
 
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc.../:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
 

Trust in the Cloud: Legal and Regulatory Framework

FTC Consent Decrees
 Recent FTC Actions for lax security practices
 GMR Transcription Services, Inc. (Jan 31, 2014)
 Provider of medical transcription service
 Foru International Corporation (Jan 7, 2014)
 Manufacturer of nutritional supplements
 GeneLink (Jan 7, 2014)
 Manufacturer of nutritional supplements
 Accretive Health, Inc. (Dec. 31, 2013)
 Medical billing and revenue management service for hospitals
 TRENDnet, Inc. (Sep. 4, 2013)
 Telesurveillance service
FTC Consent Decree Requirements
 Designate employee(s) to coordinate and be accountable for the information security program
 Identify material internal and external risks to the security, confidentiality, and integrity of personal data that could result in unauthorized disclosure, misuse, loss, etc.
 Assess the sufficiency of the safeguards in place to control these risks, especially:
 Information systems
 Employee training and management
 Prevention, detection, and response to attacks
 Design and implement reasonable safeguards to control the risks
 Regularly test and monitor the effectiveness of the safeguards
 Develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require them by contract to establish, implement and maintain appropriate safeguards
 Evaluate and adjust the program in light of the results of the testing and monitoring
HIPAA - Privacy & Security Rules
 Security Rule 45 CFR §164.300 et seq.
 45 requirements, including
 Administrative Safeguards
 Physical Safeguards
 Technical Safeguards
 Security Breach Disclosure Rule 45 CFR §164.400 et seq. (covered entities) and 16 CFR 318 (PHR and related entities)
 Notification of individuals
 Notification of the Secretary (covered entities) or the FTC (PHR)
 Notification of the Media
 Privacy Rule 45 CFR §164.500 et seq.
HIPAA - Business Associates
 45 CFR §164.308 (b)(1)
 “A covered entity may permit a business associate to create, receive, maintain or transmit ePHI on the covered entity's behalf ONLY if the covered entity obtains satisfactory assurances … that the business associate will appropriately safeguard the information”
 45 CFR §164.308 (b)(3)
 The organization must “document the satisfactory assurances … through a written contract or other arrangement with the business associate that meet the … requirements”
European Union – Data Controllers
 EU Data Protection Directive + implementation in the EU Member States' national laws
 Article 17 – Security of the Processing:
 Subsection 1:
 “[Data] controllers must implement appropriate technical and organizational measures to protect personal data against …. all unlawful forms of processing…”
 “Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected”
 Subsection 2:
 “[Data] controller must, where the processing is carried out on its behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures”
European Union – Data Processors
 EU Data Protection Directive
 Article 17 – Security of the Processing
 Subsection 3:
 “The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller, and stipulating, in particular, that:
 The processor shall act only on instructions from the controller
 The obligations [to implement appropriate technical and organizational measures to protect personal data] … shall also be incumbent on the processor”
 Subsection 4:
 “For the purposes of keeping proof, the parts of the contract or legal act relating to data protection and the requirements relating to the [technical and organizational security measures] … shall be in writing or in another equivalent form”.
European Union – Crossborder Data Transfer Restrictions
 EU Data Protection Directive + EU Member States' national laws
 Article 25
 Crossborder data transfer out of the EU/EEA is prohibited unless the third country in question ensures an adequate level of protection
 Article 26(2)
 Crossborder data transfer is permitted if the controller adduces adequate safeguards with respect to the protection of the privacy of individuals; such safeguards may result from appropriate contractual clauses
 Implemented in:
 Standard Contractual Clauses
 Safe Harbor Program
US/EU Safe Harbor Principles
 Notice / Choice / Access Principles
 Security Principle
 Take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction
 Onward Transfer Principle:
 Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it:
 Ascertains that the third party subscribes to the [EU Safe Harbor] Principles, or is subject to the [1995 EU Data Protection] Directive; or
 Enters into a written agreement with such third party requiring at least the same level of privacy protection as is required by the relevant Principles.
Canada
 PIPEDA Principles for the Protection of Personal Data (see: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-19.html#h-25)
 Principle 7 – Safeguards
 “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”
 Principle 1 – Accountability
 “An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party for processing. The organization must use contractual or other means to provide a comparable level of protection when the information is being processed by a third party”
Are you Contracting with a Third Party?
 3-step process:
 Conduct appropriate due diligence to determine whether the third party uses – and will continue to use – appropriate security and other measures
 Enter into a written contract that requires the third party to use these appropriate security measures
 Monitor compliance with these obligations throughout the life of the contract (or longer as needed), so long as the service provider holds the company’s data
 This applies to ALL layers of the house of cards
 Ensure that each service provider or third party that will access your data will do the same with its own service providers
Due Diligence?
 To be performed BEFORE engaging the third party
 How to evaluate a third party’s procedures and practices:
 Detailed questionnaire
 Onsite investigation
 Interaction with other clients
 Review of third parties’ certifications, attestations
 Note: Different types of due diligence apply depending on the nature of the relationship, bargaining power, etc.
 Important: Keep track of the nature, scope, extent, responses, and results of the due diligence
Consequence?
Inadequate due diligence may have missed:
- Practices that:
- Do not meet industry standards
- Do not meet your own legal obligations
- Are not adapted to your business model
- That the service provider lacks the financial backing and financial stability
- That the service provider actually relies itself on other service providers, about whom you know nothing
Contracts
 In the cloud, a majority of contracts are not negotiated
 Even those that are negotiated might provide limited promises
 Non-negotiated contracts:
 Pay-as-you-go model, where terms of contract may change at any time
 One-sided provisions in favor of the cloud provider
 Do not address security breach disclosure obligations
 Take-it-or-leave-it approach
 Very limited liability; only for downtime, if any
 Negotiated contracts – for the lucky ones:
 Better terms
 Very difficult to negotiate
 Price increase if you ask for more warranties, more liability
 Difficult to acquire the “trust” of others in these conditions
If the contract can be negotiated
 Contractual provisions
 Service level agreements
 Damages
 In case of outage
 In case of breach of security
 Amount of damages; damage limitation
 Direct
 Liquidated
 Indemnification
 Reports
 Audit
Monitoring
During performance of the contract
 Monitor the company’s or the third party’s performance
 Directly?
 Indirectly:
 Periodic reports
 Attestations
 Certifications
 What metrics?
 Transparency reports
Consequences
Without the proper:
- Due diligence
- Contracts
- Monitoring
You are riding on a road with a very weak foundation
Policies and Procedures
 Develop policies and procedures that meet the legal, contractual, and other requirements to which your company is subject, based on applicable or relevant:
 Regulations
 Standards
 Best practices
 Keep track of the rationale for developing them
 Monitor their application by your personnel
 Discipline the infringers
 Ensure that your service providers and contractors abide by similar rules, and enforce them
 AND communicate these policies, procedures, practices, successes, and failures to others to acquire their TRUST
Security Breaches
 The reputation killer
 Anticipate
 Develop an incident response plan
 Conduct periodic “fire drills”
 Respond to the breach carefully
 Important effect on reputation, trust
 Make sure that you comply with all applicable laws, worldwide
 Evaluate whether you should go beyond what the laws require
 Importance of the communication and interaction with customers, affected parties
Keep Track
 Don’t let your policies and procedures gather dust
 Keep track of their application and implementation within the company
 Develop a matrix to measure performance
 Within the company
 By third parties, service providers, etc.
 Look for benchmarks to evaluate your performance or that of your service providers
 Certifications, e.g. STAR Certification
 Communicate, communicate, communicate
Takeaways
 Trust is fragile. Easy to lose
 Transparency is a close ally of trust. Meaningful disclosures help bring trust
 In an era where the cloud that your company uses or wishes to use is likely sitting on top of multiple layers of other third-party clouds, about which you may know nothing, it is important to:
 Understand your company's obligations with respect to the data stored or processed in the cloud
 Conduct appropriate, in-depth due diligence
 Review service providers’ disclosures
 Insist on comprehensive information
More Takeaways
 Keep in mind that “it’s your data; it’s your responsibility”
 You get what you pay for. If using the cloud is such a saving from your current operation, there must be a reason…. Find out why it is so inexpensive.
 Be realistic about what you are getting; evaluate whether the service
 Meets the needs of your own company with respect to the specific categories of data that you will store in the cloud
 Decide what is the right route to take, and what is needed to fulfill your company’s obligations as the custodian of very sensitive, valuable data
 Do it, and make sure that all your service providers upstream are also doing it to protect your data
 Insurance – assuming that you can purchase some – will not solve all of your problems.
 Insurance companies may agree to provide coverage only if they have determined that your company has done its homework, uses proper safeguards, and is responsible and accountable.
Contact Information
Francoise Gilbert, JD, CIPP
Managing Director IT Law Group
Email: fgilbert@itlawgroup.com
Phone: (650) 804-1235
Mail: 555 Bryant Street # 603 – Palo Alto, CA 94301
www.itlawgroup.com
www.francoisegilbert.com
www.globalprivacybook.com
@francoisegilbrt