Legal issues in the Cloud

                                   Renzo Marchini, Dechert LLP, London, UK

                                   Gene K. Landy, Ruberto, Israel & Weiner, PC
                                   Boston, MA, USA




Portions © 2010 Dechert LLP. Portions © 2010 Ruberto, Israel & Weiner, PC.
Attorneys and Authors
Cloud Overview
•   What is Cloud Computing?
     – Setting the scene

•   Data Protection and Information Security
     – Who is responsible for data protection compliance?
     – What are the security requirements?
     – Does it matter where the data is?

•   Issues in Cloud Contracts
     – Comparison with other IT models
     – Service changes
     – Service level agreements
     – Liability for data
     – Ownership/use of data

•   Other Cloud Legal Issues
Concepts of Cloud Computing
 Cloud computing is a simple idea with a huge impact. Instead
 of running your apps yourself, they run on a shared data
 center that’s managed by the service provider. You just log in,
 customize, and start using an app.

     Source: SalesForce.com

 What [cloud computing] has come to mean now is a synonym
 for the return of the mainframe, … and the mainframe is a set
 of computers. You never visit them, you never see them. But
 they're out there. They're in a cloud somewhere. They're in the
 sky, and they're always around. That's roughly the metaphor.

     Source: Google CEO Eric Schmidt
Why “Cloud”?
Many Business and Consumer Cloud Services
• Business Services – e.g. Net Suite
• Media Services – e.g. Bright Cove
• Online Application Add-Ins – e.g. Google Maps
• Social Media – e.g. Facebook, Twitter
• Small Business Services – e.g. Constant Contact
• Consumer Services – Gmail
• Development Platforms – Microsoft Azure
Cloud Digital Media Issues

• Search Engine Issues – Excerpts and thumbnails –
  Google News Cases / Google Book Litigation and
  Settlement

• Notice and Takedown Rules – Viacom v. YouTube

• Cartoon Network v. CSC Holdings, 536 F.3d 121
  (2nd Cir. 2008)
Entrepreneurship in the Public Cloud

• “No Server” startups.

• Scaling up and scaling down in the cloud.

• Functionality that works best in the cloud.

• Operational advantages and challenges.

• The Customers: Consumer. Small business.
  Enterprise.
Some Types of Cloud Services

• Software as a Service (SaaS) – eg Salesforce.com
• Platform as a Service (PaaS) – eg Microsoft Azure
• Infrastructure as a Service (IaaS) – eg Amazon EC2
• Underlying resources: Storage, Servers, Networks, Virtualisation
Typical SaaS Business Solution

  • Hosted and Accessed Remotely via Internet
    or Mobile

  • Specially Built for SaaS

  • Web Technology

  • Multi-Tenanted
Typical Cloud Solution - A Complex Environment

• Presentation layer – Browser, Mobile Client
• Process Services
• Business or Consumer Services
• Security Services and Directory Services
• Data, Media, or Other Third Party Services
• Data / Media, File System, Databases

     Chart adapted from Microsoft®
Key Data Protection Issues

• Who is responsible for data protection
  compliance?
   – Who is the controller?

• What are the security requirements?
   – Can that be delegated to the cloud provider?

• Does it matter where the data is?
   – Cross border issues
Controller or Processor?

•   Directive 95/46 on protection of personal data

•   data controller: “person … which alone or jointly with others
    determines the purposes and means of the processing of personal
    data”

•   data processor: “person … which processes personal data on behalf
    of the controller”

•   Controllers have obligations under the Directive; processors (in most
    member states) have none.
     – of course, controllers take responsibility for processors
     – controllers/processors may well want indemnities
SWIFT

     Diagram: Bank (Data Controller) – SWIFT (Data Controller) – Bank; US Government
SWIFT
•   Irrelevant what contract says

•   SWIFT determined
     – what personal data was processed.
     – functionality eg determining standards as to the form and content of messages.
     – security standard
     – the location of its data centres

•   SWIFT decided to negotiate with the US authorities in relation to the
    warrants.

•   Article 29 Working Party (February 2010)
     – technical decisions can be delegated
     – but not “the essential elements of the means”
     – ISP providing hosting services is “in principle” a “processor”
Who is the Data Controller in the Cloud?
•   Services may be presented almost on a “take it or leave it” basis

•   Purpose behind cloud is to shift data to locations where resources
    are available

•   According to working party criteria: doesn’t this sound like a
    controller?

•   Still a risk that a cloud provider (a SaaS provider) will be found to be a
    controller.

•   Perhaps less so for an IaaS provider
What if the provider is a controller?
•   The provider has no contractual relationship with the individuals

•   How can it comply with Directive obligations?
     – Of course, it may be outside of the EU, but if not ….

•   Article 7 – legitimisation of processing

•   Article 11 – Information to be provided to the data subject

•   Article 12 – Rights of Access

•   …. and so on.

     Diagram: Individuals (eg employee/customer) – Cloud Customer – SaaS Provider (eg Salesforce.com)
Key Data Protection Issues

• Who is responsible for data protection compliance?
   – Who is the controller?

• What are the security requirements?
   – Can that be delegated to the cloud provider?

• Does it matter where the data is?
   – Cross border issues
Article 17 – Security of Processing
•   “.. the controller must implement appropriate technical and
    organizational measures to protect personal data against
    accidental or unlawful destruction or accidental loss, alteration,
    unauthorized disclosure or access ….”

•   Data controller must:
     – carry out due diligence on the processor
     – take reasonable steps to ensure compliance with those measures
     – have a written contract under which
           (i) the processor acts only upon instructions from the controller and
           (ii) an equivalent security obligation is accepted by the processor
Security in practice in the cloud (1)
•   Due Diligence
     – cloud providers inundated by questionnaires
     – being more and more open; increasing use of FAQs

•   Security Policy
     – Physical Security - policy on access restrictions
     – Network Security - firewalling technology and so on
     – Server Security - how servers have been hardened against attack, policies for
       continuing improvement.
     – Data Segregation policies
           • multi-tenancy implies that there is no physical segregation
           • …… so how is logical segregation achieved?
           • user (client) authentication policies, etc.
     – Encryption - what algorithms and what key strength
           • data at rest
           • data in transit
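The data segregation question above (no physical segregation in a multi-tenant service, so isolation must be logical) is the one a diligence questionnaire asks but rarely shows. The following is an added illustration, not code from the slides or from any provider they name: a shared table holds records for two constructed tenants, and the difference between a lookup keyed on the record id alone and a lookup that is always predicated on the tenant bound to the authenticated session is what "logical segregation" means at the application layer. The schema, tenant ids and records are constructed for the example.

```python
"""Logical tenant segregation in a multi-tenant data store (added example).

Assumption: the tenant id is bound to the session at authentication time and
is never taken from the request. The schema and sample rows are constructed.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated context; tenant_id comes from authentication, not the client."""
    user: str
    tenant_id: int


def build_store() -> sqlite3.Connection:
    """Constructed sample data: two tenants (100 and 200) sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records (id, tenant_id, body) VALUES (?, ?, ?)",
        [
            (1, 100, "tenant A - payroll"),
            (2, 100, "tenant A - contracts"),
            (3, 200, "tenant B - payroll"),
        ],
    )
    conn.commit()
    return conn


def fetch_record_unscoped(conn: sqlite3.Connection, record_id: int):
    """Weak pattern: the row is selected by id alone, so a caller from one
    tenant who supplies another tenant's id receives that tenant's data."""
    return conn.execute(
        "SELECT id, tenant_id, body FROM records WHERE id = ?", (record_id,)
    ).fetchone()


def fetch_record(conn: sqlite3.Connection, session: Session, record_id: int):
    """Hardened pattern: every query carries the session's tenant predicate.
    A record belonging to another tenant is indistinguishable from a missing
    id, so the response does not reveal whether the id exists elsewhere."""
    return conn.execute(
        "SELECT id, tenant_id, body FROM records WHERE id = ? AND tenant_id = ?",
        (record_id, session.tenant_id),
    ).fetchone()


def list_records(conn: sqlite3.Connection, session: Session) -> list:
    """Listing is scoped the same way; no data path omits the tenant predicate."""
    return conn.execute(
        "SELECT id, body FROM records WHERE tenant_id = ? ORDER BY id",
        (session.tenant_id,),
    ).fetchall()


def audit_unscoped_lookup(conn: sqlite3.Connection, session: Session, ids) -> int:
    """Review check: how many of the given ids would the unscoped lookup return
    from a tenant other than the session's? The scoped lookup always gives 0."""
    leaked = 0
    for rid in ids:
        row = fetch_record_unscoped(conn, rid)
        if row is not None and row[1] != session.tenant_id:
            leaked += 1
    return leaked


if __name__ == "__main__":
    store = build_store()
    alice = Session(user="alice", tenant_id=100)
    print("scoped, own record:", fetch_record(store, alice, 1))
    print("scoped, other tenant's record:", fetch_record(store, alice, 3))
    print("unscoped exposure over ids 1-3:", audit_unscoped_lookup(store, alice, [1, 2, 3]))
```

The point for diligence is that the tenant predicate is part of the data access layer itself rather than something each feature remembers to add; a provider describing its logical segregation should be able to say where that predicate is enforced and how it is tested.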
Security in practice in the cloud (2)
•   Audit/Certification
     – How can you undertake diligence of an audit when you don’t know where the data is?
     – Will regulators accept certification by accredited third parties as an alternative?

•   ISO 27001 (and series)
     – Security standard
     – Careful with “Conforms with” – this is self-assessment
     – Ensure it is “certified by” a recognised, third party accredited body

•   SAS 70
     – Statement on Auditing Standards No. 70 (SAS 70)
     – Accounting standard, not a security standard
     – Need to see actual report (ensure it is a “Type II” report)
     – Need to examine the controls which are in place and have been described and
       commented on.
Key Data Protection Issues

• Who is responsible for data protection compliance?
   – Who is the controller?

• What are the security requirements?
   – Can that be delegated to the cloud provider?

• Does it matter where the data is?
   – Cross border issues
Transborder Issues – Transfers out of the
EEA
•   Article 25 of Directive 95/46:
     – “The Member States shall provide that the transfer to a third country of personal
       data … may take place only if … the third country in question ensures an
       adequate level of protection”

•   Adequate countries
     – Argentina, Canada, Switzerland, and Jersey, Guernsey and the Isle of Man, Faroe
       Islands
     – Soon Andorra and Israel

•   Fundamental point here is that you need to know where the data is.
What to do if Transferee Country not Adequate?

• US – Safe Harbor

• Model Contracts
   – Controller to Controller (two sets)
   – Controller to Processor (the new set – makes it easier for outsourcing)

• BCRs – not applicable
   – except for “private clouds” perhaps

• Self-assessment
   – OK – in the UK
Problems of onward transfers

     Diagram: Customer (in Europe) → SaaS Provider (in a third country) → IaaS Provider (in a third country)



•   US Safe Harbor: onward transfers allowed to sub-processors under written
    contract.

•   Model Clauses for controller to controller (set II): allows onward transfers to
    processors (with no additional formality)

•   Model Clauses for controller to processor (new set): allowed if sub-processor
    signs own contract ! (and many other hoops)
US Data Protection Issues – Many Different Laws

• Federal Trade Commission Cases
• Children’s Online Data Privacy Protection Act (COPPA)
• State Data Breach Notification Acts.
• The Health Insurance Portability and Accountability Act of
  1996 (HIPAA)
• The Gramm-Leach-Bliley Act (GLBA), also known as the
  Financial Services Modernization Act of 1999
• Federal Trade Commission “Red Flag Rules” regarding
  personal financial and payment data.
• Massachusetts Data Privacy Regulations
Comparison – SaaS and Software Licensing

     Software as a Service                         Software Licence
     ---------------------                         ----------------
     Provider Infrastructure                       Customer’s Server
     Remote Access                                 Physical Delivery (Media or Download)
     Subscription Based                            License Fee
     Continuous Update                             Release Schedules
     Data with Provider (or Provider’s             Data with Customer
     Hosting Provider)
Comparison – SaaS and Managed Services

     Software as a Service                         Managed Service
     ---------------------                         ---------------
     Provider Infrastructure / Remote Access       Provider Infrastructure / Remote Access
     Data with Provider                            Data with Provider
     Usage Based Fees                              Negotiable
     Normally Virtualised                          Fixed Infrastructure (may be Virtualized)
     Scalable On-Demand                            Normally not Dynamically Scalable
Contracting Issues – Pricing Models

• Google Maps Commercial Service
   – Per User
   – Per Access
   – Per Transaction

• Try and Buy

• Terminable at Will?

• Configuration and Customization?

• Acceptance?
Service Level Agreements (SLAs)

• Aspects of SLAs
  – Downtime
  – Response / Fix
  – Remedies
Contracting Issues - Liability for Data
• One breach might affect several or all customers
  because of multi-tenancy
• Customer wants (but likely cannot get) indemnity for
  cost of breach of security including:
   –   Investigation and repair of data
   –   Notification of data subjects
   –   Advertising / public relations
   –   Customer ID theft insurance
   –   Help desks, etc.
   –   Claims from customers or shareholders

• Is security transparent and auditable?
Contracting Issues - Liability for Data, cont’d
• Provider Normally Accepts no Liability for:
    – Loss of data
    – Breach of security of data
    – Integrity of data

• US Provider may have SAS 70 Certification (Statement on
  Auditing Standards No. 70: Service Organizations of the AICPA) or the
  hosting provider may have this certification.

• Backup and Recovery
    – Manner and frequency of backing-up? Access to data
      backups.
    – Data recovery site – Fail-over protection?
Contracting Issues – Access to Data
•    Data retrieval / migration to new vendor on termination (and “lock in”).

•    Where is the data?
      – Customer contracts with a SaaS provider
      – who in turn contracts with a PaaS provider
      – who in turn contracts with an IaaS provider

•    What happens if the SaaS provider is insolvent?

•    Third party access to data via compulsory legal process.

•    The software escrow conundrum.

     Diagram: Customer – Software as a Service – Platform as a Service – Infrastructure as a Service – “Data is somewhere”
“Bad” User Data

• Infringing, libelous, obscene, threatening, stolen,
  restricted, etc. supplied by customer or users

• Mass mailings of unsolicited mail – Spam

• Can provider use self-help without prior notice?
Issues in Partnering Between SaaS Vendors
• User data in multiple places in the cloud

• Additional security/data breach failure points

• Technical / business dependencies / more failure modes

• Integration - Do APIs exist or do they have to be built? At
  whose cost?

• Bottom line: need a workable technical and contingency
  strategy that is documented in the agreement
Other Cloud/Legal Issues to Note
•   Taxation / Investment – Expense vs. capital investment

•   Continuous Improvement Model – Shifting definition of the SaaS
    service, defined by online documentation that is continually updated.

•   Multi-SaaS Vendor Solutions – Who has service responsibility?

•   IP / Infringement Risk – Shift from Customer to Cloud Vendor.

•   Open Source (Copy Left) Problems – Providing cloud services can
    be a “magic bullet” solution.

•   Trade Secret Protection – Much easier if the vendor never ships
    the code. Reverse engineering rights don’t apply.

•   Vendor’s Contractual Rights to Use Data. The value of data
    aggregation.
Questions?
Want to Know More?
Just Contact:

             Renzo Marchini
               Dechert LLP
         160 Queen Victoria Street
            London EC4V 4QQ
        renzo.marchini@dechert.com
              020 7184 7563


               Gene Landy
        Ruberto Israel & Weiner, PC
         100 No. Washington Street
              Boston MA USA
               gkl@riw.com
               617 742 4200

IT Series: Cloud Computing Done Right CISOA 2011
 
Cloud security
Cloud securityCloud security
Cloud security
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud Guidelines
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference Publication
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Intro to cloud computing
Intro to cloud computingIntro to cloud computing
Intro to cloud computing
 

Plus de IFCLA - International Federation of Computer Law Associations

Plus de IFCLA - International Federation of Computer Law Associations (18)

Agile project case study by a satisfied customer jora gill
Agile project case study by a satisfied customer   jora gillAgile project case study by a satisfied customer   jora gill
Agile project case study by a satisfied customer jora gill
 
Software development contractual issues susan atkinson
Software development contractual issues   susan atkinsonSoftware development contractual issues   susan atkinson
Software development contractual issues susan atkinson
 
What is agile and how does it differ from the traditional waterfall method ...
What is agile and how does it differ from the traditional waterfall method   ...What is agile and how does it differ from the traditional waterfall method   ...
What is agile and how does it differ from the traditional waterfall method ...
 
Convergence legal aspects- regulatory framework - patrick van eecke
Convergence   legal aspects- regulatory framework - patrick van eeckeConvergence   legal aspects- regulatory framework - patrick van eecke
Convergence legal aspects- regulatory framework - patrick van eecke
 
Whose content? whose revenue? who should be liable for a user's content? jo...
Whose content? whose revenue? who should be liable for a user's content?   jo...Whose content? whose revenue? who should be liable for a user's content?   jo...
Whose content? whose revenue? who should be liable for a user's content? jo...
 
Service provider view how to cope with content diversity - kaisa olkkonen
Service provider view   how to cope with content diversity - kaisa olkkonenService provider view   how to cope with content diversity - kaisa olkkonen
Service provider view how to cope with content diversity - kaisa olkkonen
 
Multi channel digital distribution - jp virtanen
Multi channel digital distribution - jp virtanenMulti channel digital distribution - jp virtanen
Multi channel digital distribution - jp virtanen
 
From isp liability to isp cooperation international developments from us dm...
From isp liability to isp cooperation   international developments from us dm...From isp liability to isp cooperation   international developments from us dm...
From isp liability to isp cooperation international developments from us dm...
 
Carlsberg lessons learned from re-tendering an international infrastructure ...
Carlsberg  lessons learned from re-tendering an international infrastructure ...Carlsberg  lessons learned from re-tendering an international infrastructure ...
Carlsberg lessons learned from re-tendering an international infrastructure ...
 
Managing risks when offshoring services including a practical indian experie...
Managing risks when offshoring services  including a practical indian experie...Managing risks when offshoring services  including a practical indian experie...
Managing risks when offshoring services including a practical indian experie...
 
Exiting and replacement suppliers managing transition risk - clive davies
Exiting and replacement suppliers  managing transition risk - clive daviesExiting and replacement suppliers  managing transition risk - clive davies
Exiting and replacement suppliers managing transition risk - clive davies
 
It outsourcing enters new decade claudio da rold
It outsourcing enters new decade   claudio da roldIt outsourcing enters new decade   claudio da rold
It outsourcing enters new decade claudio da rold
 
Navigating the privacy sea christian runte
Navigating the privacy sea   christian runteNavigating the privacy sea   christian runte
Navigating the privacy sea christian runte
 
Navigating the regulatory sea graham smith
Navigating the regulatory sea   graham smithNavigating the regulatory sea   graham smith
Navigating the regulatory sea graham smith
 
Competing while collaborating petri kuoppamäki
Competing while collaborating   petri kuoppamäkiCompeting while collaborating   petri kuoppamäki
Competing while collaborating petri kuoppamäki
 
Convergence business models and services dr. klaus m. steinmaurer
Convergence business models and services   dr. klaus m. steinmaurerConvergence business models and services   dr. klaus m. steinmaurer
Convergence business models and services dr. klaus m. steinmaurer
 
Digital convergence harri koponen
Digital convergence   harri koponenDigital convergence   harri koponen
Digital convergence harri koponen
 
Challenges and opportunities in achieving digital single european market su...
Challenges and opportunities in achieving digital single european market   su...Challenges and opportunities in achieving digital single european market   su...
Challenges and opportunities in achieving digital single european market su...
 

Dernier

Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 

Dernier (20)

Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 

Cloud Digital Media Issues
• Search Engine Issues – Excerpts and thumbnails – Google News Cases / Google Book Litigation and Settlement
• Notice and Takedown Rules – Viacom v. YouTube
• Cartoon Network v. CSC Holdings, 536 F.3d 121 (2nd Cir. 2008)

Entrepreneurship in the Public Cloud
• “No Server” startups
• Scaling up and scaling down in the cloud
• Functionality that works best in the cloud
• Operational advantages and challenges
• The Customers: Consumer. Small business. Enterprise.

Some Types of Cloud Services
• Software as a Service (SaaS) (eg Salesforce.com)
• Platform as a Service (PaaS) (eg Microsoft Azure)
• Infrastructure as a Service (IaaS) (eg Amazon EC2)
     – Storage, servers, networks, virtualisation

Typical SaaS Business Solution
• Hosted and Accessed Remotely via Internet or Mobile
• Specially Built for SaaS
• Web Technology
• Multi-Tenanted

Typical Cloud Solution - A Complex Environment
[Architecture diagram, adapted from Microsoft: browser and mobile clients → presentation layer → data, security, media or directory services, process services, and third-party business or consumer services → data / file system and media databases.]

Key Data Protection Issues
• Who is responsible for data protection compliance?
     – Who is the controller?
• What are the security requirements?
     – Can that be delegated to the cloud provider?
• Does it matter where the data is?
     – Cross border issues
Controller or Processor?
• Directive 95/46 on protection of personal data
• data controller: “person … which alone or jointly with others determines the purposes and means of the processing of personal data”
• data processor: “person … which processes personal data on behalf of the controller”
• Controllers have obligations under the Directive; processors (in most member states) have none.
     – of course, controllers take responsibility for processors
     – controllers/processors may well want indemnities
     – (Directive 95/46 has since been replaced by the GDPR, under which processors do carry direct obligations)

SWIFT
[Diagram: Bank (data controller) → SWIFT (data controller) → US Government.]

SWIFT
• Irrelevant what contract says
• SWIFT determined
     – what personal data was processed
     – functionality, eg determining standards as to the form and content of messages
     – security standard
     – the location of its data centres
• SWIFT decided to negotiate with the US authorities in relation to the warrants.
• Article 29 Working Party (February 2010)
     – technical decisions can be delegated
     – but not “the essential elements of the means”
     – ISP providing hosting services is “in principle” a “processor”

Who is the Data Controller in the Cloud?
• Services may be presented almost on a “take it or leave it” basis
• Purpose behind cloud is to shift data to locations where resources are available
• According to working party criteria: doesn’t this sound like a controller?
• Still a risk that a cloud provider (a SaaS provider) will be found to be a controller.
• Perhaps less so for an IaaS provider

What if the provider is a controller?
[Diagram: Individuals (eg employee/customer) → Cloud Customer → SaaS Provider (eg Salesforce.com).]
• The provider has no contractual relationship with the individuals
• How can it comply with Directive obligations?
     – Of course, it may be outside of the EU, but if not ….
• Article 7 – legitimisation of processing
• Article 11 – Information to be provided to the data subject
• Article 12 – Rights of Access
• …. and so on.
Article 17 – Security of Processing
• “.. the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access ….”
• Data controller must:
     – carry out diligence
     – take reasonable steps to ensure compliance with those measures
     – written contract under which (i) processor acts only upon instructions from controller and (ii) equivalent security obligation accepted by processor

Security in practice in the cloud (1)
• Due Diligence
     – cloud providers inundated by questionnaires
     – being more and more open; increasing use of FAQs
• Security Policy
     – Physical Security - policy on access restrictions
     – Network Security - firewalling technology and so on
     – Server Security - how servers have been hardened against attack, policies for continuing improvement
     – Data Segregation policies
          • multi-tenancy implies that there is no physical segregation
          • …… but how is logical segregation achieved?
          • user (client) authentication policies, etc.
     – Encryption - what algorithms and what strength
          • data at rest
          • data in transit
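The data-segregation and encryption bullets above ask how logical segregation is achieved when tenants share one physical system. The following is an added example, not the presenters' material: a tenant-scoped record lookup beside the weak lookup it replaces, and a per-tenant data-encryption key derived from a single master key with HKDF (RFC 5869, HMAC-SHA256). The store, the tenant names, the records, the master key and the HKDF salt/info labels are constructed for illustration; the AEAD cipher that would use the derived key is not included.

```python
"""Logical tenant segregation in a multi-tenant store: a weak lookup beside a
hardened one, plus a per-tenant data-encryption key derived with HKDF.
Added example; tenant names, records and the master key are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


# --- Per-tenant key separation: HKDF (RFC 5869) with HMAC-SHA256 -------------
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated to length."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tenant_data_key(master_key: bytes, tenant_id: str) -> bytes:
    """Derive a distinct 256-bit data key for each tenant from one master key.
    Each tenant's rows would be encrypted under its own key with an AEAD such as
    AES-GCM (the cipher is outside this stdlib-only example), so a row that does
    leak across the tenant boundary is still not readable under another tenant's
    key. The salt and info labels are this example's own (constructed) choices."""
    prk = hkdf_extract(salt=b"tenant-dek-v1", ikm=master_key)
    return hkdf_expand(prk, info=b"tenant:" + tenant_id.encode(), length=32)


# --- Logical segregation of rows in one shared (multi-tenant) table ----------
@dataclass
class Record:
    record_id: int
    tenant_id: str
    body: str


class MultiTenantStore:
    """One table shared by all tenants; every row carries the owning tenant_id."""

    def __init__(self) -> None:
        self._rows: Dict[int, Record] = {}
        self._next_id = 1
        self.audit_log: List[dict] = []   # blocked cross-tenant access attempts

    def insert(self, tenant_id: str, body: str) -> int:
        rid = self._next_id
        self._next_id += 1
        self._rows[rid] = Record(rid, tenant_id, body)
        return rid

    # WEAK: keyed on the record id alone. Any authenticated user of any tenant
    # who guesses or increments an id reads another tenant's row.
    def get_unscoped(self, record_id: int) -> Optional[Record]:
        return self._rows.get(record_id)

    # HARDENED: the tenant comes from the authenticated session, never from the
    # request body, and is part of every lookup. A mismatch is reported to the
    # caller exactly like a missing row (no cross-tenant existence oracle) and
    # is recorded for detection.
    def get_scoped(self, caller_tenant: str, record_id: int) -> Optional[Record]:
        row = self._rows.get(record_id)
        if row is None:
            return None
        if not hmac.compare_digest(row.tenant_id.encode(), caller_tenant.encode()):
            self.audit_log.append({"event": "cross_tenant_read_blocked",
                                   "caller_tenant": caller_tenant,
                                   "record_id": record_id})
            return None
        return row

    def list_for_tenant(self, caller_tenant: str) -> List[Record]:
        """Every list/search path must carry the tenant predicate as well."""
        return [r for r in self._rows.values() if r.tenant_id == caller_tenant]


if __name__ == "__main__":
    store = MultiTenantStore()
    acme = store.insert("acme", "acme payroll")        # constructed sample rows
    globex = store.insert("globex", "globex payroll")
    print("weak  :", store.get_unscoped(globex))       # an acme user sees globex's row
    print("scoped:", store.get_scoped("acme", globex))  # None, and audited
    print("audit :", store.audit_log)
    mk = b"\x00" * 32                                   # constructed master key
    print(tenant_data_key(mk, "acme") != tenant_data_key(mk, "globex"))
```

The point a due-diligence questionnaire is probing is whether the tenant predicate is enforced in one place that every read, list and search path goes through, and whether key material is separated per tenant so that an application-layer slip does not hand over plaintext. The weak `get_unscoped` is the pattern that lets one customer's breach become every customer's breach.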
Security in practice in the cloud (2)
• Audit/Certification
     – How can you undertake diligence of audit, when you don’t know where the data is?
     – Will regulators accept certification by accredited third parties as an alternative?
• ISO 27001 (and series)
     – Security standard
     – Careful with “Conforms with” – this is self-assessment
     – Ensure it is “certified by” a recognised, third party accredited body
• SAS 70 – Statement on Auditing Standards No. 70 (SAS 70)
     – Accounting standard (controls at a service organisation), not a security standard; superseded in 2011 by SSAE 16 / SOC 1, with SOC 2 reports covering security criteria
     – Need to see actual report (ensure it is a “Type II” report – controls tested in operation over a period, not merely described at a point in time)
     – Need to examine the controls which are in place and have been described and commented on.
Transborder Issues – Transfers out of the EEA
• Article 25 of Directive 95/46:
     – “The Member States shall provide that the transfer to a third country of personal data … may take place only if … the third country in question ensures an adequate level of protection”
• Adequate countries
     – Argentina, Canada, Switzerland, and Jersey, Guernsey and the Isle of Man, Faroe Islands
     – Soon Andorra and Israel
• Fundamental point here is that you need to know where the data is.

What to do if Transferee Country not Adequate?
• US – Safe Harbor (invalidated by the CJEU in 2015)
• Model Contracts
     – Controller to Controller (two sets)
     – Controller to Processor (the new set – makes it easier for outsourcing)
• BCRs – not applicable – except for “private clouds” perhaps
• Self-assessment – OK – in the UK

Problems of onward transfers
[Diagram: Customer (in Europe) → SaaS Provider (in a third country) → IaaS Provider (in a third country).]
• US Safe Harbor: onward transfers allowed to sub-processors under written contract.
• Model Clauses for controller to controller (set II): allows onward transfers to processors (with no additional formality)
• Model Clauses for controller to processor (new set): allowed if sub-processor signs own contract! (and many other hoops)

US Data Protection Issues – Many Different Laws
• Federal Trade Commission Cases
• Children’s Online Privacy Protection Act (COPPA)
• State Data Breach Notification Acts
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999
• Federal Trade Commission “Red Flag Rules” regarding personal financial and payment data
• Massachusetts Data Privacy Regulations
Comparison – SaaS and Software Licensing
  Software as a Service                         Software Licence
  Provider Infrastructure                       Customer’s Server
  Remote Access                                 Physical Delivery (Media or Download)
  Subscription Based                            License Fee
  Continuous Update                             Release Schedules
  Data with Provider (or Provider’s             Data with Customer
    Hosting Provider)

Comparison – SaaS and Managed Services
  Software as a Service                         Managed Service
  Provider Infrastructure / Remote Access       Provider Infrastructure / Remote Access
  Data with Provider                            Data with Provider
  Usage Based Fees                              Negotiable
  Normally Virtualised                          Fixed Infrastructure (may be Virtualized)
  Scalable On-Demand                            Normally not Dynamically Scalable

Contracting Issues – Pricing Models
• Google Maps Commercial Service
     – Per User
     – Per Access
     – Per Transaction
• Try and Buy
• Terminable at Will?
• Configuration and Customization?
• Acceptance?

Service Level Agreements (SLAs)
• Aspects of SLAs
     – Downtime
     – Response / Fix
     – Remedies

Contracting Issues - Liability for Data
• One breach might affect several or all customers because of multi-tenancy
• Customer wants (but likely cannot get) indemnity for cost of breach of security including:
     – Investigation and repair of data
     – Notification of data subjects
     – Advertising / public relations
     – Customer ID theft insurance
     – Help desks, etc.
     – Claims from customers or shareholders
• Is security transparent and auditable?

Contracting Issues - Liability for Data, cont’d
• Provider Normally Accepts no Liability for:
     – Loss of data
     – Breach of security of data
     – Integrity of data
• US Provider may have SAS 70 Certification (Statement on Auditing Standards No. 70: Service Organizations of the AICPA) or the hosting provider may have this certification.
• Backup and Recovery
     – Manner and frequency of backing-up? Access to data backups.
     – Data recovery site
     – Fail-over protection?

Contracting Issues – Access to Data
[Diagram: Customer → Software as a Service → Platform as a Service → Infrastructure as a Service; “Data is somewhere”.]
• Data retrieval / migration to new vendor on termination (and “lock in”).
• Where is the data?
     – Customer contracts with a SaaS provider
     – who in turn contracts with a PaaS provider
     – who in turn contracts with an IaaS provider
• What happens if the SaaS provider is insolvent?
• Third party access to data via compulsory legal process.
• The software escrow conundrum.

“Bad” User Data
• Infringing, libelous, obscene, threatening, stolen, restricted, etc. supplied by customer or users
• Mass mailings of unsolicited mail – Spam
• Can provider use self-help without prior notice?

Issues in Partnering Between SaaS Vendors
• User data in multiple places in the cloud
• Additional security/data breach failure points
• Technical / business dependencies / more failure modes
• Integration - Do APIs exist or do they have to be built? At whose cost?
• Bottom line: need a workable technical and contingency strategy that is documented in the agreement

Other Cloud/Legal Issues to Note
• Taxation / Investment – Expense vs. capital investment
• Continuous Improvement Model – Shifting definition of the SaaS service, defined by online documentation that is continually updated.
• Multi-SaaS Vendor Solutions – Who has service responsibility?
• IP / Infringement Risk – Shift from Customer to Cloud Vendor.
• Open Source (Copy Left) Problems – Providing cloud services can be a “magic bullet” solution.
• Trade Secret Protection – Much easier if the vendor never ships the code. Reverse engineering rights don’t apply.
• Vendor’s Contractual Rights to Use Data. The value of data aggregation.

Want to Know More? Just Contact:
Renzo Marchini
Dechert LLP
160 Queen Victoria Street
London EC4V 4QQ
renzo.marchini@dechert.com
020 7184 7563

Gene Landy
Ruberto Israel & Weiner, PC
100 No. Washington Street
Boston MA USA
gkl@riw.com
617 742 4200