3. Cloud Overview
• What is Cloud Computing?
– Setting the scene
• Data Protection and Information Security
– Who is responsible for data protection compliance?
– What are the security requirements?
– Does it matter where the data is?
• Issues in Cloud Contracts
– Comparison with other IT models
– Service changes
– Service level agreements
– Liability for data
– Ownership/use of data
• Other Cloud Legal Issues
4. Concepts of Cloud Computing
Cloud computing is a simple idea with a huge impact. Instead of running your apps yourself, they run on a shared data center that’s managed by the service provider. You just log in, customize, and start using an app.
Source: SalesForce.com
What [cloud computing] has come to mean now is a synonym for the return of the mainframe, … and the mainframe is a set of computers. You never visit them, you never see them. But they're out there. They're in a cloud somewhere. They're in the sky, and they're always around. That's roughly the metaphor.
Source: Google CEO Eric Schmidt
6. Many Business and Consumer Cloud Services
• Business Services – e.g. NetSuite
• Media Services – e.g. Brightcove
• Online Application Add-Ins – e.g. Google Maps
• Social Media – e.g. Facebook, Twitter
• Small Business Services – e.g. Constant Contact
• Consumer Services – Gmail
• Development Platforms – Microsoft Azure
7. Cloud Digital Media Issues
• Search Engine Issues – Excerpts and thumbnails – Google News Cases / Google Book Litigation and Settlement
• Notice and Takedown Rules – Viacom v. YouTube
• Cartoon Network v. CSC Holdings, 536 F.3d 121 (2nd Cir. 2008)
8. Entrepreneurship in the Public Cloud
• “No Server” startups.
• Scaling up and scaling down in the cloud.
• Functionality that works best in the cloud.
• Operational advantages and challenges.
• The Customers: Consumer. Small business. Enterprise.
9. Some Types of Cloud Services
• Software as a Service (SaaS) – eg Salesforce.com
• Platform as a Service (PaaS) – eg Microsoft Azure
• Infrastructure as a Service (IaaS) – eg Amazon EC2: storage, servers, networks, virtualisation
10. Typical SaaS Business Solution
• Hosted and Accessed Remotely via Internet or Mobile
• Specially Built for SaaS
• Web Technology
• Multi-Tenanted
11. Typical Cloud Solution - A Complex Environment
[Diagram: browser, mobile and other clients; presentation, process, data/media, security, directory and other services; third-party services; business or consumer services; data/file system, media and databases. Chart adapted from Microsoft®]
12. Key Data Protection Issues
• Who is responsible for data protection compliance?
– Who is the controller?
• What are the security requirements?
– Can that be delegated to the cloud provider?
• Does it matter where the data is?
– Cross border issues
13. Controller or Processor?
• Directive 95/46 on protection of personal data
• data controller: “person … which alone or jointly with others determines the purposes and means of the processing of personal data”
• data processor: “person … which processes personal data on behalf of the controller”
• Controllers have obligations under the Directive; processors (in most member states) have none.
– of course, controllers take responsibility for processors
– controllers/processors may well want indemnities
14. SWIFT
[Diagram: Banks (data controller) – SWIFT (data controller) – US Government]
15. SWIFT
• Irrelevant what the contract says
• SWIFT determined
– what personal data was processed.
– functionality, eg determining standards as to the form and content of messages.
– the security standard
– the location of its data centres
• SWIFT decided to negotiate with the US authorities in relation to the warrants.
• Article 29 Working Party (February 2010)
– technical decisions can be delegated
– but not “the essential elements of the means”
– an ISP providing hosting services is “in principle” a “processor”
16. Who is the Data Controller in the Cloud?
• Services may be presented almost on a “take it or leave it” basis
• The purpose behind the cloud is to shift data to locations where resources are available
• According to the Working Party criteria: doesn’t this sound like a controller?
• Still a risk that a cloud provider (a SaaS provider) will be found to be a controller.
• Perhaps less so for an IaaS provider
17. What if the provider is a controller?
• The provider has no contractual relationship with the individuals
• How can it comply with Directive obligations?
– Of course, it may be outside of the EU, but if not ….
• Article 7 – legitimisation of processing
• Article 11 – Information to be provided to the data subject
• Article 12 – Rights of Access
• …. and so on.
[Diagram: Individuals (eg employee/customer) – Cloud Customer – SaaS Provider (eg Salesforce.com)]
18. Key Data Protection Issues
• Who is responsible for data protection compliance?
– Who is the controller?
• What are the security requirements?
– Can that be delegated to the cloud provider?
• Does it matter where the data is?
– Cross border issues
19. Article 17 – Security of Processing
• “… the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access ….”
• Data controller must:
– carry out due diligence
– take reasonable steps to ensure compliance with those measures
– have a written contract under which
(i) the processor acts only upon instructions from the controller and
(ii) an equivalent security obligation is accepted by the processor
20. Security in practice in the cloud (1)
• Due Diligence
– cloud providers inundated by questionnaires
– being more and more open; increasing use of FAQs
• Security Policy
– Physical Security - policy on access restrictions
– Network Security - firewalling technology and so on
– Server Security - how servers have been hardened against attack, policies for continuing improvement.
– Data Segregation policies
• multi-tenancy implies that there is no physical segregation
• …… but how is logical segregation achieved?
• user (client) authentication policies, etc.
– Encryption - what algorithms and what strength
• data at rest
• data in transit
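The slide asks how logical segregation is achieved when tenants share one physical store. As an added illustration (not from the slides or any named provider), the block below contrasts an unscoped lookup keyed only by record id with a store that filters every read by the tenant bound to the authenticated session; the session and record values are constructed sample data.

```python
# Added example: enforcing logical tenant segregation in a shared store.
# Session.tenant_id is assumed to be set by the provider's authentication
# layer, never taken from client input.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str


@dataclass
class TenantStore:
    """Every row is tagged with its owning tenant; every read is filtered by
    the caller's authenticated tenant, so a record id alone grants nothing."""
    rows: dict = field(default_factory=dict)  # record_id -> (tenant_id, payload)

    def put(self, session: Session, record_id: str, payload: str) -> None:
        self.rows[record_id] = (session.tenant_id, payload)

    def get(self, session: Session, record_id: str):
        owner, payload = self.rows.get(record_id, (None, None))
        if owner != session.tenant_id:
            return None  # a foreign record is indistinguishable from "not found"
        return payload

    def list_for(self, session: Session) -> list:
        return sorted(rid for rid, (owner, _) in self.rows.items()
                      if owner == session.tenant_id)


def unsafe_get(store: TenantStore, record_id: str):
    """The weak shape: a lookup with no tenant filter, as a shared database
    gives you by default. Any caller who guesses an id reads the row."""
    entry = store.rows.get(record_id)
    return entry[1] if entry else None


def demo() -> dict:
    store = TenantStore()
    alice = Session("alice", "tenant-A")  # constructed sample sessions
    bob = Session("bob", "tenant-B")
    store.put(alice, "rec-1", "A's customer list")
    store.put(bob, "rec-2", "B's invoices")
    return {
        "scoped_own": store.get(alice, "rec-1"),        # allowed
        "scoped_foreign": store.get(alice, "rec-2"),    # blocked -> None
        "unscoped_foreign": unsafe_get(store, "rec-2"),  # leaks B's data
        "alice_list": store.list_for(alice),
    }
```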
21. Security in practice in the cloud (2)
• Audit/Certification
– How can you undertake diligence of audit when you don’t know where the data is?
– Will regulators accept certification by accredited third parties as an alternative?
• ISO 27001 (and series)
– Security standard
– Careful with “Conforms with” – this is self-assessment
– Ensure it is “certified by” a recognised, third party accredited body
• SAS 70
– Statement on Auditing Standards No. 70 (SAS 70)
– Accounting standard, not a security standard
– Need to see actual report (ensure it is a “Type II” report)
– Need to examine the controls which are in place and have been described and commented on.
22. Key Data Protection Issues
• Who is responsible for data protection compliance?
– Who is the controller?
• What are the security requirements?
– Can that be delegated to the cloud provider?
• Does it matter where the data is?
– Cross border issues
23. Transborder Issues – Transfers out of the EEA
• Article 25 of Directive 95/46:
– “The Member States shall provide that the transfer to a third country of personal data … may take place only if … the third country in question ensures an adequate level of protection”
• Adequate countries
– Argentina, Canada, Switzerland, and Jersey, Guernsey and the Isle of Man, Faroe Islands
– Soon Andorra and Israel
• Fundamental point here is that you need to know where the data is.
24. What to do if Transferee Country not Adequate?
• US – Safe Harbor
• Model Contracts
– Controller to Controller (two sets)
– Controller to Processor (the new set – makes it easier for outsourcing)
• BCRs – not applicable
– except for “private clouds” perhaps
• Self-assessment
– OK – in the UK
25. Problems of onward transfers
[Diagram: Customer (in Europe) – SaaS Provider (in a third country) – IaaS Provider (in a third country)]
• US Safe Harbor: onward transfers allowed to sub-processors under written contract.
• Model Clauses for controller to controller (set II): allow onward transfers to processors (with no additional formality)
• Model Clauses for controller to processor (new set): allowed if the sub-processor signs its own contract! (and many other hoops)
26. US Data Protection Issues – Many Different Laws
• Federal Trade Commission Cases
• Children’s Online Data Privacy Protection Act (COPPA)
• State Data Breach Notification Acts.
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999
• Federal Trade Commission “Red Flag Rules” regarding personal financial and payment data.
• Massachusetts Data Privacy Regulations
27. Comparison – SaaS and Software Licensing
• Where it runs: Software as a Service – provider infrastructure; Software licence – customer’s server
• Delivery: Software as a Service – remote access; Software licence – physical delivery (media or download)
• Fees: Software as a Service – subscription based; Software licence – license fee
• Updates: Software as a Service – continuous update; Software licence – release schedules
• Data location: Software as a Service – data with provider (or provider’s hosting provider); Software licence – data with customer
28. Comparison – SaaS and Managed Services
• Where it runs: Software as a Service – provider infrastructure / remote access; Managed service – provider infrastructure / remote access
• Data location: Software as a Service – data with provider; Managed service – data with provider
• Fees: Software as a Service – usage based; Managed service – negotiable
• Infrastructure: Software as a Service – normally virtualised; Managed service – fixed infrastructure (may be virtualized)
• Scaling: Software as a Service – scalable on demand; Managed service – normally not dynamically scalable
29. Contracting Issues – Pricing Models
• Google Maps Commercial Service
– Per User
– Per Access
– Per Transaction
• Try and Buy
• Terminable at Will?
• Configuration and Customization?
• Acceptance?
31. Contracting Issues - Liability for Data
• One breach might affect several or all customers because of multi-tenancy
• Customer wants (but likely cannot get) indemnity for cost of breach of security including:
– Investigation and repair of data
– Notification of data subjects
– Advertising / public relations
– Customer ID theft insurance
– Help desks, etc.
– Claims from customers or shareholders
• Is security transparent and auditable?
32. Contracting Issues - Liability for Data, cont’d
• Provider Normally Accepts no Liability for:
– Loss of data
– Breach of security of data
– Integrity of data
• US Provider may have SAS 70 Certification (Statement on Auditing Standards No. 70: Service Organizations of the AICPA) or the hosting provider may have this certification.
• Backup and Recovery
– Manner and frequency of backing-up? Access to data backups.
– Data recovery site – Fail-over protection?
33. Contracting Issues – Access to Data
• Data retrieval / migration to new vendor on termination (and “lock in”).
• Where is the data?
– Customer contracts with a SaaS provider
– who in turn contracts with a PaaS provider
– who in turn contracts with an IaaS provider
• What happens if the SaaS provider is insolvent?
• Third party access to data via compulsory legal process.
• The software escrow conundrum.
[Diagram: Customer – Software as a Service – Platform as a Service – Infrastructure as a Service: “Data is somewhere”]
34. “Bad” User Data
• Infringing, libelous, obscene, threatening, stolen, restricted, etc. supplied by customer or users
• Mass mailings of unsolicited mail – Spam
• Can provider use self-help without prior notice?
35. Issues in Partnering Between SaaS Vendors
• User data in multiple places in the cloud
• Additional security/data breach failure points
• Technical / business dependencies / more failure modes
• Integration - Do APIs exist or do they have to be built? At whose cost?
• Bottom line: need a workable technical and contingency strategy that is documented in the agreement
36. Other Cloud/Legal Issues to Note
• Taxation / Investment – Expense vs. capital investment
• Continuous Improvement Model – Shifting definition of the SaaS service, defined by online documentation that is continually updated.
• Multi-SaaS Vendor Solutions – Who has service responsibility?
• IP / Infringement Risk – Shift from Customer to Cloud Vendor.
• Open Source (Copy Left) Problems – Providing cloud services can be a “magic bullet” solution.
• Trade Secret Protection – Much easier if the vendor never ships the code. Reverse engineering rights don’t apply.
• Vendor’s Contractual Rights to Use Data. The value of data aggregation.
38. Want to Know More?
Just Contact:
Renzo Marchini
Dechert LLP
160 Queen Victoria Street
London EC4V 4QQ
renzo.marchini@dechert.com
020 7184 7563
Gene Landy
Ruberto Israel & Weiner, PC
100 No. Washington Street
Boston MA USA
gkl@riw.com
617 742 4200