SlideShare une entreprise Scribd logo
1  sur  7
Télécharger pour lire hors ligne
INTERNET LAW
JO U R N A L O F
                                                                                                                                     VOLUME 15

                                                                                                                                     NUMBER 12



                                                                                                                                   JUNE 2012

                                                        EDITED BY        DLA     PIPER




                  PROTECTION IN THE CLOUD: RISK
                 MANAGEMENT AND INSURANCE FOR
                        CLOUD COMPUTING
By Joshua Gold

      major technological trend these days is cloud                       goes “off the rails,” however, the consequences can


 A    computing. Many businesses find themselves
      faced with the key decision of whether to embrace
      this technology and migrate their data (and some-
 times the data of their customers) to a professional
 “cloud” firm to host and manage this data. While
                                                                          be devastating.
                                                                               Take, for example, a massive cloud-computing
                                                                          breach that occurred in 2011. The cloud security
                                                                          breach affected one of the largest entertainment
                                                                          and electronics companies in the world, its custom-
 many companies are intrigued with the savings prom-                      ers, and one of the largest cloud-services firms—
 ised by sending their information to the cloud, money                    all at once.1 Specifically, the entertainment firm
 alone should not be allowed to dictate this decision.                    had entrusted data to a cloud-computing company
 Just like any other online endeavor, cloud computing                     that was in turn infiltrated by computer hackers.
 is not without risks—many of which are significant.                      According to reports of the incident, approximately

 CLOUD PERILS                                                                                                            Continued on page 24


      When cloud computing goes as planned, it can                        PROTECTION IN THE CLOUD: RISK MANAGEMENT
 be an efficient way to outsource a significant part of                   AND INSURANCE FOR CLOUD COMPUTING . . . . . 1
 a business’ management of electronically captured                        By Joshua Gold
 information. It may also yield savings, as do other                      CYBER-TERRITORY AND JURISDICTION
 out-sourcing strategies. When cloud computing                            OF NATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
                                                                          By Georgios I. Zekos

                                                                          ON DOMAIN NAMES AND TRADEMARKS . . . . . . . . .29
                                                                          By Ana Rac ki Marinkovic
                                                                                   ˇ             ´
 Joshua Gold is a shareholder at Anderson Kill & Olick, P.C.
 in New York, NY. Mr. Gold regularly represents policyholders,
 including gaming and hospitality businesses, software companies,
 and retailers, in insurance coverage matters and disputes
 concerning contracts, liability, arbitration, time element insurance,
 electronic data, and related property-casualty insurance coverage
 issues. He can be reached at jgold@andersonkill.com.
J O U R N A L O F I N T E R N E T L AW                                                            June   2012




                                 Protection in the Cloud      other negative consequences, which may include,
                                 Continued from page 1        but are not limited to:

     100 million customer account files (including credit     •   Remediation costs that may include liability
     and debit card information) were compromised when            for stolen assets or information and for repair-
     the hackers infiltrated the cloud site and improperly        ing system damage that may have been caused.
     accessed the sensitive account information. What             Remediation costs may also include incentives
     was unique in this situation is that the hackers             offered to customers or other business partners in
     actually had a legitimate account set up with the            an effort to maintain the business relationships
     cloud-computing site (albeit with phony identifying          after a cyber-attack.
     information and fraudulent intentions), as opposed to    •   Increased cyber-security protection costs that
     hackers who anonymously hack into other networks             may be incurred from organizational changes,
     or systems.                                                  deploying additional personnel and protection
          Another cloud-security breach involved a com-           technologies, training employees, and engaging
     pany that provides e-mail services2 to other busi-           third-party experts and consultants.
     nesses and handles more than 40 billion e-mails          •   Lost revenues resulting from unauthorized use of
     annually for more than “2,000 global brands.”3 In a          proprietary information or the failure to retain or
     2011 statement issued after the breach, the hacked           attract customers following a cyber-attack.
     company indicated that “clients’ customer data           •   Litigation.
     were exposed by an unauthorized entry into [the          •   Reputational damage adversely affecting cus-
     company’s] email system. The information that was            tomer or investor confidence.6
     obtained was limited to email addresses and/or cus-
     tomer names only.”4                                           Today, for just about any company, a cloud-
          Among the company’s customers are three of the      computing breach means facing financial fraud loss,
     top ten US banks, as well as other financial institu-    privacy invasion claims, business interruption, loss
     tions. After the breach, numerous customers of the       of good will, and litigation, including class action
     e-mail services company sent warnings to their own       litigation.
     customers alerting them to the existence of the stolen
     information.                                             C AT E G O R I E S O F DATA
                                                              ON THE CLOUD
     L O S S E S , L I T I G AT I O N , A N D L AC K
     OF CONFIDENCE                                                 For any company considering cloud computing,
                                                              one of the early questions is what information will be
          Should data in the cloud be hacked, a busi-         entrusted to the cloud: Does one allow company trade
     ness can be certain of the prospects of becoming         secrets, employee benefits/medical information, and/
     embroiled in class action litigation and insurance       or financial information into the cloud?
     coverage litigation,5 business interruption, a hit to         If sensitive information is being considered to be
     the firm’s good will, remediation costs, customer        put into the cloud, then a central question becomes
     notification costs, government inquiries (both for-      the level of due diligence that a firm will perform
     mal and informal), investigations, litigation brought    to ensure that the cloud is both suitable and safe
     by state attorneys general, and other costs, expenses,   to house and manage the data. The level of due
     and claims.                                              diligence can take many forms, including question-
          In fairly recent disclosure guidance from           naires, attestations, third-party assessment, and on-
     the US Securities and Exchange Commission                site audits. The more sensitive the data in question
     (SEC), one of its departments identified cer-            are, the more comprehensive the due diligence effort
     tain consequences of cyber-breaches that have            must be. As part of this process, firms should also
     relevance in the context of a cloud-computing            consider obtaining from cloud-service companies
     breach. Registrants who fall victim to successful        representations, warranties, insurance, and indem-
     cyber-attacks may incur substantial costs and suffer     nity protection.

24
June   2012                                                         J O U R N A L O F I N T E R N E T L AW




DATA - S E C U R I T Y S T R AT E G Y                     their information technology (IT) departments and
                                                          in-house attorneys to protect data that are created
      For those considering cloud computing, the data-    by the business or entrusted to it by outside entities
security risks described above should lead to a check-    and individuals. One of the starting points in this
list. Specifically, due diligence should be performed     endeavor is developing a data-security protocol that
to find out how the cloud-computing company erects        establishes clear directives regarding the handling
safety walls between the data stored and processed for    of and access to information within the organization
one client versus those supplied by another customer.     and to information that might be transmitted outside
      A checklist of due diligence items will vary from   the organization as part of cloud computing. Virtually
company to company, but it could include some of the      any company will have its own business and employee
following efforts:                                        information electronically captured. So too will it
                                                          have the e-data of its customers, including, often,
•   Meetings with cloud provider to discuss security      account information.
    strategies.                                                An important step in the risk management
•   Specific discussions with cloud firms regarding       process is to inventory the information possessed
    their employment of state-of-the-art security         and determine its sensitivity. Certain categories of
    software and techniques.                              information demand heightened protection, includ-
•   Establishing clear understandings and obligations     ing health information, personally identifying infor-
    for notices of a security breach.                     mation of customers and employees, certain types
•   Reviewing the data-security track records of          of nonpublic financial information, trade secrets,
    those firms under consideration to provide data       customer lists, and business processes that yield
    hosting/management services.                          competitive advantages. Decisions should be made as
•   Conducting security audits.                           to whether this information is to be part of the busi-
•   Negotiating the right to conduct security audits.     nesses’ cloud computing plan or not. If it is, then, as
•   Seeking the names of references and then inter-       noted earlier, due diligence should follow regarding
    viewing those references as to their experiences      the cloud-computing vendor’s security, insurance, and
    with the cloud firm.                                  indemnification obligations.
                                                               Once such information is identified for height-
      Issues regarding indemnification and insurance      ened protection, it usually is not enough to simply
should also be discussed to be prepared in the event      guard against external threats of unauthorized access.
that a data breach were to occur. Businesses should       It is also important to make intelligent decisions
require immediate notification of a data breach           about internal access to protected classes of informa-
should the cloud firm detect one. Businesses should       tion—whether being accessed from on-site servers or
also explore whether they would have to disclose to       from a cloud firm. Businesses should find out what
their own customers, employees, and potentially oth-      levels of employees within a cloud-computing firm
ers, that certain data that they might have an interest   have access to information. Not surprisingly, some
in have been supplied, shared, or transmitted to a        cloud-computing firms have several other divisions
third party for storage or processing. Additionally,      and business enterprises. It is important to know
businesses may wish to consider whether there are         who has access to what categories of information to
certain categories of information that are simply too     get a handle on both external and internal hacking
sensitive to provide to an external source and, there-    threats.
fore, must remain off the cloud.                               For example, it can be risky (and unnecessary) to
                                                          grant company-wide access to sensitive business infor-
R I S K M A N AG E M E N T :                              mation. Instead, under most circumstances, limiting
S A F E G UA R D I N G DATA                               the access internally to such information based upon
                                                          necessity and security clearance reduces the risk of
    Businesses can help make informed decisions           unauthorized or improper disclosure of sensitive infor-
regarding the extent to which they use cloud comput-      mation. With cloud computing, this analysis must be
ing by having risk managers working in tandem with        performed on two different levels.

                                                                                                                    25
J O U R N A L O F I N T E R N E T L AW                                                           June    2012




     I N S U R A N C E C OV E R AG E                           reduce cybersecurity risks in the context of the
     C O N S I D E R AT I O N S                                industry in which they operate and risks to that
                                                               security, including threatened attacks of which
          Insurance coverage is available for losses arising   they are aware.
     from computer fraud or theft under both existing and
     new stand-alone insurance products. Some of this          Consistent with the Regulation S-K Item
     coverage is quite valuable, but it should never be        503(c) requirements for risk factor disclosures
     thought of as being “customer-friendly.”                  generally, cybersecurity risk disclosure provided
          Policy terms should be closely scrutinized to see    must adequately describe the nature of the
     if the use of cloud computing would alter or reduce       material risks and specify how each risk affects
     coverage. For example, a common feature of recent         the registrant. Registrants should not present
     network security policies involves clauses that pur-      risks that could apply to any issuer or any offer-
     port to condition coverage on the absence of errors or    ing and should avoid generic risk factor disclo-
     omissions in the data-security measures employed by       sure.5 Depending on the registrant’s particular
     the policyholder. Such insurance policy clauses have      facts and circumstances, and to the extent
     the potential to be exploited when insurance compa-       material, appropriate disclosures may include:
     nies argue that a policyholder was somehow derelict
     in safeguarding computer data from hackers, among         • Discussion of aspects of the registrant’s
     others. Furthermore, some policies may attempt to           business or operations that give rise to
     limit insurance coverage when a data breach occurs          material cybersecurity risks and the poten-
     when a computer is not actively connected to a net-         tial costs and consequences;
     work. Accordingly, policyholders should steer toward      • To the extent the registrant outsources
     selecting insurance policy forms that are devoid of as      functions that have material cybersecurity
     many coverage exclusions (a.k.a. the fine print) as         risks, description of those functions and
     possible.                                                   how the registrant addresses those risks;
                                                               • Description of cyber incidents experienced
     S E C D I S C L O S U R E G U I DA N C E                    by the registrant that are individually, or
                                                                 in the aggregate, material, including a
          As indicated earlier, the SEC has provided guid-       description of the costs and other conse-
     ance to registrants as to what disclosure obligations       quences;
     they may face as a result of their cyber-exposure. In     • Risks related to cyber incidents that
     relevant part:                                              may  remain undetected for an extended
                                                                 period; and
         In determining whether risk factor disclosure is      • Description of relevant insurance coverage.
         required, we expect registrants to evaluate their
         cybersecurity risks and take into account all         A registrant may need to disclose known or
         available relevant information, including prior       threatened cyber incidents to place the dis-
         cyber incidents and the severity and frequency        cussion of cybersecurity risks in context. For
         of those incidents. As part of this evaluation,       example, if a registrant experienced a material
         registrants should consider the probability of        cyber attack in which malware was embedded
         cyber incidents occurring and the quantita-           in its systems and customer data was compro-
         tive and qualitative magnitude of those risks,        mised, it likely would not be sufficient for the
         including the potential costs and other con-          registrant to disclose that there is a risk that
         sequences resulting from misappropriation of          such an attack may occur. Instead, as part of a
         assets or sensitive information, corruption of        broader discussion of malware or other similar
         data or operational disruption. In evaluat-           attacks that pose a particular risk, the registrant
         ing whether risk factor disclosure should be          may need to discuss the occurrence of the spe-
         provided, registrants should also consider the        cific attack and its known and potential costs
         adequacy of preventative actions taken to             and other consequences.7

26
June   2012                                                        J O U R N A L O F I N T E R N E T L AW




      One large software and cloud-computing com-           other practices we follow may not prevent the
pany has disclosed certain cloud-computing perils in        improper disclosure of personally identifiable
its securities disclosures, as follows:                     information. Improper disclosure of this infor-
                                                            mation could harm our reputation, lead to legal
    Security vulnerabilities in our products and            exposure to customers, or subject us to liability
    services could lead to reduced revenues or to           under laws that protect personal data, result-
    liability claims. Maintaining the security of           ing in increased costs or loss of revenue. Our
    computers and computer networks is a critical           software products and services also enable our
    issue for us and our customers. Hackers develop         customers to store and process personal data.
    and deploy viruses, worms, and other malicious          Perceptions that our products or services do
    software programs that attack our products and          not adequately protect the privacy of personal
    gain access to our networks and data centers.           information could inhibit sales of our products
    Although this is an industry-wide problem               or services.9
    that affects computers across all platforms,
    it affects our products in particular because       D I R E C TO R S A N D O F F I C E R S
    hackers tend to focus their efforts on the most     INSURANCE CONCERNS
    popular operating systems and programs and we
    expect them to continue to do so. We devote              The SEC’s guidance relates to what disclosures
    significant resources to address security vulner-   should be made by companies subject to the 1933
    abilities through:                                  Securities Act and the 1934 Securities Exchange Act.
                                                        Corporations must now consider what disclosures
    • engineering more secure products and ser-         specific to cyber-security, and to cloud computing,
      vices;                                            are appropriate in their securities filings. The new dis-
    • enhancing security and reliability features       closure requirements place added focus on directors
      in our products and services;                     and officers (D&O) insurance coverage—both at the
    • helping our customers make the best use of        point of purchase and at the point of claim payment
      our products and services to protect against      should a cyber-loss ensue.
      computer viruses and other attacks;                    The SEC identifies several aspects of cyber-perils
    • improving the deployment of software              to be disclosed when applicable. These include an
      updates to address security vulnerabilities;      analysis of potential exposure to a data breach or
    • investing in mitigation technologies that         attack, a discussion of material cyber-incidents, a
      help to secure customers from attacks             description of related legal proceedings, and the
      even when such software updates are not           implications for the firm’s finances.
      deployed; and                                          The issue of cyber-perils has thus been elevated
    • providing customers online automated              from risk management, legal, and IT departments
      security tools, published security guidance,      to the corporate suite. This will entail far greater
      and security software such as firewalls and       scrutiny from investors as to what is disclosed and
      anti-virus software.8                             the quality of the disclosure—all judged with 20/20
                                                        hindsight. D&O underwriters will accordingly find
    The cloud firm goes on to indicate that:            new interest in their customers’ cyber-security issues
                                                        and preventive measures, and they will likely add
    Improper disclosure of personal data could          new or more-tailored questions concerning both past
    result in liability and harm our reputation. We     cyber-incidents and present plans for curtailing or
    store and process large amounts of personally       preventing data breaches.
    identifiable information as we sell software,            As with any insurance application, it is impera-
    provide support and offer cloud-based ser-          tive to answer these new applications carefully.
    vices to customers. It is possible that our secu-   Policyholders should also be aware that some insur-
    rity controls over personal data, our training of   ance applications are purposefully designed to ask
    employees and vendors on data security, and         overly broad questions that are nothing more than

                                                                                                                    27
J O U R N A L O F I N T E R N E T L AW                                                                            June      2012




     a snare and a potential coverage fight. Policyholders     indemnity and “hold harmless” protection that the
     should therefore prepare for negotiation over the         cloud company will provide should the entrusted data
     terms of insurance applications.                          be hacked. Businesses should also insist on represen-
           Ensuring that D&O coverage will be avail-           tations and warranties regarding the level of security
     able should a cyber-related lawsuit arise that targets    employed by the cloud firm to protect the entrusted
     management is critical to defraying the significant       data against hacks from outsiders, other cloud cus-
     defense and indemnity costs often involved in law-        tomers, and even improper internal access of data
     suits against directors and officers. Thus, added care    from within other segments of the cloud-computing
     must go into reviewing all D&O insurance policy           firm.
     terms and endorsements (including those contained
     in the primary, excess layer, and Side A policy forms).   CONCLUSION
     It is likely that some insurance companies will try to
     insert exclusions into D&O policies akin to those             Advanced planning and analysis will not only
     inserted into many specialty Internet policies. Many      ease the burden of navigating the SEC’s new pro-
     of these terms are vague and may lead to sharp dis-       nouncements on data security threats, but it will also
     agreements over their effect on the scope of insurance    prepare a business, should a hacking incident occur,
     coverage for a cyber-related claim.                       to cope with state notice laws, shareholder litigation,
           Beyond D&O insurance issues, companies should       and inquiries and potential lawsuits from govern-
     also have an overall cyber-risk management plan that      ment authorities, including the SEC, Federal Trade
     draws from various departments, including financial,      Commission (FTC) and state attorneys general.
     risk management, legal, and IT departments, and at
     least some senior managers.                               N OT E S
           One key step for a business is to build a com-      1.   See Joseph Galante, Olga Kharif & Pavel Alpeyev, “Sony Network
     puter infrastructure with up-to-date security to guard         Breach Shows Amazon Cloud’s Appeal for Hackers,” Bloomberg,
                                                                    May 16, 2011, available at www.bloomberg.com/news/2011-05-15
     against hackers, malware, and viruses. Plaintiffs,             /sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an
     regulators, and insurance companies often seize upon           -hour.html.
     accusations that a business has used obsolete or inef-    2.   See Erik Sherman, “The Epsilon Email Break-In: A Bad Break for
                                                                    The Cloud,” CBS News Apr. 5, 2011, available at www.cbsnews.
     fectual security measures to guard against unauthor-           com/8301-505124_162-43449742/the-epsilon-email-break-in-a-bad
     ized data-access events.                                       -break-for-the-cloud/.
           A second step is that a business should disclose    3.   See Paul Ducklin, “Epsilon Email Address Megaleak Hands
                                                                    Customers’ Customers to Spammers,” Naked Security Apr. 4,
     the extent of its cloud-computing use to its custom-
                                                                    2011, nakedsecurity.sophos.com/2011/04/04/epsilon-email-address-
     ers, partners, suppliers, and other parties who may            megaleak-hands-customers-customers-to-spammers/; What Effect
     transmit or share data to conduct business. While              Will the Epsilon Data Theft Have on Cloud Computing?,
                                                                    CloudTweaks, Apr. 13, 2011, cloudtweaks.com/2011/04/what-effect
     such a disclosure may not be mandatory, it can go              -will-the-epsilon-data-theft-have-on-cloud-computing/.
     a long way toward nullifying certain accusations          4.   See Jorgen Wouters, “Massive Hack of Top E-Marketer May Leave
     by third parties. Also, a business should undertake            Millions Open to Phishing Attacks,”Daily Finance, Apr. 4, 2011.
                                                               5.   See generally, Zurich Am. Ins. Co. v. Sony Corp. of Am., No.
     (and document) due diligence measures regard-
                                                                    651982/2011 (S. Ct., N.Y.County.).
     ing the security employed by the company that is          6.   Division of Corporation Finance, Securities and Exchange
     providing the data hosting or management. It is                Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity,
                                                                    Oct. 13, 2011.
     important for a business to demonstrate and make a
                                                               7.   Division of Corporation Finance, Securities and Exchange
     record that it has been judicious in its entrustment           Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity,
     of data to any offsite businesses, such as a cloud-            Oct. 13, 2011.
     computing firm.                                           8.   Microsoft Investor Relations, “Risks and Uncertainties,” Item 1A.
                                                                    Risk Factors, http://www.microsoft.com/investor/EarningsAnd
           A third step, when cloud-computing firms are             Financials/Earnings/RisksAndUncertainities/FY11/Q2/RisksAnd
     utilized, is for a business to make sure that the con-         Uncertainties.aspx.
     tractual agreements expressly set forth the level of      9.   Id.




28
Copyright of Journal of Internet Law is the property of Aspen Publishers Inc. and its content may not be copied
or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission.
However, users may print, download, or email articles for individual use.

Contenu connexe

Tendances

Massive Data Analytics and the Cloud
Massive Data Analytics and the CloudMassive Data Analytics and the Cloud
Massive Data Analytics and the CloudBooz Allen Hamilton
 
Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore! Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore! EMC
 
10 security concerns cloud computing
10 security concerns cloud computing10 security concerns cloud computing
10 security concerns cloud computingHossam Zein
 
New Approaches to Security and Availability for Cloud Data
New Approaches to Security and Availability for Cloud DataNew Approaches to Security and Availability for Cloud Data
New Approaches to Security and Availability for Cloud DataEMC
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicNetmagic Solutions Pvt. Ltd.
 
Monthly Technology Brief
Monthly Technology Brief Monthly Technology Brief
Monthly Technology Brief Capgemini
 
Cloud services full description
Cloud services full descriptionCloud services full description
Cloud services full descriptionJason Caras
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameJanine Anthony Bowen, Esq.
 
Should we fear the cloud?
Should we fear the cloud?Should we fear the cloud?
Should we fear the cloud?Gabe Akisanmi
 
The Cloud: Time for Delivery
The Cloud: Time for DeliveryThe Cloud: Time for Delivery
The Cloud: Time for DeliveryCapgemini
 
Rising to the New Challenges of Transactional Services in the Public Sector
Rising to the New Challenges of Transactional Services in the Public SectorRising to the New Challenges of Transactional Services in the Public Sector
Rising to the New Challenges of Transactional Services in the Public SectorCapgemini
 
Websense: A 3-step plan for mobile security
Websense: A 3-step plan for mobile securityWebsense: A 3-step plan for mobile security
Websense: A 3-step plan for mobile securityarms8586
 
Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012
Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012 Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012
Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012 Livingstone Advisory
 
2013 global security report
2013 global security report2013 global security report
2013 global security reportYury Chemerkin
 
Avg SMB Cloud Computing Guide 2011
Avg SMB Cloud Computing Guide 2011Avg SMB Cloud Computing Guide 2011
Avg SMB Cloud Computing Guide 2011AVG Technologies
 
Distinguishing, Evaluating, and Selecting Cloud Service Providers
Distinguishing, Evaluating, and Selecting Cloud Service ProvidersDistinguishing, Evaluating, and Selecting Cloud Service Providers
Distinguishing, Evaluating, and Selecting Cloud Service ProvidersGartnerJessica
 

Tendances (20)

Massive Data Analytics and the Cloud
Massive Data Analytics and the CloudMassive Data Analytics and the Cloud
Massive Data Analytics and the Cloud
 
J3602068071
J3602068071J3602068071
J3602068071
 
Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore! Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore!
 
10 security concerns cloud computing
10 security concerns cloud computing10 security concerns cloud computing
10 security concerns cloud computing
 
New Approaches to Security and Availability for Cloud Data
New Approaches to Security and Availability for Cloud DataNew Approaches to Security and Availability for Cloud Data
New Approaches to Security and Availability for Cloud Data
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – Netmagic
 
Monthly Technology Brief
Monthly Technology Brief Monthly Technology Brief
Monthly Technology Brief
 
Cloud services full description
Cloud services full descriptionCloud services full description
Cloud services full description
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the Game
 
htcia-5-2015
htcia-5-2015htcia-5-2015
htcia-5-2015
 
Should we fear the cloud?
Should we fear the cloud?Should we fear the cloud?
Should we fear the cloud?
 
The Cloud: Time for Delivery
The Cloud: Time for DeliveryThe Cloud: Time for Delivery
The Cloud: Time for Delivery
 
Rising to the New Challenges of Transactional Services in the Public Sector
Rising to the New Challenges of Transactional Services in the Public SectorRising to the New Challenges of Transactional Services in the Public Sector
Rising to the New Challenges of Transactional Services in the Public Sector
 
Host your Cloud – Netmagic Solutions
Host your Cloud – Netmagic SolutionsHost your Cloud – Netmagic Solutions
Host your Cloud – Netmagic Solutions
 
Websense: A 3-step plan for mobile security
Websense: A 3-step plan for mobile securityWebsense: A 3-step plan for mobile security
Websense: A 3-step plan for mobile security
 
Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012
Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012 Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012
Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012
 
2013 global security report
2013 global security report2013 global security report
2013 global security report
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Avg SMB Cloud Computing Guide 2011
Avg SMB Cloud Computing Guide 2011Avg SMB Cloud Computing Guide 2011
Avg SMB Cloud Computing Guide 2011
 
Distinguishing, Evaluating, and Selecting Cloud Service Providers
Distinguishing, Evaluating, and Selecting Cloud Service ProvidersDistinguishing, Evaluating, and Selecting Cloud Service Providers
Distinguishing, Evaluating, and Selecting Cloud Service Providers
 

Similaire à Cloud risk management

Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry BrianHuntMSFCPACRISC
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
Cloud Computing: New Approaches for Security
Cloud Computing: New Approaches for SecurityCloud Computing: New Approaches for Security
Cloud Computing: New Approaches for SecurityJohn Rhoton
 
Cloud computing Risk management
Cloud computing Risk management  Cloud computing Risk management
Cloud computing Risk management Padma Jella
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemBernard Marr
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...DivvyCloud
 
As telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcAs telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcMert Akın
 
Cashing in on the public cloud with total confidence
Cashing in on the public cloud with total confidenceCashing in on the public cloud with total confidence
Cashing in on the public cloud with total confidenceCloudMask inc.
 
Securing data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsSecuring data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsCloudMask inc.
 
Issue identification cloud computing
Issue identification cloud computingIssue identification cloud computing
Issue identification cloud computinggirish0984
 
Ey managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurityEy managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecuritycrazyivan389
 
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10  - perspectives on risk itWall street journal 22 sept 10  - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itMessiernl
 

Similaire à Cloud risk management (20)

Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry
 
Cyber
Cyber Cyber
Cyber
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And Key
 
Cloud Computing: New Approaches for Security
Cloud Computing: New Approaches for SecurityCloud Computing: New Approaches for Security
Cloud Computing: New Approaches for Security
 
Cyber security
Cyber securityCyber security
Cyber security
 
B crisis
B crisisB crisis
B crisis
 
Cloud computing Risk management
Cloud computing Risk management  Cloud computing Risk management
Cloud computing Risk management
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liability
 
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
 
As telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcAs telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwc
 
Cashing in on the public cloud with total confidence
Cashing in on the public cloud with total confidenceCashing in on the public cloud with total confidence
Cashing in on the public cloud with total confidence
 
Securing data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsSecuring data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law Firms
 
Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability Risk
 
Cloud security - Publication
Cloud security - Publication Cloud security - Publication
Cloud security - Publication
 
Issue identification cloud computing
Issue identification cloud computingIssue identification cloud computing
Issue identification cloud computing
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 
Ey managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurityEy managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurity
 
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10  - perspectives on risk itWall street journal 22 sept 10  - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk it
 

Plus de Prachyanun Nilsook

Generative Artificial Intelligence for Imagineering in education
Generative Artificial Intelligence for Imagineering in educationGenerative Artificial Intelligence for Imagineering in education
Generative Artificial Intelligence for Imagineering in educationPrachyanun Nilsook
 
3.เทคนิคการเขียนบทความระดับนานาชาติ_2566_12.pdf
3.เทคนิคการเขียนบทความระดับนานาชาติ_2566_12.pdf3.เทคนิคการเขียนบทความระดับนานาชาติ_2566_12.pdf
3.เทคนิคการเขียนบทความระดับนานาชาติ_2566_12.pdfPrachyanun Nilsook
 
เทคนิคการเขียนบทความระดับนานาชาติ_2566_10.pdf
เทคนิคการเขียนบทความระดับนานาชาติ_2566_10.pdfเทคนิคการเขียนบทความระดับนานาชาติ_2566_10.pdf
เทคนิคการเขียนบทความระดับนานาชาติ_2566_10.pdfPrachyanun Nilsook
 
บทบาทของวิชาชีพเทคโนโลยีและสื่อสารการศึกษา
บทบาทของวิชาชีพเทคโนโลยีและสื่อสารการศึกษาบทบาทของวิชาชีพเทคโนโลยีและสื่อสารการศึกษา
บทบาทของวิชาชีพเทคโนโลยีและสื่อสารการศึกษาPrachyanun Nilsook
 
ระบบธนาคารสะสมหน่วยกิต
ระบบธนาคารสะสมหน่วยกิตระบบธนาคารสะสมหน่วยกิต
ระบบธนาคารสะสมหน่วยกิตPrachyanun Nilsook
 
Instructional Design for Next Normal Education
Instructional Design for Next Normal EducationInstructional Design for Next Normal Education
Instructional Design for Next Normal EducationPrachyanun Nilsook
 
คู่มือการจัดทําแผนการจัดการเรียนรู้มุ่งสมรรถนะ.pdf
คู่มือการจัดทําแผนการจัดการเรียนรู้มุ่งสมรรถนะ.pdfคู่มือการจัดทําแผนการจัดการเรียนรู้มุ่งสมรรถนะ.pdf
คู่มือการจัดทําแผนการจัดการเรียนรู้มุ่งสมรรถนะ.pdfPrachyanun Nilsook
 
แนวทางการจัดการเรียนรู้แบบโครงงานเป็นฐาน-สอศ.2559.pdf
แนวทางการจัดการเรียนรู้แบบโครงงานเป็นฐาน-สอศ.2559.pdfแนวทางการจัดการเรียนรู้แบบโครงงานเป็นฐาน-สอศ.2559.pdf
แนวทางการจัดการเรียนรู้แบบโครงงานเป็นฐาน-สอศ.2559.pdfPrachyanun Nilsook
 
เทคนิคการเขียนโครงการวิจัยและนวัตกรรมให้ได้ทุนวิจัยจากสำนักงาน วช.
เทคนิคการเขียนโครงการวิจัยและนวัตกรรมให้ได้ทุนวิจัยจากสำนักงาน วช.เทคนิคการเขียนโครงการวิจัยและนวัตกรรมให้ได้ทุนวิจัยจากสำนักงาน วช.
เทคนิคการเขียนโครงการวิจัยและนวัตกรรมให้ได้ทุนวิจัยจากสำนักงาน วช.Prachyanun Nilsook
 
เทคนิคการเขียนเอกสารประกอบการสอน
เทคนิคการเขียนเอกสารประกอบการสอนเทคนิคการเขียนเอกสารประกอบการสอน
เทคนิคการเขียนเอกสารประกอบการสอนPrachyanun Nilsook
 
การเขียนเอกสารประกอบการสอน
การเขียนเอกสารประกอบการสอนการเขียนเอกสารประกอบการสอน
การเขียนเอกสารประกอบการสอนPrachyanun Nilsook
 
กระบวนการร่างบทความวิจัยในวารสารระดับนานาชาติด้านคอมพิวเตอร์
กระบวนการร่างบทความวิจัยในวารสารระดับนานาชาติด้านคอมพิวเตอร์กระบวนการร่างบทความวิจัยในวารสารระดับนานาชาติด้านคอมพิวเตอร์
กระบวนการร่างบทความวิจัยในวารสารระดับนานาชาติด้านคอมพิวเตอร์Prachyanun Nilsook
 
Online education innovation_new_normal_2022
Online education innovation_new_normal_2022Online education innovation_new_normal_2022
Online education innovation_new_normal_2022Prachyanun Nilsook
 
การจัดการเรียนการสอนอาชีวศึกษา2
การจัดการเรียนการสอนอาชีวศึกษา2การจัดการเรียนการสอนอาชีวศึกษา2
การจัดการเรียนการสอนอาชีวศึกษา2Prachyanun Nilsook
 
การจัดการเรียนการสอนอาชีวศึกษา1
การจัดการเรียนการสอนอาชีวศึกษา1การจัดการเรียนการสอนอาชีวศึกษา1
การจัดการเรียนการสอนอาชีวศึกษา1Prachyanun Nilsook
 
การทำผลงานทางวิชาการ เกณฑ์และการขอกำหนดตำแหน่งทางวิชาการ
การทำผลงานทางวิชาการ  เกณฑ์และการขอกำหนดตำแหน่งทางวิชาการการทำผลงานทางวิชาการ  เกณฑ์และการขอกำหนดตำแหน่งทางวิชาการ
การทำผลงานทางวิชาการ เกณฑ์และการขอกำหนดตำแหน่งทางวิชาการPrachyanun Nilsook
 
แนวทางการตีพิมพ์บทความวิจัยระดับนานาชาติ
แนวทางการตีพิมพ์บทความวิจัยระดับนานาชาติ แนวทางการตีพิมพ์บทความวิจัยระดับนานาชาติ
แนวทางการตีพิมพ์บทความวิจัยระดับนานาชาติ Prachyanun Nilsook
 

Plus de Prachyanun Nilsook (20)

Generative Artificial Intelligence for Imagineering in education
Generative Artificial Intelligence for Imagineering in educationGenerative Artificial Intelligence for Imagineering in education
Generative Artificial Intelligence for Imagineering in education
 
3.เทคนิคการเขียนบทความระดับนานาชาติ_2566_12.pdf
3.เทคนิคการเขียนบทความระดับนานาชาติ_2566_12.pdf3.เทคนิคการเขียนบทความระดับนานาชาติ_2566_12.pdf
3.เทคนิคการเขียนบทความระดับนานาชาติ_2566_12.pdf
 
เทคนิคการเขียนบทความระดับนานาชาติ_2566_10.pdf
เทคนิคการเขียนบทความระดับนานาชาติ_2566_10.pdfเทคนิคการเขียนบทความระดับนานาชาติ_2566_10.pdf
เทคนิคการเขียนบทความระดับนานาชาติ_2566_10.pdf
 
บทบาทของวิชาชีพเทคโนโลยีและสื่อสารการศึกษา
บทบาทของวิชาชีพเทคโนโลยีและสื่อสารการศึกษาบทบาทของวิชาชีพเทคโนโลยีและสื่อสารการศึกษา
บทบาทของวิชาชีพเทคโนโลยีและสื่อสารการศึกษา
 
ระบบธนาคารสะสมหน่วยกิต
ระบบธนาคารสะสมหน่วยกิตระบบธนาคารสะสมหน่วยกิต
ระบบธนาคารสะสมหน่วยกิต
 
Instructional Design for Next Normal Education
Instructional Design for Next Normal EducationInstructional Design for Next Normal Education
Instructional Design for Next Normal Education
 
BCG Model
BCG ModelBCG Model
BCG Model
 
คู่มือการจัดทําแผนการจัดการเรียนรู้มุ่งสมรรถนะ.pdf
คู่มือการจัดทําแผนการจัดการเรียนรู้มุ่งสมรรถนะ.pdfคู่มือการจัดทําแผนการจัดการเรียนรู้มุ่งสมรรถนะ.pdf
คู่มือการจัดทําแผนการจัดการเรียนรู้มุ่งสมรรถนะ.pdf
 
แนวทางการจัดการเรียนรู้แบบโครงงานเป็นฐาน-สอศ.2559.pdf
แนวทางการจัดการเรียนรู้แบบโครงงานเป็นฐาน-สอศ.2559.pdfแนวทางการจัดการเรียนรู้แบบโครงงานเป็นฐาน-สอศ.2559.pdf
แนวทางการจัดการเรียนรู้แบบโครงงานเป็นฐาน-สอศ.2559.pdf
 
เทคนิคการเขียนโครงการวิจัยและนวัตกรรมให้ได้ทุนวิจัยจากสำนักงาน วช.
เทคนิคการเขียนโครงการวิจัยและนวัตกรรมให้ได้ทุนวิจัยจากสำนักงาน วช.เทคนิคการเขียนโครงการวิจัยและนวัตกรรมให้ได้ทุนวิจัยจากสำนักงาน วช.
เทคนิคการเขียนโครงการวิจัยและนวัตกรรมให้ได้ทุนวิจัยจากสำนักงาน วช.
 
เทคนิคการเขียนเอกสารประกอบการสอน
เทคนิคการเขียนเอกสารประกอบการสอนเทคนิคการเขียนเอกสารประกอบการสอน
เทคนิคการเขียนเอกสารประกอบการสอน
 
การเขียนเอกสารประกอบการสอน
การเขียนเอกสารประกอบการสอนการเขียนเอกสารประกอบการสอน
การเขียนเอกสารประกอบการสอน
 
Digital leadership 2022
Digital leadership 2022Digital leadership 2022
Digital leadership 2022
 
กระบวนการร่างบทความวิจัยในวารสารระดับนานาชาติด้านคอมพิวเตอร์
กระบวนการร่างบทความวิจัยในวารสารระดับนานาชาติด้านคอมพิวเตอร์กระบวนการร่างบทความวิจัยในวารสารระดับนานาชาติด้านคอมพิวเตอร์
กระบวนการร่างบทความวิจัยในวารสารระดับนานาชาติด้านคอมพิวเตอร์
 
Online education innovation_new_normal_2022
Online education innovation_new_normal_2022Online education innovation_new_normal_2022
Online education innovation_new_normal_2022
 
การจัดการเรียนการสอนอาชีวศึกษา2
การจัดการเรียนการสอนอาชีวศึกษา2การจัดการเรียนการสอนอาชีวศึกษา2
การจัดการเรียนการสอนอาชีวศึกษา2
 
การจัดการเรียนการสอนอาชีวศึกษา1
การจัดการเรียนการสอนอาชีวศึกษา1การจัดการเรียนการสอนอาชีวศึกษา1
การจัดการเรียนการสอนอาชีวศึกษา1
 
การทำผลงานทางวิชาการ เกณฑ์และการขอกำหนดตำแหน่งทางวิชาการ
การทำผลงานทางวิชาการ  เกณฑ์และการขอกำหนดตำแหน่งทางวิชาการการทำผลงานทางวิชาการ  เกณฑ์และการขอกำหนดตำแหน่งทางวิชาการ
การทำผลงานทางวิชาการ เกณฑ์และการขอกำหนดตำแหน่งทางวิชาการ
 
Digital transformation
Digital transformation Digital transformation
Digital transformation
 
แนวทางการตีพิมพ์บทความวิจัยระดับนานาชาติ
แนวทางการตีพิมพ์บทความวิจัยระดับนานาชาติ แนวทางการตีพิมพ์บทความวิจัยระดับนานาชาติ
แนวทางการตีพิมพ์บทความวิจัยระดับนานาชาติ
 

Dernier

Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Reportamberjiles31
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...Brian Solis
 
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfAnhNguyen97152
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGlokeshwarmaha
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.ukaroemirsr
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toumarfarooquejamali32
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..dlewis191
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Winbusinessin
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyHanna Klim
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfHajeJanKamps
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentationbaron83
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...IMARC Group
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfCharles Cotter, PhD
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxCracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxWorkforce Group
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato pptElizangelaSoaresdaCo
 

Dernier (20)

Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Report
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
 
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.uk
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb to
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdf
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentation
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
 
WAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdfWAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdf
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxCracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato ppt
 

Cloud risk management

  • 1. INTERNET LAW JO U R N A L O F VOLUME 15 NUMBER 12 JUNE 2012 EDITED BY DLA PIPER PROTECTION IN THE CLOUD: RISK MANAGEMENT AND INSURANCE FOR CLOUD COMPUTING By Joshua Gold major technological trend these days is cloud goes “off the rails,” however, the consequences can A computing. Many businesses find themselves faced with the key decision of whether to embrace this technology and migrate their data (and some- times the data of their customers) to a professional “cloud” firm to host and manage this data. While be devastating. Take, for example, a massive cloud-computing breach that occurred in 2011. The cloud security breach affected one of the largest entertainment and electronics companies in the world, its custom- many companies are intrigued with the savings prom- ers, and one of the largest cloud-services firms— ised by sending their information to the cloud, money all at once.1 Specifically, the entertainment firm alone should not be allowed to dictate this decision. had entrusted data to a cloud-computing company Just like any other online endeavor, cloud computing that was in turn infiltrated by computer hackers. is not without risks—many of which are significant. According to reports of the incident, approximately CLOUD PERILS Continued on page 24 When cloud computing goes as planned, it can PROTECTION IN THE CLOUD: RISK MANAGEMENT be an efficient way to outsource a significant part of AND INSURANCE FOR CLOUD COMPUTING . . . . . 1 a business’ management of electronically captured By Joshua Gold information. It may also yield savings, as do other CYBER-TERRITORY AND JURISDICTION out-sourcing strategies. When cloud computing OF NATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 By Georgios I. Zekos ON DOMAIN NAMES AND TRADEMARKS . . . . . . . . .29 By Ana Rac ki Marinkovic ˇ ´ Joshua Gold is a shareholder at Anderson Kill & Olick, P.C. in New York, NY. Mr. Gold regularly represents policyholders, including gaming and hospitality businesses, software companies, and retailers, in insurance coverage matters and disputes concerning contracts, liability, arbitration, time element insurance, electronic data, and related property-casualty insurance coverage issues. He can be reached at jgold@andersonkill.com.
  • 2. J O U R N A L O F I N T E R N E T L AW June 2012 Protection in the Cloud other negative consequences, which may include, Continued from page 1 but are not limited to: 100 million customer account files (including credit • Remediation costs that may include liability and debit card information) were compromised when for stolen assets or information and for repair- the hackers infiltrated the cloud site and improperly ing system damage that may have been caused. accessed the sensitive account information. What Remediation costs may also include incentives was unique in this situation is that the hackers offered to customers or other business partners in actually had a legitimate account set up with the an effort to maintain the business relationships cloud-computing site (albeit with phony identifying after a cyber-attack. information and fraudulent intentions), as opposed to • Increased cyber-security protection costs that hackers who anonymously hack into other networks may be incurred from organizational changes, or systems. deploying additional personnel and protection Another cloud-security breach involved a com- technologies, training employees, and engaging pany that provides e-mail services2 to other busi- third-party experts and consultants. nesses and handles more than 40 billion e-mails • Lost revenues resulting from unauthorized use of annually for more than “2,000 global brands.”3 In a proprietary information or the failure to retain or 2011 statement issued after the breach, the hacked attract customers following a cyber-attack. company indicated that “clients’ customer data • Litigation. were exposed by an unauthorized entry into [the • Reputational damage adversely affecting cus- company’s] email system. The information that was tomer or investor confidence.6 obtained was limited to email addresses and/or cus- tomer names only.”4 Today, for just about any company, a cloud- Among the company’s customers are three of the computing breach means facing financial fraud loss, top ten US banks, as well as other financial institu- privacy invasion claims, business interruption, loss tions. After the breach, numerous customers of the of good will, and litigation, including class action e-mail services company sent warnings to their own litigation. customers alerting them to the existence of the stolen information. C AT E G O R I E S O F DATA ON THE CLOUD L O S S E S , L I T I G AT I O N , A N D L AC K OF CONFIDENCE For any company considering cloud computing, one of the early questions is what information will be Should data in the cloud be hacked, a busi- entrusted to the cloud: Does one allow company trade ness can be certain of the prospects of becoming secrets, employee benefits/medical information, and/ embroiled in class action litigation and insurance or financial information into the cloud? coverage litigation,5 business interruption, a hit to If sensitive information is being considered to be the firm’s good will, remediation costs, customer put into the cloud, then a central question becomes notification costs, government inquiries (both for- the level of due diligence that a firm will perform mal and informal), investigations, litigation brought to ensure that the cloud is both suitable and safe by state attorneys general, and other costs, expenses, to house and manage the data. The level of due and claims. diligence can take many forms, including question- In fairly recent disclosure guidance from naires, attestations, third-party assessment, and on- the US Securities and Exchange Commission site audits. The more sensitive the data in question (SEC), one of its departments identified cer- are, the more comprehensive the due diligence effort tain consequences of cyber-breaches that have must be. As part of this process, firms should also relevance in the context of a cloud-computing consider obtaining from cloud-service companies breach. Registrants who fall victim to successful representations, warranties, insurance, and indem- cyber-attacks may incur substantial costs and suffer nity protection. 24
  • 3. June 2012 J O U R N A L O F I N T E R N E T L AW DATA - S E C U R I T Y S T R AT E G Y their information technology (IT) departments and in-house attorneys to protect data that are created For those considering cloud computing, the data- by the business or entrusted to it by outside entities security risks described above should lead to a check- and individuals. One of the starting points in this list. Specifically, due diligence should be performed endeavor is developing a data-security protocol that to find out how the cloud-computing company erects establishes clear directives regarding the handling safety walls between the data stored and processed for of and access to information within the organization one client versus those supplied by another customer. and to information that might be transmitted outside A checklist of due diligence items will vary from the organization as part of cloud computing. Virtually company to company, but it could include some of the any company will have its own business and employee following efforts: information electronically captured. So too will it have the e-data of its customers, including, often, • Meetings with cloud provider to discuss security account information. strategies. An important step in the risk management • Specific discussions with cloud firms regarding process is to inventory the information possessed their employment of state-of-the-art security and determine its sensitivity. Certain categories of software and techniques. information demand heightened protection, includ- • Establishing clear understandings and obligations ing health information, personally identifying infor- for notices of a security breach. mation of customers and employees, certain types • Reviewing the data-security track records of of nonpublic financial information, trade secrets, those firms under consideration to provide data customer lists, and business processes that yield hosting/management services. competitive advantages. Decisions should be made as • Conducting security audits. to whether this information is to be part of the busi- • Negotiating the right to conduct security audits. nesses’ cloud computing plan or not. If it is, then, as • Seeking the names of references and then inter- noted earlier, due diligence should follow regarding viewing those references as to their experiences the cloud-computing vendor’s security, insurance, and with the cloud firm. indemnification obligations. Once such information is identified for height- Issues regarding indemnification and insurance ened protection, it usually is not enough to simply should also be discussed to be prepared in the event guard against external threats of unauthorized access. that a data breach were to occur. Businesses should It is also important to make intelligent decisions require immediate notification of a data breach about internal access to protected classes of informa- should the cloud firm detect one. Businesses should tion—whether being accessed from on-site servers or also explore whether they would have to disclose to from a cloud firm. Businesses should find out what their own customers, employees, and potentially oth- levels of employees within a cloud-computing firm ers, that certain data that they might have an interest have access to information. Not surprisingly, some in have been supplied, shared, or transmitted to a cloud-computing firms have several other divisions third party for storage or processing. Additionally, and business enterprises. It is important to know businesses may wish to consider whether there are who has access to what categories of information to certain categories of information that are simply too get a handle on both external and internal hacking sensitive to provide to an external source and, there- threats. fore, must remain off the cloud. For example, it can be risky (and unnecessary) to grant company-wide access to sensitive business infor- R I S K M A N AG E M E N T : mation. Instead, under most circumstances, limiting S A F E G UA R D I N G DATA the access internally to such information based upon necessity and security clearance reduces the risk of Businesses can help make informed decisions unauthorized or improper disclosure of sensitive infor- regarding the extent to which they use cloud comput- mation. With cloud computing, this analysis must be ing by having risk managers working in tandem with performed on two different levels. 25
  • 4. J O U R N A L O F I N T E R N E T L AW June 2012 I N S U R A N C E C OV E R AG E reduce cybersecurity risks in the context of the C O N S I D E R AT I O N S industry in which they operate and risks to that security, including threatened attacks of which Insurance coverage is available for losses arising they are aware. from computer fraud or theft under both existing and new stand-alone insurance products. Some of this Consistent with the Regulation S-K Item coverage is quite valuable, but it should never be 503(c) requirements for risk factor disclosures thought of as being “customer-friendly.” generally, cybersecurity risk disclosure provided Policy terms should be closely scrutinized to see must adequately describe the nature of the if the use of cloud computing would alter or reduce material risks and specify how each risk affects coverage. For example, a common feature of recent the registrant. Registrants should not present network security policies involves clauses that pur- risks that could apply to any issuer or any offer- port to condition coverage on the absence of errors or ing and should avoid generic risk factor disclo- omissions in the data-security measures employed by sure.5 Depending on the registrant’s particular the policyholder. Such insurance policy clauses have facts and circumstances, and to the extent the potential to be exploited when insurance compa- material, appropriate disclosures may include: nies argue that a policyholder was somehow derelict in safeguarding computer data from hackers, among • Discussion of aspects of the registrant’s others. Furthermore, some policies may attempt to business or operations that give rise to limit insurance coverage when a data breach occurs material cybersecurity risks and the poten- when a computer is not actively connected to a net- tial costs and consequences; work. Accordingly, policyholders should steer toward • To the extent the registrant outsources selecting insurance policy forms that are devoid of as functions that have material cybersecurity many coverage exclusions (a.k.a. the fine print) as risks, description of those functions and possible. how the registrant addresses those risks; • Description of cyber incidents experienced S E C D I S C L O S U R E G U I DA N C E by the registrant that are individually, or in the aggregate, material, including a As indicated earlier, the SEC has provided guid- description of the costs and other conse- ance to registrants as to what disclosure obligations quences; they may face as a result of their cyber-exposure. In • Risks related to cyber incidents that relevant part: may  remain undetected for an extended period; and In determining whether risk factor disclosure is • Description of relevant insurance coverage. required, we expect registrants to evaluate their cybersecurity risks and take into account all A registrant may need to disclose known or available relevant information, including prior threatened cyber incidents to place the dis- cyber incidents and the severity and frequency cussion of cybersecurity risks in context. For of those incidents. As part of this evaluation, example, if a registrant experienced a material registrants should consider the probability of cyber attack in which malware was embedded cyber incidents occurring and the quantita- in its systems and customer data was compro- tive and qualitative magnitude of those risks, mised, it likely would not be sufficient for the including the potential costs and other con- registrant to disclose that there is a risk that sequences resulting from misappropriation of such an attack may occur. Instead, as part of a assets or sensitive information, corruption of broader discussion of malware or other similar data or operational disruption. In evaluat- attacks that pose a particular risk, the registrant ing whether risk factor disclosure should be may need to discuss the occurrence of the spe- provided, registrants should also consider the cific attack and its known and potential costs adequacy of preventative actions taken to and other consequences.7 26
  • 5. June 2012 J O U R N A L O F I N T E R N E T L AW One large software and cloud-computing com- other practices we follow may not prevent the pany has disclosed certain cloud-computing perils in improper disclosure of personally identifiable its securities disclosures, as follows: information. Improper disclosure of this infor- mation could harm our reputation, lead to legal Security vulnerabilities in our products and exposure to customers, or subject us to liability services could lead to reduced revenues or to under laws that protect personal data, result- liability claims. Maintaining the security of ing in increased costs or loss of revenue. Our computers and computer networks is a critical software products and services also enable our issue for us and our customers. Hackers develop customers to store and process personal data. and deploy viruses, worms, and other malicious Perceptions that our products or services do software programs that attack our products and not adequately protect the privacy of personal gain access to our networks and data centers. information could inhibit sales of our products Although this is an industry-wide problem or services.9 that affects computers across all platforms, it affects our products in particular because D I R E C TO R S A N D O F F I C E R S hackers tend to focus their efforts on the most INSURANCE CONCERNS popular operating systems and programs and we expect them to continue to do so. We devote The SEC’s guidance relates to what disclosures significant resources to address security vulner- should be made by companies subject to the 1933 abilities through: Securities Act and the 1934 Securities Exchange Act. Corporations must now consider what disclosures • engineering more secure products and ser- specific to cyber-security, and to cloud computing, vices; are appropriate in their securities filings. The new dis- • enhancing security and reliability features closure requirements place added focus on directors in our products and services; and officers (D&O) insurance coverage—both at the • helping our customers make the best use of point of purchase and at the point of claim payment our products and services to protect against should a cyber-loss ensue. computer viruses and other attacks; The SEC identifies several aspects of cyber-perils • improving the deployment of software to be disclosed when applicable. These include an updates to address security vulnerabilities; analysis of potential exposure to a data breach or • investing in mitigation technologies that attack, a discussion of material cyber-incidents, a help to secure customers from attacks description of related legal proceedings, and the even when such software updates are not implications for the firm’s finances. deployed; and The issue of cyber-perils has thus been elevated • providing customers online automated from risk management, legal, and IT departments security tools, published security guidance, to the corporate suite. This will entail far greater and security software such as firewalls and scrutiny from investors as to what is disclosed and anti-virus software.8 the quality of the disclosure—all judged with 20/20 hindsight. D&O underwriters will accordingly find The cloud firm goes on to indicate that: new interest in their customers’ cyber-security issues and preventive measures, and they will likely add Improper disclosure of personal data could new or more-tailored questions concerning both past result in liability and harm our reputation. We cyber-incidents and present plans for curtailing or store and process large amounts of personally preventing data breaches. identifiable information as we sell software, As with any insurance application, it is impera- provide support and offer cloud-based ser- tive to answer these new applications carefully. vices to customers. It is possible that our secu- Policyholders should also be aware that some insur- rity controls over personal data, our training of ance applications are purposefully designed to ask employees and vendors on data security, and overly broad questions that are nothing more than 27
  • 6. J O U R N A L O F I N T E R N E T L AW June 2012 a snare and a potential coverage fight. Policyholders indemnity and “hold harmless” protection that the should therefore prepare for negotiation over the cloud company will provide should the entrusted data terms of insurance applications. be hacked. Businesses should also insist on represen- Ensuring that D&O coverage will be avail- tations and warranties regarding the level of security able should a cyber-related lawsuit arise that targets employed by the cloud firm to protect the entrusted management is critical to defraying the significant data against hacks from outsiders, other cloud cus- defense and indemnity costs often involved in law- tomers, and even improper internal access of data suits against directors and officers. Thus, added care from within other segments of the cloud-computing must go into reviewing all D&O insurance policy firm. terms and endorsements (including those contained in the primary, excess layer, and Side A policy forms). CONCLUSION It is likely that some insurance companies will try to insert exclusions into D&O policies akin to those Advanced planning and analysis will not only inserted into many specialty Internet policies. Many ease the burden of navigating the SEC’s new pro- of these terms are vague and may lead to sharp dis- nouncements on data security threats, but it will also agreements over their effect on the scope of insurance prepare a business, should a hacking incident occur, coverage for a cyber-related claim. to cope with state notice laws, shareholder litigation, Beyond D&O insurance issues, companies should and inquiries and potential lawsuits from govern- also have an overall cyber-risk management plan that ment authorities, including the SEC, Federal Trade draws from various departments, including financial, Commission (FTC) and state attorneys general. risk management, legal, and IT departments, and at least some senior managers. N OT E S One key step for a business is to build a com- 1. See Joseph Galante, Olga Kharif & Pavel Alpeyev, “Sony Network puter infrastructure with up-to-date security to guard Breach Shows Amazon Cloud’s Appeal for Hackers,” Bloomberg, May 16, 2011, available at www.bloomberg.com/news/2011-05-15 against hackers, malware, and viruses. Plaintiffs, /sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an regulators, and insurance companies often seize upon -hour.html. accusations that a business has used obsolete or inef- 2. See Erik Sherman, “The Epsilon Email Break-In: A Bad Break for The Cloud,” CBS News Apr. 5, 2011, available at www.cbsnews. fectual security measures to guard against unauthor- com/8301-505124_162-43449742/the-epsilon-email-break-in-a-bad ized data-access events. -break-for-the-cloud/. A second step is that a business should disclose 3. See Paul Ducklin, “Epsilon Email Address Megaleak Hands Customers’ Customers to Spammers,” Naked Security Apr. 4, the extent of its cloud-computing use to its custom- 2011, nakedsecurity.sophos.com/2011/04/04/epsilon-email-address- ers, partners, suppliers, and other parties who may megaleak-hands-customers-customers-to-spammers/; What Effect transmit or share data to conduct business. While Will the Epsilon Data Theft Have on Cloud Computing?, CloudTweaks, Apr. 13, 2011, cloudtweaks.com/2011/04/what-effect such a disclosure may not be mandatory, it can go -will-the-epsilon-data-theft-have-on-cloud-computing/. a long way toward nullifying certain accusations 4. See Jorgen Wouters, “Massive Hack of Top E-Marketer May Leave by third parties. Also, a business should undertake Millions Open to Phishing Attacks,”Daily Finance, Apr. 4, 2011. 5. See generally, Zurich Am. Ins. Co. v. Sony Corp. of Am., No. (and document) due diligence measures regard- 651982/2011 (S. Ct., N.Y.County.). ing the security employed by the company that is 6. Division of Corporation Finance, Securities and Exchange providing the data hosting or management. It is Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, Oct. 13, 2011. important for a business to demonstrate and make a 7. Division of Corporation Finance, Securities and Exchange record that it has been judicious in its entrustment Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, of data to any offsite businesses, such as a cloud- Oct. 13, 2011. computing firm. 8. Microsoft Investor Relations, “Risks and Uncertainties,” Item 1A. Risk Factors, http://www.microsoft.com/investor/EarningsAnd A third step, when cloud-computing firms are Financials/Earnings/RisksAndUncertainities/FY11/Q2/RisksAnd utilized, is for a business to make sure that the con- Uncertainties.aspx. tractual agreements expressly set forth the level of 9. Id. 28
  • 7. Copyright of Journal of Internet Law is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.