This presentation highlights the key legal risks and their implications in cloud computing. Cloud is inherently multi-jurisdictional, encompassing, remote hosting and processing of the data. This gives rise to multiple legal issues including security and privacy of the data, IP Rights, data portability, contractual limitations, risk mitigation and jurisdictional disputes. As the cloud involves remote hosting and data accessibility by multiple parties, security and privacy remains the biggest concern for the companies. Businesses should look at issues ranging from physical location of the data centers, protection of the data against any adversity and intrusion, and access rights management. The cloud servers are often located in different countries, which results in trans- border Data Flow. Each country has its own set of legal rules and regulations regarding data protection and privacy policies and the same can bring in complications in form of conflicting laws and jurisdictional disputes. Issues pertaining to IP rights, trade secrets and ownership of the data placed in the cloud require utmost attention. Termination and exit clauses are critical to the contract in the clouds. Interoperability of the data in the event of termination of services of a vendor is an important aspect to be considered in the contracts.

1. LEGAL NUANCES TO THE CLOUD
CLUBHACK 2012
RITAMBHARA AGRAWAL
01 DECEMBER 2012

2. ISSUES, RISKS & MITIGATION
• Encryption of
• Security & Data
Privacy of Data • Define each
• Confidentiality Risks Party’s liability
• Ownership • Pre-contract
due-
• Liability
• Loss of Data diligence, contra
• Attacks ct
• Choice of Law
• Compliances negotiation, pos
• Disclosure of
• Contracts trade secrets t-contract
• Termination & monitoring, ter
• Recovery
Exit mination
• Data
• Jurisdiction • Right to Audit to
Segregation
check location &
• Portability compliances
Legal Issues • Sharing of Data
with 3rd Party
Mitigation
2

3. LEGAL CHALLENGES IN CLOUD
SECURITY
COMPLIANCES JURISDICTION
CONTRACTUAL
LEGAL ISSUES
TERMINATION
LIMITATIONS & EXIT
ATTACKS
OWNERSHIP
3

4. SECURITY & PRIVACY
Security & Privacy Physical Location of the data centers
Encryption of Data
Multi-tenant architecture
Adversity and intrusion
Data mining by the service provider
Access rights management
Different user data are usually stored
on a single virtual server
Multiple virtual servers run on a single
physical server
4

5. SERVICE LEVEL AGREEMENTS
Service Level Agreements Non-negotiable SLAs (often click wrap agreements)
If the SLA is non-negotiable, higher degree of
reporting should be integrated in the Agreement
Additional options for termination should be
available
Little opportunity to conduct due diligence
Strong limits on liability are included (including direct
liability)
Terms often subject to change without prior
intimation
Risk is usually shifted to user through provider
friendly agreements
5

6. MULTIPLE PARTIES
Involvement of multiple parties makes onus & liability shift on
one another
Multiple Parties
Liability of sub-contractors is often limited or disclaimed in
entirety
Lack of contractual privity makes it difficult to make the
provider accountable for any breach
Liability of provider for the acts of the sub-contractor
Right to conduct due diligence and to understand the model
of delivery of services should be given to the customer.
6

7. DATA PROTECTION, RIGHTS & USAGE
Data Protection & IP Rights Define data clearly, it’s not standard that all
data belongs to the customer
Specify ownership rights
Define rights granted and the restrictions to
monitor and access data by the provider
Third-party access to the data
Non-Disclosure Agreement with the service
provider
Ensuring no rights are transferred to the
service provider
Ensure if back up and transfer of data is
permitted
7

8. JURISDICTION
Cross-Border Data Flow Data flows across various borders
Cloud servers located in different countries, location of
data is uncertain
Complications of conflicting laws
Dispute can be subject to various countries legal system
Jurisdictional Issues & Dispute Resolution Mechanism
8

9. COMPLIANCES
Country and data specific compliances
The owner is equally liable as the service provider to
ensure compliance of law
Compliances
HIPPA, SOX, SAS 70 I & II, GLB, PCI DSS, FERPA and
State Laws
Eg. HIPPA mandates standard practices to ensure
security, confidentiality and data integrity for
healthcare-related data
Default in the respective compliances can bring in
legal implications
9

10. TERMINATION & EXIT
Termination & Exit Interoperability of data after termination
Data portability from one vendor another and bringing it
entirely back-in house
In case of exit, can the records be successfully accessed?
Can data be extracted from the cloud
Obligations of each party in case of exit
10

11. ATTACKS
Hacking, virus, malware disruptions, browser
attacks, tampering, network security attacks, SQL Injection
Attacks
Inducing threats, like data & network security, data locality, data
integrity, data access, data segregation
Authorization & authentication, data confidentiality, web
application security, data breaches, availability & back-up
11

12. CASE STUDIES- SONY
Attacks on Customers
Dozen data
Sony reusing
breaches, ong
Sony laid off Failure to PlayStation passwords, ris
oing customer
many of its protect over Network, Son ks from
relations
security 100 million y Online attackers
fallout &
personnel user records Entertainment accessing
class-action
& Sony their other
lawsuits.
Pictures accounts also
12

13. CASE STUDIES
• Spear-phishing attack leading to breach affecting it’s clients and
customer’s data
EPSILON • Approximately 60 million customer email addresses were breached
• Lesson: The Company outsourcing the job is equally responsible for
security of the customer data
• Hackers used SQL attack method to access the database that fed
the server hosting the site
• Exposing 4,50,000 usernames and passwords
YAHOO • Yahoo didn’t store the data in cryptographic form and left it in plain
text making it vulnerable to attack
• Hackers breached the site, stealing more than 6million customer’s
passwords, which were very lightly encrypted & posted them on a
LINKEDIN Russian hacker forum
13

14. MITIGATION OF RISK
• Evaluation of service provider’s security policy
Security • Encryption to protect confidentiality & integrity of data
• Suspected data breach must be addressed
• Identifying relative risks between the parties, like ownership of data, data
protection guidelines, trade secrets, indemnities, jurisdiction
• Pre-contract due-diligence, negotiable SLA
Contract • Planned & unplanned termination of the Agreement & return of data &
assets
• Liability of each party in the event of breach of contract
• Ownership of data
• Right to audit to check the compliances
Audit • To check the location of the data to ensure compliance of legal & statutory
provisions
14

15. Thank you
INDIA
A-42/6, Sector-62, Noida-201301
Tel: +91-0120-47040722, +91 -0120-4740700
Fax: + 91 11 2741 8595
USA
Suite 119, 2 Davis Drive, Research Triangle
Park, Durham (NC)-27709
Ph: 1 262 432 1718; Fax: 1 877 895 9706
E-mail: info@intelligere.in
www.intelligere.in
15