SlideShare a Scribd company logo

Managing the Legal and Risk Issues of Cloud Computing

J
jonneiditz

This document summarizes a presentation on managing legal and risk issues of cloud computing. It discusses key topics like social networking surpassing email, multi-tenant server models, security breach risks, encryption concerns, and e-discovery obligations in cloud environments. Overall, the presentation outlines major legal considerations and best practices for organizations adopting cloud computing.

1 of 18
Download to read offline
Managing the Legal and Risk Issues of Cloud Computing Jon Neiditz, Nelson Mullins Riley & Scarborough Mitchell Goodman, National Vision Constance Mitchell, Computer Sciences Corp. Eugene Weitz, Moderator Computer Sciences Corp. Chair, In-House Committee, ITechLaw February 10, 2011
2009 - Social Networking Surpasses Email Communication has moved to the cloud Social Networking Users Surpass Email Users on 7/09 Social Networking Users Email Users Source: Morgan Stanley Internet Mobile Report, December 2009 Data is for unique, monthly users of social networking and email usage. 2
The Multi-Tenant Server Public Cloud "If you want a $1.00 hamburger, you don't get to see how the cow was raised" SaaS PaaS IaaS Integrators ? ? Force.com Google ? Salesforce.com ? ? ? 3
The Pros and Cons of Multi-Tenancy Shared infrastructure (NIST “resource pooling”) - but pieces of your data may be left behind all around the world Rapid innovation (IDC 2009: 5 times faster development at half the cost*) - but do you have adequate controls on your development? Real-time scalability (NIST “rapid elasticity”) - but you have no idea WHO has provided it Automatic upgrades - but do you need to know when they're happening? Pay-as-you-go subscription model (NIST “metering”) - but what do you have when you stop paying? Available via any web browser (NIST “broad network access”) See NIST Definition of Cloud Computing v15 http://csrc.nist.gov/groups/SNS/cloud-computing/ 4
Cloud Security Breach Risks Are Different Both in Type and Magnitude • Study the security risks of your cloud • RSA Conference: 2011 top cloud security issues will include: – Collateral damage in cloud breaches – Risks deriving from other customers accepted or rejected by a cloud provider • Large public clouds make large targets • You have no idea what new downstream integrators are coming on board in a large public cloud • The economic downturn has been an upturn for the global black markets in hacked information 5
9/20/10: ABA Ethics Commission Concerns about Cloud and Confidentiality • Considering Changes to: – Model Rule 1.1 (Competency) – Model Rule 1.6 (Duty of Confidentiality) – Model Rule 1.15 (Safeguarding Client Property)… • …or just a "White Paper" • …but many state bars are moving faster. The Commission also asks for input on whether lawyers have an ethical obligation to incorporate certain terms into their cloud contracts…. 6
Required Terms and Conditions Being Considered by the Commission: • the ownership and physical location of stored data • the provider’s backup policies • the accessibility of stored data by the provider’s employees or sub- contractors • the provider’s compliance with particular state and federal laws governing data privacy (including notifications regarding security breaches) • the format of the stored data (and whether it is compatible with software available through other providers) • the type of data encryption • policies regarding the retrieval of data upon the termination of services 7
Biggest Cloud Security Legal Issues: Encryption Easier than Destruction • Payment Card Industry Data Security Standard (PCI-DSS) Many specific security requirements, including: – Immediate, secure destruction of sensitive data – Audit requirement • State and FACTA Secure Destruction Laws – Secure destruction, but not immediate • HIPAA Security – Encryption on a par with destruction • Breach Notification Requirements – Who provides the intrusion detection? 8
Cloud Security Heat Map A. Information Security Laws and Public Cloud Comments/Issues Standards Threat Level PCI Compliance Immediate, secure destruction of all instances of magnetic stripe data, CVV code and PIN; audit requirement Secure Destruction Laws (15 state laws) Secure destruction requirement but no immediacy requirement FACTA Disposal Rule Secure destruction but no immediacy FACTA Red Flags Rule Intrusion detection HIPAA Security More specific documentation requirements and breach notification requirements; NIST encryption suffices State personal information reasonable security Reasonable technical, administrative and physical security laws SSN Protection Laws (state) Specific controls on use and safeguards for social security numbers State Breach Notification Laws Breach detection, immediacy of notification (of individual customer or owner/licensee) SAS 70 Type 2 An audit against organization-specific controls, not a set of standards ISO Comprehensive but flexible security FTC Unfair Trade Practice Case Law Assure at least "reasonable" security 9
Biggest Cloud Privacy Legal Issues Arise Mostly from Pre-Internet Law • EU Data Protection • Electronic Communications Privacy Act – Broad government access, apparently getting broader • Stored Communications Act – Remote Computing Service (RCS) vs. Electronic Communications Service (ECS) vs. both • Newer Law: FTC Deceptive Trade Practices/APEC – Cloud back-end may undermine represented practices • Purpose restrictions and data-mining 10
Cloud Privacy Heat Map B. Privacy Law Public Cloud Comments/Issues Threat Level EU Data Protection https://www.datenschutzzentrum.de/presse/20100618-cloud- computing.htm Is Safe Harbor sufficient? Must data be limited? Must consents be obtained for all processing and transborder data flows? Must model contract be entered with cloud provider? HIPAA Privacy Minimum necessary; rights of access, amendment, accounting of disclosures Employer Medical Privacy:HIPAA, GINA, Preventing inappropriate uses and disclosures ADA, FMLA, ARRA CAN-SPAM Act, Do-Not-Call Laws, Junk No concern Fax Prevention Act State Anti-Wiretapping Laws Remember all-party consent Electronic Communications Privacy Act Obama administration just started advocating clear FBI access to transaction records with desk letter, contrary to longstanding initiative by entire tech industry Stored Communications Act Is cloud-based outsourced messaging a remote computing service (RCS, that may disclose with consent of "subscriber") or electronic communications service (ECS – that may only disclose with the consent of the addressee) or both? (e.g., Quon, Weaver) FTC Cases "Deceptive Trade Practices" Posted privacy policy issues; cloud "back end" may undermine Case Law represented practices State and Federal Drivers' Privacy Disclosure issues from intrusions 11 Protection Acts
Biggest Cloud Records Management & E-Discovery Issues • Willingness and ability of cloud provider to resist production in accordance with customer wishes – Compelled and permitted disclosures under the ECPA • Willingness and ability of cloud provider to preserve and/or produce all instances of Electronically Stored Information (ESI) – Mitigation of production but not preservation duties under Rule 26(b)(2)(B) of FRCP – Spoliation risks and search costs • Ability of cloud provider to limit holds of backup tapes by customer • E-record and e-document retention/destruction programs supported? – Need to assure secure destruction rather than deactivation? • Data integrity, e-admissibility and enforceability of e-signatures – Reliance on encryption, audit trails or hash algorithms? • Preservation of legal privileges 12
E-Discovery/Records Heat Map C. E-Discovery and Investigations Public Cloud Comments/Issues Threat Level Willingness and/or obligation of cloud Willingness and ability to resist production in accordance with vendor to cooperate with customer in customer wishes; compelled and permitted disclosures under responding to discovery, investigations and the ECPA preservation obligations Ability of vendor to comply with Willingness and ability to preserve and/or produce all preservation (hold) and production instances of Electronically Stored Information (ESI); ; requirements imposed on it mitigation of production but not preservation duties under Rule 26(b)(2)(B) of FRCP Willingness/ability of vendor to put only Are backup tapes segregated by customer? backup tapes of particular customer on hold E-record and e-document Need to assure secure destruction rather than deactivation? retention/destruction programs supported? Preservation of replications and other Potential major search cost issue, as well as spoliation issue redundancy Data integrity and metadata As the law of e-evidence develops, will reliance be placed on encryption, audit trails or hash algorithms? Legal privileges Issue now being addressed by many bars 13
Intellectual Property & E-Commerce Heat Map D. E-Commerce Public Cloud Comments/Issues Threat Level Enforceability of Electronic Signatures and Adequate process controls to satisfy UETA, ESIGN and Contracts international laws? PCI Compliance Immediate, secure destruction of all instances of magnetic stripe data, CVV code and PIN; audit requirement E. Intellectual Property Risk of Loss/Theft Large target for theft Legal Risk of Inadequate Control Potentially undermining IP rights 14
Related Data Use and Handling Contractual Provisions • Confidentiality – Is the standard of care sufficient for contractual compliance (NDAs, licenses)? • Trade secret maintenance – What prevents the service provider from learning from a customer’s data? • Secondary uses – Can the service provider use data to develop or improve its products and services? – Different expectations in consumer / business contexts • Are the processes of the service provider audited by a third party? Are those audit reports available to the customer? • Which service provider employees have access to customer data? Do any contractors? 15
Preparing for Defaults and Termination • What happens if Provider disappears? • Cyber-risk and related insurance coverage • Early warning • Source code/technology escrow • Business continuity/exit plans • Transition, migration – Wind-down periods – Return of Customer data or destruction, vs. deactivation, and immediately or eventually – Post-termination services/migration assistance/transferrable formats 16
Summary of Big Due Diligence and Contractual Issues • Location • Security • Subcontractors • How Much Due Diligence/Transparency Possible/Allowed? • Data Ownership and Limitation of Use • Response to Legal Process • Data Retention, Access, Destruction • Incident Response • Indemnification/Risk Allocation • Termination and Transition 17
Questions? Jon Neiditz Eugene Weitz Partner & Information Management Practice Leader Computer Sciences Corporation Nelson Mullins Riley & Scarborough Chair, In-House Committee, ITechLaw Jon.neiditz@nelsonmullins.com eweitz@csc.com 404-322-6139 (908)337-1491 http://www.nelsonmullins.com/attorneys/jon-neiditz Mitchell Goodman Constance Mitchell General Counsel Counsel, Trusted Cloud and Hosting business unit National Vision, Inc. Computer Sciences Corporation mitchell.goodman@nationalvision.com 781-768-3547 770-822-4208 cmitchell5@csc.com Link to us on LinkedIn!

Recommended

IoT, Security & the Path to a Solution
IoT, Security & the Path to a SolutionIoT, Security & the Path to a Solution
IoT, Security & the Path to a SolutionDr Laurent Guiraud
 
Closing the gaps in enterprise data security: A model for 360 degrees protection
Closing the gaps in enterprise data security: A model for 360 degrees protectionClosing the gaps in enterprise data security: A model for 360 degrees protection
Closing the gaps in enterprise data security: A model for 360 degrees protectionFindWhitePapers
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Peter Wood
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Brian Bissett
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By DesignNalneesh Gaur
 
A01450131
A01450131A01450131
A01450131IOSR Journals
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Erik Ginalick
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant EnterpriseBooz Allen Hamilton
 

Recommended

IoT, Security & the Path to a Solution
IoT, Security & the Path to a SolutionIoT, Security & the Path to a Solution
IoT, Security & the Path to a SolutionDr Laurent Guiraud
 
Closing the gaps in enterprise data security: A model for 360 degrees protection
Closing the gaps in enterprise data security: A model for 360 degrees protectionClosing the gaps in enterprise data security: A model for 360 degrees protection
Closing the gaps in enterprise data security: A model for 360 degrees protectionFindWhitePapers
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Peter Wood
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Brian Bissett
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By DesignNalneesh Gaur
 
A01450131
A01450131A01450131
A01450131IOSR Journals
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Erik Ginalick
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant EnterpriseBooz Allen Hamilton
 
Retail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsRetail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsAirTight Networks
 
Wk White Paper
Wk White PaperWk White Paper
Wk White PaperCreus Moreira Carlos
 
E-commerce Security
E-commerce SecurityE-commerce Security
E-commerce SecurityLindsey Landolfi
 
Data Center Trends And Network Security Impact
Data Center Trends And Network Security ImpactData Center Trends And Network Security Impact
Data Center Trends And Network Security ImpactKingfin Enterprises Limited
 
Disaster Risk Management in the Information Age
Disaster Risk Management in the Information AgeDisaster Risk Management in the Information Age
Disaster Risk Management in the Information Ageglobal
 
Best Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And ComplianceBest Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And ComplianceOracle
 
Maloney slides
Maloney slidesMaloney slides
Maloney slidesOnkar Sule
 
Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Ulf Mattsson
 
An Internet of Things Reference Architecture
An Internet of Things Reference Architecture An Internet of Things Reference Architecture
An Internet of Things Reference Architecture Symantec
 
Data Sheet_What Darktrace Finds
Data Sheet_What Darktrace FindsData Sheet_What Darktrace Finds
Data Sheet_What Darktrace FindsMelissa Lim
 
Cyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber AnalystsCyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber AnalystsBooz Allen Hamilton
 
Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsNirmal Misra
 
CSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityCSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityPhil Agcaoili
 
Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4Somasundaram Jambunathan
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?Windstream Enterprise
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecuritySvetlana Belyaeva
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceAustin Eppstein
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing InvestmentsCaston Thomas
 
Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Creus Moreira Carlos
 
Revolution Or Evolution Exec Summary
Revolution Or Evolution Exec SummaryRevolution Or Evolution Exec Summary
Revolution Or Evolution Exec SummaryWilliam Beer
 
VET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 enVET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 enKarel Van Isacker
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeUlf Mattsson
 

More Related Content

What's hot

Retail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsRetail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsAirTight Networks
 
Disaster Risk Management in the Information Age
Disaster Risk Management in the Information AgeDisaster Risk Management in the Information Age
Disaster Risk Management in the Information Ageglobal
 
Best Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And ComplianceBest Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And ComplianceOracle
 
Maloney slides
Maloney slidesMaloney slides
Maloney slidesOnkar Sule
 
Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Ulf Mattsson
 
An Internet of Things Reference Architecture
An Internet of Things Reference Architecture An Internet of Things Reference Architecture
An Internet of Things Reference Architecture Symantec
 
Data Sheet_What Darktrace Finds
Data Sheet_What Darktrace FindsData Sheet_What Darktrace Finds
Data Sheet_What Darktrace FindsMelissa Lim
 
Cyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber AnalystsCyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber AnalystsBooz Allen Hamilton
 
Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsNirmal Misra
 
CSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityCSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityPhil Agcaoili
 
Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4Somasundaram Jambunathan
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?Windstream Enterprise
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecuritySvetlana Belyaeva
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceAustin Eppstein
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing InvestmentsCaston Thomas
 
Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Creus Moreira Carlos
 
Revolution Or Evolution Exec Summary
Revolution Or Evolution Exec SummaryRevolution Or Evolution Exec Summary
Revolution Or Evolution Exec SummaryWilliam Beer
 

What's hot (20)

Retail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsRetail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—Recommendations
 
Wk White Paper
Wk White PaperWk White Paper
Wk White Paper
 
E-commerce Security
E-commerce SecurityE-commerce Security
E-commerce Security
 
Data Center Trends And Network Security Impact
Data Center Trends And Network Security ImpactData Center Trends And Network Security Impact
Data Center Trends And Network Security Impact
 
Disaster Risk Management in the Information Age
Disaster Risk Management in the Information AgeDisaster Risk Management in the Information Age
Disaster Risk Management in the Information Age
 
Best Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And ComplianceBest Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And Compliance
 
Maloney slides
Maloney slidesMaloney slides
Maloney slides
 
Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011
 
An Internet of Things Reference Architecture
An Internet of Things Reference Architecture An Internet of Things Reference Architecture
An Internet of Things Reference Architecture
 
Data Sheet_What Darktrace Finds
Data Sheet_What Darktrace FindsData Sheet_What Darktrace Finds
Data Sheet_What Darktrace Finds
 
Cyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber AnalystsCyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber Analysts
 
Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of Things
 
CSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityCSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber Security
 
Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4Addressing security and privacy in io t ecosystem v0.4
Addressing security and privacy in io t ecosystem v0.4
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_Darktrace
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments
 
Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012
 
Revolution Or Evolution Exec Summary
Revolution Or Evolution Exec SummaryRevolution Or Evolution Exec Summary
Revolution Or Evolution Exec Summary
 

Similar to Managing the Legal and Risk Issues of Cloud Computing

VET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 enVET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 enKarel Van Isacker
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeUlf Mattsson
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
 
Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Com...
Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Com...Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Com...
Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Com...Tom Kulik
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?Ulf Mattsson
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesKresimir Popovic
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...John Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAmazon Web Services
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameJanine Anthony Bowen, Esq.
 
Data protection in cloud computing - Data Protection Conference 2011
Data protection in cloud computing - Data Protection Conference 2011Data protection in cloud computing - Data Protection Conference 2011
Data protection in cloud computing - Data Protection Conference 2011Cloud Legal Project
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Ulf Mattsson
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...PECB
 
The Weakest Point of Security in IoT
The Weakest Point of Security in IoTThe Weakest Point of Security in IoT
The Weakest Point of Security in IoTnsangary
 
Machine learning presentation in using pyhton
Machine learning presentation in using pyhtonMachine learning presentation in using pyhton
Machine learning presentation in using pyhtonmasukmia.com
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfamitkhanna2070
 
ISSA: Cloud data security
ISSA: Cloud data securityISSA: Cloud data security
ISSA: Cloud data securityUlf Mattsson
 

Similar to Managing the Legal and Risk Issues of Cloud Computing (20)

VET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 enVET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 en
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscape
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technology
 
Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Com...
Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Com...Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Com...
Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Com...
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
 
htcia-5-2015
htcia-5-2015htcia-5-2015
htcia-5-2015
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of Things
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the Game
 
Data protection in cloud computing - Data Protection Conference 2011
Data protection in cloud computing - Data Protection Conference 2011Data protection in cloud computing - Data Protection Conference 2011
Data protection in cloud computing - Data Protection Conference 2011
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
The Weakest Point of Security in IoT
The Weakest Point of Security in IoTThe Weakest Point of Security in IoT
The Weakest Point of Security in IoT
 
Machine learning presentation in using pyhton
Machine learning presentation in using pyhtonMachine learning presentation in using pyhton
Machine learning presentation in using pyhton
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdf
 
ISSA: Cloud data security
ISSA: Cloud data securityISSA: Cloud data security
ISSA: Cloud data security
 

Managing the Legal and Risk Issues of Cloud Computing

  • 1. Managing the Legal and Risk Issues of Cloud Computing Jon Neiditz, Nelson Mullins Riley & Scarborough Mitchell Goodman, National Vision Constance Mitchell, Computer Sciences Corp. Eugene Weitz, Moderator Computer Sciences Corp. Chair, In-House Committee, ITechLaw February 10, 2011
  • 2. 2009 - Social Networking Surpasses Email Communication has moved to the cloud Social Networking Users Surpass Email Users on 7/09 Social Networking Users Email Users Source: Morgan Stanley Internet Mobile Report, December 2009 Data is for unique, monthly users of social networking and email usage. 2
  • 3. The Multi-Tenant Server Public Cloud "If you want a $1.00 hamburger, you don't get to see how the cow was raised" SaaS PaaS IaaS Integrators ? ? Force.com Google ? Salesforce.com ? ? ? 3
  • 4. The Pros and Cons of Multi-Tenancy Shared infrastructure (NIST “resource pooling”) - but pieces of your data may be left behind all around the world Rapid innovation (IDC 2009: 5 times faster development at half the cost*) - but do you have adequate controls on your development? Real-time scalability (NIST “rapid elasticity”) - but you have no idea WHO has provided it Automatic upgrades - but do you need to know when they're happening? Pay-as-you-go subscription model (NIST “metering”) - but what do you have when you stop paying? Available via any web browser (NIST “broad network access”) See NIST Definition of Cloud Computing v15 http://csrc.nist.gov/groups/SNS/cloud-computing/ 4
  • 5. Cloud Security Breach Risks Are Different Both in Type and Magnitude • Study the security risks of your cloud • RSA Conference: 2011 top cloud security issues will include: – Collateral damage in cloud breaches – Risks deriving from other customers accepted or rejected by a cloud provider • Large public clouds make large targets • You have no idea what new downstream integrators are coming on board in a large public cloud • The economic downturn has been an upturn for the global black markets in hacked information 5
  • 6. 9/20/10: ABA Ethics Commission Concerns about Cloud and Confidentiality • Considering Changes to: – Model Rule 1.1 (Competency) – Model Rule 1.6 (Duty of Confidentiality) – Model Rule 1.15 (Safeguarding Client Property)… • …or just a "White Paper" • …but many state bars are moving faster. The Commission also asks for input on whether lawyers have an ethical obligation to incorporate certain terms into their cloud contracts…. 6
  • 7. Required Terms and Conditions Being Considered by the Commission: • the ownership and physical location of stored data • the provider’s backup policies • the accessibility of stored data by the provider’s employees or sub- contractors • the provider’s compliance with particular state and federal laws governing data privacy (including notifications regarding security breaches) • the format of the stored data (and whether it is compatible with software available through other providers) • the type of data encryption • policies regarding the retrieval of data upon the termination of services 7
  • 8. Biggest Cloud Security Legal Issues: Encryption Easier than Destruction • Payment Card Industry Data Security Standard (PCI-DSS) Many specific security requirements, including: – Immediate, secure destruction of sensitive data – Audit requirement • State and FACTA Secure Destruction Laws – Secure destruction, but not immediate • HIPAA Security – Encryption on a par with destruction • Breach Notification Requirements – Who provides the intrusion detection? 8
  • 9. Cloud Security Heat Map A. Information Security Laws and Public Cloud Comments/Issues Standards Threat Level PCI Compliance Immediate, secure destruction of all instances of magnetic stripe data, CVV code and PIN; audit requirement Secure Destruction Laws (15 state laws) Secure destruction requirement but no immediacy requirement FACTA Disposal Rule Secure destruction but no immediacy FACTA Red Flags Rule Intrusion detection HIPAA Security More specific documentation requirements and breach notification requirements; NIST encryption suffices State personal information reasonable security Reasonable technical, administrative and physical security laws SSN Protection Laws (state) Specific controls on use and safeguards for social security numbers State Breach Notification Laws Breach detection, immediacy of notification (of individual customer or owner/licensee) SAS 70 Type 2 An audit against organization-specific controls, not a set of standards ISO Comprehensive but flexible security FTC Unfair Trade Practice Case Law Assure at least "reasonable" security 9
  • 10. Biggest Cloud Privacy Legal Issues Arise Mostly from Pre-Internet Law • EU Data Protection • Electronic Communications Privacy Act – Broad government access, apparently getting broader • Stored Communications Act – Remote Computing Service (RCS) vs. Electronic Communications Service (ECS) vs. both • Newer Law: FTC Deceptive Trade Practices/APEC – Cloud back-end may undermine represented practices • Purpose restrictions and data-mining 10
  • 11. Cloud Privacy Heat Map B. Privacy Law Public Cloud Comments/Issues Threat Level EU Data Protection https://www.datenschutzzentrum.de/presse/20100618-cloud- computing.htm Is Safe Harbor sufficient? Must data be limited? Must consents be obtained for all processing and transborder data flows? Must model contract be entered with cloud provider? HIPAA Privacy Minimum necessary; rights of access, amendment, accounting of disclosures Employer Medical Privacy:HIPAA, GINA, Preventing inappropriate uses and disclosures ADA, FMLA, ARRA CAN-SPAM Act, Do-Not-Call Laws, Junk No concern Fax Prevention Act State Anti-Wiretapping Laws Remember all-party consent Electronic Communications Privacy Act Obama administration just started advocating clear FBI access to transaction records with desk letter, contrary to longstanding initiative by entire tech industry Stored Communications Act Is cloud-based outsourced messaging a remote computing service (RCS, that may disclose with consent of "subscriber") or electronic communications service (ECS – that may only disclose with the consent of the addressee) or both? (e.g., Quon, Weaver) FTC Cases "Deceptive Trade Practices" Posted privacy policy issues; cloud "back end" may undermine Case Law represented practices State and Federal Drivers' Privacy Disclosure issues from intrusions 11 Protection Acts
  • 12. Biggest Cloud Records Management & E-Discovery Issues • Willingness and ability of cloud provider to resist production in accordance with customer wishes – Compelled and permitted disclosures under the ECPA • Willingness and ability of cloud provider to preserve and/or produce all instances of Electronically Stored Information (ESI) – Mitigation of production but not preservation duties under Rule 26(b)(2)(B) of FRCP – Spoliation risks and search costs • Ability of cloud provider to limit holds of backup tapes by customer • E-record and e-document retention/destruction programs supported? – Need to assure secure destruction rather than deactivation? • Data integrity, e-admissibility and enforceability of e-signatures – Reliance on encryption, audit trails or hash algorithms? • Preservation of legal privileges 12
  • 13. E-Discovery/Records Heat Map C. E-Discovery and Investigations Public Cloud Comments/Issues Threat Level Willingness and/or obligation of cloud Willingness and ability to resist production in accordance with vendor to cooperate with customer in customer wishes; compelled and permitted disclosures under responding to discovery, investigations and the ECPA preservation obligations Ability of vendor to comply with Willingness and ability to preserve and/or produce all preservation (hold) and production instances of Electronically Stored Information (ESI); ; requirements imposed on it mitigation of production but not preservation duties under Rule 26(b)(2)(B) of FRCP Willingness/ability of vendor to put only Are backup tapes segregated by customer? backup tapes of particular customer on hold E-record and e-document Need to assure secure destruction rather than deactivation? retention/destruction programs supported? Preservation of replications and other Potential major search cost issue, as well as spoliation issue redundancy Data integrity and metadata As the law of e-evidence develops, will reliance be placed on encryption, audit trails or hash algorithms? Legal privileges Issue now being addressed by many bars 13
  • 14. Intellectual Property & E-Commerce Heat Map D. E-Commerce Public Cloud Comments/Issues Threat Level Enforceability of Electronic Signatures and Adequate process controls to satisfy UETA, ESIGN and Contracts international laws? PCI Compliance Immediate, secure destruction of all instances of magnetic stripe data, CVV code and PIN; audit requirement E. Intellectual Property Risk of Loss/Theft Large target for theft Legal Risk of Inadequate Control Potentially undermining IP rights 14
  • 15. Related Data Use and Handling Contractual Provisions • Confidentiality – Is the standard of care sufficient for contractual compliance (NDAs, licenses)? • Trade secret maintenance – What prevents the service provider from learning from a customer’s data? • Secondary uses – Can the service provider use data to develop or improve its products and services? – Different expectations in consumer / business contexts • Are the processes of the service provider audited by a third party? Are those audit reports available to the customer? • Which service provider employees have access to customer data? Do any contractors? 15
  • 16. Preparing for Defaults and Termination • What happens if Provider disappears? • Cyber-risk and related insurance coverage • Early warning • Source code/technology escrow • Business continuity/exit plans • Transition, migration – Wind-down periods – Return of Customer data or destruction, vs. deactivation, and immediately or eventually – Post-termination services/migration assistance/transferrable formats 16
  • 17. Summary of Big Due Diligence and Contractual Issues • Location • Security • Subcontractors • How Much Due Diligence/Transparency Possible/Allowed? • Data Ownership and Limitation of Use • Response to Legal Process • Data Retention, Access, Destruction • Incident Response • Indemnification/Risk Allocation • Termination and Transition 17
  • 18. Questions? Jon Neiditz Eugene Weitz Partner & Information Management Practice Leader Computer Sciences Corporation Nelson Mullins Riley & Scarborough Chair, In-House Committee, ITechLaw Jon.neiditz@nelsonmullins.com eweitz@csc.com 404-322-6139 (908)337-1491 http://www.nelsonmullins.com/attorneys/jon-neiditz Mitchell Goodman Constance Mitchell General Counsel Counsel, Trusted Cloud and Hosting business unit National Vision, Inc. Computer Sciences Corporation mitchell.goodman@nationalvision.com 781-768-3547 770-822-4208 cmitchell5@csc.com Link to us on LinkedIn!