Don t miss the Legal Aspects in Cloud Computing

Transcription

1 Don t miss the Legal Aspects in Cloud Computing Nicole Beranek Zanon Lic. iur., EMBA HSG 2 About me

2 3 Agenda Why Cloud Computing? Risks & Responsibilities Overview on the most important legal topics Asset and Data Protection Acceptance & Termination Summary 4 1 IBM

3 5 Don t compare apples and oranges! Use strategic opportunities But, know your risks: What kind of risks do I have with our current on-premise solution? Are we changing as fast as the world / competition does? What kind of flexibility / stability do we need? What kind of data do we have? Is IT our key competence? What legal and regulatory framework applies to Cloud solutions? 6 Cloud-Ecosystem Internet- Accessprovider CH / Abroad IaaS PaaS SaaS XaaS Cloud-Supplier Encryption-Provider IAM-Provider Company Cloud-User CH Abroad

4 7 Operation Modells of the Cloud IaaS/SaaS Szenario 1 Szenario 2 Szenario 3 Szenario 4 Szenario 5 Legende: Service Provider Service Provider Service Provider Service Provider Service Provider Service Provider Software Provider Betrieb Software Middleware Hosting Hardware Netzwerk RZ Infrastruktur Betrieb Software Middleware Hosting Hardware Netzwerk RZ Infrastruktur Betrieb Appl.-SW & Middleware Betrieb Hosting Hardware Netzwerk RZ Infrastruktur & Betrieb Software Middleware Hardware Housing Netzwerk RZ Infrastruktur & Betrieb Software Middleware Hardware Housing Netzwerk RZ Infrastruktur Hosting Provider Szenario 4 SaaS: von Drittanbieter wird bei Hosting Partner auf dessen Hardware in einem RZ eines Dritten betrieben und als Gesamtlösung dem Kunden verkauft 8 2

5 9 Risks and Responsibilities Risks Reputation risk Claims Fines Responsibilities The board of directors has the non-transferable and inalienable duty to determine the company's organisation Art. 716a para. 1 cl. 1 CO Each company needs to have a Internal risk control system (IKS) Periodic check by auditor of such IKS Art. 961c OR Swiss Code of Best Practice Corporate Governance Ziff. 19 IKS Not only financial, but in my opinion also technical and legal risks need to be addressed Foto: delux fotalia.com

6 11 Overview on the most important legal topics What law and forum applies? Who is the supplier + his subcontractors and where are the data hosted? Do we have personal data involved or other critical data categories? If yes, is there the same protection level in place as required by Swiss law or our own standards? How does the supplier deal with acceptance / SLA Termination / Termination Assistance / Escrow / Data destruction 12 Asset and Data Protection 4

7 11 Data Protection I Classification/Categorization Data User categories Access authorization, Access by which tool (App/Device) App Management Device Management Legal & Regulatory Compliance IT Security Use Case Tech./Implementation Techn. Management Management 14 Data Protection I applicable norms and standards according Swiss law Norms Art. 13 Abs. 2 BV Art. 7 DSG Art. 8-12, VDSG Recommendation of Swiss DPA Standards Stand der Technik Certificates such as ISO 27001/27002

8 15 Data Protection II Data Categories Personal data (data): all information relating to an identified or identifiable person (Art. 3 lit. a DSG) Sensitive personal data: data on i) religious, ideological, political or trade union-related views or activities ii) health, the intimate sphere or the racial origin, iii) social security measures, iv) administrative or criminal proceedings and sanctions (Art. 3 lit. c DSG) Personality profile: a collection of data that permits an assessment of essential characteristics of the personality of a natural person (Art. 3 lit. d DSG) 16 Data Protection III principles Justification Data Processing must be processed lawfully Processing only for the purpose indicated at the time of collection, evident from the circumstances, or that is provided for by law. In good faith and proportionate Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Transparency The collection and processing of personal data must be evident to the data subject. Consent only valid with adequate transparent information. For sensitive personal data or personality profiles consent must be given expressly. Cross-Boarder / Third Parties Equivalence with Swiss DPA for cross boarder transactions and third party suppliers. Appropriate Technical and Organizational Measures According state of the Art.

9 17 Data Protection IV Cross Boarder Disclosure Art. 6 DPA Cross Boarder Disclosure is allowed, if: sufficient safeguards User consent Connected with the conclusion or the performance of a contract public interest or for the establishment, exercise or enforcement of legal claims before the courts to protect the life or the physical integrity of the data subject the data subject has made the data generally accessible + no expressly prohibition (public profiles Facebook/Xing); Disclosure within the same legal person /company or between legal persons or companies with Corporate Binding Rules 18 Data Protection V Data Processing by third parties Art. 10a DPA Assignment of data processing to third parties is allowed, if: the data is processed only in the manner permitted for the instructing party itself; and it is not prohibited by a statutory or contractual duty of confidentiality. The instructing party must in particular ensure that the third party guarantees data security.! Also for Subcontractsors / Supplier Affiliates

10 19 Data Protection VI Data Security Art. 7 DPA Personal data must be protected against unauthorised processing through adequate technical and organisational measures. The Federal Council issues detailed provisions on the minimum standards for data security. 20 Data Protection VII Technical and Organizational Measures Confidentiality, Availability, Integrity In particular unauthorised or accidental destruction; accidental loss; forgery, theft or unlawful use; technical faults; unauthorised alteration, copying, access or other unauthorised processing. Adequacy in light of: the purpose of the data processing; the nature and extent of the data processing; an assessment of the possible risks to the data subjects; the current state of the art. Periodical review

11 21 Data Protection VIII Anonymization / Pseudonymization Different consequences regarding security / consent Anonymisation might solve the issue, but does not help Pseudonymisation data still personal data. -> Segregations -> Additional Access Policies, Chinese Walls etc. -> consequent security (Logs etc.) 22 5 Tom Bayer Fotolia.com

12 23 Acceptance & Termination Cloud IaaS and SaaS have major leasing contracts components Acceptance as a principle in SaaS not scalable, unless consequence is not warranty, but service credit No adequate protection for termination especially for bankruptcy cases. Possible means in case of SaaS: Termination Assistance Escrow Step-in Rights 24 6

13 25 Summary The more confidential, important or sentive data is, the more the cross boarder transfer and the assignment to a third party, the more likely this shouldn t be done or if so the stricter and complete should contractual and security measures and their checks be. Swiss DPA Deep technical, security and legal assessment necessary if going to the cloud Process is an interdisciplinary one between business, procurement, legal, security et al. Process of contract negotiation needs to be aligned to enable interdisciplinary negotiations) Reduction of the complexity by: Trustworthy partner and contact person Do a legal and security check (including a vendor risk assessment) Best is, to consider Legal Compliance already in the strategy Categorization of data Thank you for your attention!