Privacy Implications of Cloud Computing in Israel

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Privacy Implications of Cloud Computing in Israel"

Transcription

1 January 2012 Privacy Implications of Cloud Computing in Israel Adv. Naomi Assia Co-chairman of the Data Protection Committee -ITECHLAW

2 Cloud Computing One widely accepted definition of Cloud Computing has been offered by the U.S National Institute of Standards and Technology (NIST): Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing resources (e.g. servers, storage, networks, applications and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.

3

4 Cloud Computing Vendors and Service Providers are investing in solutions and services in terms of efficiency gains, cost reduction, productivity and scalability. Many technical, commercial and legal issues will require a thorough examination.

5 Cloud Computing A great deal of information that once stored on local computer hard drives is now being stored on remote servers, sometimes referred to the Clouds. Outsourcing of data processing functions to servers which are connected via the internet. Cloud Computing cover peaks in demand that overburden internal IT infrastructures.

6 Types of Cloud Services SaaS (Software as a Service)- application software that is not installed on the local computer but is made available as needed through external servers. IaaS (Infrastructure as a Service)- allows the cloud services provider to host entire IT infrastructure. PaaS (Platform as a Service)- allows the cloud provider to access the entire data processing environment, device management and database controller software. Storage as a Service- data backup and archiving services.

7 Moving into Cloud Computing Things to be considered Internal IT Security Controls Data processing on the cloud brings with it an inherent level of risk due to the bypass of the physical, logical, personal and technical controls of the internal IT personal. Server Elasticity Servers hosting personal data may be reconfigured or decommissioned frequently to accommodate capacity requirements. This means that the person/entity which uses Cloud Services can never be sure where the data resides at a given time.

8 Moving into Cloud Computing Things to be considered (continue) Compliance with Laws and Regulations Companies are ultimately responsible for the security and integrity of data entrusted to them, even when the data is stored in the Cloud.

9 Moving into Cloud Computing Things to be considered (continue) Monitoring Cloud Providers administrators Encryption, tokenizations, masking, auditing and monitoring can reduce the risk of an unauthorized use by the Cloud Service Provider. Physical Infrastructure It is important to determine the physical security measurements that the Cloud Services Provider should implement in the physical place of which the data is being stored.

10 Cloud Services Legislation Today, there is lack of worldwide legislation for drafting Cloud Services Agreements. On the other hand, there is a widespread legislation with regard to the outcome of such Cloud Services Agreements mainly in Privacy and Data Protection issues.

11 ISRAEL - Legislation The Israeli Law, Information and Technology Authority (ILITA), was established by the Ministry of Justice of Israel on September 2006 to become Israel's data protection authority. ILITA missions are, among other, to reinforce personal data protection and increase the enforcement of privacy and IT-related offences

12 ISRAEL - Legislation The adequacy of Israeli data protection law Following a detailed assessment of Israel s data protection law, at its December 2009 meeting, the Article 29 Working Party (which consists of EU data protection authorities) deemed Israel s law to be adequate. Data controller within the European Economic Area can now transfer personal data to Israel wthout breaching the EU data protection Directive s restriction on the transfer of personal data to third countries.

13 ISRAEL - Regulation While using Cloud Services, information may be also transferred to an overseas entities and kept on overseas servers. Such information can contain sensitive and confidential information of the Cloud Services consumers or even third parties information which is stored on the Cloud Services consumers databases.

14 ISRAEL - Regulation Legally, submitting sensitive or confidential information for storage or processing to a Cloud Service Provider, will not dismiss the service consumer from its obligation or responsibility to protect the information in accordance with the Privacy and Data Protection laws, regulations and agreements. An Israeli consumer of Cloud Services is subjected also to the foreign legislation of the Cloud Service Provider.

15 ISRAEL applicable legislation Protection of Privacy Act 1981 Protection of Privacy (Transfer of Data Abroad) Regulations. Protection of Privacy (conditions for keeping, safeguarding and transferring information between public bodies) Regulations. Database Registrar instruction 2/2011* the use of outsource services for personal information processing. * According to the 2/2011 instruction, the Database Registrar will issue a specific instruction for Cloud Computing which will complete the 2/2011 instruction. The 2/2011 Instruction will become valid and enforceable from May 19 th 2012.

16 Database Registrar Instruction 2/2011 Background Section B to the Protection of Privacy Act of 1981 (the Law ) regularizes the authorized use of personal information and determines the liability for prevention of misuse, leakage or theft of the information. While using Cloud Services it is important to pre-evaluate the level of the data sensitivity. The liabilities according to the Law on database s owner and/or database s holder, shall apply also while using Cloud Services.

17 Database Registrar Instruction 2/2011 (continue) Instruction - summary Preliminary exam of Cloud Service (scope and service model) The Service Provider - proved experience in processing personal data, background check and reputation, preliminary check for conflict of interests or the possibility for misuse of the stored information. Drafting the Cloud Services Agreement according to the applicable laws of the parties and the place which the servers are being stored.

18 Database Registrar instruction 2/2011 Instruction summary (continue) Data Protection and controlling the Cloud Services Provider activity. Determine the rights of the Data Subjects to review and make amendments to the data. To determine the period which the personal data is being stored with the service provider and the mechanism for data elimination.

19 Cloud Services Agreements As in any multinational agreements, the parties should determine the jurisdiction and governing law. Determining the above will not release the parties from other enforceable local laws and regulations with regard to Privacy and Data Protection issues. Also the place of which the servers are being stored have a significant influence on the parties responsibilities while executing the agreement.

20 Cloud Services Agreements (continue) Any database (as defined in the Israeli Privacy Protection Act of 1981) transfer to an overseas server, is subjected to the Protection of Privacy (Transfer of Data Abroad) Regulations and thus the transfer should be only to a server located in countries with adequate legislation. Cloud Services Agreements should include specific clauses which shall determine the responsibilities of the Cloud Service Provider for confidentiality, privacy and data protection and shall also determine controlling and reporting mechanism to verify standing by to the responsibilities.

21 The Business Software Alliance (BSA) has presented its Cloud Computing Policy Agenda for the EU. BSA identifies 10 concrete policy actions to boost users privacy and security in the cloud. The actions are aimed to promote the development of necessary standards and infrastructures and ensure an adequate degree of regulatory clarity in EU Cloud Computing Services.

22 Privacy and Data Transfer In order for Cloud Computing Services to develop to their full potential, it is essential to harmonize EU s data protection framework across the EU. That review provide the opportunity to clarify the rules related to privacy and data protection with regard to Cloud Computing. That should include a single definition of Personal Data across the EU and a simplified Data Protection Authority notification system. Efforts to clarify the applications of data retention rules across the EU would ensure a single, coherent and cost effective retention period within the EU market.

23 At the World Economic Forum in Davos on 2011, Neelie Kroes, VP of the EU Commission responsible for the Digital Agenda, reaffirmed that facilitating the take up of cloud computing is a priority in the EU, as it will help a new generation of services to emerge and to boost economic growth across a wide range of sectors.

24

25 CLOUD COMPUTING Overview of the responses given by ITECHLAW (France) and AFDIT to some of the issues raised in the CNIL open consultation of 17 October to 17 November 2011 Claire Bernier - ALTANA - Co-founding Partner Co-chairman of the Data Protection Committee - ITECHLAW Co-local representative for France - ITECHLAW Chairman of the Data Protection Commission - AFDIT Member of the Board - AFDIT

26 Definition of Cloud Computing

27 Creation of a specific legal status for Cloud providers? The CNIL is considering the creation of a specific legal status for Cloud providers Response from ITECHLAW and AFDIT: The creation of a specific legal status for Cloud providers is not necessary: The French Data Protection Act (loi informatique et libertés) excludes Cloud providers from any liability relating to obligations incumbent on data controllers. The various provisions currently laid down in French law, with regard to both the specific provisions contained in the French Data Protection Act(Articles 34 and 35) and criminal law and civil law (contract and tort), already cover the various situations that could arise in the context of Cloud computing services. Cloud providers are bound by all obligations incumbent on IT solution providers, including in particular a duty to provide full information regarding the service ( obligation d information ), a duty to give advice and due warning ( obligation de conseil et de mise en garde ) and a duty to render the data secure and confidential. Any increase in the number of services provided must not result in the transformation of the Cloud provider into a data controller (while the purpose of the data processing and the means implemented are unknown to the client, they are accepted by the latter and implemented at his/her instruction on his/her behalf). Suggestions by ITECHLAW and AFDIT: Given the client s lack of knowledge and/or control over the technical means implemented, it should be looked at how could be reinforced the Cloud provider s obligations and its liability broaden.

28 Applicable law with respect to Cloud computing providers The CNIL raises the question as to applicable law Response from ITECHLAW and from AFDIT: In terms of criminal law: French criminal law is applicable to both data controllers and sub-contractors where: One of the essential elements of the offence is committed on French territory (Cf. Article of the French Criminal Code [Code pénal]) The victim is French at the time of the offence (Cf. Article of the Criminal Code) The offence is committed outside French territory but by a French national and the acts are punishable by the legislation of the country in which they are committed (Cf. Article of the Criminal Code). In terms of civil law: The parties to a contract for the provision of a Cloud solution can include a choice of forum clause with a clause attributing jurisdiction. In the absence of such provisions in the contract, the French court before which the dispute is brought applies the provisions laid down in private international law, referring in particular to Article 4 of the Rome I Regulation, which provides that where the parties have not chosen the applicable law for the contract, the latter is governed by the law of the country relating most closely thereto. The contract is generally presumed to be most closely related to the country in which the party providing the characteristic performance of the contract has its habitual residence at the time the contract is entered into. Some service providers have, in the absence of international agreement on the matter, proposed that the characteristic performance of a Cloud should be the place where the servers are geographically localised and that, consequently, the law of the country in which the servers are located should apply. Observations by ITECHLAW and AFDIT: These solutions do not appear adequate with respect to Cloud because: clients are generally bound by membership agreements, clients would have to face high costs in order to defend their rights due to the high level of legal uncertainly surrounding the determination of applicable law. In terms of tort, the question remains unresolved by applicationof the conflict-of-law rules laid down in the Rome II Regulation.

29 Obligation to conduct a prior risk analysis? The CNIL would like data controllers to perform a risk analysis in order to assess the impact of resorting to a Cloud solution Response from ITECHLAW and AFDIT: From an economic point of view: imposing a legal risk analysis obligation on data controllers risks to make them incurring significant costs, which would contradict Cloud s primary aim, i.e. to rationalise costs. From a legal standpoint: If the risk analysis is conducted by a third party, the Cloud provider could rely on said analysis and seek for the liability of the third party that conducted it in order to avoid its duties to give advice and due warning. If the risk analysis is carried out by the provider itself: possibility that the service provider seeks to minimise the real risks incurred, a situation that would only be revealed in the event of a dispute and that would be difficult to dispute out of court, incurring therefore very high costs (expertise, etc.).

30 Questions?

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

LEGAL ISSUES IN CLOUD COMPUTING

LEGAL ISSUES IN CLOUD COMPUTING LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

CCBE GUIDELINES ON THE USE OF CLOUD COMPUTING SERVICES BY LAWYERS

CCBE GUIDELINES ON THE USE OF CLOUD COMPUTING SERVICES BY LAWYERS CCBE GUIDELINES ON THE USE OF CLOUD COMPUTING SERVICES BY LAWYERS CCBE guidelines on the use of cloud computing services by lawyers TABLE OF CONTENTS I. INTRODUCTION... 3 1. Scope of the guidelines...

More information

Cloud Computing. Introduction

Cloud Computing. Introduction Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Israeli Law Information and Technology Authority. Privacy and Data Security in the Cloud - The Israeli Perspective

Israeli Law Information and Technology Authority. Privacy and Data Security in the Cloud - The Israeli Perspective הרשות למשפט, טכנולוגיה ומידע Israeli Law Information and Technology Authority Privacy and Data Security in the Cloud - The Israeli Perspective Amit Ashkenazi, Head of the Legal Department Outline Introduction

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

The Keys to the Cloud: The Essentials of Cloud Contracting

The Keys to the Cloud: The Essentials of Cloud Contracting The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Information Technology: This Year s Hot Issue - Cloud Computing

Information Technology: This Year s Hot Issue - Cloud Computing Information Technology: This Year s Hot Issue - Cloud Computing Presented by: Alan Sutin Global IP & Technology Practice Group GREENBERG TRAURIG, LLP ATTORNEYS AT LAW WWW.GTLAW.COM 2011. All rights reserved.

More information

The HR Skinny: Effectively managing international employee data flows

The HR Skinny: Effectively managing international employee data flows The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study

More information

Privacy, the Cloud and Data Breaches

Privacy, the Cloud and Data Breaches Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, Information Integrity Solutions Legalwise Seminars Sydney, 20 March 2013 About IIS Building trust and privacy through global

More information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

on Electronic Signature and change to some other laws (Electronic Signature Act) The Parliament has hereby agreed on this Act of the Czech Republic:

on Electronic Signature and change to some other laws (Electronic Signature Act) The Parliament has hereby agreed on this Act of the Czech Republic: 227/2000 Coll. ACT of 29 th June 2000 on Electronic Signature and change to some other laws (Electronic Signature Act) Amendment: 226/2002 Coll. Amendment: 517/2002 Coll. Amendment :440/2004 Coll. Amendment:

More information

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012 Presentation by: Dr. Nathalie Moreno Partner Cloud Computing and Data Protection: an Update 4 October 2012 Our team Speechly Bircham is an ambitious, international mid-size fullservice law firm head-quartered

More information

(a) the kind of data and the harm that could result if any of those things should occur;

(a) the kind of data and the harm that could result if any of those things should occur; Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data

More information

Cloud Computing in a Government Context

Cloud Computing in a Government Context Cloud Computing in a Government Context Introduction There has been a lot of hype around cloud computing to the point where, according to Gartner, 1 it has become 'deafening'. However, it is important

More information

GAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com

GAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com GAIN CLARITY CRITICAL ISSUES Your Data in the Cloud : Benefits & Risks berrydunn.com AGENDA Defining Cloud Services Benefits and Risks Core Requirements Myths about Clouds Is Your Data in the Cloud Secure?

More information

The Cloud and Cross-Border Risks - Singapore

The Cloud and Cross-Border Risks - Singapore The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in

More information

T-CY Guidance Note #10 (DRAFT)

T-CY Guidance Note #10 (DRAFT) www.coe.int/tcy Strasbourg, version 4 May 2016 T-CY(2015)16 Cybercrime Convention Committee (T-CY) T-CY Guidance Note #10 (DRAFT) Production orders for subscriber information (Article 18 Budapest Convention)

More information

Data Management Session: Privacy, the Cloud and Data Breaches

Data Management Session: Privacy, the Cloud and Data Breaches Data Management Session: Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, IIS President, iappanz IACCM APAC Australia Sydney, 1 August 2012 Overview Changing privacy regulation

More information

Cloud Computing. What is Cloud Computing?

Cloud Computing. What is Cloud Computing? Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited

More information

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data Salesforce s Processor Binding Corporate Rules for the Processing of Personal Data Table of Contents 1. Introduction 3 2. Definitions 3 3. Scope and Application 4 4. Responsibilities Towards Customers

More information

HIPAA and HITECH Compliance Simplification. Sol Cates CSO @solcates scates@vormetric.com

HIPAA and HITECH Compliance Simplification. Sol Cates CSO @solcates scates@vormetric.com HIPAA and HITECH Compliance Simplification Sol Cates CSO @solcates scates@vormetric.com Quick Agenda Why comply? What does Compliance look like? New Cares vs Rental Cars vs Custom Cars Vormetric Q&A Slide

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing. Bringing the Cloud into Focus Cloud Computing Bringing the Cloud into Focus November 2011 Introduction Ken Cochrane CEO, IT/NET Partner, KPGM Performance and Technology National co-leader IT Advisory Services KPMG Andrew Brewin Vice

More information

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)

More information

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013 INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Draft Model Legislative text on Privacy and Data Protection

Draft Model Legislative text on Privacy and Data Protection The views expressed in this presentation are those of the author and do not necessarily reflect the opinions of the ITU or its Membership. This document has been produced with the financial assistance

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

Privacy in the Cloud A Microsoft Perspective

Privacy in the Cloud A Microsoft Perspective A Microsoft Perspective November 2010 The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Presented by: Sabrina M. Segal, USITC, Counselor to the Inspector General, Sabrina.segal@usitc.gov Reference

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Making Sense of Cloud Computing in the Public Sector. By EVA OlSAKER

Making Sense of Cloud Computing in the Public Sector. By EVA OlSAKER Making Sense of Cloud Computing in the Public Sector By EVA OlSAKER Every other article or news clip about government Platform as a Service. PaaS allows customers to use hardware, operating systems, storage,

More information

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Acquia Comments on EU Recommendations for Data Processing in the Cloud Acquia Comments on EU Recommendations for Data Processing in the Cloud Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing

More information

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

Cloud Computing. Hot topics in relation to security, liability and privacy. Steven De Schrijver

Cloud Computing. Hot topics in relation to security, liability and privacy. Steven De Schrijver Cloud Computing Hot topics in relation to security, liability and privacy Steven De Schrijver Cloud Computing : who and what is involved? Data Cloud Service Provider (e.g. SaaS, PaaS, IaaS) Sub-contractor

More information

Cloud Computing Contracts. October 11, 2012

Cloud Computing Contracts. October 11, 2012 Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best

More information

LSSA Guidelines on the Use of Internet-Based Technologies in Legal Practice

LSSA Guidelines on the Use of Internet-Based Technologies in Legal Practice LSSA Guidelines on the Use of Internet-Based Technologies in Legal Practice LSSA 2014 1 Use of Internet-Based Technologies in Legal Practice LSSA Guidelines Version 1.0 November 2014 2 Foreword Please

More information

information systems security policy...

information systems security policy... sales assessment.com information systems security policy... Approved: 2nd February 2010 Last updated: 2nd February 2010 sales assessment.com 2 index... 1. Policy Statement 2. IT Governance 3. IT Management

More information

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012 A COALFIRE PERSPECTIVE Moving to the Cloud A Summary of Considerations for Implementing Cloud Migration Plans into New Business Platforms NCHELP Spring Convention Panel May 2012 DALLAS DENVER LOS ANGELES

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

Data Privacy, Security, and Risk Management in the Cloud

Data Privacy, Security, and Risk Management in the Cloud Data Privacy, Security, and Risk Management in the Cloud Diana S. Hare, Associate General Counsel and Chief Privacy Counsel, Drexel University David W. Opderbeck, Counsel, Gibbons P.C. Robin Rosenberg,

More information

Overview of Topics Covered

Overview of Topics Covered How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA

More information

ACT. of 15 March 2002

ACT. of 15 March 2002 215 ACT of 15 March 2002 on electronic signature and on the amendment and supplementing of certain acts as amended by Act No. 679/2004 Coll., Act No. 25/2006 Coll., Act No. 275/2006 Coll., Act No. 214/2008

More information

REALISTIC REGULATION OF DATA PROTECTION IN THE EDUCATION SECTOR

REALISTIC REGULATION OF DATA PROTECTION IN THE EDUCATION SECTOR REALISTIC REGULATION OF DATA PROTECTION IN THE EDUCATION SECTOR CONNECT 2016 April 28, 2016 Kelly Friedman kelly.friedman@dlapiper.com @kellyddrive www.the-d-drive.com AGENDA 1. What the data shows about

More information

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst Clouds on the Horizon Cloud Security in Today s DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers How to Effectively Collaborate with Cloud Providers Speaker Bio Chad Kissinger Chad Kissinger Founder OnRamp Chad Kissinger is the Founder of OnRamp, an industry leading high security and hybrid hosting

More information

CISCO MERAKI EU DATA PROCESSING ADDENDUM

CISCO MERAKI EU DATA PROCESSING ADDENDUM Meraki LLC 500 Terry Francois Blvd. San Francisco, CA 94158 T 415.432.1000 CISCO MERAKI EU DATA PROCESSING ADDENDUM This EU Data Processing Addendum ( DPA ) forms part of the End Customer Agreement (the

More information

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES

More information

FAQ: HIPAA AND CLOUD COMPUTING (v1.0)

FAQ: HIPAA AND CLOUD COMPUTING (v1.0) FAQ: HIPAA AND CLOUD COMPUTING (v1.0) 7 August 2013 Cloud computing outsourcing core infrastructural computing functions to dedicated providers holds great promise for health care. It can result in more

More information

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division Jason R. Baron Director of Litigation National Archives and Records Administration 1 Overview Cloud Computing Defined

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

THE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK

THE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK THE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK SECURITY AND THEFT OF DATA COVERAGE APPLICATION Name of Insurance Company to which application is made NOTICE: THIS POLICY PROVIDES CLAIMS MADE COVERAGE.

More information

Welcome & Introductions

Welcome & Introductions Addressing Data Privacy and Security Compliance in Cloud Computing Benjamin Hayes, Director of Legal Services, Data Privacy Compliance North America Accenture Copyright 2011 Accenture All Rights Reserved.

More information

CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM

CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM This form is reserved for agencies and brokers acting on their own account and for designers of EDM systems for those agencies and

More information

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected

More information

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015 Identity & Management The Cloud Perspective Andrea Themistou 08 October 2015 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud

More information

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with

More information

SELECTED LEGAL ISSUES

SELECTED LEGAL ISSUES SELECTED LEGAL ISSUES OF CLOUD COMPUTING Geneva, June 26, 2014 Internet Law Summer School Michel Jaccard Juliette Ancelle id est avocats, Lausanne www.idest.pro @idestavocats 1 What is «cloud computing»?

More information

Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station

Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station What is Cloud Computing? http://www.agent-x.com.au/ Wikipedia - the use of computing resources (hardware and software)

More information

Privacy and Security Guidance Cloud Computing in the MUSH Sector

Privacy and Security Guidance Cloud Computing in the MUSH Sector dentons.com Privacy and Security Guidance Cloud Computing in the MUSH Sector Operational Privacy Risks and Opportunities in Cloud Computing: A Focus on Municipalities, Universities, School Boards, and

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

Information Management Compliance and Data protection.

Information Management Compliance and Data protection. Information Management Compliance and Data protection. Technology, Media & Telecommunications Information is the life blood of every business. Yet how you use that information is increasingly regulated.

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA

More information

The newly adopted Luxembourg Law on electronic archiving. Luxembourg has taken a crucial step towards a paperless office.

The newly adopted Luxembourg Law on electronic archiving. Luxembourg has taken a crucial step towards a paperless office. The newly adopted Luxembourg Law on electronic archiving Luxembourg has taken a crucial step towards a paperless office. In July 2015, after two years of discussions, the Law relating to electronic archiving

More information

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release)

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release) CHARLES LUCE S LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release) A. Cloud Computing Defined: n. A loosely defined term for any system providing access

More information

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011 Agenda Introductions Cloud computing overview Risks and audit strategies

More information

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University What is cloud computing? What are some of the keywords? How many of you cannot

More information

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer What is Cloud Computing A model for enabling convenient, on-demand network access to a shared pool of configurable

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I. International Chamber of Commerce The world business organization Policy Statement Employee privacy, data protection and human resources Prepared by the Commission on E-Business, IT and Telecoms I. Introduction

More information

International Data Transfer Agreement

International Data Transfer Agreement International Data Transfer Agreement Standard Contractual Clauses (processors) For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third

More information

Cloud Computing: The Wave of the Future

Cloud Computing: The Wave of the Future Bernice Karn Cloud Computing: The Wave of the Future June 9, 2010 What is Cloud Computing? National Institute of Standards & Technology Definition*: 5 characteristics 3 service models 4 deployment models

More information

DATA PROTECTION LAWS OF THE WORLD. UAE - General

DATA PROTECTION LAWS OF THE WORLD. UAE - General DATA PROTECTION LAWS OF THE WORLD UAE - General Date of Download: 10 January 2017 UAE - GENERAL Last modified 21 March 2016 LAW IN UAE - GENERAL Note: Please also see 'UAE Dubai (DIFC)'. In December 2015

More information

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service Data protection in a swirl of change Overview 1 Data protection issues in cloud computing 2 Consent for mobile applications Security Seminar 2014: Privacy Radboud University Nijmegen 3 The WhatsApp case

More information

Cloud Services Overview

Cloud Services Overview Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture

More information

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud? East African Information Conference 13-14 th August, 2013, Kampala, Uganda Security and Privacy: Can we trust the cloud? By Dr. David Turahi Director, Information Technology and Information Management

More information

Key Considerations of Regulatory Compliance in the Public Cloud

Key Considerations of Regulatory Compliance in the Public Cloud Key Considerations of Regulatory Compliance in the Public Cloud W. Noel Haskins-Hafer CRMA, CISA, CISM, CFE, CGEIT, CRISC 10 April, 2013 w_haskins-hafer@intuit.com Disclaimer Unless otherwise specified,

More information

FRANCE. Chapter XX OVERVIEW

FRANCE. Chapter XX OVERVIEW Chapter XX FRANCE Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection

More information

LOCALIZATION OF PERSONAL DATA PROCESSING IN RUSSIA: THE CLARIFICATATIONS OF THE MINISTRY OF TELECOM AND MASS COMMUNICATIONS

LOCALIZATION OF PERSONAL DATA PROCESSING IN RUSSIA: THE CLARIFICATATIONS OF THE MINISTRY OF TELECOM AND MASS COMMUNICATIONS LOCALIZATION OF PERSONAL DATA PROCESSING IN RUSSIA: THE CLARIFICATATIONS OF THE MINISTRY OF TELECOM AND MASS COMMUNICATIONS Starting from 1 September 2015 the requirement established by the Federal Law

More information

LAW ON ELECTRONIC TRANSACTIONS

LAW ON ELECTRONIC TRANSACTIONS Lao People s Democratic Republic Peace Independence Democracy Unity Prosperity National Assembly No 20/NA Vientiane Capital, Date: 7 December 2012 (Unofficial Translation) LAW ON ELECTRONIC TRANSACTIONS

More information

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information