1 From PLI s Online Program Cloud Computing: Pointers for Addressing the New Legal Issues Arising from this Emerging Technology # PREPACKAGED BANKRUPTCY AND PREARRANGED BANKRUPTCY PROCESS Deryck Palmer Jessica Fink Cadwalader, Wickersham & Taft LLP Disclaimers and Suggested References: The outline that follows provides a general overview of retiree medical benefit VEBAs, with specific focus on the VEBAs recently proposed by the Big Three U.S. automakers. The author is by no means an expert on medical benefit plans or VEBAs. Nor can the author claim special insight into any aspect of the Big Three VEBAs. The information in this outline is gleaned entirely from public sources. For two very practical references on retiree medical and VEBAs see: (1) the ABA-JCEB teleconference Shifting Retiree Health Benefits from Employers to VEBAs (December 6, 2007 available in archived teleconf format or CD), in which Nell Hennessey, Douglas Greenfield, Karen Handorf and Vicki Hood do a terrific job describing the background on union retiree medical and the Big Three VEBAs and (2) Jones Day Commentary Who Killed Yard-Man (Apr. 2007), a Jones Day client newsletter
2 Cloud Computing: Pointers for Addressing New Legal Issues Arising from this Emerging g Technology March 19, 2009 PLI Conference Jeffrey D. Neuburger Proskauer Rose LLP Steven J. Soucar IBM The views and opinions expressed by Steven J. Soucar are his own and not necessarily those of IBM The views and opinions expressed by Jeffrey D. Neuburger are his own and not necessarily those of Proskauer Rose LLP
3 What is cloud computing? Cloud computing is Internet ("cloud") based development and use of computer technology ("computing") ). It is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them. Wikipedia An emerging computing model by which users can gain access to their applications from anywhere, through any connected device. A user-centric interface makes the cloud infrastructure supporting the applications transparent to users. The applications reside in massively scalable data centers where computational resources can be dynamically provisioned and shared to achieve significant economies of scale. - IBM
4 Is Cloud Computing New? Cloud Computing evolved from existing technologies Not the same as Grid Computing but similar goals Not the same as Utility Computing but clouds can provide utility computing Not just Provisioning but clouds use provisioning
5 Evolution to Cloud Computing Service Bureau Punch Cards Mailed to Processor Location Finished i Results Sent Back Outsourcing Remote Committed Location for Processing /Storage Data Transferred to/ from on Dedicated Lines Cloud Remote Location for Processing / Storage Not Committed Data Transferred by Public Internet t 1950s 1990s 2000s 2010
6 What Does Cloud Computing Mean to the Various Constituencies? IT Customers: Public clouds / Private clouds - Flexible pricing / business models - On demand provisioning - Unlimited scaling - SW developer platform -Flexible Common Attributes of Clouds Elastic scaling Rapid provisioning Advanced virtualization Flexible pricing IT Analysts: - Variable pricing - No long term commitments - Hosted, on demand provisioning - Massive, elastic scaling - Standard Internet technology - Abstracted infrastructure - Service-oriented Press: Financial Analysts: - Pay by consumption - Lower costs - Utility pricing - Hosted, a-a-s provisioning ii i - On demand provisioning - Parallel, on demand processing - Grid and SaaS combination - Scalable - Massive scaling - Virtualized, efficient infrastructure - Efficient infrastructure -Flexible - Simple and easy - No capital outlay for user - Better utilization of capital expenditures for provider
7 Privacy and Data Security Private clouds Assuming data remains within the organization, is it different from any other internal technology implementation involving sensitive information? Pi Privacy and ddata security laws and agreements impose obligations to maintain the privacy of personally identifiable information and protect personally identifiable information from theft or unauthorized access. Regulatory Issues HIPPA, GLB, FACTA; Contractual Obligations; Breach Notification; Disaster Recovery; SOX. Technical Issues and Solutions.
8 Privacy and Data Security Public clouds Regulatory Issues HIPPA, GLB, FACTA; Contractual Obligations; Breach Notification; Disaster Recovery; SOX. Customers may be subject to contractual obligations to maintain data security and may be required to impose those obligations on service providers. Customers may seek contract provisions to conform with requirements, e.g., notification of a breach in the security of data, encryption of data, secure deletion of data when no longer required. The nature of a public cloud complicates the technical issues The nature of a public cloud complicates the technical issues and solutions.
9 Privacy and Data Security Federal Trade Commission Has brought enforcement actions under the FTC Act against companies for failure to maintain the security of consumer data. Failure to comply with published security promises is deceptive. Failure to use reasonable means to secure data is an unfair trade practice. FTC Workshop Securing Personal Data in the Global Economy March 16-17, 2009 "We need to be smarter about dealing with technology, and cloud computing is posing (a) risk for us." --- Hugh Stephenson, FTC deputy director for international consumer protection. Electronic Privacy Information Center (EPIC) called upon the FTC to investigate t privacy and data security safeguards of public cloud computing services offered to consumers (e.g., Google Docs, etc.)
10 Privacy and Data Security State Breach Notification Laws Generally: Obligate owners or licensors of computerized data containing personal information to give notice to customers in the event of a breach in the security of data. Business that maintain computerized data that includes personal information that they do not own must give notice to owner or licensor of the data of a breach in the security of data. Approximately 47 states have enacted such laws. Generally, these laws cover personal and financial data. Only two states (California and Arkansas) cover health and insurance information. Encryption as Safe Harbor.
11 Privacy and Data Security Federal Breach Notification Law No general federal data breach notification law has yet been enacted, despite bill introductions and hearings. However, the HITECH Act, (signed into law on Feb. 17 as part of H.R. 1, the stimulus legislation ), contains data security breach notification provisions applicable to health information. Amends the Health Insurance Portability and Accountability Act (HIPAA) to require covered entities (i.e., health care providers) to give notice of a breach in the security of unsecured health information. Also directly obligates business associates of covered entities to give notice of a breach to the covered entity. Further amends HIPAA to impose general data security obligations directly on business associates of covered entities.
12 Privacy and Data Security International Issues EU Data Protection Law Utilizing cloud computing providers that store data outside the EU could be problematic. Prohibits transfer of personal data from EU countries to countries whose data protection laws are not judged to be adequate under EU law. U.S. law is deemed not adequate by EU data protection authorities. Transfer of EU data to the U.S. is permitted, however, if: The U.S. entity to which the data is being transferred has entered the U.S. EU Safe Harbor program; or Use of standard contractual clauses approved by the EU; or The U.S. entity has adopted binding corporate rules to ensure compliance with EU data protection standards. But, even these means are used, a U.S. entity may not transfer EU data to a service provider that may further transfer the data to another provider or store it in a jurisdiction not covered by EU law.
13 International Data Transfer From the customer perspective. Customers may seek provisions designating where data can be stored, or may seek services that store data in specified locations. Several eral providers have established data centers within the EU to address this issue.
14 Legal Issues - Data Access From the customer perspective. Customers may wish to control where data is stored to avoid exposure of data to undisclosed scrutiny or legal process emanating from foreign governments. Concerns raised in Canada over the privacy of Canadian PII contained in data stored on servers located in the U.S. caused the Canadian government to issue a report in 2004 addressing the issue. Google has had ongoing conflicts with law enforcement authorities in Brazil over request for turnover of user data for Google-owned social networking site Orkut, where the data was hosted on servers in the U.S. E-Discovery Issues.
15 Legal Issues - Data Access From the customer perspective. Customers may wish to be notified when law enforcement authorities seek access to their data. Customers may wish to protect against service provider use of fdata for non-customer related purposes. Customers may seek to ensure that they can comply with E-Discovery requirements at no extra cost.
16 Legal Issues - Copyright Does Section 512(c) of the DMCA apply? DMCA 512(c) affords a provider a safe harbor from liability for copyright infringement for content that is stored at the direction of a user (provided statutory prerequisites are met.) If the provider s service entails certain processing in connection with storing the information and making it available to third parties, is the safe harbor still available? UMG Recordings, Inc. v. Veoh Networks (C.D. Cal. Dec. 29, 2008). Online video upload services processed user-provided video files by chunking into smaller segments, converting to another format, and made the processed files available to third parties. Court ruled the service could still claim the safe harbor because the processes were narrowly directed toward providing access to material stored at the direction of users and affected only the form and not the content of the videos. Providing access to third parties by streaming and downloading also falls within the safe harbor.
17 Legal Issues - Copyright What is the scope of possible liability? Cartoon Network LP v. CSC Holdings, Inc. (2d Cir. 2008) (petition for certiorari on hold pending comment from U.S. Justice Department) Is a cable TV provider that provides a networked digital video recorder (DVR) to subscribers that enables them to make copies of copyrighted content and store them on a networked drive directly liable for copyright infringement? When it is the subscriber that pushes the copy button on the DVR and a copy is made and stored on the networked drive, who is making the copy, the subscriber or the cable TV provider? Are ephemeral copies of copyrighted content that are automatically generated by virtue of the technical operation of the networked DVR copies that can subject the operator of the system to copyright liability?
18 Legal Issues - Copyright Cartoon Network LP v. CSC Holdings, Inc. (cont.) In a declaratory judgment action brought by the cable TV provider who planned to deploy such a system, the 2d Circuit ruled that the provider would not be a direct infringer if it provided the networked DVR system to its customers. The necessary volitional act for imposing copyright liability was undertaken by the customer who actually pressed the copy button, not the provider that deployed and operated the system The provider was not liable for ephemeral (i.e., buffer copies generated by the operation of the system. The ephemeral copies were not copies within the meaning of the Copyright Act because they were not sufficiently permanent to be fixed in a tangible medium of expression for a period of more than transitory duration.
19 Legal Issues - Copyright Cartoon Network LP v. CSC Holdings, Inc. (cont.) Caution The issue of cable TV provider as secondary infringer not addressed. > Impact of Betamax ruling (Sony Corp. v. Universal City Studios 464 U.S. 417 (1984). Analysis of Mai v. Peak Computer (9 th Cir. 1993). > Interim copies are not infringing copies. > Technical issue.
20 Patent Issues Depending on how the applicable patent claims are written, the infringer may be the party that supplies the cloud as opposed to the user. Consider applicable indemnification. Method claims can only be infringed if a single party performs or causes the performance of all claimed steps. If the cloud provider performs a step without the user s s direction or control, there may be no infringement where by there might have been if the user owned and controlled the computer. A number of companies have patents that may pose issues for cloud computing implementation. Consider clearance issues and portfolio acquisition.
21 Contract considerations Standards / openness Family Pictures User: Lock in to proprietary interfaces, infrastructure ok Provider: Non-negotiable terms, low price, may or may not comply with standards, have proprietary interfaces, infrastructure HR Records User: Lock in to proprietary interfaces, infrastructure t not ok Provider: Negotiable terms, higher price, more likely to comply with standards, may or may not have proprietary interfaces, infrastructure Service level agreements Family Pictures User: SLAs probably not important. Provider: SLAs limited, non-negotiable, negotiable, HR Records User: SLAs important Provider: Negotiate SLAs. SLAs a factor in the price
22 Contract Considerations Export Regulations US - International Traffic in Arms Regulation (ITAR) US Export Administration Regulations NonUS regulations Who is responsible for compliance? User? Provider?
23 Conclusions Cloud Computing is an evolutionary step. At an industry level, public clouds are getting most of the press but will evolve slowly. Private clouds are getting less press but will likely evolve more quickly given the ability to impose necessary controls to address security, privacy and compliance needs. Important to address need for common standards. Industry still nascent.