Contemporary Legal Notes

Size: px
Start display at page:

Download "Contemporary Legal Notes"

Transcription

1 Contemporary Legal Notes CLOUD COMPUTING: RAPID COMMERCIAL ADOPTION ESCALATES LEGAL ISSUES by Gerard M. Stegmaier* Wilson Sonsini Goodrich & Rosati, P.C. Christopher Shiplett* Randolph Law, PLLC WLF Washington Legal Foundation Advocate for freedom and justice 2009 Massachusetts Avenue, NW Washington, DC Washington Legal Foundation CONTEMPORARY LEGAL NOTE Series Number 69 February 2011

2 TABLE OF CONTENTS ABOUT THE AUTHORS...ii INTRODUCTION...1 I. UNDERSTANDING CLOUD COMPUTING... 2 II. MOTIVATIONS FOR CLOUD COMPUTING... 3 III. SCALABILITY AND DEMAND-BASED COMPUTING... 4 IV. COMMON LEGAL CONCERNS IN CLOUD TRANSACTIONS... 5 A. Researching and Establishing the Contractual Relationship with a Cloud Service Provider... 7 B. Compliance Audits and Cloud Computing...11 V. LITIGATION AND CLOUD COMPUTING CONCLUSION Copyright 2011 Washington Legal Foundation

3 ABOUT THE AUTHORS Gerard M. Stegmaier is an attorney in Washington, D.C. He also serves as an adjunct professor at George Mason University School of Law where he created and has taught one of the first courses on information privacy law for over ten years. He has represented many of the Internet's pioneers on important questions of first impression. He regularly assists enterprises of all sizes with strategic privacy and information governance issues in transactional, regulatory, and litigation matters. Christopher Shiplett is the founder of Randolph Law, PLLC and a graduate of George Mason University School of Law. He advises software and technology companies on emerging issues of law as applied to software businesses and the Internet. * The views expressed herein are solely those of the authors and do not necessarily reflect the views of their firm, clients, or any other organizations with which they may be affiliated. This article is not intended to constitute legal advice and readers are advised to consult an attorney for any such advice. Copyright 2011 Washington Legal Foundation

4 CLOUD COMPUTING: RAPID COMMERCIAL ADOPTION ESCALATES LEGAL ISSUES by Gerard M. Stegmaier Wilson Sonsini Goodrich & Rosati, P.C. Christopher Shiplett Randolph Law, PLLC INTRODUCTION The phrase cloud computing often refers to the concept of outsourcing significant aspects of a company s technology infrastructure. Over the past few years, this idea has become a reality for more and more companies of all sizes. Yet, the very characteristics of cloud computing that make it such an attractive option for managing computing resources give rise to complex legal issues. As cloud computing takes a recognized place in the information technology manager s toolbox, attorneys must increasingly confront the legal questions inherent in the practice. This CONTEMPORARY LEGAL NOTE identifies several important and common issues that in-house and outside counsel encounter when advising clients who outsource computing to the cloud, and presents strategies that companies can employ to mitigate the risks inherent in the relationship between a purchaser of cloud computing services and the suppliers of those services. Copyright 2011 Washington Legal Foundation 1

5 I. UNDERSTANDING CLOUD COMPUTING The Information Technology Laboratory at the National Institute of Standards and Technology defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 1 For many lawyers, this definition may seem familiar because it sounds similar to many sourcing arrangements. Thus, legal departments may best be served by focusing upon the aspects of cloud computing that are legally similar to outsourcing, rather than focusing on the technical aspects of the practice. On an operational level, cloud computing services range from familiar software applications such as Google s Gmail service for and Salesforce.com s services for customer-relationship management, to more complex and esoteric base level data storage services, data transfer, and licensing of computing power, such as can be accomplished through Amazon s Elastic Computer Cloud (EC2). 2 For this article s purposes, it is enough to recognize that despite cloud computing s many forms, the most common legal 1 PETER MELL AND TIM GRANCE, THE NIST DEFINITION OF CLOUD COMPUTING (Version 15, Oct. 7, 2009), available at (last accessed Dec. 1, 2010). 2 Paul T. Yeager, Jimmy Lin, and Justin M. Grimes, Cloud Computing and Information Policy: Computing in a Policy Cloud?, 5 JOURNAL OF INFORMATION TECHNOLOGY & POLITICS 1, 7 (Fall 2008). Copyright 2011 Washington Legal Foundation 2

6 issues arise nearly universally. Helpfully, despite the breadth of cloud offerings, certain common categories of classification have begun to emerge that may be useful for lawyers. They include: 1) cloud software as a service, in which the provider s applications are used over a network; 2) cloud platform as a service, in which customer-created applications are deployed to a cloud; and 3) cloud infrastructure as a service, in which rent processing, storage, network capacity, and other fundamental computing resources are outsourced to the cloud. II. MOTIVATIONS FOR CLOUD COMPUTING Moving from an intranet based, capital-purchase dependent model of IT infrastructure to a utility-style demand and cloud-based service is attractive to businesses for a number of reasons. First, a cloud-based IT infrastructure is by its very nature more scalable than local, intranet-based infrastructure. It allows a company to match incremental changes in computing requirements by purchasing incremental increases in computing services. 3 Second, cloud-based IT infrastructure is in theory more reliable than intranet-based infrastructure, in that a cloud vendor can build more redundancy into a system than a company could build into its own intranet. The cloud vendor is able to spread the cost of its infrastructure investment across its entire customer base, allocating resources as necessary. 4 Third, cloud-based IT infrastructure can be 3 Id. 4 Id. Copyright 2011 Washington Legal Foundation 3

7 virtualized and geographically dislocated, meaning a company is theoretically no longer required to consider the physical location of its IT infrastructure and data centers in business operations decisions. 5 Finally, features that might be unavailable to smaller companies under traditional IT infrastructures may be offered to cloud computing customers at substantial discounts. Many of these benefits are often thought to derive from the notion that the marginal cost to the cloud computing provider of many features (such as enhanced security) may be very low, or even negligible. In the case of negligible marginal costs, services that might be out of the price range of a company running a traditional intranet-based IT infrastructure may be offered for free to cloud computing customers. III. SCALABILITY AND DEMAND-BASED COMPUTING The New York Times experience offers a successful example of cloud computing s potential value. The New York Times converted its entire archive of articles from from a series of pictures of the articles to Adobe s Portable Document Format ( PDF ). 6 The process involved loading four terabytes of data onto Amazon s cloud computing infrastructure, running a process that converted the files and created another 1.5 terabytes of data, and 5 Id. 6 Derek Gottfrid, Self -service, Prorated Super Computing Fun!, OPEN ALL THE CODE THAT'S FIT TO PRINT, N.Y. TIMES, Nov. 1, 2007, (last accessed Mar. 21, 2010). Copyright 2011 Washington Legal Foundation 4

8 transferring all of that information back into the Times data repository. 7 Using the Amazon EC2 cloud, The New York Times was able to purchase temporary access to the processing power and storage necessary to complete this project and then release it at the end of the project with no further payment obligation. 8 Abstract proof-of-concept-style success stories aside, the benefits offered by cloud computing come with some very real risks that counsel frequently encounter as they assist clients in adopting these solutions. IV. COMMON LEGAL CONCERNS IN CLOUD TRANSACTIONS Legal issues in cloud computing, like legal issues in any business relationship, may arise from almost any conceivable event, situation, or characteristic of the relationship. However, most cloud computing issues will cluster around three scenarios relating to the purchasing company s relationship with its service providers and others. First, the close working relationship between a purchasing company and a cloud provider will give rise to specific contractual issues that the parties should resolve at the outset of the relationship. Second, the myriad nature of government regulation of data may substantially constrain or alter the relationship between the company and its service providers. Third, the rules of e-discovery and electronic evidence raise 7 Id. 8 Id. Copyright 2011 Washington Legal Foundation 5

9 specific complications when applied to electronic data stored in the cloud. The legal issues that accompany the implementation of cloud computing infrastructure arise from two basic aspects inherent to the technology: 1) contracting with a cloud computing service provider requires a company to delegate significant control over its data and computing infrastructure to that service provider; and 2) data stored in the cloud may cross jurisdictional and operational barriers, subjecting a company to multiple, potentially unanticipated, and/or completely unknown regulatory requirements and compliance risks. An enterprise typically encounters these legal issues in one of three scenarios: 1) the company is researching, negotiating, or creating the contractual relationship between itself and the service provider; 2) the company is performing periodic or ongoing audits for regulatory compliance with the laws and rules of any governmental body whose jurisdiction covers the company; or 3) the company is anticipating or is currently involved in litigation, or it is subject to a court-ordered information request and seeks to ensure proper compliance with the request. This article considers each of these situations in turn and summarizes the relevant issues and potential responses. The contractual relationship between the company seeking to outsource its IT infrastructure and the cloud computing vendor potentially raises a number of legal issues. At its base, a contract is a means of allocating risk. In Copyright 2011 Washington Legal Foundation 6

10 traditional intranet-based corporate computing, responsibility for any damages arising out of a computing failure and the underlying equipment and software from which the failure may arise, i.e., the server computers, typically remain under the enterprise s direct control. In cloud computing, a company still generally assumes the responsibility for the damages caused by a computing failure, but it no longer exclusively controls the potential sources of failure, and it does not control the failure-mitigation process. Moreover, the underlying controls that may be available to the enterprise may differ significantly. A. Researching and Establishing the Contractual Relationship with a Cloud Service Provider The potential for an operational disruption caused by elements entirely outside of a cloud computing customer s control represents one of the primary risks resulting from delegation of control. For example, the service itself could become unavailable, and underlying users might have little if any direct control regarding when and whether service may be restored. 9 If a company is dependent on cloud-based services for core-business communications or processes, even a minor interruption in service can translate to significant 9 Paul McNamera, DDoS attack against Bitbucket darkens Amazon cloud, BUZZBLOG, NETWORKWORLD, Oct. 5, 2009, (last accessed Mar. 21, 2010); see also Ben Traynor, More on today s Gmail issue, THE OFFICIAL GMAIL BLOG (Sept. 01, 2009, 6:59 pm), (last accessed Mar. 21, 2010); Cade Metz, Gmail users howl over Halloween outage, THE REGISTER (Nov. 1, 2009, 5:50 GMT), (last accessed Mar. 21, 2010) (discussing Gmail outages on September 1, 2009 and October 31, 2009 respectively). Copyright 2011 Washington Legal Foundation 7

11 business interruption. In what might be the worst-case-scenario, a company s cloud-stored data could be lost seemingly without possibility of recovery. This is a situation that users of the Sidekick mobile phone, which stores user data in the cloud, experienced. 10 Additionally, this delegation of control implicates data protection issues. For example, a cloud vendor could fail to use reasonable measures to protect trade secrets, or a cloud vendor could fail to provide adequate protection for personally-identifiable consumer information the company collects. A company can re-assert some control over the risk of operational disruption by carefully evaluating the prospective relationship and the potential impact on core business processes prior to beginning negotiations with a particular service provider. Some of the issues enterprises consider often when preparing to enter into a cloud computing relationship include: Service levels: To what minimum level of uptime is the service provider bound: 97%, 99%, or 99.99%? 11 And, what are the consequences or recourse if the vendor fails to deliver? Future service credits may offer little comfort to a retailer that suffers an outage during the holiday shopping season. 10 David Sarno, Microsoft Says Lost Sidekick Data Will Be Restored to Users, L.A.TIMES, TECHNOLOGY, (Oct. 15, 2009), (last accessed Mar. 21, 2010). 11 See, e.g., Amazon EC2 SLA, (last accessed Mar. 21, 2010). Amazon s Service Level Agreement for its EC2 service promises that Amazon Web Services will use commercially reasonable efforts to make Amazon EC2 available with an Annual Uptime Percentage... of at least 99.95% during the Service Year. Copyright 2011 Washington Legal Foundation 8

12 Security: What measures does the service provider take to ensure the security of company data in transit and company data at rest. Many service providers encrypt data in transit but do not encrypt data at rest. Where the underlying service processes or hosts personal information, regulatory issues are increasingly complicated. 12 Incident response: In the event of a security breach, or a service failure of some form, what are the service provider s processes for assessing, responding to, and repairing the breach or failure? What is the company s role in the incident response process? Are incidents related to other customers of the same service reportable? Use limitations: Does the company s current relationships with suppliers, employees, and clients somehow limit its ability to outsource datastorage processing to the cloud, or shape the manner in which that can be done; and what is the service provider allowed to do with data in its possession? Auditing, reporting, and recourse: Does the contract with the provider address each of the above considerations individually, or does the company intend to rely upon the provider s terms of service? Additionally, does 12 For example some uncertainty exists regarding the application of privacy and data security provisions of the Health Insurance Portability and Accountability Act to providers of services and applications that may be used by covered entities. See Dept. of Health and Human Serv. Business Associates, available at tml (last accessed Dec. 1, 2010) (discussing what entities are subject to HIPAA regulations). Copyright 2011 Washington Legal Foundation 9

13 the contract address the vendor s obligation to report its performance against its obligations and the purchaser s recourse in the event the vendor fails to perform an obligation? Data de-coupling and transfer: Is the company s data at least partially de-coupled from the cloud service? If the company decides to change service providers, or if the service provider is no longer able to fulfill the contract, a clear process should exist by which the company can transition to other services including accessing its data. Risk Mitigation Planning: Has the company integrated into its business continuity plan a scenario addressing full or partial failure of the cloud service? Insurance: Does the company carry insurance covering business losses and liability to third parties stemming from a full or partial failure of the cloud service? Many of the issues that arise from the contractual relationship between a company and a cloud computing service provider represent permutations of common issues that arise in any business relationship. An emerging difference between a contract for cloud computing services and a more typical service contract is the increasing importance that enterprises place on the very data storage, transfer, and processing capability that cloud computing simultaneously makes available to a company which then in turn may be Copyright 2011 Washington Legal Foundation 10

14 removed from the enterprise s direct control. A company which cannot access its computing resources cannot function. To the extent that a cloud computing provider takes the responsibility for the functioning of a company s computing resources out of the company s direct control, ensuring that the underlying contract reflects the importance of those resources (and availability) to the operation of the company represents an important consideration for counsel. At the same time, it may be imprudent to rely solely on the contract itself to provide recourse in the event the underlying services are lost or unavailable. B. Compliance Audits and Cloud Computing Loss of direct control over data and infrastructure, as well as the multijurisdictional nature of many offerings, frequently presents special regulatory considerations that must be addressed. In many cases, the service provider determines the physical location of data at rest and the route of transmission. 13 And in some of those cases, data may be transferred through and stored in two or more geographic locations, serially or in parallel, subject to two or more sets of laws and regulations. 14 Accordingly, depending on the content or data, users of cloud services can easily face challenges relating to jurisdictionally-based data requirements. For example, the European Union s member states regulate 13 See, e.g., Matthew Caesar and Jennifer Rexford, BGP Routing Policies in ISP Networks, 19 IEEE NETWORK MAGAZINE 3-4, Nov./Dec. 2005; see also JEFF DOYLE AND JENNIFER CARROLL, ROUTING TCP/IP (2d. ed. 2005). 14 Miranda Mowbray, The Fog over the Grimpen Mire: Cloud Computing and the Law, 6 SCRIPTED JOURNAL OF LAW, TECHNOLOGY AND SOCIETY (Apr. 2009), available at (last accessed Mar. 21, 2010). Copyright 2011 Washington Legal Foundation 11

15 the export of personally identifiable information about their residents and prohibit generally the export of such information to countries that have not been deemed to have adequate data protection requirements. 15 The U.S. has not been deemed adequate generally. As a result, companies processing personal data in the U.S. often must determine an appropriate legal and compliance solution to meet the adequacy requirements. 16 The sheer volume of regulation regarding protection of personally identifiable information can be daunting. In the U.S. alone, personal data storage and transmittal may be regulated under the USA - PATRIOT Act, 17 the Stored Communications Act, 18 the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 19 the Gramm-Leach-Bliley Act, 20 the Fair Credit Reporting Act, 21 and the Video Privacy Protection Act for video rental records, 22 as well as under any other applicable Federal Trade Commission 15 See Council Directive 95/46/EC, 1995 O.J. (L 281) While detailing options available for compliance with the EU Directive s requirements are beyond the scope of this article, a number of solutions remain available. Obtaining consent from the data subject, executing model contracts, participating in the EU- US Safe Harbor program of the U.S. Department of Commerce and creating and having approved binding corporate rules are among the many strategies enterprises use to facilitate importation of personal data to the United States from the European Union. 17 See, e.g. Titles II and V of the USA PATRIOT Act, Pub. L. No , 115 Stat. 272 (codified as amended in scattered sections of the United States Code) U.S.C (2006) U.S.C et seq; 42 U.S.C. 300gg et seq. 20 Pub. L , 113 Stat (also referred to as the Financial Services Monetization Act of 1999) U.S.C et seq. (2006) U.S.C (2006). Copyright 2011 Washington Legal Foundation 12

16 rules and regulations, and/or state laws and regulations. For federal government records, the Privacy Act will also dictate the means and location of storage. 23 Finally, many state laws may come into play include breach notification laws enacted by nearly every state. For data types present on the United States Munitions List, International Traffic in Arms Regulations ( ITAR ) and Export Administration Regulations ( EAR ) will not only limit the means and location of storage but may also limit the nationalities of persons with hypothetical access to the information, regardless of the physical location of the data or the physical location of the person. 24 A company dealing with the regulation of its stored data must confront not only the multi-jurisdictional location and flow of that data in the cloud, but, again, the loss of direct control over the placement of data storage and the transmission of data. Some vendors allow purchasers to dictate the geographic locations in which their services are located. 25 However, it is not clear that this local instance feature guarantees that data will never be stored or transmitted outside the requested geographic area, or whether, conversely, the local instance concept is mainly a functional innovation for solving geography- 23 The Privacy Act of 1974, 5 U.S.C. 552a (2006) C.F.R (discussing foreign national licensing issues). 25 See, e.g., Amazon Elastic Compute Cloud, (last accessed Mar. 21, 2010). Copyright 2011 Washington Legal Foundation 13

17 based technical problems. A company seeking to outsource data storage to the cloud should carefully consider its responsibilities to comply with the various regulations governing its outsourced data in any jurisdiction in which that data rests or may rest, and it should factor those considerations into its choice of a cloud provider, its creation of an outsourcing plan with that provider, its contract negotiation, and its ongoing management of the mutual relationship. V. LITIGATION AND CLOUD COMPUTING A third scenario by which legal issues may arise in the cloud computing relationship is through a company s duty to comply with information requests, including government and private party subpoenas and discovery rules for anticipated, pending, or active litigation. As in the first two scenarios, the delegation of control over outsourced data and the potential for multijurisdictional data storage and transfer potentially complicate matters. A preliminary consideration in e-discovery is whether placing information in a cloud that physically and electronically resides outside the company eliminates a party s obligation to identify it or produce it under the relevant rules of civil procedure. 26 Some authority suggests it does not. In both Tomlinson v. El Paso Corporation 27 and Flagg v. City of Detroit, 28 courts have 26 See FED. R. CIV. P. 26(a)(1)(ii) and FED. R. CIV. P. 34(a)(1) U.S. Dist. LEXIS (D. Colo. Aug. 31, 2007) F.R.D. 346 (E.D. Mich. 2008). Copyright 2011 Washington Legal Foundation 14

18 respectively held that an outsourced data provider is a location that must be identified, and that data in a cloud remains under the party s control, per Rules 26 and 34 respectively of the Federal Rules of Civil Procedure. 29 The U.S. Court of Appeals for the Second Circuit has held that a party is responsible for producing documents it has the practical ability to obtain. 30 In most cases, vendors who provide cloud services will desire to structure their offerings so that they can persuade a party seeking discovery directly that the data is not in their care, custody, or control. Similarly, cloud providers may attempt to invoke privacy or related laws in order to limit or help manage discovery requests and other legal process more properly directed at their customers. As a general rule, electronic evidence in litigation may be treated like any other evidence; thus, parties can be subject to significant sanctions for failing to turn over such information. 31 A safe harbor exists in the Federal Rules of Civil Procedure that immunizes a company from responsibility for electronic data that has been destroyed in the good-faith and routine operation of an electronic system. 32 A company should consider either examining the cloud 29 FED. R. CIV. P. 26; FED. R. CIV. P. 34; see Mark L. Austrian and W. Michael Ryan, Cloud Computing Meets e-discovery, 14 CYBERSPACE LAWYER, July 2009 (citing Flagg and Tomlinson). 30 See Shcherbakovskiy v. Da Capo Al Fine, Ltd., 490 F.3d 130 (2d. Cir. 2007); see also Shari Claire Lewis, Cloud Computing Brings New Legal Challenges, NEW YORK LAW JOURNAL, July 8, 2009, available at (last accessed Mar. 21, 2009). 31 See, e.g. SHARON NELSON, BRUCE A. OLSON AND JOHN W. SIMEK, THE ELECTRONIC EVIDENCE AND DISCOVERY HANDBOOK (American Bar Association, 2006). 32 FED. R. CIV. P. 37(e). Copyright 2011 Washington Legal Foundation 15

19 vendor s document retention and discovery response policies to ensure they conform with the company s requirements, or it should make compliance with the company s policies a part of the service contract during the negotiation phase. A consequence of these requirements is that many cloud vendors will only delete data expressly on the instruction of their customers because they may take the position that they do not control the data. If a litigation hold is put in place, a company faces the additional burden of taking reasonable steps to ensure that electronic data is preserved. 33 When a company outsources certain functions to the cloud, the technical challenges of creating workable hold implementations and allowing for the termination of such holds can be significant. A company s legal obligation to preserve data and maintain access to it may trump the contractual relationship between the party and a cloud computing vendor. For example, in Cyntegra, Inc. v. Idexx Labs, Inc., 34 a cloud computing vendor deleted the data belonging to one of the parties from its servers because the party failed to make its required payments. The court sanctioned that party whose data was deleted for failure to maintain access to its business records. 35 A company outsourcing its data processing may want to ensure that it is aware of any duty to maintain records, regardless of the state of 33 FED. R. CIV. P. 26(b)(5)(B). 34 A322 F. App x. 569 (9th Cir. 2009). 35 Id. at **1. Copyright 2011 Washington Legal Foundation 16

20 the contract or the service provider s ability to supply the records. Therefore, in the context of general operational risk management, companies should contemplate agreements for the return or transfer of the data for transitional and future use by the customer. 36 When seeking to admit evidence in litigation, a company may be questioned about the authenticity of data stored in a cloud. Data authentication is not an issue unique to cloud computing; it is a general concern of any practitioner seeking to admit electronic evidence or dispute an opposing party s electronic evidence. 37 Like each of the other issues common to cloud computing, the core authentication concern for electronic evidence stored in the cloud is the company s loss of direct control over the information. A way to address this concern is through both the terms of the service contract and the management of the service contract. The service contract may include terms requiring the cloud service provider to store data, secure data, and manage and limit access to data in a way that the authenticity of the data can be proven if questioned. In managing the contract with the cloud vendor, purchasers may 36 See, e.g., AWS Customer Agreement, (last accessed Mar. 21, 2010). The Customer Agreement for Amazon Web Services states: In the event of any termination by us of any Service or any set of Services, or termination of this Agreement in its entirety, other than a for cause termination... (i) we will not take any action to intentionally erase any of your data stored on the Services for a period of thirty (30) days after the effective date of termination; and (ii) your post termination retrieval of data stored on the Services will be conditioned on your payment of Service data storage charges for the period following termination, payment in full of any other amounts due us, and your compliance with terms and conditions we may establish with respect to such data retrieval. 37 Tom Klaff, The E-Discovery Conundrum: Proving the Authenticity of your Electronic Evidence, COMPUTER TECHNOLOGY REVIEW, Apr. 29, 2008, available at Copyright 2011 Washington Legal Foundation 17

Insights into Cloud Computing

Insights into Cloud Computing This article was originally published in the November 2010 issue of the Intellectual Property & Technology Law Journal. ARTICLE Insights into Cloud Computing The basic point of cloud computing is to avoid

More information

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013 CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

THIS WEBCAST WILL BEGIN SHORTLY

THIS WEBCAST WILL BEGIN SHORTLY If you have any technical problems with the Webcast or the streaming audio, please contact us via email at: webcast@acc.com Thank You! THIS WEBCAST WILL BEGIN SHORTLY Cloud-Based vs. On-Premise ediscovery

More information

DATA SECURITY AGREEMENT. Addendum # to Contract #

DATA SECURITY AGREEMENT. Addendum # to Contract # DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the

More information

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1 Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1 Taking a Deeper Look at the Cloud: Solution or Security Risk? LoyCurtis Smith East Carolina University TAKING A DEEPER LOOK AT THE CLOUD:

More information

A LEGAL GUIDE TO CLOUD COMPUTING

A LEGAL GUIDE TO CLOUD COMPUTING A LEGAL GUIDE TO CLOUD COMPUTING INTRODUCTION Many companies are considering implementation of cloud computing services to decrease IT costs while providing the flexibility to scale usage on demand. The

More information

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division Jason R. Baron Director of Litigation National Archives and Records Administration 1 Overview Cloud Computing Defined

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

LEGAL ISSUES IN CLOUD COMPUTING

LEGAL ISSUES IN CLOUD COMPUTING LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing

More information

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

More information

Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division. U.S. Department of Agriculture

Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division. U.S. Department of Agriculture Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division Benjamin Young, Assistant General Counsel U.S. Department of Agriculture 1 Disclaimer The views expressed in this presentation

More information

The Keys to the Cloud: The Essentials of Cloud Contracting

The Keys to the Cloud: The Essentials of Cloud Contracting The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD Agenda Cloud Computing Technical Overview Cloud Related Applications Identified Risks Assessment Criteria Cloud Computing What Is It? National

More information

E-Discovery Roundtable: Buyers Perspectives on the Impact of Technology Innovation

E-Discovery Roundtable: Buyers Perspectives on the Impact of Technology Innovation E-Discovery Roundtable: Buyers Perspectives on the Impact of Technology Innovation TABLE OF CONTENTS Introduction... 3 IMPACT OF CLOUD COMPUTING... 3 Enforcing data management policies... 3 Protecting

More information

Page 1 of 15. VISC Third Party Guideline

Page 1 of 15. VISC Third Party Guideline Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision

More information

Department of Veterans Affairs VA Directive 6311 VA E-DISCOVERY

Department of Veterans Affairs VA Directive 6311 VA E-DISCOVERY Department of Veterans Affairs VA Directive 6311 Washington, DC 20420 Transmittal Sheet June 15, 2012 VA E-DISCOVERY 1. REASON FOR ISSUE: To establish policy concerning the care and handling of documents

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

E-Discovery: New to California 1

E-Discovery: New to California 1 E-Discovery: New to California 1 Patrick O Donnell and Martin Dean 2 Introduction The New Electronic Discovery Act The new Electronic Discovery Act, Assembly Bill 5 (Evans), has modernized California law

More information

Why You Should Consider Cloud- Based Email Archiving. A whitepaper by The Radicati Group, Inc.

Why You Should Consider Cloud- Based Email Archiving. A whitepaper by The Radicati Group, Inc. . The Radicati Group, Inc. 1900 Embarcadero Road, Suite 206 Palo Alto, CA 94303 Phone 650-322-8059 Fax 650-322-8061 http://www.radicati.com THE RADICATI GROUP, INC. Why You Should Consider Cloud- Based

More information

E-Discovery Quagmires An Ounce of Prevention is Worth a Pound of Cure Rebecca Herold, CISSP, CISA, CISM, FLMI Final Draft for February 2007 CSI Alert

E-Discovery Quagmires An Ounce of Prevention is Worth a Pound of Cure Rebecca Herold, CISSP, CISA, CISM, FLMI Final Draft for February 2007 CSI Alert E-Discovery Quagmires An Ounce of Prevention is Worth a Pound of Cure Rebecca Herold, CISSP, CISA, CISM, FLMI Final Draft for February 2007 CSI Alert While updating the two-day seminar Chris Grillo and

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Security Considerations for Public Mobile Cloud Computing

Security Considerations for Public Mobile Cloud Computing Security Considerations for Public Mobile Cloud Computing Ronnie D. Caytiles 1 and Sunguk Lee 2* 1 Society of Science and Engineering Research Support, Korea rdcaytiles@gmail.com 2 Research Institute of

More information

Requirements for Technology Outsourcing

Requirements for Technology Outsourcing Requirements for Technology Outsourcing Table of Contents Revision History... 3 Overview... 4 Service Provider Selection... 5 Service Delivery Models... 5 Legal Considerations... 5 Security Assessments...

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Cloud Computing and its Security in Higher Education

Cloud Computing and its Security in Higher Education Cloud Computing and its Security in Higher Education Samir Tout stout@emich.edu School of Technology Studies, Information Assurance Eastern Michigan University (EMU) William Sverdlik wsverdlik@emich.edu

More information

CLOUD COMPUTING. 11 December 2013 TOWNSHIP OF KING TATTA 1

CLOUD COMPUTING. 11 December 2013 TOWNSHIP OF KING TATTA 1 CLOUD COMPUTING (outsourcing records storage) TATTA SRINIVASA RECORDS MANAGER 11 December 2013 TOWNSHIP OF KING TATTA 1 Cloud computing A style of computing where scalable and elasticity ITenabled capabilities

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT COLUMBIA AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into as of ( Effective Date ) by and between The Trustees of Columbia University in the City of

More information

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013 Public Record Office Victoria Cloud Computing Policy Guideline 1 Cloud Computing Decision Making Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table

More information

Every Cloud Has A Silver Lining. Protecting Privilege Data In A Hosted World

Every Cloud Has A Silver Lining. Protecting Privilege Data In A Hosted World Every Cloud Has A Silver Lining Protecting Privilege Data In A Hosted World May 7, 2014 Introduction Lindsay Stevens Director of Software Development Liquid Litigation Management, Inc. lstevens@llminc.com

More information

Blueprint for Cloud-Based ediscovery. An evaluation framework for companies and firms bringing ediscovery in-house via the cloud

Blueprint for Cloud-Based ediscovery. An evaluation framework for companies and firms bringing ediscovery in-house via the cloud Blueprint for Cloud-Based ediscovery An evaluation framework for companies and firms bringing ediscovery in-house via the cloud Blueprint for Cloud-Based ediscovery A Framework for Cloud Computing Security,

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

BEWARE: LEGAL PRIVILEGE RULES DIFFER BETWEEN THE U.S. AND THE EU

BEWARE: LEGAL PRIVILEGE RULES DIFFER BETWEEN THE U.S. AND THE EU CLIENT MEMORANDUM BEWARE: LEGAL RULES DIFFER BETWEEN THE U.S. AND THE EU I. Introduction Jurisdictions in the United States and Europe differ significantly in their approach to the privilege afforded to

More information

Cloud Computing A Silver Lining or Ethical Thunderstorm for Lawyers?

Cloud Computing A Silver Lining or Ethical Thunderstorm for Lawyers? Consultus Electronica Cloud Computing A Silver Lining or Ethical Thunderstorm for Lawyers? by James M. McCauley, Ethics Counsel, Virginia State Bar Because of the flagging economy, businesses and professionals

More information

Predictability in E-Discovery

Predictability in E-Discovery Predictability in E-Discovery Presented by: John G. Roman, Jr. National Manager, Practice Group Technology Services Nixon Peabody LLP Tom Barce Assistant Director of Practice Support Fulbright & Jaworski

More information

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee August 2010 Introduction Good privacy practices are a key

More information

Best Practices in Electronic Record Retention

Best Practices in Electronic Record Retention A. Principles For Document Management Policies Arthur Anderson, LLD v. U.S., 544 U.S. 696 (2005) ( Document retention policies, which are created in part to keep certain information from getting into the

More information

REALITY BYTES: A NEW ERA OF ELECTRONIC DISCOVERY

REALITY BYTES: A NEW ERA OF ELECTRONIC DISCOVERY REALITY BYTES: A NEW ERA OF ELECTRONIC DISCOVERY Steven M. Gruskin Carl J. Pellegrini Sughrue Mion, PLLC 2100 Pennsylvania Ave. NW Washington, DC 20037 www.sughrue.com On December 1, 2006, the Federal

More information

Electronic Discovery and the New Amendments to the Federal Rules of Civil Procedure: A Guide For In-House Counsel and Attorneys

Electronic Discovery and the New Amendments to the Federal Rules of Civil Procedure: A Guide For In-House Counsel and Attorneys Electronic Discovery and the New Amendments to the Federal Rules of Civil Procedure: A Guide For In-House Counsel and Attorneys By Ronald S. Allen, Esq. As technology has evolved, the federal courts have

More information

Cloud Computing and HIPAA Privacy and Security

Cloud Computing and HIPAA Privacy and Security Cloud Computing and HIPAA Privacy and Security This is just one example of the many online resources Practical Law Company offers. Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits &

More information

Kaiser Permanente Affiliate Link Provider Web Site Application

Kaiser Permanente Affiliate Link Provider Web Site Application Kaiser Foundation Health Plan of Colorado Kaiser Permanente Affiliate Link Provider Web Site Application FOR PROVIDERS CONTRACTED WITH KAISER IN THE COLORADO REGION ONLY Page 1 of 7 Kaiser Permanente Affiliate

More information

CORPORATE RECORD RETENTION IN AN ELECTRONIC AGE (Outline)

CORPORATE RECORD RETENTION IN AN ELECTRONIC AGE (Outline) CORPORATE RECORD RETENTION IN AN ELECTRONIC AGE (Outline) David J. Chavolla, Esq. and Gary L. Kemp, Esq. Casner & Edwards, LLP 303 Congress Street Boston, MA 02210 A. Document and Record Retention Preservation

More information

WHY YOU SHOULD CONSIDER CLOUD BASED EMAIL ARCHIVING.

WHY YOU SHOULD CONSIDER CLOUD BASED EMAIL ARCHIVING. WHY YOU SHOULD CONSIDER CLOUD BASED EMAIL ARCHIVING. INTRODUCTION A vast majority of information today is being exchanged via email. In 2011, the average corporate user will send and receive about 112

More information

Legal Challenges for U.S. Healthcare Adopters of Cloud Computing

Legal Challenges for U.S. Healthcare Adopters of Cloud Computing Legal Challenges for U.S. Healthcare Adopters of Cloud Computing by Kevin Erdman and Nigel Stark of Baker & Daniels LLP 1 ABSTRACT U.S. Healthcare companies have begun experimenting with taking business-critical

More information

White Paper. Why Should You Archive Your Email With a Hosted Service?

White Paper. Why Should You Archive Your Email With a Hosted Service? White Paper Why Should You Archive Your Email With a Hosted Service? An Osterman Research White Paper Published January 2008 Executive Summary Email is the primary communication system and file transport

More information

University of Alaska. Cloud Computing Guidelines

University of Alaska. Cloud Computing Guidelines University of Alaska Cloud Computing Guidelines Guidelines for the Use of 3 rd Party or Cloud Computing Services at the University of Alaska Why is this important to me? If you manage a service and plan

More information

Cloud Computing Contracts Top Issues for Healthcare Providers

Cloud Computing Contracts Top Issues for Healthcare Providers Cloud Computing Contracts Top Issues for Healthcare Providers North Carolina Bar Association Health Law Section Annual Meeting NC Bar Center Cary, North Carolina April 23, 2015 Presenters Kathryn Brucks,

More information

3 "C" Words You Need to Know: Custody - Control - Cloud

3 C Words You Need to Know: Custody - Control - Cloud 3 "C" Words You Need to Know: Custody - Control - Cloud James Christiansen Chief Information Security Officer Evantix, Inc. Bradley Schaufenbuel Director of Information Security Midland States Bank Session

More information

Our Customer Relationship Agreement VIRTUAL PRIVATE SERVER SERVICE DESCRIPTION

Our Customer Relationship Agreement VIRTUAL PRIVATE SERVER SERVICE DESCRIPTION Our Customer Relationship Agreement VIRTUAL PRIVATE SERVER SERVICE Internode Pty Ltd ABN 82 052 008 581 Phone: 13 66 33 1/502 Hay Street, Subiaco WA 6008 15 October 2013 Rules of interpretation and capitalised

More information

Title: Number: Responsible Office: Last Revision:

Title: Number: Responsible Office: Last Revision: Title: Number: Responsible Office: Last Revision: Cloud Computing: Opportunities Used Safely G4 004D Information Security and Privacy Office July 2011 The following guidance was developed and published

More information

Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009

Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009 Legal Issues Associated with Cloud Computing Laurin H. Mills May 13, 2009 What Is Cloud Computing? The cloud is a metaphor for the Internet Leverages the connectivity of the Internet to optimize the utility

More information

POWER PROTECT PROMOTE. Information Governance In The Cloud

POWER PROTECT PROMOTE. Information Governance In The Cloud Information Governance In The Cloud Galina Datskovsky, Ph. D., CRM President of ARMA International SVP Information Governance Solutions Topics Cloud Characteristics And Risks Information Management In

More information

Cloud Computing. What is Cloud Computing?

Cloud Computing. What is Cloud Computing? Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited

More information

Cloud Computing: Implications and Guidelines for Records Management in Kentucky State Government

Cloud Computing: Implications and Guidelines for Records Management in Kentucky State Government Cloud Computing: Implications and Guidelines for Records Management in Kentucky State Government (Version 1.0 August 2012) Many information technology (IT) departments and resource allocators are considering

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES

More information

Privacy Policy. February, 2015 Page: 1

Privacy Policy. February, 2015 Page: 1 February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met

More information

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER THE FEDERAL TRADE COMMISSION. In the Matter of Myspace, LLC. FTC File No. 102 3058.

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER THE FEDERAL TRADE COMMISSION. In the Matter of Myspace, LLC. FTC File No. 102 3058. COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER to THE FEDERAL TRADE COMMISSION In the Matter of Myspace, LLC FTC File No. 102 3058 June 8, 2012 By notice published on May 14, 2012, the Federal Trade

More information

Preservation and Production of Electronic Records

Preservation and Production of Electronic Records Policy No: 3008 Title of Policy: Preservation and Production of Electronic Records Applies to (check all that apply): Faculty Staff Students Division/Department College _X Topic/Issue: This policy enforces

More information

PBGC-19: Office of General Counsel Case Management System

PBGC-19: Office of General Counsel Case Management System PBGC-19: Office of General Counsel Case Management System Excerpted from Federal Register: Sept. 9, 2014 (Volume 79, Number 174) General Routine Uses System Name: Office of General Counsel Case Management

More information

ETHICS for Lawyers and Law Firms Using Cloud Technology

ETHICS for Lawyers and Law Firms Using Cloud Technology ETHICS for Lawyers and Law Firms Using Cloud Technology Donna Kirk Seyle ~ Legal Tech Advisor: Law Practice Strategy 108 MONTESANO ST SANTA CRUZ, CA 95062 (831) 332-2243 Donna Seyle is an attorney, author,

More information

Metadata, Electronic File Management and File Destruction

Metadata, Electronic File Management and File Destruction Metadata, Electronic File Management and File Destruction By David Outerbridge, Torys LLP A. Metadata What is Metadata? Metadata is usually defined as data about data. It is a level of extra information

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

THE DUTY TO PRESERVE, COLLECT, AND PRODUCE ELECTRONICALLY STORED INFORMATION HELD BY THIRD PARTIES

THE DUTY TO PRESERVE, COLLECT, AND PRODUCE ELECTRONICALLY STORED INFORMATION HELD BY THIRD PARTIES ESI Discovery THE DUTY TO PRESERVE, COLLECT, AND PRODUCE ELECTRONICALLY STORED INFORMATION HELD BY THIRD PARTIES Ronald C. Wernette, Bowman and Brooke LLP Introduction The legal landscape is now littered

More information

Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement

Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement You may be aware that the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) requires health plans

More information

The Ethics of E-Discovery. computer technologies in civil litigation, courts are faced with a myriad of issues

The Ethics of E-Discovery. computer technologies in civil litigation, courts are faced with a myriad of issues The Ethics of E-Discovery By John M. Barkett Chicago, Illinois, 2009; ISBN 978-1-60442-256-6 Price $69.95, pp. 125 Reviewed by Tracy Flynn Journal of High Technology Law Suffolk University Law School E-discovery

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

More information

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

A PRIMER ON THE NEW ELECTRONIC DISCOVERY PROVISIONS IN THE ALABAMA RULES OF CIVIL PROCEDURE

A PRIMER ON THE NEW ELECTRONIC DISCOVERY PROVISIONS IN THE ALABAMA RULES OF CIVIL PROCEDURE A PRIMER ON THE NEW ELECTRONIC DISCOVERY PROVISIONS IN THE ALABAMA RULES OF CIVIL PROCEDURE Effective February 1, 2010, the Alabama Rules of Civil Procedure were amended to provide for and accommodate

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Electronic Discovery

Electronic Discovery Electronic Discovery L. Amy Blum, Esq. UCLA University of California, Los Angeles 1 Topics Not Covered Best practices for E-mail E use and retention in the ordinary course of business Records Disposition

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate

More information

Outsourcing Transactions in the Insurance Industry ADVISORY

Outsourcing Transactions in the Insurance Industry ADVISORY Outsourcing Transactions in the Insurance Industry ADVISORY The insurance industry has long been focused on reducing costs and improving operational efficiencies. With the turbulence in today s insurance

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

New E-Discovery Rules: Is Your Company Prepared?

New E-Discovery Rules: Is Your Company Prepared? November 2006 New E-Discovery Rules: Is Your Company Prepared? By Maureen O Neill, Kirby Behre and Anne Nergaard On December 1, 2006, amendments to the Federal Rules of Civil Procedure ( FRCP ) concerning

More information

Recordkeeping Policy

Recordkeeping Policy Public Record Office Victoria Standards and Policy Recordkeeping Policy Cloud Computing: Implications for Records Management Version Number: 1.0 Issue date: 04/04/2012 Closing for comments: 31/05/2012

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing

MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT Western Student E-Communications Outsourcing Paul Eluchok - University Privacy Officer David Ghantous - Associate Director of Technical Services Dated: August

More information

Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity. Amy Mushahwar, Esq.

Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity. Amy Mushahwar, Esq. Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity Amy Mushahwar, Esq. What s New? Not That Much. Some have their heads in the cloud we prefer to stay down in the weeds and know

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

Paychex Accounting Online Terms of Use

Paychex Accounting Online Terms of Use Paychex Accounting Online Terms of Use Paychex recommends that Client read the Terms of Use prior to using the Paychex Accounting Online Software ( Software ). If Client does not accept and agree with

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

Use of Check Images By Customers of Financial Institutions. Version Dated: July 14, 2006

Use of Check Images By Customers of Financial Institutions. Version Dated: July 14, 2006 Use of Check Images By Customers of Financial Institutions Version Dated: July 14, 2006 This document provides an overview of the treatment of check images under the Check 21 Act and laws and regulations

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

retained in a form that accurately reflects the information in the contract or other record,

retained in a form that accurately reflects the information in the contract or other record, AL 2004 9 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Electronic Record Keeping TO: Chief Executive Officers of All National Banks, Federal Branches and Agencies,

More information

Overview Software Assurance is an annual subscription that includes: Technical Support, Maintenance and Software Upgrades.

Overview Software Assurance is an annual subscription that includes: Technical Support, Maintenance and Software Upgrades. Software Maintenance & Support Agreement This agreement ( Support Agreement, Software Assurance, Agreement ) is for the purpose of defining the terms and conditions under which Technical Support, Maintenance

More information

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined

More information

Office of the Chief Information Officer

Office of the Chief Information Officer Office of the Chief Information Officer Online File Storage BACKGROUND Online file storage services offer powerful and convenient methods to share files among collaborators, various computers, and mobile

More information

COURSE DESCRIPTION AND SYLLABUS LITIGATING IN THE DIGITAL AGE: ELECTRONIC CASE MANAGEMENT (994-001) Fall 2014

COURSE DESCRIPTION AND SYLLABUS LITIGATING IN THE DIGITAL AGE: ELECTRONIC CASE MANAGEMENT (994-001) Fall 2014 COURSE DESCRIPTION AND SYLLABUS LITIGATING IN THE DIGITAL AGE: ELECTRONIC CASE MANAGEMENT (994-001) Professors:Mark Austrian Christopher Racich Fall 2014 Introduction The ubiquitous use of computers, the

More information

Chapter 2.82 - RECORDS MANAGEMENT Sections:

Chapter 2.82 - RECORDS MANAGEMENT Sections: Chapter 82 - RECORDS MANAGEMENT Sections: 8010 - Government records findings Recognition of public policy. The council of Salt Lake County finds the following: A. It is in the best interests of Salt Lake

More information