Cloud Computing: Legal Risks and Best Practices
|
|
- Gwenda French
- 8 years ago
- Views:
Transcription
1 Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012
2 Introduction Security and Data Privacy Recent OPC Guidelines Compliance Issues Negotiating Contracts with Cloud Providers New Trends and Challenges Practical Tips
3 Security and Data Privacy Access to and security of the data stored in the cloud. When it comes to cloud computing, the security and privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so. There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada).
4 Security and Data Privacy The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing or cross-border data transfer, even when the cloud service provider is in another country. However, PIPEDA (and other privacy laws) establishes rules governing use of the cloud and data transfer particularly with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.
5 Security and Data Privacy Cloud providers often serve multiple customers simultaneously. Many parties may have access to the data. Risk of exposure to possible breaches, both accidental and deliberate. Cloud computing may lead to function creep uses of data by cloud providers that, were not anticipated when the information was originally collected and for which consent has typically not been obtained. Given how inexpensive it is to keep data, there is little incentive to remove the information from the cloud and more reasons to find other things to do with it.
6 Security and Data Privacy Need security protocols maintained at every stage Strict policies as well as enforcement measures need to be reviewed to ensure that the data is being kept confidential A detailed audit assessment may be required of the security protocols before an organization signs up with the service Tools such as Privacy Impact Assessments (PIA) or Threat Risk Assessments (TRA) could be valuable to help make assessments of safeguards Use of external auditors to ensure the industry standards of security protocols are being met by the service provider
7 Recent OPC Guidelines Office of the Privacy Commissioner of Canada (OPC), along with the Privacy Commissioner of Alberta and BC, developed a Guidance Document for Cloud Computing for Small and Mediumsized Enterprises: Privacy Responsibilities and Considerations Organizations must ensure they fully understand their obligations under Canada s private sector privacy legislation, including those under certain provincial privacy legislation, and they need to carefully assess the risks against the benefits. Organizations considering a cloud computing service should carefully consider what information will be stored in the cloud and why.
8 Recent OPC Guidelines Organizations must consider the sensitivity of the personal information and carefully assess all the risks and implications involved in outsourcing personal data to the cloud. This assessment should also take into account whether the cloud is a public cloud, community cloud, private cloud or hybrid cloud, as defined in the OPC s Introduction to Cloud Computing. The sensitivity of the information, the type of cloud, and the contractual arrangements should all play a key role in an organization s decision to move, or not to move, personal information to the cloud. The Guideline recommends seeking professional advice in assessing the risks of using a cloud service provider.
9 Recent OPC Guidelines In order to ensure that personal information is protected, organizations using cloud computing services should: Limit access to the information and restrict further uses by the provider. Set parameters for restricted access and use of personal information that is appropriate for the context and sensitivity of the information. Find out if personal information will be segregated or stored in the same database as information from the cloud provider s other clients. Ensure access to personal information is only granted to those who need it to do their job. Ensure that access to personal information is logged in protected audit trails. Do not assume that the provider s general terms of service or policies will be adequate to establish such restrictions, review them carefully.
10 Recent OPC Guidelines Ensure that the provider has in place appropriate authentication/access controls. Stronger methods of authentication are recommended, such as multi-factor authentication. The level of authentication should be commensurate with the risk to the personal information being protected. Ensure there are procedures and technical controls to manage who has access rights to the personal information. Manage encryption. Understand what type of encryption method is being used and identify where data is encrypted or unencrypted at each stage (e.g., data in transit, data at rest). Conduct an assessment of the risks associated with any lack of encryption. Determine if the encryption method is adequate and the access to encryption keys is properly managed. Risks may be reduced if organizations encrypt personal information before it is sent to the cloud provider.
11 Recent OPC Guidelines Ensure that there are procedures in place in the event of a personal information breach or security incident. These should include technical and organizational measures that will be implemented in the event of accidental or deliberate loss, or unauthorized access or disclosure of personal information. Ensure there are provisions in the agreement with the cloud provider that specify when it will provide notification to the organization in the event of a security breach. Organizations subject to breach notification requirements will want to ensure the contract is clear about when the cloud provider is to provide reports on breaches in order for it to meet its legal obligations. Ensure that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss. Business continuity plans should be clearly documented in the contract.
12 Recent OPC Guidelines Ensure periodic audits are performed. It is important for an organization to have some measure of oversight over a cloud provider s policies and practices. Ensure the cloud provider logs all accesses and uses of personal information. Audits should be conducted periodically to inspect access logs and confirm that physical locations where personal information is processed and stored are inspected. Organizations should verify practices and procedures to ensure the provider is handling personal information in accordance with the agreements in place and request evidence of effective auditing and timely response to security incidents. Have an exit strategy. Ensure the termination procedures permit the transfer of personal information back to the organization and require that the cloud provider securely delete all personal information within reasonable and specified timeframes.
13 Compliance Issues Statutes, regulations and guidelines that apply to a particular industry sector in a particular jurisdiction, may require specific compliance, such as service level terms, data recovery terms, data security regimes, audit provisions and processes for retaining and selecting any third party service provider. The organization transferring data to the cloud provider is ultimately accountable for its protection. It needs to ensure that the data is appropriately handled in compliance with any regulatory requirements.
14 Compliance Issues Cloud service provider may not have standards, controls or notification process that meet OSFI, PIPEDA or other statutory or regulatory requirements In Alberta for example, there are specific breach notification requirements and requirements to notify individuals when personal information is transferred to a service provider located outside of Canada.
15 Compliance Issues International issues cross-border data transfer, compliance with foreign jurisdiction laws, export controls It is important to note that many non-canadian based cloud providers may also be subject to PIPEDA. To the extent that a cloud provider has a real and substantial connection to Canada, and collects, uses or discloses personal information in the course of a commercial activity, the provider is expected to protect personal information, in keeping with PIPEDA.
16 Compliance Issues For more information on outsourcing of personal data processing across borders, please see Privacy Commissioner's Guidelines for Processing Personal Data Across Borders. These considerations apply whether moving data in the cloud or otherwise.
17 Negotiating Contracts with Cloud Providers Unlike outsourcing, many more parties are involved in a cloud based service model a platform provider a provider of servers the data centre provider data centre operator(s) OS provider applications software providers a reseller, distributor or broker Disaster Recovery or Business Continuity Provider As a result it is a complex contracting environment No contractual privity between the customer and many of the parties involved in the cloud services
18 Negotiating Contracts with Cloud Providers Typical contract structures that may be encountered in a cloud service arrangement are: Terms of Service Service Level Agreement Acceptable Use Policies Privacy Policies Important points need to be negotiated before contract is executed
19 Negotiating Contracts with Cloud Providers As a low cost commodity service the service provider seeks to keep transaction costs down and simplify managing obligations to the customers services provided by the cloud service provider are usually on standard terms terms are often non-negotiable tend to strongly favour the service provider cloud provider often leaves open the option to unilaterally change the agreement, limit its liability for the information, and/or subcontract to various other providers.
20 Negotiating Contracts with Cloud Providers Organizations sometimes find that cloud providers present take it or leave it contracts. In other words, the provider sets the parameters of the relationship, and the contracting organization is required to go along with it in order to use the service. This tends to be the case with low cost online services offered by cloud providers. The risk is that the terms of service that govern the relationship with the cloud service provider sometimes allow for more liberal usage of personal information and retention practices, and these standard contract clauses may not be sufficient to allow organizations to meet their privacy obligations.
21 Negotiating Contracts with Cloud Providers Many cloud agreements do not take responsibility for the customer's data Ultimate responsibility for the preservation of confidentiality and integrity of data is on the customer Some standard terms reserve the right to delete customer data for breach of term of the contract i.e. non-payment
22 Negotiating Contracts with Cloud Providers Warranties in general are limited Even when warranties are available, they often exclude any data loss, corruption or service Need to still have traditional representations and warranties, e.g. performance of the service must not interfere with or breach third party rights whether intellectual property, contractual or other rights
23 Negotiating Contracts with Cloud Providers If you are not comfortable with what a particular cloud provider is proposing, you should not transfer personal information entrusted to you by your customers to that provider. You should push back, or take the time to shop around for a better solution. Since the data and processing infrastructure will be outside the customer's control and influence, the vital issues a customer seeks to address include: Service security Trade secret protection, information confidentiality Data integrity Compliance with privacy laws and regulations Potential secondary uses of the data Assurance of data segregation and isolation
24 Negotiating Contracts with Cloud Providers Other terms dealing with data management include: Data ownership provisions Determining of how the data is being used. For example, whether the data that is being stored on the servers of the cloud service providers is also going to be used by the service provider, or accessed by others When can the customer (who owns the data) obtain copies of information that are stored on the cloud Data backup and recovery At what time intervals the copies of information or data are to be transmitted to the Customer Data breach notification, whether by cloud provider or data host Geographical locations of data Compliance with local security and data protection laws and regulations, including positive data breach notification statutes
25 Negotiating Contracts with Cloud Providers Organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices. These types of obligations and controls need to be in contracts with any subcontractor, outsourcer or cloud service provider, that is engaging in any of these activities on behalf of an organization.
26 Negotiating Contracts with Cloud Providers You must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected. Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA.
27 Negotiating Contracts with Cloud Providers Service level agreements are critical Outages, downtimes, response times During an outage, one may not be able to access data or software and disruption of business operations may occur SLA should state what happens when data is lost due to a service interruption Most SLAs contain no guarantee of quality of the service and the sole remedy may be service credits, subject to cap on liability Service levels are typically subject to scheduled downtime for maintenance and are also subject to internet or 3rd party down time need to review and assess impact on business
28 Negotiating Contracts with Cloud Providers SLAs should include a duty of care, diligence and professionalism that is reasonably commensurate with the standards and practices that such services are performed and delivered in the customer's jurisdiction Performance risk transfers to the service provider who is better able to mitigate those risks Therefore performance outcomes and results need to be clearly stated as obligations of the provider in the contract
29 Negotiating Contracts with Cloud Providers Dealing with termination of the cloud services: provisions relating to changing of service providers exit strategy or transition plan how and when the data is to be delivered delivery of data as per the agreed delivery format commitment by the vendor to destroy all customer data Need express disaster recovery and contingency planning obligations on the cloud service provider
30 Negotiating Contracts with Cloud Providers Problematic terms to watch out for: Limits on service provider's liability very low, disclaimers, short limitation periods Exclusion of liability even if service provider had knowledge No indemnities by service provider for third party claims; broad indemnities by customer for violation, conduct, content Terms not visible, may be cross-referenced and unilaterally amended by service provider, deemed acceptance by use, especially if dependencies on other providers
31 Negotiating Contracts with Cloud Providers Problematic terms to watch out for (cont.): hidden fees (e.g. for data backup, retrieval), service failures data encryption, cleansing and backup obligations pushed onto customer no restrictions on subcontracting, no background checks indefinite term of contract, termination by provider failure to notify of data breach freezing of accounts and no access to data upon termination or deletion (data hijacking until fees paid or dispute resolved)
32 New Trends and Challenges Cloud computing can significantly reduce the cost and complexity of owning and operating computers and networks. If an organization uses a cloud provider, it does not need to spend money on information technology infrastructure, or buy hardware or software licences. Pay-per-use or consumption based pricing has been one of the most attractive features of cloud computing Cloud services can often be customized and flexible to use, providing scalability, better service levels and offer advanced services that an individual company might not have the money or expertise to develop.
33 New Trends and Challenges For businesses that are considering using a cloud service, cloud computing could offer better protection of personal information compared with current security and privacy practices. Through economies of scale, large cloud providers may be able to use better security technologies than individuals or small companies can, and have better backup and disaster-recovery capabilities. Cloud providers may also be motivated to build privacy protections into new technology, and to support better audit trails.
34 New Trends and Challenges On the other hand, while cloud computing may not increase the risk that personal information will be misused or improperly exposed, it could increase the scale of exposure. The aggregation of data in a cloud provider can make that data very attractive to cybercriminals, for example. Moreover, given how inexpensive it is to keep data in the cloud, there may be a tendency to retain it indefinitely, thereby increasing the risk and scale of breaches.
35 New Trends and Challenges Frequently, organizations find that employees have already moved personal information to a cloud service without IT staff or management being aware. For example: Employees may be using a cloud-based service for business correspondence Employees may be using an online service to collaborate on documents Client databases that are accessible online from any location could be hosted in the cloud An organization that outsources personal data for processing or other services to a cloud service provider remains accountable for protecting its customers personal information and it must be transparent about its information management and privacy practices. Corporate policies need to be implemented.
36 Practical Tips Due diligence of cloud provider, processes, systems and controls - audits, certifications, testing Insist on transparency. Identify the Cloud support parties, type, processes, data flow, locations/jurisdictions, security, business resumption planning Select configurations and controls Specify ownership and obtain assignments of rights if needed Analyze contracts and if can t negotiate necessary changes, implement internal process changes or controls of what gets onto Cloud Think way ahead contractual requirements should be part of any RFP
37 Conclusion Cloud computing offers benefits for organizations and individuals. There are also privacy and security concerns. If you are considering a cloud service, you should think about how personal information and data can best be protected. Carefully review the terms of service or contracts, and challenge the cloud service provider to meet your needs.
38 Questions? Lisa K. Abe- Oldenburg, B.Comm., J.D. Tel.: This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
More informationData Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005
Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005
More informationCloud Computing Contracts. October 11, 2012
Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best
More informationINFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationCloud Computing. Introduction
Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between
More informationThe Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations
The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations Jeffrey D. Scott Jeffrey D. Scott, Legal Professional Corporation Practice Advisors
More informationArticle 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
More informationAnnex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationGUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987
GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing
More information(a) the kind of data and the harm that could result if any of those things should occur;
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationGUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
More informationOutsourcing Technology Services A Management Decision
Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
More informationAdding Cloud Solutions to Customer Contracts Robert J. Scott
Adding Cloud Solutions to Customer Contracts Robert J. Scott MSP vs. Cloud Who owns the hardware? Where does the data reside? Dedicated vs. Multi tenant? Who contracts with 3 rd parties? How are services
More informationLEGAL ISSUES IN CLOUD COMPUTING
LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing
More informationCLOUD COMPUTING. 11 December 2013 TOWNSHIP OF KING TATTA 1
CLOUD COMPUTING (outsourcing records storage) TATTA SRINIVASA RECORDS MANAGER 11 December 2013 TOWNSHIP OF KING TATTA 1 Cloud computing A style of computing where scalable and elasticity ITenabled capabilities
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More informationCloud Computing: Trust But Verify
Cloud Computing: Trust But Verify 14th Annual Privacy and Security Conference February 8, 2013, Victoria Martin P.J. Kratz, QC Bennett Jones LLP Cloud Computing Provision of services available on the Internet
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationGUIDANCE NOTE ON OUTSOURCING
GN 14 GUIDANCE NOTE ON OUTSOURCING Office of the Commissioner of Insurance Contents Page I. Introduction.. 1 II. Application...... 1 III. Interpretation.... 2 IV. Legal and Regulatory Obligations... 3
More informationTO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel
AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,
More informationHow not to lose your head in the Cloud: AGIMO guidelines released
How not to lose your head in the Cloud: AGIMO guidelines released 07 December 2011 In brief The Australian Government Information Management Office has released a helpful guide on navigating cloud computing
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationCredit Union Liability with Third-Party Processors
World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with
More informationCloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity. Amy Mushahwar, Esq.
Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity Amy Mushahwar, Esq. What s New? Not That Much. Some have their heads in the cloud we prefer to stay down in the weeds and know
More informationCloud Computing: Privacy and Other Risks
December 2013 Cloud Computing: Privacy and Other Risks by George Waggott, Michael Reid and Mitch Koczerginski, McMillan LLP Introduction While the benefits of outsourcing organizational data storage to
More informationStatement of Guidance: Outsourcing All Regulated Entities
Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on
More informationPrivacy and Cloud Computing for Australian Government Agencies
Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy
More informationThe HR Skinny: Effectively managing international employee data flows
The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study
More informationSRG Security Services Technology Report Cloud Computing and Drop Box April 2013
SRG Security Services Technology Report Cloud Computing and Drop Box April 2013 1 Cloud Computing In the Industry Introduction to Cloud Computing The term cloud computing is simply the use of computing
More informationCloud Computing and HIPAA Privacy and Security
Cloud Computing and HIPAA Privacy and Security This is just one example of the many online resources Practical Law Company offers. Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits &
More informationFinancial Services Guidance Note Outsourcing
Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14
More informationAnatomy of a Cloud Computing Data Breach
Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
More informationAPES GN 30 Outsourced Services
APES GN 30 Outsourced Services Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: March 2013 Copyright 2013 Accounting Professional & Ethical Standards Board Limited
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationLegal Issues in the Cloud: A Case Study. Jason Epstein
Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types
More informationMICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing
MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT Western Student E-Communications Outsourcing Paul Eluchok - University Privacy Officer David Ghantous - Associate Director of Technical Services Dated: August
More informationManaging Outsourcing Arrangements
Guidance Note GGN 221.1 Managing Outsourcing Arrangements 1. This Guidance Note provides further detail on the requirements for managing material outsourcing arrangements (refer Prudential Standard GPS
More informationPractice Resource. Cloud computing checklist. Introduction
Practice Resource Cloud computing checklist Cloud computing offers many benefits to lawyers including the ability to access an exploding array of new software services and applications, the offloading
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationConsiderations for Outsourcing Records Storage to the Cloud
Considerations for Outsourcing Records Storage to the Cloud 2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage
More informationPaychex Accounting Online Terms of Use
Paychex Accounting Online Terms of Use Paychex recommends that Client read the Terms of Use prior to using the Paychex Accounting Online Software ( Software ). If Client does not accept and agree with
More informationWhat Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.
What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model
More informationCloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
More informationVendor Management. Outsourcing Technology Services
Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring
More informationType of Personal Data We Collect and How We Use It
Philips Lumify App Privacy Notice This Privacy Notice was last changed on September 1, 2015. Philips Electronics North America Corporation ("Philips") strongly believes in protecting the privacy of the
More informationHealthcare Payment Processing: Managing Data Security and Privacy Risks
Moderator: Linda A. Malek Chair, Healthcare Moses & Singer LLP Healthcare Payment Processing: Managing Data Security and Privacy Risks Thursday, September 13, 2012 Panelists: Beth L. Rubin Senior Counsel
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More informationHow To Ensure Health Information Is Protected
pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health
More informationISO 27001 COMPLIANCE WITH OBSERVEIT
ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationPRIVACY POLICY. Consent
PRIVACY POLICY car2go N.A. LLC and car2go Canada Ltd. (collectively, car2go ) recognize the importance of protecting your personal information. We take the protection of your personal information seriously
More informationGUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK
GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive
More informationManaging Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify
More informationMobile App Developer Agreements
Mobile App Developer Agreements By Alan L. Friel Many companies that have had disputes with developers have been surprised to discover that the agreements signed, often without input from legal, failed
More informationCloud Services and Business Process Outsourcing
Cloud Services and Business Process Outsourcing What security concerns surround Cloud Services and Outsourcing? Prepared for the Western NY ISACA Conference April 28 2015 Presenter Kevin Wilkins, CISSP
More informationGuidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More informationCPNI VIEWPOINT 01/2010 CLOUD COMPUTING
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationEthical Considerations for Lawyers Using the Cloud
Ethical Considerations for Lawyers Using the Cloud Presentation by Peter J. Guffin, Esq. Pierce Atwood LLP pguffin@pierceatwood.com (207) 791-1199 Maine State Bar Association Summer Meeting June 22, 2012
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationThis form may not be modified without prior approval from the Department of Justice.
This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate
More informationServices Providers. Ivan Soto
SOP s for Managing Application Services Providers Ivan Soto Learning Objectives At the end of this session we will have covered: Types of Managed Services Outsourcing process Quality expectations for Managed
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationPIPEDA and Online Backup White Paper
PIPEDA and Online Backup White Paper The cloud computing era has seen a phenomenal growth of the data backup service industry. Backup service providers, by nature of their business, are compelled to collect
More informationSELECTING AN ENTERPRISE-READY CLOUD SERVICE
21 Point Checklist for SELECTING AN ENTERPRISE-READY CLOUD SERVICE Brought to you by Introduction The journey to the cloud is well underway, and it s easy to see why when 84% of CIOs report cutting application
More informationThe problem of cloud data governance
The problem of cloud data governance Vasilis Tountopoulos, Athens Technology Center S.A. (ATC) CSP EU Forum 2014 - Thursday, 22 nd May, 2014 Focus on data protection in the cloud Why data governance in
More informationService Schedule for CLOUD SERVICES
Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this
More informationProposed Principles to be addressed in APES GN 20 Outsourced Accounting Services
Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services Roles and Responsibilities The proposed Guidance Note 20 Outsourced Accounting Services (GN 20) will set out the various
More informationMusic Recording Studio Security Program Security Assessment Version 1.1
Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND
More informationHow To Deal With Cloud Computing
A LEGAL GUIDE TO CLOUD COMPUTING INTRODUCTION Many companies are considering implementation of cloud computing services to decrease IT costs while providing the flexibility to scale usage on demand. The
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More informationNOTICE ON OUTSOURCING
CONSULTATION PAPER P018-2014 SEPTEMBER 2014 NOTICE ON OUTSOURCING PREFACE 1 MAS first issued the Guidelines on Outsourcing in 2004 1 ( Guidelines ) to promote sound risk management practices for the outsourcing
More informationINFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7
Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.
More informationNSW Government. Cloud Services Policy and Guidelines
NSW Government Cloud Services Policy and Guidelines August 2013 1 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationCloud Computing. What is Cloud Computing?
Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited
More information7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data
Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal
More informationAdopting Cloud Computing with a RISK Mitigation Strategy
Adopting Cloud Computing with a RISK Mitigation Strategy TS Yu, OGCIO 21 March 2013 1. Introduction 2. Security Challenges Agenda 3. Risk Mitigation Strategy Before start using When using 4. Policy & Guidelines
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationEvolving Technology Issues: Cloud Computing
Evolving Technology Issues: Cloud Computing Michael Bennett October 16, 2011 2011 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP Cloud Computing Does compliance with applicable laws fall to
More informationCloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1
Cloud Computing and Privacy Toolkit Protecting Privacy Online May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Table of Contents ABOUT THIS TOOLKIT... 4 What is this Toolkit?... 4 Purpose of this Toolkit...
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationLegal Cloud Computing: Concepts and Ramifications
Legal Cloud Computing: Concepts and Ramifications April 27, 2010 Sébastien Lapointe, Holmested & Associés s.e.n.c. Legal Aspects of Cloud Computing Normal businesses using cloud computing ( CC ) face a
More informationCloud computing Alessandro Galtieri Pavel Klimov Severin Loeffler
Cloud computing Alessandro Galtieri, Senior Lawyer, Colt Technology Services, London, UK Pavel Klimov, General Counsel EMEA, Unisys, London, UK Severin Loeffler, Assistant General Counsel, Central Eastern
More informationProtecting Official Records as Evidence in the Cloud Environment. Anne Thurston
Protecting Official Records as Evidence in the Cloud Environment Anne Thurston Introduction In a cloud computing environment, government records are held in virtual storage. A service provider looks after
More information