1 Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012
2 Introduction
- Security and Data Privacy
- Recent OPC Guidelines
- Compliance Issues
- Negotiating Contracts with Cloud Providers
- New Trends and Challenges
- Practical Tips
3 Security and Data Privacy Access to and security of the data stored in the cloud. When it comes to cloud computing, the security and privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so. There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada).
4 Security and Data Privacy The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing or cross-border data transfer, even when the cloud service provider is in another country. However, PIPEDA (and other privacy laws) establishes rules governing use of the cloud and data transfer particularly with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.
5 Security and Data Privacy
- Cloud providers often serve multiple customers simultaneously.
- Many parties may have access to the data.
- Risk of exposure to possible breaches, both accidental and deliberate.
- Cloud computing may lead to "function creep": uses of data by cloud providers that were not anticipated when the information was originally collected and for which consent has typically not been obtained.
- Given how inexpensive it is to keep data, there is little incentive to remove the information from the cloud and more reasons to find other things to do with it.
6 Security and Data Privacy
- Need security protocols maintained at every stage
- Strict policies as well as enforcement measures need to be reviewed to ensure that the data is being kept confidential
- A detailed audit assessment may be required of the security protocols before an organization signs up with the service
- Tools such as Privacy Impact Assessments (PIA) or Threat Risk Assessments (TRA) could be valuable to help make assessments of safeguards
- Use of external auditors to ensure the industry standards of security protocols are being met by the service provider
7 Recent OPC Guidelines
- Office of the Privacy Commissioner of Canada (OPC), along with the Privacy Commissioner of Alberta and BC, developed a Guidance Document for Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations.
- Organizations must ensure they fully understand their obligations under Canada's private sector privacy legislation, including those under certain provincial privacy legislation, and they need to carefully assess the risks against the benefits.
- Organizations considering a cloud computing service should carefully consider what information will be stored in the cloud and why.
8 Recent OPC Guidelines Organizations must consider the sensitivity of the personal information and carefully assess all the risks and implications involved in outsourcing personal data to the cloud. This assessment should also take into account whether the cloud is a public cloud, community cloud, private cloud or hybrid cloud, as defined in the OPC's Introduction to Cloud Computing. The sensitivity of the information, the type of cloud, and the contractual arrangements should all play a key role in an organization's decision to move, or not to move, personal information to the cloud. The Guideline recommends seeking professional advice in assessing the risks of using a cloud service provider.
9 Recent OPC Guidelines In order to ensure that personal information is protected, organizations using cloud computing services should: Limit access to the information and restrict further uses by the provider. Set parameters for restricted access and use of personal information that is appropriate for the context and sensitivity of the information. Find out if personal information will be segregated or stored in the same database as information from the cloud provider's other clients. Ensure access to personal information is only granted to those who need it to do their job. Ensure that access to personal information is logged in protected audit trails. Do not assume that the provider's general terms of service or policies will be adequate to establish such restrictions; review them carefully.
10 Recent OPC Guidelines Ensure that the provider has in place appropriate authentication/access controls. Stronger methods of authentication are recommended, such as multi-factor authentication. The level of authentication should be commensurate with the risk to the personal information being protected. Ensure there are procedures and technical controls to manage who has access rights to the personal information. Manage encryption. Understand what type of encryption method is being used and identify where data is encrypted or unencrypted at each stage (e.g., data in transit, data at rest). Conduct an assessment of the risks associated with any lack of encryption. Determine if the encryption method is adequate and the access to encryption keys is properly managed. Risks may be reduced if organizations encrypt personal information before it is sent to the cloud provider.
11 Recent OPC Guidelines Ensure that there are procedures in place in the event of a personal information breach or security incident. These should include technical and organizational measures that will be implemented in the event of accidental or deliberate loss, or unauthorized access or disclosure of personal information. Ensure there are provisions in the agreement with the cloud provider that specify when it will provide notification to the organization in the event of a security breach. Organizations subject to breach notification requirements will want to ensure the contract is clear about when the cloud provider is to provide reports on breaches in order for it to meet its legal obligations. Ensure that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss. Business continuity plans should be clearly documented in the contract.
12 Recent OPC Guidelines Ensure periodic audits are performed. It is important for an organization to have some measure of oversight over a cloud provider's policies and practices. Ensure the cloud provider logs all accesses and uses of personal information. Audits should be conducted periodically to inspect access logs and confirm that physical locations where personal information is processed and stored are inspected. Organizations should verify practices and procedures to ensure the provider is handling personal information in accordance with the agreements in place and request evidence of effective auditing and timely response to security incidents. Have an exit strategy. Ensure the termination procedures permit the transfer of personal information back to the organization and require that the cloud provider securely delete all personal information within reasonable and specified timeframes.
13 Compliance Issues Statutes, regulations and guidelines that apply to a particular industry sector in a particular jurisdiction may require specific compliance, such as service level terms, data recovery terms, data security regimes, audit provisions and processes for retaining and selecting any third party service provider. The organization transferring data to the cloud provider is ultimately accountable for its protection. It needs to ensure that the data is appropriately handled in compliance with any regulatory requirements.
14 Compliance Issues
- Cloud service provider may not have standards, controls or notification process that meet OSFI, PIPEDA or other statutory or regulatory requirements.
- In Alberta, for example, there are specific breach notification requirements and requirements to notify individuals when personal information is transferred to a service provider located outside of Canada.
15 Compliance Issues
- International issues: cross-border data transfer, compliance with foreign jurisdiction laws, export controls.
- It is important to note that many non-Canadian-based cloud providers may also be subject to PIPEDA. To the extent that a cloud provider has a real and substantial connection to Canada, and collects, uses or discloses personal information in the course of a commercial activity, the provider is expected to protect personal information, in keeping with PIPEDA.
16 Compliance Issues For more information on outsourcing of personal data processing across borders, please see Privacy Commissioner's Guidelines for Processing Personal Data Across Borders. These considerations apply whether moving data in the cloud or otherwise.
17 Negotiating Contracts with Cloud Providers
Unlike outsourcing, many more parties are involved in a cloud-based service model:
- a platform provider
- a provider of servers
- the data centre provider
- data centre operator(s)
- OS provider
- applications software providers
- a reseller, distributor or broker
- Disaster Recovery or Business Continuity Provider
As a result, it is a complex contracting environment.
No contractual privity between the customer and many of the parties involved in the cloud services.
18 Negotiating Contracts with Cloud Providers
Typical contract structures that may be encountered in a cloud service arrangement are:
- Terms of Service
- Service Level Agreement
- Acceptable Use Policies
- Privacy Policies
Important points need to be negotiated before contract is executed.
19 Negotiating Contracts with Cloud Providers
As a low cost commodity service, the service provider seeks to keep transaction costs down and simplify managing obligations to the customers:
- services provided by the cloud service provider are usually on standard terms
- terms are often non-negotiable
- tend to strongly favour the service provider
- cloud provider often leaves open the option to unilaterally change the agreement, limit its liability for the information, and/or subcontract to various other providers.
20 Negotiating Contracts with Cloud Providers Organizations sometimes find that cloud providers present "take it or leave it" contracts. In other words, the provider sets the parameters of the relationship, and the contracting organization is required to go along with it in order to use the service. This tends to be the case with low cost online services offered by cloud providers. The risk is that the terms of service that govern the relationship with the cloud service provider sometimes allow for more liberal usage of personal information and retention practices, and these standard contract clauses may not be sufficient to allow organizations to meet their privacy obligations.
21 Negotiating Contracts with Cloud Providers
- Many cloud agreements do not take responsibility for the customer's data
- Ultimate responsibility for the preservation of confidentiality and integrity of data is on the customer
- Some standard terms reserve the right to delete customer data for breach of term of the contract, i.e. non-payment
22 Negotiating Contracts with Cloud Providers
- Warranties in general are limited
- Even when warranties are available, they often exclude any data loss, corruption or service
- Need to still have traditional representations and warranties, e.g. performance of the service must not interfere with or breach third party rights whether intellectual property, contractual or other rights
23 Negotiating Contracts with Cloud Providers
If you are not comfortable with what a particular cloud provider is proposing, you should not transfer personal information entrusted to you by your customers to that provider. You should push back, or take the time to shop around for a better solution.
Since the data and processing infrastructure will be outside the customer's control and influence, the vital issues a customer seeks to address include:
- Service security
- Trade secret protection, information confidentiality
- Data integrity
- Compliance with privacy laws and regulations
- Potential secondary uses of the data
- Assurance of data segregation and isolation
24 Negotiating Contracts with Cloud Providers
Other terms dealing with data management include:
- Data ownership provisions
- Determining how the data is being used. For example, whether the data that is being stored on the servers of the cloud service providers is also going to be used by the service provider, or accessed by others
- When the customer (who owns the data) can obtain copies of information that are stored on the cloud
- Data backup and recovery
- At what time intervals the copies of information or data are to be transmitted to the customer
- Data breach notification, whether by cloud provider or data host
- Geographical locations of data
- Compliance with local security and data protection laws and regulations, including positive data breach notification statutes
25 Negotiating Contracts with Cloud Providers Organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices. These types of obligations and controls need to be in contracts with any subcontractor, outsourcer or cloud service provider that is engaging in any of these activities on behalf of an organization.
26 Negotiating Contracts with Cloud Providers You must use contractual or other means to ensure that the personal information transferred to the third party is appropriately protected. Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remains protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information they entrust to it will be treated in a manner consistent with PIPEDA.
27 Negotiating Contracts with Cloud Providers
- Service level agreements are critical
- Outages, downtimes, response times
- During an outage, one may not be able to access data or software and disruption of business operations may occur
- SLA should state what happens when data is lost due to a service interruption
- Most SLAs contain no guarantee of quality of the service and the sole remedy may be service credits, subject to cap on liability
- Service levels are typically subject to scheduled downtime for maintenance and are also subject to internet or 3rd party down time; need to review and assess impact on business
28 Negotiating Contracts with Cloud Providers
- SLAs should include a duty of care, diligence and professionalism that is reasonably commensurate with the standards and practices that such services are performed and delivered in the customer's jurisdiction
- Performance risk transfers to the service provider who is better able to mitigate those risks
- Therefore performance outcomes and results need to be clearly stated as obligations of the provider in the contract
29 Negotiating Contracts with Cloud Providers
Dealing with termination of the cloud services:
- provisions relating to changing of service providers
- exit strategy or transition plan
- how and when the data is to be delivered
- delivery of data as per the agreed delivery format
- commitment by the vendor to destroy all customer data
Need express disaster recovery and contingency planning obligations on the cloud service provider.
30 Negotiating Contracts with Cloud Providers
Problematic terms to watch out for:
- Limits on service provider's liability: very low, disclaimers, short limitation periods
- Exclusion of liability even if service provider had knowledge
- No indemnities by service provider for third party claims; broad indemnities by customer for violation, conduct, content
- Terms not visible, may be cross-referenced and unilaterally amended by service provider, deemed acceptance by use, especially if dependencies on other providers
31 Negotiating Contracts with Cloud Providers
Problematic terms to watch out for (cont.):
- hidden fees (e.g. for data backup, retrieval), service failures
- data encryption, cleansing and backup obligations pushed onto customer
- no restrictions on subcontracting, no background checks
- indefinite term of contract, termination by provider
- failure to notify of data breach
- freezing of accounts and no access to data upon termination or deletion (data hijacking until fees paid or dispute resolved)
32 New Trends and Challenges Cloud computing can significantly reduce the cost and complexity of owning and operating computers and networks. If an organization uses a cloud provider, it does not need to spend money on information technology infrastructure, or buy hardware or software licences. Pay-per-use or consumption-based pricing has been one of the most attractive features of cloud computing. Cloud services can often be customized and flexible to use, providing scalability, better service levels and offer advanced services that an individual company might not have the money or expertise to develop.
33 New Trends and Challenges For businesses that are considering using a cloud service, cloud computing could offer better protection of personal information compared with current security and privacy practices. Through economies of scale, large cloud providers may be able to use better security technologies than individuals or small companies can, and have better backup and disaster-recovery capabilities. Cloud providers may also be motivated to build privacy protections into new technology, and to support better audit trails.
34 New Trends and Challenges On the other hand, while cloud computing may not increase the risk that personal information will be misused or improperly exposed, it could increase the scale of exposure. The aggregation of data in a cloud provider can make that data very attractive to cybercriminals, for example. Moreover, given how inexpensive it is to keep data in the cloud, there may be a tendency to retain it indefinitely, thereby increasing the risk and scale of breaches.
35 New Trends and Challenges
Frequently, organizations find that employees have already moved personal information to a cloud service without IT staff or management being aware. For example:
- Employees may be using a cloud-based service for business correspondence
- Employees may be using an online service to collaborate on documents
- Client databases that are accessible online from any location could be hosted in the cloud
An organization that outsources personal data for processing or other services to a cloud service provider remains accountable for protecting its customers' personal information and it must be transparent about its information management and privacy practices. Corporate policies need to be implemented.
36 Practical Tips
- Due diligence of cloud provider, processes, systems and controls - audits, certifications, testing
- Insist on transparency. Identify the Cloud support parties, type, processes, data flow, locations/jurisdictions, security, business resumption planning
- Select configurations and controls
- Specify ownership and obtain assignments of rights if needed
- Analyze contracts and if can't negotiate necessary changes, implement internal process changes or controls of what gets onto Cloud
- Think way ahead: contractual requirements should be part of any RFP
37 Conclusion Cloud computing offers benefits for organizations and individuals. There are also privacy and security concerns. If you are considering a cloud service, you should think about how personal information and data can best be protected. Carefully review the terms of service or contracts, and challenge the cloud service provider to meet your needs.
38 Questions?
Lisa K. Abe-Oldenburg, B.Comm., J.D. Tel.:
This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.