1 Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012
2 Introduction Security and Data Privacy; Recent OPC Guidelines; Compliance Issues; Negotiating Contracts with Cloud Providers; New Trends and Challenges; Practical Tips
3 Security and Data Privacy Access to and security of the data stored in the cloud. When it comes to cloud computing, the security and privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so. There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada).
4 Security and Data Privacy The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing or cross-border data transfer, even when the cloud service provider is in another country. However, PIPEDA (and other privacy laws) establishes rules governing use of the cloud and data transfer particularly with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.
5 Security and Data Privacy Cloud providers often serve multiple customers simultaneously. Many parties may have access to the data. Risk of exposure to possible breaches, both accidental and deliberate. Cloud computing may lead to function creep: uses of data by cloud providers that were not anticipated when the information was originally collected and for which consent has typically not been obtained. Given how inexpensive it is to keep data, there is little incentive to remove the information from the cloud and more reasons to find other things to do with it.
6 Security and Data Privacy Need security protocols maintained at every stage. Strict policies as well as enforcement measures need to be reviewed to ensure that the data is being kept confidential. A detailed audit assessment may be required of the security protocols before an organization signs up with the service. Tools such as Privacy Impact Assessments (PIA) or Threat Risk Assessments (TRA) could be valuable to help make assessments of safeguards. Use of external auditors to ensure the industry standards of security protocols are being met by the service provider.
7 Recent OPC Guidelines Office of the Privacy Commissioner of Canada (OPC), along with the Privacy Commissioner of Alberta and BC, developed a Guidance Document for Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations. Organizations must ensure they fully understand their obligations under Canada's private sector privacy legislation, including those under certain provincial privacy legislation, and they need to carefully assess the risks against the benefits. Organizations considering a cloud computing service should carefully consider what information will be stored in the cloud and why.
8 Recent OPC Guidelines Organizations must consider the sensitivity of the personal information and carefully assess all the risks and implications involved in outsourcing personal data to the cloud. This assessment should also take into account whether the cloud is a public cloud, community cloud, private cloud or hybrid cloud, as defined in the OPC's Introduction to Cloud Computing. The sensitivity of the information, the type of cloud, and the contractual arrangements should all play a key role in an organization's decision to move, or not to move, personal information to the cloud. The Guideline recommends seeking professional advice in assessing the risks of using a cloud service provider.
9 Recent OPC Guidelines In order to ensure that personal information is protected, organizations using cloud computing services should: Limit access to the information and restrict further uses by the provider. Set parameters for restricted access and use of personal information that is appropriate for the context and sensitivity of the information. Find out if personal information will be segregated or stored in the same database as information from the cloud provider's other clients. Ensure access to personal information is only granted to those who need it to do their job. Ensure that access to personal information is logged in protected audit trails. Do not assume that the provider's general terms of service or policies will be adequate to establish such restrictions; review them carefully.
10 Recent OPC Guidelines Ensure that the provider has in place appropriate authentication/access controls. Stronger methods of authentication are recommended, such as multi-factor authentication. The level of authentication should be commensurate with the risk to the personal information being protected. Ensure there are procedures and technical controls to manage who has access rights to the personal information. Manage encryption. Understand what type of encryption method is being used and identify where data is encrypted or unencrypted at each stage (e.g., data in transit, data at rest). Conduct an assessment of the risks associated with any lack of encryption. Determine if the encryption method is adequate and the access to encryption keys is properly managed. Risks may be reduced if organizations encrypt personal information before it is sent to the cloud provider.
11 Recent OPC Guidelines Ensure that there are procedures in place in the event of a personal information breach or security incident. These should include technical and organizational measures that will be implemented in the event of accidental or deliberate loss, or unauthorized access or disclosure of personal information. Ensure there are provisions in the agreement with the cloud provider that specify when it will provide notification to the organization in the event of a security breach. Organizations subject to breach notification requirements will want to ensure the contract is clear about when the cloud provider is to provide reports on breaches in order for it to meet its legal obligations. Ensure that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss. Business continuity plans should be clearly documented in the contract.
12 Recent OPC Guidelines Ensure periodic audits are performed. It is important for an organization to have some measure of oversight over a cloud provider's policies and practices. Ensure the cloud provider logs all accesses and uses of personal information. Audits should be conducted periodically to inspect access logs and confirm that physical locations where personal information is processed and stored are inspected. Organizations should verify practices and procedures to ensure the provider is handling personal information in accordance with the agreements in place and request evidence of effective auditing and timely response to security incidents. Have an exit strategy. Ensure the termination procedures permit the transfer of personal information back to the organization and require that the cloud provider securely delete all personal information within reasonable and specified timeframes.
13 Compliance Issues Statutes, regulations and guidelines that apply to a particular industry sector in a particular jurisdiction may require specific compliance, such as service level terms, data recovery terms, data security regimes, audit provisions and processes for retaining and selecting any third party service provider. The organization transferring data to the cloud provider is ultimately accountable for its protection. It needs to ensure that the data is appropriately handled in compliance with any regulatory requirements.
14 Compliance Issues Cloud service provider may not have standards, controls or notification process that meet OSFI, PIPEDA or other statutory or regulatory requirements. In Alberta, for example, there are specific breach notification requirements and requirements to notify individuals when personal information is transferred to a service provider located outside of Canada.
15 Compliance Issues International issues: cross-border data transfer, compliance with foreign jurisdiction laws, export controls. It is important to note that many non-Canadian-based cloud providers may also be subject to PIPEDA. To the extent that a cloud provider has a real and substantial connection to Canada, and collects, uses or discloses personal information in the course of a commercial activity, the provider is expected to protect personal information, in keeping with PIPEDA.
16 Compliance Issues For more information on outsourcing of personal data processing across borders, please see Privacy Commissioner's Guidelines for Processing Personal Data Across Borders. These considerations apply whether moving data in the cloud or otherwise.
17 Negotiating Contracts with Cloud Providers Unlike outsourcing, many more parties are involved in a cloud based service model: a platform provider; a provider of servers; the data centre provider; data centre operator(s); OS provider; applications software providers; a reseller, distributor or broker; Disaster Recovery or Business Continuity Provider. As a result it is a complex contracting environment. No contractual privity between the customer and many of the parties involved in the cloud services.
18 Negotiating Contracts with Cloud Providers Typical contract structures that may be encountered in a cloud service arrangement are: Terms of Service; Service Level Agreement; Acceptable Use Policies; Privacy Policies. Important points need to be negotiated before contract is executed.
19 Negotiating Contracts with Cloud Providers As a low cost commodity service, the service provider seeks to keep transaction costs down and simplify managing obligations to the customers. Services provided by the cloud service provider are usually on standard terms. Terms are often non-negotiable and tend to strongly favour the service provider. Cloud provider often leaves open the option to unilaterally change the agreement, limit its liability for the information, and/or subcontract to various other providers.
20 Negotiating Contracts with Cloud Providers Organizations sometimes find that cloud providers present "take it or leave it" contracts. In other words, the provider sets the parameters of the relationship, and the contracting organization is required to go along with it in order to use the service. This tends to be the case with low cost online services offered by cloud providers. The risk is that the terms of service that govern the relationship with the cloud service provider sometimes allow for more liberal usage of personal information and retention practices, and these standard contract clauses may not be sufficient to allow organizations to meet their privacy obligations.
21 Negotiating Contracts with Cloud Providers Many cloud agreements do not take responsibility for the customer's data. Ultimate responsibility for the preservation of confidentiality and integrity of data is on the customer. Some standard terms reserve the right to delete customer data for breach of a term of the contract, i.e. non-payment.
22 Negotiating Contracts with Cloud Providers Warranties in general are limited. Even when warranties are available, they often exclude any data loss, corruption or service. Need to still have traditional representations and warranties, e.g. performance of the service must not interfere with or breach third party rights, whether intellectual property, contractual or other rights.
23 Negotiating Contracts with Cloud Providers If you are not comfortable with what a particular cloud provider is proposing, you should not transfer personal information entrusted to you by your customers to that provider. You should push back, or take the time to shop around for a better solution. Since the data and processing infrastructure will be outside the customer's control and influence, the vital issues a customer seeks to address include: service security; trade secret protection, information confidentiality; data integrity; compliance with privacy laws and regulations; potential secondary uses of the data; assurance of data segregation and isolation.
24 Negotiating Contracts with Cloud Providers Other terms dealing with data management include: data ownership provisions; determining how the data is being used (for example, whether the data that is being stored on the servers of the cloud service providers is also going to be used by the service provider, or accessed by others); when the customer (who owns the data) can obtain copies of information that are stored on the cloud; data backup and recovery; at what time intervals the copies of information or data are to be transmitted to the customer; data breach notification, whether by cloud provider or data host; geographical locations of data; compliance with local security and data protection laws and regulations, including positive data breach notification statutes.
25 Negotiating Contracts with Cloud Providers Organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices. These types of obligations and controls need to be in contracts with any subcontractor, outsourcer or cloud service provider that is engaging in any of these activities on behalf of an organization.
26 Negotiating Contracts with Cloud Providers You must use contractual or other means to ensure that the personal information transferred to the third party is appropriately protected. Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remains protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA.
27 Negotiating Contracts with Cloud Providers Service level agreements are critical. Outages, downtimes, response times. During an outage, one may not be able to access data or software and disruption of business operations may occur. SLA should state what happens when data is lost due to a service interruption. Most SLAs contain no guarantee of quality of the service and the sole remedy may be service credits, subject to cap on liability. Service levels are typically subject to scheduled downtime for maintenance and are also subject to internet or 3rd party downtime; need to review and assess impact on business.
28 Negotiating Contracts with Cloud Providers SLAs should include a duty of care, diligence and professionalism that is reasonably commensurate with the standards and practices that such services are performed and delivered in the customer's jurisdiction. Performance risk transfers to the service provider who is better able to mitigate those risks. Therefore performance outcomes and results need to be clearly stated as obligations of the provider in the contract.
29 Negotiating Contracts with Cloud Providers Dealing with termination of the cloud services: provisions relating to changing of service providers; exit strategy or transition plan; how and when the data is to be delivered; delivery of data as per the agreed delivery format; commitment by the vendor to destroy all customer data. Need express disaster recovery and contingency planning obligations on the cloud service provider.
30 Negotiating Contracts with Cloud Providers Problematic terms to watch out for: Limits on service provider's liability very low, disclaimers, short limitation periods. Exclusion of liability even if service provider had knowledge. No indemnities by service provider for third party claims; broad indemnities by customer for violation, conduct, content. Terms not visible, may be cross-referenced and unilaterally amended by service provider, deemed acceptance by use, especially if dependencies on other providers.
31 Negotiating Contracts with Cloud Providers Problematic terms to watch out for (cont.): hidden fees (e.g. for data backup, retrieval), service failures; data encryption, cleansing and backup obligations pushed onto customer; no restrictions on subcontracting, no background checks; indefinite term of contract, termination by provider; failure to notify of data breach; freezing of accounts and no access to data upon termination or deletion (data hijacking until fees paid or dispute resolved).
32 New Trends and Challenges Cloud computing can significantly reduce the cost and complexity of owning and operating computers and networks. If an organization uses a cloud provider, it does not need to spend money on information technology infrastructure, or buy hardware or software licences. Pay-per-use or consumption based pricing has been one of the most attractive features of cloud computing. Cloud services can often be customized and flexible to use, providing scalability and better service levels, and offering advanced services that an individual company might not have the money or expertise to develop.
33 New Trends and Challenges For businesses that are considering using a cloud service, cloud computing could offer better protection of personal information compared with current security and privacy practices. Through economies of scale, large cloud providers may be able to use better security technologies than individuals or small companies can, and have better backup and disaster-recovery capabilities. Cloud providers may also be motivated to build privacy protections into new technology, and to support better audit trails.
34 New Trends and Challenges On the other hand, while cloud computing may not increase the risk that personal information will be misused or improperly exposed, it could increase the scale of exposure. The aggregation of data in a cloud provider can make that data very attractive to cybercriminals, for example. Moreover, given how inexpensive it is to keep data in the cloud, there may be a tendency to retain it indefinitely, thereby increasing the risk and scale of breaches.
35 New Trends and Challenges Frequently, organizations find that employees have already moved personal information to a cloud service without IT staff or management being aware. For example: employees may be using a cloud-based service for business correspondence; employees may be using an online service to collaborate on documents; client databases that are accessible online from any location could be hosted in the cloud. An organization that outsources personal data for processing or other services to a cloud service provider remains accountable for protecting its customers' personal information and it must be transparent about its information management and privacy practices. Corporate policies need to be implemented.
36 Practical Tips Due diligence of cloud provider, processes, systems and controls - audits, certifications, testing. Insist on transparency. Identify the Cloud support parties, type, processes, data flow, locations/jurisdictions, security, business resumption planning. Select configurations and controls. Specify ownership and obtain assignments of rights if needed. Analyze contracts and if can't negotiate necessary changes, implement internal process changes or controls of what gets onto Cloud. Think way ahead: contractual requirements should be part of any RFP.
37 Conclusion Cloud computing offers benefits for organizations and individuals. There are also privacy and security concerns. If you are considering a cloud service, you should think about how personal information and data can best be protected. Carefully review the terms of service or contracts, and challenge the cloud service provider to meet your needs.
38 Questions? Lisa K. Abe-Oldenburg, B.Comm., J.D. Tel.: This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.