Proudly presents: Cloudy With a Chance of Risk Management

Presenters:
Toby Merrill, ACE USA
John Mullen, Nelson Levine de Luca & Hamilton
Shawn Melito, Immersion Ltd.
Michael Trendler, ACE INA Canada
What is Cloud Computing?
Cloud Computing: The Evolution

Traditional Computing: Traditionally, all the applications we used and the storage we had access to were located on site. Data and information resided on the computer we used or on the server we connected to directly. Products were purchased by us directly, and typically we had to install and maintain them ourselves.
Cloud Computing: With the evolution of cloud computing, there is no longer a need for the software and hardware we use to exist locally. Products are sold as a service, which means an individual or organization no longer needs to purchase them outright. The cloud provider is now responsible for service upgrades, maintenance, etc.
Cloud Computing Defined
The Three Service Models of Cloud Computing
Risk Management Considerations of Cloud Computing
Benefits of the Cloud
Canadian Legislation
Relevant Canadian Legislation

Privacy Act (Federal Government Agencies)

Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar provincial legislation:
1. Alberta: Personal Information Protection Act (PIPA)
2. British Columbia: Personal Information Protection Act (PIPA & PIPA Regulations)
3. Ontario: Personal Health Information Protection Act (PHIPA; healthcare information only)
4. Quebec: Protection of Personal Information in the Private Sector (PPIPS)

NB: BC's Freedom of Information and Protection of Privacy Act (FIPPA; public bodies only) - cannot store or access PI outside of Canada without consent.
Relevant Canadian Legislation - Definitions

- Personal Information (PI): information related to an identifiable individual.
- Data Controller = company; Data Processor = cloud service provider.
- Storing of data is considered processing under PIPEDA.
- The data controller is always responsible for PI, not the processor. It shall use contractual or other means to provide a comparable level of protection.

Principle-Based Laws:
- Notice: explain data storage procedures to customers.
- Consent: customers must provide explicit (opt-in) consent.
- Security: an organization shall take physical, organizational and technological measures to ensure PI is protected.
Relevant Canadian Legislation - Data Breach

- Alberta: notify the Commissioner if a reasonable person would consider there exists a real risk of significant harm. The Commissioner orders notification.
- Ontario, New Brunswick & Nova Scotia: healthcare data breaches only.
- Guidance: Key Steps for Organizations in Responding to Privacy Breaches.
U.S. State Regulatory Exposures

- State-level breach notice: 46 states (plus Puerto Rico, Wash. D.C. and the Virgin Islands) require notice to customers after unauthorized access to PII/PHI.
- Firms that conduct business in the state must notify resident consumers of security breaches of unencrypted computerized personal information.
- Many states require notification of the state attorney general, state consumer protection agencies, and credit monitoring agencies.
Evolving Exposures

- California: expanded definition of PII includes user name/email address in combination with password or security question and answer.
- Vermont: notice to affected individuals within 45 days of breach discovery; notice to the VT AG within 14 days of breach discovery or of affected-individual notice (whichever is sooner).
- Texas: notice to affected individuals pursuant to the law of the individual's state of residence or, if none, then pursuant to TX law.
- Massachusetts: written information security plan for businesses storing MA resident personal information.
- Connecticut: notice to the CT AG not later than the time when notice is provided to Connecticut residents.
- New Jersey, Maryland: notice to regulators prior to notice being provided to residents.
- Nevada: data collectors doing business in NV must comply with PCI-DSS.
Regulatory Exposures

FACTA Red Flags Program:
- Mandates that creditors create an Identity Theft Prevention Program.
- Must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft.
- Ability of the creditor to monitor red flags on a cloud?

HITECH Act:
- First national breach notification requirement (> 500 affected: notify HHS; < 500: notify at year end).
- Permits state Attorneys General to enforce HIPAA.
- Extends HIPAA to business associates of HIPAA covered entities.
- Is the cloud provider permitted access to PHI?

SEC/SOX:
- Mandates certain disclosures in financial statements and to shareholders related to data security/exposure and data breach.
- Shifting (increasing) exposure and risk to the cloud does not relieve these duties.

Mass. CMR 17.00:
- Mandates a written information security plan (with specific requirements such as encrypted portable devices).
- If using the cloud, the plan should address the cloud provider's information security plan.

GLBA:
- For financial institutions ---> security, notice duties, written security plan.
- Again, a shift in IT location is not a shift in responsibility to comply with the law.
Defense Eroding

- Stollenwerk v. Tri West: assert actual identity theft.
- Krottner v. Starbucks Corp.: increased risk of identity theft resulting from actual theft of personal information constitutes an injury-in-fact.
- Claridge v. RockYou: breach of PII is a sufficient basis for harm in common law contract/negligence claims because PII contains an inherent property right.
- Anderson v. Hannaford: alleged fraud in the population and money spent in mitigation efforts is sufficient (instead of time/effort).
- Resnick v. AvMed: when ID theft is fairly traceable to the defendant's actions, monetary loss and financial injury related to restoration are cognizable injuries under FL law.
- In re Heartland: the economic loss doctrine under NJ law does not preclude a negligence claim.
- Yunker v. Pandora: no standing where no allegation of actual identity theft or harm exists.

----------------------------------------------------------------------------------------------------------------------

- ITERA (Identity Theft Enforcement and Restitution Act): "pay an amount equal to the value of the time reasonably spent".
- In re Hannaford Bros. Data Security Breach Litigation: does time equal money? No. But if there is fraud, credit monitoring damages may be due.
- ChoicePoint Data Breach Settlement (FTC): paid for time they may have spent monitoring their credit or taking other steps in response.
Legal Considerations in the Cloud - Contract Issues

- Be aware of aggregate risk scenarios.
- Ensure that the language makes clear data cannot/will not be used by the cloud provider other than for the insured... even if de-identified.
- Don't waive the right to subrogate.
- Are indemnity clauses fair? (Defense and indemnity.) If indemnity is fair, the trigger should be a possible event, not just a lawsuit.
- Notice duty regarding a possible security event.
- Require appropriate responsive insurance and proof from the carrier (not just a cert from the broker).
- Choice of law.
- Definitions: event.
- Access: right to pre-event audit and review of security and ongoing policies and procedures relating to data security.
- Cooperation in the event of a security incident (forensic access?).
Legal Considerations in the Cloud - Event Response

Efficiency and timing are critical when responding to a possible compromise event. How does the introduction of a cloud service into a data compromise scenario impact these factors?
- Timing of notice of a breach event from the cloud service to the data owner.
- Level of cooperation between the cloud service and the data owner following a possible compromise:
  - access granted to a third-party forensics team; or
  - responsiveness to requests for information from forensics.
Proactive Measures - Considerations

- Governance: corporate policies, procedures and standards.
- Identity and Access Management: controls surrounding access by cloud provider employees as well as employees and users of the public body's systems.
- Infrastructure Security: the management and ongoing maintenance of network, system and application security, including layered security controls and patch management.
- Encryption: encryption during transmission as well as in storage at the cloud provider's facilities.
- Contractual provisions: include a requirement to notify as soon as possible in the event of an actual or suspected breach. Conduct site visits. Retain the ability to ask employees about the ways in which the third party is managing PI. Contracts should also limit the right of the third party to use or disclose the personal information.

Paraphrased from the Office of the Privacy Commissioner of British Columbia's document: Cloud Computing Guidelines for Public Bodies - Updated June 2012
Proactive Measures - Questions to Ask

- Does the cloud provider guarantee the security and privacy of your data?
- Who owns the data once it is in the cloud?
- What are the procedures should there be a data breach?
- Will you have the ability to investigate the breach?
- Who will handle (and pay for) the breach response?
- And how much of all of the above can you actually get in a contract?
- Has anyone done a Privacy Impact Assessment (PIA)?
Enjoy the rest of the 2013 RIMS Canada Conference!