Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister




© 2011 Morrison & Foerster LLP. All Rights Reserved. mofo.com

Presenter
Miriam Wugmeister
Morrison & Foerster LLP, New York Office
+1 212 506 7213
MWugmeister@mofo.com

Privacy Is a Global Issue
- North America: Canada, Mexico, United States
- Central & South America: Argentina, Brazil (Pending), Chile, Colombia, Costa Rica (Pending), Ecuador (Pending), Paraguay, Peru (Pending), Uruguay
- Europe: 27 EU Member States, Norway, Russia, Serbia, Switzerland, Turkey (Pending), Ukraine
- Middle East: Israel, UAE (DIFC)
- Africa: South Africa (Pending), Tunisia
- Asia-Pacific Rim: Australia, Hong Kong, India, Japan, Malaysia, New Zealand, Philippines (Pending), Singapore, South Korea, Taiwan, Thailand (Pending), Vietnam

U.S. Privacy Compliance
U.S. laws affecting use of the cloud:
- Sector-specific privacy laws regulate sharing with third parties, including vendors
- State data security laws require specific security safeguards when using vendors
- State security breach notification laws (over 45 states)
These laws have a fairly narrow scope: they typically cover name plus Social Security number, driver's license number, credit or debit card number or financial account number, health information, etc. Thus, there is higher risk in placing these types of U.S. data in the cloud.

International Privacy Compliance
- Broad privacy laws, typically covering all sectors and all types of Personal Information
  - As little as a person's name or email address
  - Consumers, employees, consultants, vendors, service providers, individuals at business partners
- Comprehensive obligations to individuals whose PI is outsourced to a cloud provider:
  - Establishing a legal basis for the outsourcing
  - Notifying the individual; in some cases (e.g., Korea), obtaining consent
  - Maintaining data integrity
  - Registration requirements in some countries
  - Providing access and correction rights
  - Ensuring permanent deletion of PI when no longer required

Cross-Border Issues for the Cloud
- Many countries limit transfers of PI to other countries
- The European Union offers multiple options for cross-border transfers: Safe Harbor program, model contracts, binding corporate rules, consent
- Other jurisdictions offer fewer options; consent or specific contractual provisions may be the only permissible basis
- Important to understand high-level data flows
- Companies want to understand where data will be hosted and potentially understand the data flow (affects cross-border regulatory solutions)

Growing Cloud Privacy Concerns
- Data protection authorities ("DPAs") are increasingly concerned about privacy and security in the cloud
  - Schleswig-Holstein, Germany: DPA opinion arguing that use of a cloud located outside the EU requires pen-on-paper consent of each individual
  - Denmark: DPA opinion finding that Google Apps did not provide sufficient data protection
  - EU Working Party 29 expected to issue guidance about cloud computing
- Main areas of concern:
  - Cross-border data transfers
  - Limited oversight; limited ability to conduct inspections or audits
  - Data security
  - Controller-to-processor agreements (or lack thereof)
  - Governing law

Contractual Obligations
- Data Security: Data protection laws require obtaining contractual assurances that the vendor will use appropriate technical, physical and administrative measures to protect PII against unauthorized access, use, disclosure, modification, or deletion
- Cloud vs. Outsourcing: Cloud providers tend to provide no greater protections for PI than for any other hosted data, and provide few assurances about data protection or security
- Data Breach: While U.S. breach laws focus on discrete categories of high-risk data, international breach laws often cover all PI; obligations include notifying government regulators as well as affected individuals
- These risks and obligations remain with the data owner, even if the incident occurs at the vendor

Due Diligence: Security
- PCI compliance
  - Are all systems used to store and process payment card data PCI compliant?
  - Is it necessary to transfer payment card data to the cloud?
  - Has the provider obtained a third-party certification of its PCI compliance?
- Encryption
  - Will the data be encrypted?
  - Will the provider have the encryption key?
  - Is it possible to encrypt the data before sending it to the cloud?
- Backdoor access
  - Will the provider use customer data to gather analytics?
- Secured connection
  - Will the cloud storage be accessible only through an encrypted tunnel?

Due Diligence: Security
- Data security involves both internal, company-sensitive information (e.g., employee information, company data, trade secrets) and the security of PI
- Emerging standards for third-party certification may help to alleviate some data security concerns
  - ISO 27001: Information Security Management System (ISMS) standard, requiring specific internal controls and audits to maintain third-party certification
  - SSAE 16: an attestation standard now being used to assess internal security controls (replaces SAS 70)
- Enterprise Cloud Leadership Council and Cloud Security Alliance may help push for standards in this area

Survey: Security Issues
A May 12, 2011 survey revealed that a majority of cloud providers do not believe data security is their responsibility, but the customer's.
"[P]roviders of cloud computing resources are not focused on security in the cloud. Rather, their priority is delivering the features their customers want such as low cost solutions with fast deployment that improves customer service and increases the efficiency of the IT function. As a result, providers in our study conclude that they cannot warrant or provide complete assurance that their products or services are sufficiently secure."
The study further reported that the majority of cloud providers surveyed admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.

Confidentiality
- Moving certain information to a third-party cloud environment may violate existing confidentiality obligations of customers
  - Especially with respect to older data and relationships, hosting information in the cloud was simply not contemplated
- Carefully determine what types of information will be hosted and who will have access to it; such access may be outside the scope of what is acceptable pursuant to existing NDAs or other obligations to keep information confidential
- Internal due diligence can help decide what information can be hosted in a public cloud
- What can the cloud vendor do with data from customers?

Access by Customer
- Does the vendor offer service levels sufficient to allow the customer to meet contractual obligations and business needs?
- Upon termination/expiration, how will the customer receive/access data?
  - Periodic customer backups
  - Offsite storage
  - Escrow
  - Deletion obligations
- Format of data upon return?
- Who has the obligation to back up data (vendor or customer)?

Outsourcing Email to the Cloud
- Privacy considerations
  - Types of data included in email: PI, confidential business information
  - Obligations to affiliates, personnel in other countries
  - Contractual and other measures required by applicable privacy laws
  - Can it be viewed/used by the vendor?
- Data security considerations
  - Adequate protections under U.S. and international data security laws?
  - Adequate protections given the sensitivity of the information?
- Intellectual property considerations
  - Does email contain confidential information of another party?
  - Can such information be shared with the cloud provider?
  - Will the cloud provider comply with any deletion obligations imposed on the company?

Resources
- Mofoprivacy.com
- Summitprivacy.com