Cloud Computing: Trust But Verify 14th Annual Privacy and Security Conference February 8, 2013, Victoria Martin P.J. Kratz, QC Bennett Jones LLP
Cloud Computing Provision of services available on the Internet Cloud based services widely used for consumer applications increasingly being adopted for business applications Services typically provided on demand and scalable user can expand use of the services dramatically Services typically provided on a per usage basis (a pooled resource / utility model) although many consumer based services may be provided without charge and on terms where the user agrees to accept ads in exchange for the service
TODAY S DISCUSSION Which rules apply? Cloud Computing in the Private Sector Cloud Computing for the Public Sector Questions
WHICH RULES APPLY? To assess law that is applicable need to determine: Public or Private? Federally or provincially regulated activity? What information does the organization collect, use and disclose? Is it health information? Is it personal employee information? Is it information collected, used or disclosed on behalf of another party (are they Public or Private?) Is the information collected, used or disclosed by a third party on behalf of the organization? Focus on manageable solutions
CLOUD COMPUTING & PRIVATE SECTOR PRIVACY
PRIVATE SECTOR OVERLAP Federal: Personal Information Protection and Electronic Documents Act ( PIPEDA ) NWT: PIPEDA BC: Personal Information Protection Act Alberta: Personal Information Protection Act Man: PIPEDA Sask: PIPEDA
ACTIVITIES MATTER Legislation is activity based Nature and location of the activity (not the organization) dictates applicable legislation Consider all applicable jurisdictions Consider scope of obligations
Which Laws are Applicable? Businesses doing business in multiple jurisdictions need to be aware of the applicable law in each jurisdiction Businesses with operations and customers solely located in a province - likely look to the law of that province Alberta, BC Personal Information Protection Act Quebec - Loi sur la protection des renseignements personnels dans le secteur privé Quebec Other - PIPEDA Need to consider inter-provincial transfers of personal information Contemplation of blended multi-jurisdictional privacy compliance programs
PRIVATE SECTOR ENTITIES MAY USE CLOUD COMPUTING
PIPEDA Case #145 It is not a disclosure if the personal information is in the control of the customer Railway has agreement providing for provision of personnel files and training records to the managing organization for management purposes PIPEDA 4.1.3 organization is responsible for personal information in its possession or custody, including information transferred to a third party for processing Organization to use contractual or other means to provide comparable level of protection Organization only provides information necessary to be processed Service provider limits internal disclosure on a need-to-know basis Agreement includes control by organization, confidentiality and other precautions reinforcing the organization s control of the data / personal information
PIPEDA Case #394 Email operation services provided by US service provider PIPEDA does not prohibit one from obtaining services across international borders Important for the customer to assess risks to security and confidentiality of customer personal information when transferred to a service provider protection measures must be formalized by contract or other means Must be transparent about information handling practices and notify customers that information may be available to governments of the other county under lawful orders The sharing of information with the 3 rd party service provider seen as a 'use' under PIPEDA that requires consent Once consent was obtained - change in service providers would not require a further consent
AB/BC PIPA It is not a disclosure if the personal information is in the control of the organization PIPA (BC) Exemption permits collection, use and disclosure of personal information without consent for services provider to assist organization to carry out work Organization must have consent Service providers processing limited to the purposes in consent PIPA (AB) Definition 1(h) organization includes any person acting on behalf of a corporation, unincorporated association, trade union or partnership or an individual acting in a commercial capacity
FOCUS ON CLOUD COMPUTING SERVICE PROVIDERS
KEY PRINCIPLE - YOU RE RESPONSIBLE An organization is responsible for personal information that is in its custody or under its control. Where an organization engages the services of a person, whether as an agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person s compliance with this Act. An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
CLEAR ACCOUNTABILITY 5(6) Nothing in subsection (2) is to be construed so as to relieve any person from that person s responsibilities or obligations under this Act 5(2) affirms that a person or agent retained by an organization, whether under contract or otherwise, is not relieved of its own responsibilities or obligations because it has been retained by another organization. The end result is that there can be accountability by on the part of both principal and agent, organization and contractor. Para 40, P2005-IR-005 Builder's case AB PIPA
CONSENT & NOTICE Consider consent / notice requirements: Initial transfer of personal information to service provider Distinction between transfer of information for processing and disclosure? "use" per PIPEDA Case #394? Future collection, use and/or disclosure by third-party suppliers Is properly obtained consent / notice to collection, use and/or disclosure by a company sufficient consent / notice for performance of those activities by a company s cloud service providers?
CLOUD COMPUTING TERMS Appropriate terms in contract with cloud computing service providers are critical
TERMS TO CONSIDER Contracts with cloud computing service providers should ideally include some or all of the following: Covenants restricting collection, use and disclosure of information other than for purposes for which third party is expressly retained Typically addressed in the confidentiality provisions, but must assess that definition of confidential information is broad enough to capture all personal information Covenants requiring the service provider to maintain specific privacy, safety, security and backup standards for the personal information that meet the company s standards A right to audit the privacy & security practices of the cloud service provider
FURTHER TERMS If a cloud service provider is collecting information directly for which consent / notice has not already been obtained, detailed requirements regarding the form and content of the consent / notice, and the manner in which it must be recorded Obligations to provide access to personal information to the company and its customers/employees A right to require the cloud service provider to modify its privacy practices at the company s request An indemnity for breach of privacy (may be carved out of limitation of liability) Sensitivity of the personal information will dictate extent of contractual protection required
AB OIPC Investigation P2006-IR-004 Complaint re Union International Union maintains personal information about members in system in Las Vegas Assessment of safeguards found: Union implemented reasonable administrative and technical safeguards at both local and international levels Union's policies, procedures, technical security and response to a security breach incident were compliant with PIPA Report assessed preventive measures used to protect personal information including: Training of all users, special training of system operators Servers and data in locked secured data centre 5 levels of security of data firewalls, virus, spyware, denial of service & intrusion protection Data encrypted during transmission System subject to audits
AB PIPA Mandatory requirements for organizations using foreign service providers include: Notification of individuals if service provider outside of Canada will collect personal information on behalf of organization Notification if organization will be transferring personal information to service provider outside of Canada Including information on the outsourcing practice in organizations policies and practices
PIPEDA Case #313 CIBC, amending cardholder agreement, notifies VISA customers on use of a US service provider and possibility that US law enforcement agencies may be able to obtain access to personal information No opt out possible CPC's findings: PIPEDA does not prohibit use of foreign based 3 rd party service providers Canadian organizations must have provisions in place when using 3 rd party service providers to ensure a comparable level of protection CIBC contract provided security & confidentially guarantees Oversight, monitoring and audit of services CIBC maintains custody and control of information
PIPEDA Case #313 personal information in the hands of a foreign 3 rd party service provider, is subject to the laws of that country and no contractual provision can override those laws clear that there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider be it Canadian or US can be obtained by government agencies, whether through the provisions of U.S. law or Canadian law at the very least, a company in Canada that outsources information processing to the US should notify its customers that the information may be available to the US agencies under a lawful order made in that country CIBC did so complaint not well founded
CLOUD COMPUTING - THE PUBLIC SECTOR LANDSCAPE
THE CHANGING LANDSCAPE 9/11 Terror Attacks Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) BC Govt Serv. Employ Union vs British Columbia (Minster of Health Services) Issue arises in the context of an effort by the Government to outsource certain processing But access for law enforcement is normal in other jurisdictions including Canada Hogan Lovells study of numerous countries [Summary reproduced with consent]
THE BC Response Bill 73 provides provincial offences, with fines of up to $500,000, for outsourcing service providers who: Store, access or disclose personal information of a British Columbia public sector body outside of Canada, subject to a few narrowly defined exceptions Fail to provide notice to the Minister of Management Services of any foreign demand for disclosure of personal information held by the service provider; or Discipline, suspend, demote, harass or otherwise disadvantage an employee who, acting in good faith and on the basis of reasonable belief, complies with the notice obligations above or acts to insure compliance with the British Columbia legislation
BC Govt Serv Empl Union v. BC No Charter or statutory breach by outsourcing to US linked service provider Outsourcing of implementation and development of technology services confirmed Province retained ultimate responsibility for all administration and operation, assessments and final approvals "More than reasonable security" in structure of outsource transaction including: Trust provisions Province to obtain shares of opco if risk of disclosure occurs Restrictions on use and control of electronic equipment by employees $35M penalty for breach of confidentiality Whistle blowing requirements (contractually and legislatively by FOIPPA) Extensive FOIPPA provisions (Bill 73) to ensure records kept in private and in BC All information remains property of Province Prohibition on disclosure of data Subject to laws of BC
Features post Bill 73 in BC contracts Requirements for segregated data access Requirements to keep individual user logs More use of non-disclosure agreements (between individual service provider employees and the public body, between employees of a sub-contractor and the service provider, and between employees of the sub-contractor and the public body) Annual oath requirements for service provider and subcontractor employees Restrictions on access of foreign-based employees to personal information, where these employees work on transition and transformation activities Limitations on data access generally, including data remote access
Features post Bill 73 in BC contracts Corporate internal limitations on data access, cutting off extra-provincial access Alarm notification facilities to alert the public body to copying or unusual access activity Prohibitions on service provider staff outbound web and email access Restrictions on data portability hardware to only designated personnel Dedicated service provider privacy officers to monitor compliance Financial penalties in contract in the event of disclosure or privacy breaches List per OIPC Alberta s report Public-sector Outsourcing and Risks to Privacy" Feb 2006
Mission School District No. 75 Use of US based on line assessment tool Unions allege breach of FOIPPA to BC OIPC: Security arrangements reasonable? Adequate consent to storage and access of the personal information? Commissioner finds: S. 30 FOIPPA requirement to make reasonable security arrangements does not foreclose contracting out of services Public body cannot contract out of its privacy obligations Must provide reasonable security having regard to the nature of the personal information involved and seriousness of consequences if unauthorized disclosure Found adequate consent through click to agree mechanism
Nova Scotia Response Personal Information International Disclosure Protection Act 2006 SNS 2006, c 3 Requires that information under the custody and control of a public or government body be stored only in Canada and accessed only in Canada Unless individual has consented to its storage or disclosure outside of Canada Unless for permitted disclosure Permits public body or service provider to disclose personal information out of Canada for many lawful purposes including for law enforcement
AB Suggestions Alberta's commissioner recommended creation of an Alberta government checklist or model outsourcing contract, which would be applicable to consider in a cloud computing context : A prohibition on the assignment or subcontracting of the outsourcing contract without the written consent of the public body A requirement of notification by the outsourcer in the event of a notice of creditor's remedies or Court applications for bankruptcy or protection from creditors A requirement of notice on any demand for access to or disclosure of personal information received by the outsourcer
AB Suggestions A requirement of notice of any loss or unauthorized access to personal information by the outsourcer or its employees A right to audit for both compliance with the contract and with any legislation stipulated to be applicable to it (i.e. Alberta FOIPPA, the Health Information Act, etc.) A requirement for the outsourcer to have in place a system to monitor or audit its own use and disclosure of the personal information, with an access provision for the public body to review those logs on certain conditions Stipulated consequences for breach including mandatory return of all copies of personal information and assistance in recovering lost or otherwise disclosed personal information
The Federal Response Federal Treasury Board Secretariat released: A policy guidance document Taking Privacy into Account Before Making Contracting Decisions A strategy paper entitled Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows
Review of Licensing Automation System PC 12-39 Ont. Priv. Comm. Ministry of Natural Resources uses US licensing automation system to manage hunting & fishing licenses Privacy Impact Assessment conducted before proceeding OPC: Ontario has no legislative prohibition on storing personal information outside of Ontario or Canada Prov. Institution obligated to ensure reasonable measures in place to protect privacy and security of records containing personal information Risks of PATRIOT ACT similar to those of law enforcement access in Canada rely on PIPEDA case #2005-313
Review of Licensing Automation System Safeguards found sufficient and include: All data owned by the Ministry Agent cannot use, collect or disclose personal information for unauthorized purposes All personal information is subject to confidentiality obligations Require notice of compelled disclosure No subcontracting without Ministry consent Agent to ensure security and integrity of all personal information in its possession Agent to return all information at end of term, retaining none Provision for audit of privacy and security compliance Governing law Ontario
Existing Practices The segregation of personal information being handled under the contract from other records held by the contractor Audit trails to closely monitor how information is being handled The limiting of right-to-access based upon specific user profiles Approval by the government of any subcontracting The return or approved destruction of all records at the end of a contract The signing of non-disclosure agreements The use of encryption technology allowing only government officials to view the decrypted data
New Practices The inclusion of a new step in the solicitation checklist for service contracts that asks for the review of direct and indirect risks involving personal and proprietary information Use of multi-disciplinary teams to review proposed contracting arrangements Monitoring of all contracts where foreign companies have access to personal or other sensitive information Adding contractual requirements that part or all of the work be completed within the institution (especially when health information is involved) or within Canada Ensuring by contract that personal information or other protected or classified information is shared with third parties only where warranted
New Practices Consultation with legal services for all future contracts where personal or sensitive information will be exchanged or provided to third parties to consider inclusion of provisions that prevent disclosure under any foreign legislation Modification of contract forms to allow contract authorities to better assess risk Exploration of technological solutions to protect information flows Amendment of training plans to increase department-wide assessment of risks Development of risk management approaches related to business and personal information to mitigate risks associated with foreign legislation, which will in turn be incorporated in the institution's corporate risk management framework
FINAL COMMENTS
Final Comments Do your Due Diligence know your service provider / customer know your jurisdiction(s) know your transaction Understand the obligations Design the cloud computing service relationship to address privacy and security safeguards Look to public sector guidelines as checklist
QUESTIONS? Martin P.J. Kratz, QC kratzm@bennettjones.com