CLOUD COMPUTING, TRADE SECRET / KNOW-HOW & EUROPEAN LEGAL FRAMEWORK
AIPPI 2012 SEOUL, XX October 2012
Alexandra NERI, Partner, TMT, +33 1 53 57 70 70, alexandra.neri@hsf.com
TOPICS
(I) What is cloud computing? What barriers?
(II) Information as Trade Secret and Know-How
(III) Trade Secret and Know-How in the Cloud: from involuntary free fall to sky surfing!
(IV) Dispute aspects
WHAT IS CLOUD COMPUTING?
- «Buzzword» of the decade!
- No defined or stable form. No clear limits. Difficult to grasp.
- Associated with a hype alphabet soup and IT marketing voodoo: IaaS, PaaS, SaaS, STaaS, SECaaS, DaaS, etc.; anything «as a service»;
- Unavoidable? From Fog to Cloud
WHAT IS CLOUD COMPUTING?
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
The NIST Definition of Cloud Computing, http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
WHAT IS CLOUD COMPUTING?
Service models / Type (IaaS, PaaS, SaaS)
[1] «Infrastructure as a service» (IaaS):
- Provision of processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software (operating systems and applications);
- The consumer has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls);
Ex: Amazon S3 / EC2, Windows Azure (VM)
WHAT IS CLOUD COMPUTING?
[2] «Platform as a service» (PaaS):
- The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
- The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Ex: Google App Engine, Windows Azure
WHAT IS CLOUD COMPUTING?
[3] «Software as a service» (SaaS):
- The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface;
- The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Ex: Gmail, Hotmail, Salesforce, Amazon Webstore webapps
WHAT IS CLOUD COMPUTING?
Deployment / Modes
- Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
- Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
WHAT IS CLOUD COMPUTING?
- Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
- Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology.
WHAT IS CLOUD COMPUTING?
Essential characteristics / Features
- On-demand self-service. A consumer can unilaterally provision computing capabilities.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms.
- Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model.
- Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
- Measured service. Cloud systems automatically control and optimize resource use. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer.
WHAT IS CLOUD COMPUTING?
Figure: «The future of cloud computing», Expert Group Report, EC
WHAT IS CLOUD COMPUTING?
SOUNDS GOOD! TIME TO MOVE MY DATA INTO THE CLOUD AND MAKE SAVINGS.
ALL MY DATA?
INFORMATION AS TRADE SECRET
TRIPS AGREEMENT (art. 39):
Natural and legal persons shall have the possibility of preventing information (...) so long as such information:
- is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
- has commercial value because it is secret; and
- has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
EU: No specific EU law.
France: No specific law. Draft law (Criminal Code), Art. 325-1: The trade secrets of an undertaking are defined as all processes, items, documents, data or files of a commercial, industrial, financial, scientific, technical or strategic nature not in the public domain and that if disclosed without permission would substantially compromise the interests of that undertaking by damaging its scientific or technical potential, strategic positioning, commercial or financial interests or its ability to compete and for which specific protection measures have therefore been taken with a view to identifying such processes, items, documents, data or files as confidential and to keeping them confidential. Unauthorized disclosure is liable to imprisonment for a term of three years and a fine of EUR 375,000.
INFORMATION AS KNOW-HOW
COMMISSION REGULATION (EC) No 330/2010, art. 1:
A package of non-patented practical information, resulting from experience and testing by the supplier, which is secret, substantial and identified (...):
- secret means that the know-how is not generally known or easily accessible;
- substantial means that the know-how is significant and useful to the buyer for the use, sale or resale of the contract goods or services;
- identified means that the know-how is described in a sufficiently comprehensive manner so as to make it possible to verify that it fulfils the criteria of secrecy and substantiality.
France: No specific laws on know-how. "Manufacturing secrecy" (rarely used) is defined by case law with the following cumulative conditions:
- Patentable or non-patentable industrial process
- Secret
- Original
- Specific to the undertaking/company
Any manager or employee found to have disclosed or attempted to disclose a trade secret is liable to imprisonment for a term of two years and a fine of EUR 30,000 (Article L621-1 of the FIPC).
INFORMATION AS KNOW-HOW / TRADE SECRET
- Trade secret (TRIPS) and know-how (EU): overlap and differences;
- In France, know-how can consist of technical information but also of trade secrets (CA Paris, 26 April 2006 and 17 Oct 2007) and commercial or economic information;
- Limited direct remedies («violation du secret de fabrique» in France has a limited scope). Indirect remedies based on various grounds: computer crime, data theft, unfair competition, etc.
INFORMATION AS KNOW-HOW / TRADE SECRET
Secrecy is the key condition. Distinction between:
- Secrecy by nature: information not generally known or easily accessible / discoverable by the public or interested third parties;
- Secrecy as measures (technical, human, processes, etc.) to «keep the secret secret».
CONFIDENTIALITY / SECURITY IN THE CLOUD?
KNOW-HOW AND TRADE SECRETS IN THE CLOUD?
CONFIDENTIALITY / SECURITY IN THE CLOUD?
Figure source: IDC 2012 - IDC Final Report, 13 July 2012
CONFIDENTIALITY / SECURITY IN THE CLOUD?
EUROPEAN COMPANIES FIND SERIOUS BARRIERS TO MOVING TO THE CLOUD, IN PARTICULAR FOR THEIR SENSITIVE DATA
CONFIDENTIALITY / SECURITY IN THE CLOUD?
CONTRACT
- Security and confidentiality requirements must be clearly disclosed at the RFP stage and specified in the contract and in the SLA;
- The split between customers and providers as to security obligations must take into account the type (IaaS, PaaS, SaaS) and the mode (public, private, hybrid) of the cloud computing solution, and probably the functions supported by the cloud solution deployed;
- «Take-it-or-leave-it» agreements impose, regardless of the cloud computing type, standard (low) levels of security that may not fit all needs/requirements, in particular for trade secrets. The EU Commission is to support «Safe and Fair Contract Terms and Conditions» (consumers/SMEs) as a Key Action;
- There is always some room for negotiation!
CONFIDENTIALITY / SECURITY IN THE CLOUD?
STANDARDS
- The EU Commission, in its communication on «Unleashing the potential of cloud computing» (25 Sept 2012), aims at creating «trust» in the «chain of confidence» by identifying and promoting «necessary standards» (security, interoperability, etc.);
- ETSI recommendations, guides and standards;
- ENISA issued in 2012 a «guide to monitoring of security levels in cloud contracts», which details the SLA parameters that may be part of the security monitoring framework. Big advantage: it is readable!
CONFIDENTIALITY / SECURITY IN THE CLOUD?
SERVICE LEVEL AGREEMENT
- «Secrecy» of information means not only confidentiality but also ensuring the security of all steps surrounding the access and use of such information, including monitoring and evidence management;
- The SLA is the cornerstone for ensuring an appropriate level of confidentiality and security;
- A security monitoring framework listing the parameters in detail should be mandatory and should answer the following questions: which security parameters to measure? How to measure them, and how to get independent measurements? When to raise the flag? Who is responsible for what?
CONFIDENTIALITY / SECURITY IN THE CLOUD?
A few security parameters to consider:
- Incident response
- Data life cycle management
- Technical compliance and vulnerability management
- Data isolation (incl. confidentiality)
- Log management and forensics
CONFIDENTIALITY / SECURITY IN THE CLOUD?
THERE IS NO STANDARD ANSWER. IT WILL DEPEND ON:
- THE PROJECT
- THE COUNTERPARTIES AND WARRANTIES
- THE SENSITIVITY OF THE DATA TO BE MOVED TO THE CLOUD
- RISK & CONSEQUENCE ASSESSMENT
COMMISSION KEY ACTIONS FOR THE CLOUD
- Key Action 1: Cutting through the Jungle of Standards
- Key Action 2: Safe and Fair Contract Terms and Conditions
- Key Action 3: Establishing a European Cloud Partnership to drive innovation and growth from the public sector
DISPUTES: WITH REGARD TO CONTRACTUAL OBLIGATIONS
The applicable law: the rule under Rome I
Article 3: A contract shall be governed by the law chosen by the parties.
Article 4: To the extent that the law applicable to the contract has not been chosen, a contract for the provision of services shall be governed by the law of the country where the service provider has his usual residence.
DISPUTES: WITH REGARD TO CONTRACTUAL OBLIGATIONS
The competent jurisdiction: the rule under Brussels I
Article 23: If the parties, one or more of whom is domiciled in a Member State, have agreed that a court or the courts of a Member State are to have jurisdiction to settle any disputes which have arisen or which may arise in connection with a particular legal relationship, that court or those courts shall have jurisdiction.
DISPUTES: WITH REGARD TO CONTRACTUAL OBLIGATIONS
Article 5(1)(b): To the extent that the jurisdiction has not been chosen, a person domiciled in a Member State may, in another Member State, be sued in the courts for the place of performance of the obligation in question, which is, in the case of the provision of services, the place in a Member State where, under the contract, the services were provided or should have been provided.
The freedom of choice depends on the contract's nature: a preformulated standard contract is not negotiable.
DISPUTES: WITH REGARD TO NON-CONTRACTUAL OBLIGATIONS
The applicable law: the rule under Rome II
Article 4: The law applicable to a non-contractual obligation arising out of a tort/delict shall be the law of the country in which the damage occurs, irrespective of the country in which the event giving rise to the damage occurred and irrespective of the country or countries in which the indirect consequences of that event occur.
DISPUTES: WITH REGARD TO NON-CONTRACTUAL OBLIGATIONS
The competent jurisdiction: the rule under Brussels I
Article 5(3): A person domiciled in a Member State may, in another Member State, be sued, in matters relating to tort, delict or quasi-delict, in the courts for the place where the harmful event occurred or may occur.
If none of the mentioned Regulations applies, each country shall apply its own private international law.
CONFIDENTIALITY / SECURITY IN THE CLOUD?
THANK YOU