Data Privacy in the Cloud: A Dozen Myths & Facts

Similar documents
The HR Skinny: Effectively managing international employee data flows

Drawing Lines in the Cloud: Jurisdictional Access to Data. Nancy Libin Mary Ellen Callahan

Client Alert. Global Information Technology & Communications Privacy, Data Protection and Information Management

Jeanne Kelly, Partner Cloud Computing: The Legal Issues

Administrative Policy No. AD 2.26 Title:

PIPEDA and Online Backup White Paper

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

Credit Union Liability with Third-Party Processors

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Article 29 Working Party Issues Opinion on Cloud Computing

Privacy & Data Security: The Future of the US-EU Safe Harbor

The USA Patriot Act Government Briefing. Kirsten Tisdale, Chris Norman, Sharon Plater & Alexandra (Gina) Henley September 30, 2004

Global Information Technology & Communications Global Privacy and Data Protection

Legal Challenges for U.S. Healthcare Adopters of Cloud Computing

The Cloud and Cross-Border Risks - Singapore

OCC 98-3 OCC BULLETIN

The PerspecSys PRS Solution and Cloud Computing

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

THE TRANSFER OF PERSONAL DATA ABROAD

CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING?

Third Party Security: Are your vendors compromising the security of your Agency?

Committee on Civil Liberties, Justice and Home Affairs - The Secretariat - Background Note on

Cloud Security Trust Cisco to Protect Your Data

Cloud Computing: Privacy and Other Risks

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

Data Protection, Software Licenses and other Legal Issues in the Cloud

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

Help for ADP s Mobile App

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

PAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope)

12 Considerations for Managing Foreign Supplier Risk

DASSAULT SYSTEMES GROUP HUMAN RESOURCES DATA PRIVACY POLICY

Response to the European Commission consultation on. European Data Protection Legal Framework

ISO/IEC Safeguarding Personal Information in the Cloud. Whitepaper

Statement of Guidance

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012

Privacy Implications of Cloud Computing in Israel

Trust in the Cloud Legal and Regulatory Framework

Cloud Computing Contract Clauses

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Capital Policy and Safeguards Statement for Merchant Acquirer Limited Purpose Banks

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Isaac Willett April 5, 2011

The Hidden Risks: Managing Risks in Outsourcing Relationships. Bruce Jones Global IT Security, Compliance & Risk Manager Eastman Kodak Company

Data Processing Agreement for Oracle Cloud Services

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

Using AWS in the context of Australian Privacy Considerations October 2015

Outsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

WELCOME TO SECURE

EUROPEAN CENTRAL BANK

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing.

WHITE PAPER Meeting European Data Protection and Security Requirements with CipherCloud Solutions

How To Protect Your Data In The Cloud

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

(a) the kind of data and the harm that could result if any of those things should occur;

Cloud Computing: Legal Risks and Best Practices

NATIONAL CYBER SECURITY AWARENESS MONTH

How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

Paychex Accounting Online Terms of Use

UK Cloud Computing Interception - nothing new. Clive Gringras. Olswang LLP

MOVING TO THE CLOUD. ebook. Moving to new heights - an analysis of the good and the bad when moving ERP into the Cloud.

Cloud Computing. Introduction

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

Office 365 Data Processing Agreement with Model Clauses

LATISYS SAFE HARBOR POLICY

Welcome & Introductions

Legal Ethics in the Information Age: Unique Data Privacy Issues Faced by Law Firms. v , rev

Risk Management of Remote Deposit Capture

Considerations for Outsourcing Records Storage to the Cloud

Worldwide Anti-Corruption Policy

Data Protection Policy.

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

Insights into Cloud Computing

Warranties, Surety Bonds and Correction Periods: How To Get Defects Repaired

The potential legal consequences of a personal data breach

Myths About Moving to the Cloud. What small and medium-sized businesses really need to know about moving to Microsoft Office 365

Implications for Cloud Computing & Data Privacy

United States Visitor and Immigrant Status Indicator Technology Program (US-VISIT)

SELECTED LEGAL ISSUES

Insights and Commentary from Dentons

Cloud Computing: Privacy & Jurisdiction from a Canadian Perspective

Norwegian Data Inspectorate

Contact: Henry Torres, (870)

GSK Public policy positions

Privacy Law in Canada

Directors and officers liability best practices guidelines

Why Encryption is Essential to the Safety of Your Business

GENERAL TERMS AND CONDITIONS FOR SAP CLOUD SERVICES ( GTC )

WASHINGTON STATE EMPLOYEES CREDIT UNION ONLINE BANKING AGREEMENT

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

Transcription:

Data Privacy in the Cloud: A Dozen Myths & Facts March 7-9 Washington DC Presented by: Barbara Cosgrove, Chief Security Officer, Workday, Inc. Lothar Determann, Partner, Baker & McKenzie LLP

We re taking on the most common concerns raised against cloud computing solutions as two leading privacy experts provide practical guidance and dispel myths about privacy in the cloud. Hear seasoned experts test the notion that cloud computing presents fundamentally unique data privacy challenges, argue that increased data sharing in the cloud can actually be good for privacy and assert that legal compliance does not fall under service provider purview. These and other major questions are tackled in this session, where you ll get the information you need to confidently maneuver your organization through the cloud.

What you ll take away: A solid understanding of pros and cons of cloud computing for privacy compliance An increased ability to discuss challenges with customers and providers Practical guidance for contracts between vendors and customers

A DOZEN MYTHS Myth 1: Cloud Computing Presents Fundamentally New and Unique Challenges for Data Privacy and Security Compliance Myth 2: Cloud Computing Involves More Data Sharing, Which Is Inherently Bad for Privacy Myth 3: Cloud Computing Is Bad for Data Security Myth 4: Cloud Computing Causes Additional Issues Under Privacy Law Because Data Is Transmitted Internationally Myth 5: Data in the United States Is Endangered by the USA Patriot Act Myth 6: Record Keeping Laws Require Data to Stay Local Myth 7: US-EU Safe Harbor Does Not Apply to Service Provider Arrangements Myth 8: Contractual Clauses Are Unnecessary If the Service Provider Is Safe Harbor-Certified Myth 9: Data Privacy & Security Law Compliance Is the Provider s Responsibility Myth 10: Cloud Service Providers Cannot Cede Control to Their Customers Myth 11: Vendor Has and Should Accept Unlimited Liability for Data Security Breaches Myth 12: Customer Must Have the Right to Access the Provider s Data Centers and Systems for Audit Purposes

Myth 1: Cloud Computing Presents Fundamentally New and Unique Challenges for Data Privacy and Security Compliance

Myth 1: Cloud Computing Presents Fundamentally New and Unique Challenges for Data Privacy and Security Compliance Fact is that consumers and companies have been entrusting specialized service providers with personal data for a long time: - including telecommunications companies, payment processors, accountants, and various outsourcing service providers ( e.g., payroll, call centers, and IT support) - Internet is founded on the principle of decentralized transfer of data across geographies, devices, and connections. Remember application service providers?

Myth 2: Cloud Computing Involves More Data Sharing, Which Is Inherently Bad for Privacy

Myth 2: Cloud Computing Involves More Data Sharing, Which Is Inherently Bad for Privacy Fact is sharing with processors transfers to controllers. companies never act without people, and people can be statutory employees, individual independent contractors or employees or contractors of corporate suppliers neither option is per se harmful to data privacy. data sharing with data processing agents is not inherently bad or good for privacy; it is neutral most multiational companies transfer data across geographies anyhow.

Myth 3: Cloud Computing Is Bad for Data Security

Myth 3: Cloud Computing Is Bad for Data Security Fact is whether personal data is safer on a system secured by you or your vendor depends on who you and your vendor are, depends on the security measures deployed by each particular organization.

Myth 3: Cloud Computing Is Bad for Data Security Contd. For example regarding a global HRIS, each multinational employer needs to ask itself whether its own IT capabilities and security policies are superior to the measures deployed by a specialized vendor that can leverage economies of scale and is motivated by the risk of reputational harm to keep data of its customers secure.

Myth 4: Cloud Computing Causes Additional Issues Under Privacy Law Because Data Is Transmitted Internationally

Myth 4: Cloud Computing Causes Additional Issues Under Privacy Law Because Data Is Transmitted Internationally Fact is that most companies are already transmitting data internationally because they use the Internet (for example, to email spreadsheets to various office locations) or because they have subsidiaries, customers, suppliers, or channel partners in other jurisdictions.

Myth 5: Data in the United States Is Endangered by the USA Patriot Act

Myth 5: Data in the United States Is Endangered by the USA Patriot Act The United States enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA Patriot Act) in October 2001 following the September 11 terrorist attacks to help fight terrorism and money laundering activities and to provide certain additional investigative powers to US law enforcement officials.

Myth 5: Data in the United States Is Endangered by the USA Patriot Act Contd. But: these powers are not relevant for most types of data in cloud computing arrangements; the government is much more likely to obtain the data directly from the data controllers ( i.e., users of cloud computing services); if the data controller is not based in the United States and lacks a strong nexus to the United States, chances are the US government is not interested in the data regardless of whether the data is hosted in the United States; if the US government is interested, it can usually obtain access to the data through foreign governments through judicial assistance and cooperation treaties, regardless of where the data is hosted; similar powers exist in most other countries and data is typically much more at risk of being accessed by governments at the place where the data controller is based; and the USA Patriot Act issue is cited to support unrelated agendas, such as protecting local companies or unionized jobs from global competition.

Myth 5: Data in the United States Is Endangered by the USA Patriot Act Contd. The information that the US government seeks to fight terrorism and money-laundering is not what most companies store or process in the cloud In some cases, the additional hurdles established by jurisdictional complications will make a difference, but this difference works both ways. For example, a US bankruptcy court recently refused to hand over emails to and from a German resident to the German government

Myth 5: Data in the United States Is Endangered by the USA Patriot Act Contd. In this case, the German resident s privacy was better protected due to the fact that his emails were stored in the United States: The German government would have easily gotten access to his email if he had used a German Internet service provider. Most countries around the world allow law enforcement access to private information to a similar extent as in the United States, and many countries have updated their privacy laws to provide for minimum data retention requirements (European telecommunications laws go beyond US requirements) and otherwise lowered privacy protection standards

Myth 6: Record Keeping Laws Require Data to Stay Local

Myth 6: Record Keeping Laws Require Data to Stay Local Fact is that some tax, bookkeeping, and corporate laws in some jurisdictions historically required certain records to stay in country. But such requirements apply only to certain kinds of records and they do not prohibit the transfer of data into the cloud so long as originals or back-up copies are also kept local.

Myth 7: US-EU Safe Harbor Does Not Apply to Service Provider Arrangements

Myth 7: US-EU Safe Harbor Does Not Apply to Service Provider Arrangements Fact is that the safe harbor principles expressly state that data processors may participate and achieve adequacy through certification and that the EU Commission ordered EEA member states to consider companies adequate if they certify under the US-EU safe harbor program, whether they act as data controllers or processors. Consider is data really safer in every EEA Member State than anywhere in the USA?

Myth 8: Contractual Clauses Are Unnecessary If the Service Provider Is Safe Harbor- Certified

Myth 8: Contractual Clauses Are Unnecessary If the Service Provider Is Safe Harbor-Certified Fact is that the safe harbor certification qualifies a service provider outside the EEA as adequate as a service provider within the EEA is presumed to be. But, European laws require particular contractual clauses for data transfers to any service provider, whether the provider is in the EEA or outside You have to clear three hurdles

Myth 9: Data Privacy & Security Law Compliance Is the Provider s Responsibility

Myth 9: Data Privacy & Security Law Compliance Is the Provider s Responsibility Fact is that data privacy and security laws primarily hold the data controller responsible for compliance, that is, the customer in a service provider relationship. The service provider has typically only two duties under data privacy laws: The processor has to follow its customer s instructions and keep the data secure against unauthorized access. It is important for customer and vendor to reach a reasonable agreement about what level of security is appropriate for particular types of data and who should be doing what

Myth 10: Cloud Service Providers Cannot Cede Control to Their Customers

Myth 10: Cloud Service Providers Cannot Cede Control to Their Customers Fact is that many organizations find it difficult to stay in control over modern IT systems, whether they hire service providers to provide IT infrastructure or whether they host, operate, and maintain systems themselves.

Myth 11: Vendor Has and Should Accept Unlimited Liability for Data Security Breaches

Myth 11: Vendor Has and Should Accept Unlimited Liability for Data Security Breaches Fact is that service providers may not always be able to limit their liability vis-à-vis the data subjects. But, data protection laws do not prescribe the allocation of commercial liabilities between the parties. Sophisticated companies usually slice and dice exposure in various ways in indemnification, limitation of liability, and warranty clauses. It is quite common to differentiate in risk allocation clauses based on whether customer and/or service provider contributed primarily to a breach or resulting harm, whether the service provider was in compliance with its contractual obligations, its information security policies, and applicable law, and whether a risk materialized that could have affected any other company, including the customer.

Myth 12: Customer Must Have the Right to Access the Provider s Data Centers and Systems for Audit Purposes

Myth 12: Customer Must Have the Right to Access the Provider s Data Centers and Systems for Audit Purposes Fact is that customers need to reserve a right to audit the cloud service provider s compliance measures... the service provider may not let customers into its data centers or systems because that would impair the security of other customers data individual audits can be unnecessarily disruptive and costly

Myth 12: Customer Must Have the Right to Access the Provider s Data Centers and Systems for Audit Purposes Contd. Possible compromise: Cloud service providers can arrange for routine, comprehensive audits of their systems by a generally accepted audit firm and make the results available to all customers. If customers demand additional topics on the audit list, providers can expand the scope of the next scheduled audit, provided that the customers are willing to pay for the additional effort and the controls are within the scope of the service.

Questions

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information