Legal issues in the Cloud


Legal issues in the Cloud
Renzo Marchini, Dechert LLP, London, UK
Gene K. Landy, Ruberto, Israel & Weiner, PC, Boston, MA, USA
Portions © 2010 Dechert LLP. Portions © 2010 Ruberto, Israel & Weiner, PC.

Attorneys and Authors

Outline
Cloud Overview
- What is Cloud Computing?
- Setting the scene
Data Protection and Information Security
- Who is responsible for data protection compliance?
- What are the security requirements?
- Does it matter where the data is?
Issues in Cloud Contracts
- Comparison with other IT models
- Service changes
- Service level agreements
- Liability for data
- Ownership/use of data
Other Cloud Legal Issues

Concepts of Cloud Computing

"Cloud computing is a simple idea with a huge impact. Instead of running your apps yourself, they run on a shared data center that's managed by the service provider. You just log in, customize, and start using an app." (Source: SalesForce.com)

"What [cloud computing] has come to mean now is a synonym for the return of the mainframe, and the mainframe is a set of computers. You never visit them, you never see them. But they're out there. They're in a cloud somewhere. They're in the sky, and they're always around. That's roughly the metaphor." (Source: Google CEO Eric Schmidt)

Why Cloud?

Many Business and Consumer Cloud Services
- Business Services, e.g. Net Suite
- Media Services, e.g. Bright Cove
- Online Application Add-Ins, e.g. Google Maps
- Social Media, e.g. Facebook, Twitter
- Small Business Services, e.g. Constant Contact
- Consumer Services, e.g. Gmail
- Development Platforms, e.g. Microsoft Azure

Cloud Digital Media Issues
- Search Engine Issues
  - Excerpts and thumbnails
  - Google News cases / Google Book litigation and settlement
- Notice and Takedown Rules
  - Viacom v. YouTube
- Cartoon Network v. CSC Holdings, 536 F.3d 121 (2nd Cir. 2008)

Entrepreneurship in the Public Cloud
- "No Server" startups
- Scaling up and scaling down in the cloud
- Functionality that works best in the cloud
- Operational advantages and challenges
- The Customers: consumer, small business, enterprise

Some Types of Cloud Services
- Software as a Service (SaaS) (e.g. Salesforce.com)
- Platform as a Service (PaaS) (e.g. Microsoft Azure)
- Infrastructure as a Service (IaaS) (e.g. Amazon EC2): storage, servers, networks, virtualisation

Typical SaaS Business Solution
- Hosted and accessed remotely via Internet or mobile
- Specially built for SaaS
- Web technology
- Multi-tenanted

Typical Cloud Solution - A Complex Environment
[Diagram (chart adapted from Microsoft) showing the components of a typical cloud solution: Mobile Client / Browser; Presentation; Data, Media, or Other Third Party Services; Process Services; Business or Consumer Services; Security Services; Directory Services; Data / Media; File System; Databases.]

Key Data Protection Issues
- Who is responsible for data protection compliance? Who is the controller?
- What are the security requirements? Can that be delegated to the cloud provider?
- Does it matter where the data is? Cross-border issues

Controller or Processor?
Directive 95/46 on protection of personal data:
- data controller: person which alone or jointly with others determines the purposes and means of the processing of personal data
- data processor: person which processes personal data on behalf of the controller
Controllers have obligations under the Directive; processors (in most member states) have none.
- Of course, controllers take responsibility for processors
- Controllers/processors may well want indemnities

SWIFT
[Diagram: the SWIFT case, showing SWIFT, the US Government and the banks, with SWIFT and the banks each labelled Data Controller.]

SWIFT
- Irrelevant what the contract says
- SWIFT determined what personal data was processed:
  - functionality, e.g. determining standards as to the form and content of messages
  - security standard
  - the location of its data centres
- SWIFT decided to negotiate with the US authorities in relation to the warrants
Article 29 Working Party (February 2010):
- technical decisions can be delegated, but not the essential elements of the means
- ISP providing hosting services is in principle a processor

Who is the Data Controller in the Cloud?
- Services may be presented almost on a "take it or leave it" basis
- Purpose behind cloud is to shift data to locations where resources are available
- According to Working Party criteria: doesn't this sound like a controller?
- Still a risk that a cloud provider (an SaaS) will be found to be a controller. Perhaps less so for an IaaS provider.

What if the provider is a controller?
- The provider has no contractual relationship with the individuals. How can it comply with Directive obligations?
- Of course, it may be outside of the EU, but if not:
  - Article 7: legitimisation of processing
  - Article 11: information to be provided to the data subject
  - Article 12: rights of access
  - and so on
[Diagram: Individuals (e.g. employee/customer) -> Cloud Customer -> SaaS Provider (e.g. Salesforce.com)]

Key Data Protection Issues
- Who is responsible for data protection compliance? Who is the controller?
- What are the security requirements? Can that be delegated to the cloud provider?
- Does it matter where the data is? Cross-border issues

Article 17: Security of Processing
"... the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access."
Data controller must:
- carry out diligence
- take reasonable steps to ensure compliance with those measures
- have a written contract under which (i) the processor acts only upon instructions from the controller and (ii) an equivalent security obligation is accepted by the processor

Security in practice in the cloud (1)
Due Diligence
- Cloud providers inundated by questionnaires; being more and more open; increasing use of FAQs
Security Policy
- Physical Security: policy on access restrictions
- Network Security: firewalling technology and so on
- Server Security: how servers have been hardened against attack; policies for continuing improvement
- Data Segregation policies: multi-tenancy implies that there is no physical segregation, but how is logical segregation achieved?
- User (client) authentication policies, etc.
- Encryption: what algorithms and what strength? Data at rest; data in transit

Security in practice in the cloud (2)
Audit/Certification
- How can you undertake diligence of audit when you don't know where the data is?
- Will regulators accept certification by accredited third parties as an alternative?
ISO 27001 (and series)
- Security standard
- Careful with "conforms with": this is self-assessment
- Ensure it is certified by a recognised, third-party accredited body
SAS 70 (Statement on Auditing Standards No. 70)
- Accounting standard, not a security standard
- Need to see the actual report (ensure it is a Type II report)
- Need to examine the controls which are in place and have been described and commented on

Key Data Protection Issues
- Who is responsible for data protection compliance? Who is the controller?
- What are the security requirements? Can that be delegated to the cloud provider?
- Does it matter where the data is? Cross-border issues

Transborder Issues
Transfers out of the EEA: Article 25 of Directive 95/46: "The Member States shall provide that the transfer to a third country of personal data may take place only if the third country in question ensures an adequate level of protection"
- Adequate countries: Argentina, Canada, Switzerland, and Jersey, Guernsey and the Isle of Man, Faroe Islands
- Soon: Andorra and Israel
Fundamental point here is that you need to know where the data is.

What to do if Transferee Country not Adequate?
- US Safe Harbor
- Model Contracts
  - Controller to Controller (two sets)
  - Controller to Processor (the new set makes it easier for outsourcing)
- BCRs: not applicable, except for private clouds perhaps
- Self-assessment: OK in the UK

Problems of onward transfers
[Diagram: Customer (in Europe) -> SaaS Provider (in a third country) -> IaaS Provider (in a third country)]
- US Safe Harbor: onward transfers allowed to sub-processors under written contract
- Model Clauses for controller to controller (set II): allows onward transfers to processors (with no additional formality)
- Model Clauses for controller to processor (new set): allowed if the sub-processor signs its own contract! (and many other hoops)

US Data Protection Issues
Many different laws:
- Federal Trade Commission cases
- Children's Online Data Privacy Protection Act (COPPA)
- State Data Breach Notification Acts
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999
- Federal Trade Commission Red Flag Rules regarding personal financial and payment data
- Massachusetts Data Privacy Regulations

Comparison: SaaS and Software Licensing

  Software as a Service                                Software Licence
  ---------------------------------------------------  -------------------------------------
  Provider infrastructure                              Customer's server
  Remote access                                        Physical delivery (media or download)
  Subscription based                                   License fee
  Continuous update                                    Release schedules
  Data with provider (or provider's hosting provider)  Data with customer

Comparison: SaaS and Managed Services

  Software as a Service                  Managed Service
  -------------------------------------  -----------------------------------------
  Provider infrastructure/remote access  Provider infrastructure/remote access
  Data with provider                     Data with provider
  Usage based fees                       Negotiable
  Normally virtualised                   Fixed infrastructure (may be virtualized)
  Scalable on-demand                     Normally not dynamically scalable

Contracting Issues: Pricing Models
- Google Maps commercial service
- Per user / per access / per transaction
- Try and buy
- Terminable at will?
- Configuration and customization?
- Acceptance?

Service Level Agreements (SLAs)
Aspects of SLAs:
- Downtime
- Response / fix
- Remedies

Contracting Issues - Liability for Data
- One breach might affect several or all customers because of multi-tenancy
- Customer wants (but likely cannot get) indemnity for the cost of a breach of security, including:
  - investigation and repair of data
  - notification of data subjects
  - advertising / public relations
  - customer ID theft insurance
  - help desks, etc.
  - claims from customers or shareholders
- Is security transparent and auditable?

Contracting Issues - Liability for Data, cont'd
- Provider normally accepts no liability for:
  - loss of data
  - breach of security of data
  - integrity of data
- US provider may have SAS 70 certification (Statement on Auditing Standards No. 70: Service Organizations, of the AICPA), or the hosting provider may have this certification
- Backup and recovery:
  - manner and frequency of backing up?
  - access to data backups
  - data recovery site
  - fail-over protection?

Contracting Issues: Access to Data
- Data retrieval / migration to a new vendor on termination (and "lock-in")
- Where is the data? Customer contracts with a SaaS provider, who in turn contracts with a PaaS provider, who in turn contracts with an IaaS provider
- What happens if the SaaS provider is insolvent?
- Third party access to data via compulsory legal process
- The software escrow conundrum
[Diagram: Customer -> Software as a Service -> Platform as a Service -> Infrastructure as a Service -> "Data is somewhere"]

Bad User Data
- Infringing, libelous, obscene, threatening, stolen, restricted, etc. material supplied by customer or users
- Mass mailings of unsolicited mail (spam)
- Can provider use self-help without prior notice?

Issues in Partnering Between SaaS Vendors
- User data in multiple places in the cloud
- Additional security/data breach failure points
- Technical / business dependencies / more failure modes
- Integration: do APIs exist or do they have to be built? At whose cost?
- Bottom line: need a workable technical and contingency strategy that is documented in the agreement

Other Cloud/Legal Issues to Note
- Taxation / investment: expense vs. capital investment
- Continuous improvement model: shifting definition of the SaaS service, defined by online documentation that is continually updated
- Multi-SaaS vendor solutions: who has service responsibility?
- IP / infringement risk: shift from customer to cloud vendor
- Open source (copyleft) problems: providing cloud services can be a "magic bullet" solution
- Trade secret protection: much easier if the vendor never ships the code; reverse engineering rights don't apply
- Vendor's contractual rights to use data: the value of data aggregation

Questions?

Want to Know More? Just Contact:
Renzo Marchini
Dechert LLP
160 Queen Victoria Street
London EC4V 4QQ
renzo.marchini@dechert.com
020 7184 7563

Gene Landy
Ruberto Israel & Weiner, PC
100 No. Washington Street
Boston MA USA
gkl@riw.com
617 742 4200