Cloud Computing: Managing the Legal Risks
Mitigating Liabilities When Outsourcing Virtual Storage and Applications
Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, APRIL 25, 2012, 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Janine Anthony Bowen, Partner, Jack Attorneys & Advisors, Atlanta
Lora L. Fong, Managing Counsel, salesforce.com, inc., New York
Daniel A. Masur, Partner, Mayer Brown, Washington, D.C.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Cloud Computing: Managing the Legal Risks Mitigating Liabilities When Outsourcing Virtual Storage and Applications
Cloud Computing:
Managing the Legal Risks
Primer and Risk Mitigation
Janine Anthony Bowen, Esq., CIPP [email protected] (678) 823-6611 April 25, 2012
Agenda
• Brief Overview of Cloud Computing
• Later… Minimizing & Mitigating Legal Risk
Cloud Computing Plain English Definition
• From the User’s Perspective
– Data processing and storage, application development, and software hosting over the Internet instead of on a personal computer or over a business’ network
– Available on an ‘on demand’ basis
– Location of information stored ‘in the Cloud’ is potentially unknown at any given point in time
– Relatively inexpensive
National Institute of Standards & Technology’s Definition
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
• SaaS (Software as a Service): The consumer uses the provider’s applications running on a cloud infrastructure (e.g. Google Apps).
• PaaS (Platform as a Service): The consumer has control over the deployed applications and possibly application hosting environment configurations (e.g. Force.com).
• IaaS (Infrastructure as a Service): The consumer is able to deploy and run arbitrary software (e.g. Amazon EC2).
The Cloud…in all its Glory!
[Figure: Virtual Server Consolidation. Multiple separate physical servers and software licenses (Human Resources, Sales, Asset Management, Facilities Management, Purchasing) are consolidated onto a single physical server with multiple software licenses; real servers become a single virtual server.]
Multi-tenant
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
Contracting for Cloud Computing Services — Key Considerations
April 25, 2012, Dan Masur, Partner, Mayer Brown LLP, 202 263 3329, [email protected]
Top Secret The Real Value of Cloud Computing!
Contracting for Cloud Computing Services The Road to the Cloud!
Breadth of Cloud-Based Offerings
At one end of the spectrum:
– “Nice to have” business tools
– Routine, non-sensitive data
– Limited scope of business use
At the other end:
– Mission critical applications
– Regulated or business sensitive data
– Enterprise-wide use
Each end of the spectrum presents different legal and contractual challenges, options and trade-offs
Cloud Customers Must Make Informed Tradeoffs
• There is no standard contract “form” that will work for each situation
– Traditional outsourcing and software licensing terms may be useful, but cannot be inflexibly applied to cloud computing
• More robust contractual protection may or may not be the correct answer — it depends
• Prospective cloud customers must take into account
– Criticality of the software, data and services in question
– Unique issues associated with cloud computing
– Availability and pricing of various alternatives
• For “nice-to-have” business tools or routine data, a low cost solution may outweigh contractual protections
• Requiring robust contractual protections may increase the price and eliminate certain providers altogether
Key Issues in Cloud Computing
Data security is by far the largest concern as the market has yet to address enterprise security requirements – source: TPI (n=73)
Data security | 78%
Failing regulatory requirements | 51%
Integration risks with legacy systems | 49%
Unclear who has access to my data | 49%
Disaster recovery | 48%
Co-mingling of data | 34%
Up-time availability | 33%
Connectivity / bandwidth | 29%
Service provider viability | 27%
Unclear where data is stored | 26%
Response time | 25%
Migration to different service | 25%
Ill defined business case | 11%
Privacy, Security and the Cloud
We are at the intersection of privacy regulation increasing dramatically at the same time that cloud computing will increase exponentially.
Enterprises need to understand and prepare for entry into cloud computing – this requires assessment, planning (including for regulatory requirements) and careful transformation.
[Figure: two overlapping circles labelled Privacy and Cloud]
Issues with Cloud Computing Privacy and Security — the Elephant in the Room
• Data transfer issues (EU and similar jurisdictions)
• Data location issues
• Location of users accessing data
• Movement and storage of data
• Use of subcontractors
• Use of multiple platforms
• Lack of transparency and control
• Data breach issues
• Data destruction issues
• Ability to impose security and privacy requirements
Issues with Cloud Computing Privacy and Security — US
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Fair Credit Reporting Act/FACT Act
• Federal Trade Commission Act (FTCA)
• ID Theft Red Flags
• State Privacy Security Laws (Breach Notification — 46 States and Encryption (MA and NV), use of SSN’s, etc.)
• Industry Standards (PCI)
• Litigation and enforcement cases
Issues with Cloud Computing Privacy and Security — US
• General security of personal information laws (e.g., Arkansas, California, Indiana, Maryland, Massachusetts, Nevada, Rhode Island, Texas and Utah).
• Standard: reasonable security procedures and practices appropriate to the nature of the information.
• Massachusetts regulations far exceed most other laws and regs.
– Create duty to protect and have detailed system requirements
– Require a written security program
– Require that companies oversee service providers by selecting providers who are capable of maintaining appropriate security measures consistent with the MA regs
– Require that service provider contracts require them to implement and maintain appropriate security measures
– Require encryption of personal information across public networks, wireless networks and portable devices (laptops, hard drives, etc.)
Issues with Cloud Computing Privacy and Security — Non-US
In EEA and other jurisdictions where data protection and data transfer regulation is strict, cloud computing challenges and issues increase
Privacy, Security and Compliance Issues with Cloud Computing: —Non-US
• Numerous countries prohibit or restrict the transfer of personal data out of a certain area, and require additional formalities before the data may be transferred
• Examples: EU and EEA countries, Argentina, Canada, Dubai, Israel, New Zealand, Uruguay
Issues with Cloud Computing: Privacy and Security — Non-US
When Derogations do not apply, and Consent cannot be obtained, what are the options for Data Transfer?
Safe Harbor
– Covers EU to US Data Transfers
– This works well for companies who don’t have numerous worldwide affiliates, and in third party contract situations
Approved Clauses
– Data Controller to Data Controller or Data Controller to Data Processor
– Not the best solution for multinational companies who transfer data around the world
Binding Corporate Rules
– Rules that apply to all affiliated companies regarding personal data
– Best solution for multi-nationals with many inter-company data transfers, however, process is long and cumbersome
Issues with Cloud Computing: Privacy and Security — Non-US: Overview of Approved Clauses
• Use ensures satisfaction of “adequate protection”
• Controller to Controller, or recently updated Controller to Processor Contractual Clauses
• Data controller = determines the purposes and means of processing personal data
• Data processor = processes personal data on behalf of a controller
• Data controller to data processor (2010) clauses have some significant differences from the prior version
• Intercompany Transfers and Third Parties
Benefits
– Easiest of the data transfer options to use
– Must be used “as is”
– Nicely covers transfers to third parties (e.g., outsourcers)
Drawbacks
– Must be filed with DPAs in certain countries — cumbersome
– Must be used “as is”
– For multi-nationals, each company must sign a set with each other company or third party provider — very cumbersome, unless delegations of authority are properly made
Issues with Cloud Computing: Privacy and Security —Non-US : EU Approved Clauses
• Must be used after May 15, 2010
• Old clauses still work unless changes made regarding data or new subcontract
• Data Controller must agree in writing to sub-processors (subcontracting), and are entitled to see sub-processing contracts
• Data subjects can make claims directly against sub-processors
German DPA Statements on Cloud Computing
• DPA of Federal State of Schleswig-Holstein new white paper on cloud computing
• Paper is not legally binding, but indicates how German states will most likely analyze cloud computing
• Conclusion is that transfer of personal data in most cloud computing arrangements is not permitted by German data protection law – with a focus on public clouds
• Companies using cloud computing services must control whether cloud computing service providers observe the data protection laws
• Look for more developments and interpretation of the white paper
Other Critical Contracting Issues for Cloud Customers
Regulatory and Compliance Challenges
• Auditability
• Lack of transparency and control
• Subcontracting and flow down of provisions
• Export control issues
• Electronic discovery issues
• Record retention issues
Other Key Issues and Challenges
• Service levels
• Disaster recovery and business continuity
• Intellectual property issues
• Change management issues
• Exit rights
• Financial stability of providers/due diligence
Cloud Computing So now what? Can we even do this?
Contracting for Cloud Computing
YES!
• Keep your eye on
– Criticality of the software, data and services
– Unique issues associated with cloud computing
– Availability and pricing of various alternatives
• Look to traditional outsourcing contracts and software and data use agreements as a good starting point
Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings
Customer Need | Pure Utility Cloud Solution | Enterprise Cloud Solution (Leveraged Private Cloud)
Need for diligence on provider | Physical diligence/inspection not permitted, and not possible if sub-processors are used | Basic diligence information is available – certifications, audit reports, etc.
Know where your data is processed and stored | Data may be processed and stored anywhere | Location of data can be fixed in contract
Know places where your data may be transferred | Data may be transferred to or accessed from anywhere | Location of data can be fixed in contract
Rights to approve of subprocessors | Frequent use of subprocessors (scalability, flexibility, variable use) | Notice of subprocessors as necessary for compliance (EU), and approval in some cases
Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings
Customer Need | Pure Utility Cloud Solution | Enterprise Cloud Solution (Leveraged Private Cloud)
Response to data security incidents | Standardized offering, use of sub-processors and other limits may delay discovery of breaches, and ability to provide information regarding extent of breach | Notification of security incidents is offered, although extent of liability remains an item of negotiation
Audit rights | Typically not available, especially not for sub-processors | Some rights available, but may not include physical access
Proper disposal and destruction of data | No guarantee all data will be found and erased or returned | Data will be returned or destroyed
Change Control | Provider may make changes without notice or consent | Notification of changes provided, but customer may have to terminate or leave cloud if changes cause issues
Balancing Privacy, Security and Compliance Requirements with Current Cloud Offerings
Customer Need | Pure Utility Cloud Solution | Enterprise Cloud Solution (Leveraged Private Cloud)
Established Contract Terms | Incorporation of additional online terms, subject to change by provider | Contract terms are established and should not materially change
Provider has some liability exposure for breaches and non-compliance | Extremely limited liability | More standard (ITO like) liability, although with different caps for security and confidentiality breaches around personal data
Controls on data and security standards | Standardized offering with use of cloud provider controls | Customer must review provider standards and determine sufficiency
Minimizing and Mitigating Risks
• Agenda
– Considerations in Vendor Selection
– Contracting Models
– Impact of Industry Standards
Why not just rely on the contract? Who you are drives what you can expect
• Cloud users should clearly understand what they are getting and getting into:
– Generally speaking, only the largest implementations get negotiated contract terms (particularly with respect to SaaS)
– Minimum negotiation flexibility likely in most cases – risk mitigation analysis should establish ‘business level’ comfort
• Where negotiation is possible, risk mitigation should drive negotiation of key provisions
– The best bang for the buck is internal process risk mitigation
But first, how’s cloud computing different?
• Geography – Data in the cloud can be anywhere; multiple copies can be in multiple locations
• In current state of play cloud providers assume as little liability as possible – bulk of contract risk resides with the user
• Difficult for a user to know where liability rests, even if it were properly assigned (e.g. Global Payments data breach earlier this year)
• The nature of the potential legal issue depends on where a user plugs into the cloud (issues with SaaS may be different than with IaaS)
• Virtually complete loss of control by data owner (who holds it and where is it?)
• Relatively inexpensive OPEX instead of CAPEX
Quick List of Potential Mitigation Considerations
• Functionality of solution
• Pricing
• Uptime
• Response time
• Quality of service
• Data Security/Privacy
• Backup and disaster recovery
• Integration with existing systems
• Data access
• Customer service/support
• Insurance coverage
Adapted from “Evaluating SaaS Solutions: A Checklist for Small and Mid-sized Enterprises” http://www.saugatech.com/thoughtleadership/TL_October2009_Eval_SAP.pdf
Some Areas of Concern
• Service quality/SLAs/Availability
• Disaster recovery
• Provider competence
• Provider Viability
Mitigation Considerations: SLAs
• Control-oriented
– System availability
– System response time
– Fail-over for disaster recovery
• Operations-oriented
– Data retrieval
– Data integrity
– Transition assistance
• Business-oriented
– Error resolution time
– Timeliness re: professional services around cloud solutions
• How are backup systems architected?
– Complete redundancy? Multiple redundancies? Duplicate systems? Real-time backup?
• Where are backup systems located geographically?
• Are third party backup systems utilized (partially/totally)?
• How long would a catastrophic event at a data center affect system availability?
• Concerns for physical assets based on geography (exactly where is that data center located?)
• Ultimately, whose responsibility is it anyway?
Mitigation Considerations: Competence Issues
• Provider track record of success?
• Views of commentators/bloggers
• Is the pricing right for the breadth of offering?
• Perceived level of sophistication of the vendor
– Knowledge of industry vertical
– Mastery of technology
• If vendor is an early stage company, who is supporting it financially? (speaks to both competence and viability)
• For SaaS in particular, are there integration partners?
Mitigation Considerations: Viability of the Cloud Provider
• Viability matters. Why? A cloud user makes an investment when choosing a cloud provider. For example:
– Integrating cloud services into business processes
– Migrating data from its environment
• Lack of industry standardization makes moving to a new cloud provider difficult
• What happens to a cloud user’s data in the event of:
– Bankruptcy
– M&A
– Escrow
Cloud Contracting Preliminaries: Comparing Cloud to What We Knew Before
Understanding the Legal Risk Profile
 | Cloud Computing | Traditional Software Licensing | Co-location | Hosting | ASP
Location of Service/Data | unknown | known | known | known | known
Owner of HW/SW | provider/provider | company/company (license) | company/company (license) | provider/company (license) | provider/provider
Contract | virtually non-negotiable | negotiated | negotiated | negotiated | negotiated
Contract Risk | company | shared | shared | shared | shared
Scalability | yes | maybe | maybe | maybe | maybe
Cloud Contracting Models: License vs. Service Agreement
Cloud Contracting Models: Online Agreement vs. Standard Contract
 | Online Agreement | Standard Contract
Negotiable | No. | Yes, generally.
Limits Placed on Provider’s Liability | Yes. Very little or no liability to provider. | Yes. Risk shared by provider and user.
Risk in the Event of Problems | Borne by user. | Borne by party responsible.
Who Controls Contracting | Ultimate End User | Contracting Party
Impact of Industry Standards
• What standards applicable to cloud computing exist?
– Payment Card Industry Data Security Standards
• A set of requirements for enhancement of payment account data security
– ISO 27000 Series Standards
• An information security standard that provides best practices for those implementing an information security management system
– Open Cloud Manifesto
• Basic premise is that cloud computing should be open like other technologies (e.g. use open source technologies) to enhance ability: (a) for a user to transfer to a new provider, (b) for companies to work together, and (c) to speed and ease integration
Take Aways
• Be thoughtful about which parts of your business are cloud-worthy. All business processes are not suitable.
• Have a plan to deal with mistakes that will happen in the cloud (business, technology, legal). What level of risk can you tolerate?
• Work with your key internal and external advisors to think through your cloud strategy. A cross-functional strategy is in order.
Contact Me
• Janine Anthony Bowen, Esq., CIPP/US
• [email protected]
• www.visualcv.com/jdabowen
• www.linkedin.com/in/jdabowen
• 678-823-6611
• Twitter - @cloudlawyer
• www.jack-law.com
JACK Attorneys & Advisors: Technology/IP Law & the Business of Technology - Quite Simply, We Get It.