Portions © 2010 Dechert LLP. Portions © 2010 Ruberto, Israel & Weiner, PC. Legal issues in the Cloud Renzo Marchini, Dechert LLP, London, UK Gene K. Landy, Ruberto, Israel & Weiner, PC Boston, MA, USA
Jan 21, 2015
Portions © 2010 Dechert LLP. Portions © 2010 Ruberto, Israel & Weiner, PC.
Legal issues in the Cloud
Renzo Marchini, Dechert LLP, London, UK
Gene K. Landy, Ruberto, Israel & Weiner, PCBoston, MA, USA
Attorneys and Authors
Cloud Overview• What is Cloud Computing?
– Setting the scene
• Data Protection and Information Security
– Who is responsible for data protection compliance?
– What are the security requirements?
– Does it matter where the data is?
• Issues in Cloud Contracts
– Comparison with other IT models
– Service changes
– Service level agreements
– Liability for data
– Ownership/use of data
• Other Cloud Legal Issues
Cloud computing is a simple idea with a huge impact. Instead of running your apps yourself, they run on a shared data center that’s managed by the service provider. You just log in, customize, and start using an app.
Source: SalesForce.com
What [cloud computing] has come to mean now is a synonym for the return of the mainframe, … and the mainframe is a set of computers. You never visit them, you never see them. But they're out there. They're in a cloud somewhere. They're in the sky, and they're always around. That's roughly the metaphor.
Source: Google CEO Eric Schmidt
Concepts of Cloud Computing
Why “Cloud”?
Many Business and Consumer Cloud Services
• Business Services – e.g. Net Suite
• Media Services – e.g. Bright Cove
• Online Application Add-Ins – e.g. Google Maps
• Social Media – e.g. Facebook, Twitter
• Small Business Services – e.g. Constant Contact
• Consumer Services – Gmail
• Development Platforms – Microsoft Azure
Cloud Digital Media Issues
• Search Engine Issues – Excerpts and thumbnails – Google News Cases / Google Book Litigation and Settlement
• Notice and Takedown Rules – Viacom v. YouTube
• Cartoon Network v. CSC Holdings, 536 F.3d 121 (2nd Cir. 2008)
Entrepreneurship in the Public Cloud
• “No Server” startups.
• Scaling up and scaling down in the cloud.
• Functionality that works best in the cloud.
• Operational advantages and challenges.
• The Customers: Consumer. Small business. Enterprise.
Some Types of Cloud Services
Software as a Service (SaaS)(eg Salesforce.com)
Platform as a Service (PaaS)(eg Microsoft Azure)
Infrastructure as a Service (IaaS)(eg Amazon EC2)
Storage Servers Networks Virtualisation
• Hosted and Accessed Remotely via Internet or Mobile
• Specially Built for SaaS
• Web Technology
• Multi-Tenanted
Typical SaaS Business Solution
Typical Cloud Solution - A Complex Environment
Browser Mobile Client
Presentation
Process Services
Business or Consumer Services
Data, Media, or Other Third Party Services
Security Services
DatabasesFile System
Data / Media
DirectoryServices
Chart Adapted from
Microsoft®
Key Data Protection Issues
• Who is responsible for data protection compliance?
– Who is the controller?
• What are the security requirements?
– Can that be delegated to the cloud provider?
• Does it matter where the data is?
– Cross border issues
Controller or Processor?
• Directive 95/46 on protection of personal data
• data controller: “person … which alone or jointly with others determines the purposes and means of the processing of personal data”
• data processor: “person … which processes personal data on behalf of the controller”
• Controllers have obligations under the Directive; processors (in most member states) have none.
– of course, controllers take responsibility for processors
– controllers/processors may well want indemnities
SWIFT
US Government
Bank Bank
Data Controller
Data Controller
SWIFT
• Irrelevant what contract says
• SWIFT determined
– what personal data was processed.
– functionality eg determining standards as to the form and content of messages.
– security standard
– the location of its data centres
• SWIFT decided to negotiate with the US authorities in relation to the warrants.
• Article 29 Working Party (February 2010)
– technical decisions can be delegated
– but not “the essential elements of the means”
– ISP providing hosting services is ”in principle” a “processor”
Who is the Data Controller in the Cloud?
• Services may be presented almost on a “take it or leave it” basis
• Purpose behind cloud is to shift data to locations where resources are available
• According to working party criteria: doesn’t this sound like a controller?
• Still a risk that a cloud provider (an SaaS) will be found to be a controller.
• Perhaps less so for an IaaS provider
What if the provider is a controller?
• The provider has no contractual relationship with the individuals
• How can it comply with Directive obligations?
– Of course, it may be outside of the EU, but if not ….
• Article 7 – legitimisation of processing
• Article 11 – Information to be provided to the data subject
• Article 12 – Rights of Access
• …. and so on.
Individuals (eg employee/customer)
Cloud Customer
SaaS Provider(eg Salesforce.com)
Key Data Protection Issues
• Who is responsible for data protection compliance?
– Who is the controller?
• What are the security requirements?
– Can that be delegated to the cloud provider?
• Does it matter where the data is?
– Cross border issues
Article 17 – Security of Processing
• “.. the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access ….
• Data controller must:
– carry out diligence
– take reasonable steps to ensure compliance with those measures
– written contract under which
(i) processor acts only upon instructions from controller and
(ii) equivalent security obligation accepted by processor
Security in practice in the cloud (1)
• Due Diligence
– cloud providers inundated by questionnaires
– being more and more open; increasing use of FAQs
• Security Policy
– Physical Security - policy on access restrictions
– Network Security - firewalling technology and so on
– Server Security - how servers have been hardened against attack, policies for continuing improvement.
– Data Segregation policies
• multi-tenancy implies that no physical segregation
• …… but how is logical segregation achieved
• user (client) authentication policies, etc.
– Encryption - what algorithms and what strength
• data at rest
• data in transit
Security in practice in the cloud (2)
• Audit/Certification
– How can you undertake diligence of audit, when you don’t know where the data is?
– Will regulators accept certification by accredited third parties as an alternative
• ISO 27001 (and series)
– Security standard
– Careful with “Conforms with” – this is self-assessment
– Ensure it is “certified by” a recognised, third party accredited body
• SAS 70
– Statement on Auditing Standards No. 70 (SAS 70)
– Accounting standard, not a security standard
– Need to see actual report (ensure it is a “Type II” report)
– Need to examine the controls which are in place and have been described and commented on.
Key Data Protection Issues
• Who is responsible for data protection compliance?
– Who is the controller?
• What are the security requirements?
– Can that be delegated to the cloud provider?
• Does it matter where the data is?
– Cross border issues
Transborder Issues – Transfers out of the EEA• Article 25 of Directive 95/46:
– “The Member States shall provide that the transfer to a third country of personal data … may take place only if … the third country in question ensures an adequate level of protection”
• Adequate countries
– Argentina, Canada, Switzerland, and Jersey, Guernsey and the Isle of Man, Faroe Islands
– Soon Andora and Israel
• Fundamental point here is that you need to know where the data is.
What to do if Transferee Country not Adequate?
• US – Safe Harbor
• Model Contracts
– Controller to Controller (two sets)
– Controller to Processor (the new set – makes it easier for outsourcing)
• BCRs – not applicable
– except for “private clouds” perhaps
• Self-assessment
– OK – in the UK
Problems of onward transfers
• US Safe Harbor: onward transfers allowed to sub-processors under written contract.
• Model Clauses for controller to controller (set II): allows onward transfers to processors (with no additional formality)
• Model Clauses for controller to processor (new set): allowed if sub-processor signs own contract ! (and many other hoops)
SaaS Provider(in a third country)
IaaSProvider
(in a third country)
Customer(in Europe)
US Data Protection Issues – Many Different Laws
• Federal Trade Commission Cases
• Children’s Online Data Privacy Protection Act (COPPA)
• State Data Breach Notification Acts.
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999
• Federal Trade Commission “Red Flag Rules” regarding personal financial and payment data.
• Massachusetts Data Privacy Regulations
Comparison – SaaS and Software Licensing
Software as a Service Software Licence
Provider Infrastructure Customer’s Server
Remote Access Physical Delivery (Media or Download)
Subscription Based License Fee
Continuous Update Release Schedules
Data with Provider (or Provider’s Hosting Provider)
Data with Customer
Comparison – SaaS and Managed Services
Software as a Service Managed Service
Provider Infrastructure/ Remote Access
Provider Infrastructure/ Remote Access
Data with Provider Data with Provider
Usage Based Fees Negotiable
Normally Virtualised Fixed Infrastructure (may be Virtualized)
Scalable On-Demand Normally not Dynamically Scalable
Contracting Issues – Pricing Models
• Google Maps Commercial Service
– Per User
– Per Access
– Per Transaction
• Try and Buy
• Terminable at Will?
• Configuration and Customization?
• Acceptance?
Service Level Agreements (SLAs)
• Aspects of SLAs
– Downtime
– Response / Fix
– Remedies
Contracting Issues - Liability for Data
• One breach might affect several or all customers because of multi-tenancy
• Customer wants (but likely cannot get) indemnity for cost of breach of security including:
– Investigation and repair of data– Notification of data subjects– Advertising / public relations– Customer ID theft insurance– Help desks, etc.– Claims from customers or shareholders
• Is security transparent and auditable?
Contracting Issues - Liability for Data, cont’d
• Provider Normally Accepts no Liability for:
– Loss of data
– Breach of security of data
– Integrity of data
• US Provider may have SAS 70 Certification (Statement on
Auditing Standards No. 70: Service Organizations of the AICPA) or the hosting provider may have this certification.
• Backup and Recovery
– Manner and frequency of backing-up? Access to data backups.
– Data recovery site – Fail-over protection?
Contracting Issues – Access to Data
• Data retrieval / migration to new vendor on termination (and “lock in”).
• Where is the data?
– Customer contracts with a SaaS provider
– who in turn contracts with a PaaS provider
– who in turn contracts with an IaaS provider
• What happens if the SaaS provider is insolvent?
• Third party access to data via compulsory legal process.
• The software escrow conundrum.
Software as a Service
Platform as a Service
Infrastructure as a Service
“Data is somewhere”
Customer
“Bad” User Data
• Infringing, libelous, obscene, threatening, stolen, restricted, etc. supplied by customer or users
• Mass mailings of unsolicited mail – Spam
• Can provider use self-help without prior notice?
Issues in Partnering Between SaaS Vendors
• User data in multiple places in the cloud
• Additional security/data breach failure points
• Technical / business dependencies / more failure modes
• Integration - Do APIs exist or do they have to be built? At whose cost?
• Bottom line: need a workable technical and contingency strategy that is documented in the agreement
Other Cloud/Legal Issues to Note
• Taxation / Investment – Expense vs. capital investment
• Continuous Improvement Model – Shifting definition of the SaaS service, defined by online documentation that is continually updated.
• Multi-SaaS Vendor Solutions – Who has service responsibility?
• IP / Infringement Risk – Shift from Customer to Cloud Vendor.
• Open Source (Copy Left) Problems – Providing cloud services can be a “magic bullet” solution.
• Trade Secret Protection – Much easier if the vendor never ships the code. Reverse engineering rights don’t apply.
• Vendor’s Contractual Rights to Use Data. The value of data aggregation.
Questions?
Want to Know More? Just Contact:
Renzo Marchini
Dechert LLP
160 Queen Victoria Street
London EC4V 4QQ
020 7184 7563
Gene Landy
Ruberto Israel & Weiner, PC
100 No. Washington Street
Boston MA USA
617 742 4200