Page 1: Legal issues in the cloud   renzo marchini & gene landy

Portions © 2010 Dechert LLP. Portions © 2010 Ruberto, Israel & Weiner, PC.

Legal issues in the Cloud

Renzo Marchini, Dechert LLP, London, UK

Gene K. Landy, Ruberto, Israel & Weiner, PC, Boston, MA, USA

Page 2

Attorneys and Authors

Page 3

Cloud Overview

• What is Cloud Computing?

– Setting the scene

• Data Protection and Information Security

– Who is responsible for data protection compliance?

– What are the security requirements?

– Does it matter where the data is?

• Issues in Cloud Contracts

– Comparison with other IT models

– Service changes

– Service level agreements

– Liability for data

– Ownership/use of data

• Other Cloud Legal Issues

Page 4

Cloud computing is a simple idea with a huge impact. Instead of running your apps yourself, they run on a shared data center that’s managed by the service provider. You just log in, customize, and start using an app.

Source: SalesForce.com

What [cloud computing] has come to mean now is a synonym for the return of the mainframe, … and the mainframe is a set of computers. You never visit them, you never see them. But they're out there. They're in a cloud somewhere. They're in the sky, and they're always around. That's roughly the metaphor.

Source: Google CEO Eric Schmidt

Concepts of Cloud Computing

Page 5

Why “Cloud”?

Page 6

Many Business and Consumer Cloud Services

• Business Services – e.g. NetSuite

• Media Services – e.g. Brightcove

• Online Application Add-Ins – e.g. Google Maps

• Social Media – e.g. Facebook, Twitter

• Small Business Services – e.g. Constant Contact

• Consumer Services – e.g. Gmail

• Development Platforms – e.g. Microsoft Azure

Page 7

Cloud Digital Media Issues

• Search Engine Issues – Excerpts and thumbnails – Google News Cases / Google Book Litigation and Settlement

• Notice and Takedown Rules – Viacom v. YouTube

• Cartoon Network v. CSC Holdings, 536 F.3d 121 (2nd Cir. 2008)

Page 8

Entrepreneurship in the Public Cloud

• “No Server” startups.

• Scaling up and scaling down in the cloud.

• Functionality that works best in the cloud.

• Operational advantages and challenges.

• The Customers: Consumer. Small business. Enterprise.

Page 9

Some Types of Cloud Services

Software as a Service (SaaS) (e.g. Salesforce.com)

Platform as a Service (PaaS) (e.g. Microsoft Azure)

Infrastructure as a Service (IaaS) (e.g. Amazon EC2)

Diagram: the IaaS layer is shown as storage, servers, networks and virtualisation.

Page 10

Typical SaaS Business Solution

• Hosted and Accessed Remotely via Internet or Mobile

• Specially Built for SaaS

• Web Technology

• Multi-Tenanted

Page 11

Typical Cloud Solution - A Complex Environment

Diagram (adapted from Microsoft): a browser or mobile client talks to a presentation layer, which calls process services, which in turn call business or consumer services and data, media or other third-party services; supporting layers are security services, databases / file system, data / media stores and directory services.

Page 12

Key Data Protection Issues

• Who is responsible for data protection compliance?

– Who is the controller?

• What are the security requirements?

– Can that be delegated to the cloud provider?

• Does it matter where the data is?

– Cross border issues

Page 13

Controller or Processor?

• Directive 95/46/EC on the protection of personal data

• data controller: “person … which alone or jointly with others determines the purposes and means of the processing of personal data”

• data processor: “person … which processes personal data on behalf of the controller”

• Controllers have obligations under the Directive; processors (in most member states) have none.

– of course, controllers take responsibility for processors

– controllers/processors may well want indemnities

Page 14

Diagram: Bank, Bank, SWIFT and US Government, with two “Data Controller” labels.

Page 15

SWIFT

• What the contract says is irrelevant

• SWIFT determined

– what personal data was processed.

– functionality eg determining standards as to the form and content of messages.

– security standard

– the location of its data centres

• SWIFT decided to negotiate with the US authorities in relation to the warrants.

• Article 29 Working Party (February 2010)

– technical decisions can be delegated

– but not “the essential elements of the means”

– an ISP providing hosting services is “in principle” a “processor”

Page 16

Who is the Data Controller in the Cloud?

• Services may be presented almost on a “take it or leave it” basis

• Purpose behind cloud is to shift data to locations where resources are available

• According to working party criteria: doesn’t this sound like a controller?

• Still a risk that a cloud provider (a SaaS provider in particular) will be found to be a controller.

• Perhaps less so for an IaaS provider

Page 17

What if the provider is a controller?

• The provider has no contractual relationship with the individuals

• How can it comply with Directive obligations?

– Of course, it may be outside of the EU, but if not ….

• Article 7 – legitimisation of processing

• Article 11 – Information to be provided to the data subject

• Article 12 – Rights of Access

• …. and so on.

Diagram: Individuals (e.g. employee/customer) → Cloud Customer → SaaS Provider (e.g. Salesforce.com)

Page 18

Key Data Protection Issues

• Who is responsible for data protection compliance?

– Who is the controller?

• What are the security requirements?

– Can that be delegated to the cloud provider?

• Does it matter where the data is?

– Cross border issues

Page 19

Article 17 – Security of Processing

• “… the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access …”

• Data controller must:

– carry out due diligence on the processor

– take reasonable steps to ensure compliance with those measures

– have a written contract under which

(i) the processor acts only upon instructions from the controller, and

(ii) an equivalent security obligation is accepted by the processor

Page 20

Security in practice in the cloud (1)

• Due Diligence

– cloud providers inundated by questionnaires

– being more and more open; increasing use of FAQs

• Security Policy

– Physical Security - policy on access restrictions

– Network Security - firewalling technology and so on

– Server Security - how servers have been hardened against attack, policies for continuing improvement.

– Data Segregation policies

• multi-tenancy implies no physical segregation

• … so how is logical segregation achieved?

• user (client) authentication policies, etc.

– Encryption - what algorithms and what strength

• data at rest

• data in transit
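The data segregation question above (how logical segregation is achieved when tenants share one physical store) is the one a security reviewer should ask a SaaS provider to answer in code, not in a questionnaire. The following Python is an added example, not taken from the slides or from any provider named in them: it contrasts a lookup keyed only on the record id, which lets a user of one tenant read another tenant's row by guessing ids, with a repository that takes the tenant identifier from the authenticated principal and binds it into every query. The in-memory SQLite table, the `records` schema, the `Principal` type and the sample rows are all constructed for the example.

```python
"""Logical tenant segregation in a multi-tenant store (added example).

The schema, sample rows and helper names below are assumptions made for
illustration; they are not taken from the slides or from any provider.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. tenant_id is bound at login (session or
    token claim) and must never be taken from the request body or URL."""
    user_id: str
    tenant_id: str


def build_store() -> sqlite3.Connection:
    """Create one shared (multi-tenant) table and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "  id INTEGER PRIMARY KEY,"
        "  tenant_id TEXT NOT NULL,"
        "  body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records (id, tenant_id, body) VALUES (?, ?, ?)",
        [
            (1, "acme", "acme payroll export"),
            (2, "acme", "acme customer list"),
            (3, "globex", "globex board minutes"),
        ],
    )
    conn.commit()
    return conn


def get_record_unscoped(conn: sqlite3.Connection, record_id: int) -> Optional[str]:
    """Weak form: keyed on the primary key only. Any authenticated user of any
    tenant can read any row by enumerating ids, so there is no logical
    segregation even though sharing the physical store is by design."""
    row = conn.execute("SELECT body FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


class TenantScopedRepository:
    """Hardened form: every query is bound to the caller's tenant. Application
    code reaches rows only through this object, so it cannot omit the filter."""

    def __init__(self, conn: sqlite3.Connection, caller: Principal) -> None:
        self._conn = conn
        self._tenant = caller.tenant_id

    def get(self, record_id: int) -> Optional[str]:
        # A row owned by another tenant is indistinguishable from a missing
        # one (same None result), so ids cannot be probed across tenants.
        row = self._conn.execute(
            "SELECT body FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self._tenant),
        ).fetchone()
        return row[0] if row else None

    def list_all(self) -> list:
        return [
            r[0]
            for r in self._conn.execute(
                "SELECT body FROM records WHERE tenant_id = ? ORDER BY id",
                (self._tenant,),
            )
        ]

    def add(self, body: str) -> int:
        # Writes are stamped with the caller's tenant, never a client-supplied one.
        cur = self._conn.execute(
            "INSERT INTO records (tenant_id, body) VALUES (?, ?)",
            (self._tenant, body),
        )
        self._conn.commit()
        return cur.lastrowid


def cross_tenant_check(conn: sqlite3.Connection) -> dict:
    """A 'globex' user tries to read record 1, which belongs to 'acme'."""
    globex_user = Principal(user_id="u-42", tenant_id="globex")
    repo = TenantScopedRepository(conn, globex_user)
    return {
        "unscoped_leaks": get_record_unscoped(conn, 1),  # "acme payroll export"
        "scoped_blocks": repo.get(1),                    # None
        "scoped_own": repo.get(3),                       # "globex board minutes"
    }


if __name__ == "__main__":
    print(cross_tenant_check(build_store()))
```

The design point for due diligence is the second form: the tenant filter lives in one place that all data access must pass through, and the tenant value comes from the authenticated session rather than from anything the client sends. Database-side row-level security is a further layer on the same idea; the application-side scoping shown here is the minimum a reviewer should expect to see.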

Page 21

Security in practice in the cloud (2)

• Audit/Certification

– How can you undertake diligence or an audit when you don’t know where the data is?

– Will regulators accept certification by accredited third parties as an alternative?

• ISO 27001 (and series)

– Security standard

– Careful with “Conforms with” – this is self-assessment

– Ensure it is “certified by” a recognised, third party accredited body

• SAS 70

– Statement on Auditing Standards No. 70 (SAS 70)

– An auditing standard, not a security standard

– Need to see the actual report (ensure it is a “Type II” report)

– Need to examine the controls which are in place and have been described and commented on.

Page 22

Key Data Protection Issues

• Who is responsible for data protection compliance?

– Who is the controller?

• What are the security requirements?

– Can that be delegated to the cloud provider?

• Does it matter where the data is?

– Cross border issues

Page 23

Transborder Issues – Transfers out of the EEA

• Article 25 of Directive 95/46:

– “The Member States shall provide that the transfer to a third country of personal data … may take place only if … the third country in question ensures an adequate level of protection”

• Adequate countries

– Argentina, Canada, Switzerland, Jersey, Guernsey, the Isle of Man and the Faroe Islands

– Soon Andorra and Israel

• Fundamental point here is that you need to know where the data is.

Page 24

What to do if Transferee Country not Adequate?

• US – Safe Harbor

• Model Contracts

– Controller to Controller (two sets)

– Controller to Processor (the new set – makes it easier for outsourcing)

• BCRs – not applicable

– except for “private clouds” perhaps

• Self-assessment

– OK – in the UK

Page 25

Problems of onward transfers

• US Safe Harbor: onward transfers allowed to sub-processors under written contract.

• Model Clauses for controller to controller (set II): allows onward transfers to processors (with no additional formality)

• Model Clauses for controller to processor (new set): allowed if sub-processor signs own contract ! (and many other hoops)

Diagram: Customer (in Europe) → SaaS Provider (in a third country) → IaaS Provider (in a third country)

Page 26

US Data Protection Issues – Many Different Laws

• Federal Trade Commission Cases

• Children’s Online Privacy Protection Act (COPPA)

• State Data Breach Notification Acts.

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999

• Federal Trade Commission “Red Flag Rules” regarding personal financial and payment data.

• Massachusetts Data Privacy Regulations

Page 27

Comparison – SaaS and Software Licensing

  Software as a Service                               | Software Licence
  ----------------------------------------------------|---------------------------------------
  Provider infrastructure                             | Customer’s server
  Remote access                                       | Physical delivery (media or download)
  Subscription based                                  | Licence fee
  Continuous update                                   | Release schedules
  Data with provider (or provider’s hosting provider) | Data with customer

Page 28

Comparison – SaaS and Managed Services

  Software as a Service                    | Managed Service
  -----------------------------------------|-------------------------------------------
  Provider infrastructure / remote access  | Provider infrastructure / remote access
  Data with provider                       | Data with provider
  Usage based fees                         | Negotiable
  Normally virtualised                     | Fixed infrastructure (may be virtualised)
  Scalable on-demand                       | Normally not dynamically scalable

Page 29

Contracting Issues – Pricing Models

• Google Maps Commercial Service

– Per User

– Per Access

– Per Transaction

• Try and Buy

• Terminable at Will?

• Configuration and Customization?

• Acceptance?

Page 30

Service Level Agreements (SLAs)

• Aspects of SLAs

– Downtime

– Response / Fix

– Remedies

Page 31

Contracting Issues - Liability for Data

• One breach might affect several or all customers because of multi-tenancy

• Customer wants (but likely cannot get) indemnity for cost of breach of security including:

– Investigation and repair of data

– Notification of data subjects

– Advertising / public relations

– Customer ID theft insurance

– Help desks, etc.

– Claims from customers or shareholders

• Is security transparent and auditable?

Page 32

Contracting Issues - Liability for Data, cont’d

• Provider Normally Accepts no Liability for:

– Loss of data

– Breach of security of data

– Integrity of data

• US Provider may have SAS 70 Certification (Statement on Auditing Standards No. 70: Service Organizations, of the AICPA), or the hosting provider may have this certification.

• Backup and Recovery

– Manner and frequency of backing-up? Access to data backups.

– Data recovery site – Fail-over protection?

Page 33

Contracting Issues – Access to Data

• Data retrieval / migration to new vendor on termination (and “lock in”).

• Where is the data?

– Customer contracts with a SaaS provider

– who in turn contracts with a PaaS provider

– who in turn contracts with an IaaS provider

• What happens if the SaaS provider is insolvent?

• Third party access to data via compulsory legal process.

• The software escrow conundrum.

Diagram: Customer → Software as a Service → Platform as a Service → Infrastructure as a Service; “Data is somewhere”.

Page 34

“Bad” User Data

• Infringing, libelous, obscene, threatening, stolen, restricted, etc. supplied by customer or users

• Mass mailings of unsolicited mail – Spam

• Can provider use self-help without prior notice?

Page 35

Issues in Partnering Between SaaS Vendors

• User data in multiple places in the cloud

• Additional security/data breach failure points

• Technical / business dependencies / more failure modes

• Integration - Do APIs exist or do they have to be built? At whose cost?

• Bottom line: need a workable technical and contingency strategy that is documented in the agreement

Page 36

Other Cloud/Legal Issues to Note

• Taxation / Investment – Expense vs. capital investment

• Continuous Improvement Model – Shifting definition of the SaaS service, defined by online documentation that is continually updated.

• Multi-SaaS Vendor Solutions – Who has service responsibility?

• IP / Infringement Risk – Shift from Customer to Cloud Vendor.

• Open Source (Copyleft) Problems – Providing cloud services can be a “magic bullet” solution.

• Trade Secret Protection – Much easier if the vendor never ships the code. Reverse engineering rights don’t apply.

• Vendor’s Contractual Rights to Use Data. The value of data aggregation.

Page 37

Questions?

Page 38

Want to Know More? Just Contact:

Renzo Marchini

Dechert LLP

160 Queen Victoria Street

London EC4V 4QQ

[email protected]

020 7184 7563

Gene Landy

Ruberto Israel & Weiner, PC

100 No. Washington Street

Boston MA USA

[email protected]

617 742 4200