The document discusses key legal and security considerations for cloud computing transactions. It addresses determining jurisdiction and choice of law, defining security responsibilities, handling data access and breaches, and disposing of data upon termination. Specifically, it emphasizes the need to understand data flows, split jurisdiction if possible, include enforceable security policies and breach notification requirements, limit third party access, and ensure deletion of data after termination.
12 02-14 information security managers - unannotated
1. · Cloud workshop
· How is the cloud structured?
· Understanding cloud functions
· Framework for data analysis
2. Cloud workshop
· What will you use the cloud for?
· Three functions that the cloud provides.
· Three functions the cloud does not provide.
· Three cloud providers.
4. · Do it yourself shop
· System integrator
· Reseller
· Collaborator
5. · What is Amazon providing?
· What is Brand X providing?
· Are there any other vendors?
· What is the “demarc line” for responsibilities?
· How much negotiating power do you have?
· What do you want?
6. · Platform as a Service - PaaS
· Software as a Service – SaaS
· Professional Services as a Service - PSaaS
· Infrastructure as a Service - IaaS
7. • Platform as a Service - PaaS
• Infrastructure
• computing platform
• “solution stack”
• uses distributed infrastructure components
• Supports cloud applications
• allows deployment of customer applications
• vendor assumes management of underlying hardware and basic software
8. • Software as a Service – SaaS
• Professional Services as a Service
• Distributed delivery
• Web access
• One to many distribution
• Software / Services as a selling point
• COTS software
• Centralized patch management
• Data preservation / backup
9. • Infrastructure as a Service - IaaS
• Cloud is the platform
• Virtual data center
• No capital outlay
• À la carte hardware use
• Billed as a utility
• Pricing feature or use based
19. • Is security binary?
• What is a breach?
• Who are the parties to a breach?
• Who has to be notified?
• Who are the parties to a data transaction?
• Which societal emphases prevail?
• How do we make security a societal determining factor in purchase decisions?
• How do you measure security?
• What role should government play?
• Are you a special snowflake?
26. • Sectoral Based
• Reactive
• Generally state based
• Narrowly tailored
• Issue Based
• Proactive
• National implementation
27. • Legislative and regulatory
• Breach – both benign and malicious
• Breach notification
• Transfer of risk
• Security policies
• Contracting parties, third parties and vendors
28. HIPAA
• Specific Safeguards
• Protect against reasonably anticipated uses
• Ensure that workforce complies with rule
• Civil penalties
• Actions by state AG
• HHS investigations
29. GLB
· Security and confidentiality of customer information
· Protect against anticipated threats or hazards to security and integrity
· Protect against unauthorized access or use.
30. FCRA
· Identification / Authentication procedures
· Disposal rules
· Procedures to ensure accuracy
· Integrity / accuracy of information sent out
· Attempts to prevent impersonation fraud.
31. COPPA
· Secure webservers
· Delete personal information after use
· Limit employee access to data
· Provide training
· Screen third parties
32. FCC
· Protect the confidentiality of CPNI
· Reasonable measures to prevent and discover unauthorized access
34. • Massachusetts leads the way
• Generally address confidentiality
• Typically only include information tied to numbers
• Beginning to include biometric data
• Nexus requirement – except for Massachusetts
• Exceptions for minor breaches / encrypted data
35. • U.S. continues to prefer sectoral
• Breach approached from confidentiality
• Private rights of action disfavored
• FTC likely to have overall responsibility
• Nexus requirement still the norm
• Privacy / security interaction involves identification numbers.
36. • Data governance laws are here to stay
• Expectation that in some format data breach will be extended to cover not just telecoms
• General data breach requirements in some EU Member States already
• Accountability and transparency principles
• Broad scope of definition of personal data
• Cloud and jurisdictional challenges
• The role of controllers and processors
37. DATA PROTECTION/SECURITY COMPLIANCE AS A COMPETITIVE MARKET ADVANTAGE
• A couple of deal-breaking elements from our daily experience:
1. Personal Data Processing Agreements (where duties and obligations are clearly identified)
2. Transparency and control over the personal data flow (circulation/transfer of personal data)
• These elements are requested by customers for 2 main reasons:
1. COMPLIANCE: to establish enough control by the customer (Controller) over the personal data processing carried out by the provider (Processor)
2. INTERNAL RESPONSIBILITIES: to show internally that protection of and control over personal data, as a company asset, have been considered in the choice of a provider that offers enough guarantees
38. EU data protection/security checklist
A Service Provider (SP) will have to share:
① Information about its identity (and its representative in the EU, if applicable), its data protection role, and the contact details of the Data Protection Officer or of a “privacy contact person”
② A description of the ways in which the data will be processed, with information on data location and subcontractors
③ How data transfers may take place and on which legal ground (mainly model contracts and binding corporate rules; the Safe Harbor principles have been under revision)
39. ④ Data security measures in place, with special reference to:
- availability of data
- integrity
- confidentiality
- transparency
- isolation (purpose limitation)
- intervenability
⑤ Ways to monitor SP data security / possibility for clients or trusted third parties to run audits
40. ⑥ Personal data breach notification policy
⑦ Data portability, migration, and transfer-back assistance
⑧ Data retention, restitution and deletion policies
⑨ Accountability, meaning the policies and procedures the SP has in place to ensure and demonstrate compliance throughout the SP value chain (e.g., sub-contractors)
41. ⑩ Cooperation with clients to respect data protection law, e.g., to assure the exercise of data protection rights
⑪ Management of law enforcement requests for access to personal data
⑫ Remedies available to the customer in case of CSP breach of contract
42. • EU continues to prefer industry regulation
• Breach approached from a confidentiality viewpoint
• Private rights of action disfavored
• National laws lag
• Privacy tied to individual data
44. Break down your cloud transaction.
Understand what security means to you.
Define breach.
Decide what kind of snowflake you are.
45. · What is risk?
· Deciding what risks to take.
· Free legal advice
46. General risk analysis.
How does the cloud operate?
Who has access to the cloud?
• SLA
• Choice of Law
• Contract
• Security
• Breach
• Termination
• Compliance
• Regulations
49. Reliability
• Demonstrated by metrics
• Objective criteria used
• Third party vendors considered
Contract
• Standard SLA may need additional clauses for response time, fallback options, standards of service
• Static v. flexible SLA
50. In what country is the provider located?
Where is the provider’s infrastructure?
Will other providers be used?
51. Where will the data be physically located?
Should jurisdiction be split?
How will data be collected, processed, transferred?
What will happen to the data on termination?
53. Jurisdiction over the contract
Whose law governs
Where the dispute is heard
Change in judicial presumptions
Jurisdiction over the data
Data protection directive
Export control laws
54. Choice of law
Split choice of law if you have differing notice or regulatory obligations.
This Agreement shall be governed by the laws of the District of Columbia, without reference to its choice of law provisions. Jurisdiction and venue shall be proper before the U.S. District Court for the District of Columbia located in Washington, D.C. The parties agree not to contest the jurisdiction of this court. Notwithstanding the preceding sentences, the parties agree that all issues regarding the processing, transfer, protection and privacy of any information transferred from X or any End User to Vendor shall be governed by the laws of the United Kingdom. All disputes between the parties, and between a party and an End User, regarding Vendor’s access to this data shall be heard before the appropriate court located in London, United Kingdom.
55. Security
• Define “breach”
• Determine when a breach happens
• Assume there will be data breach laws
• Review any laws that may currently exist
• Understand who will be responsible for security
• Create enforceable contract terms
• Remember post termination issues
• Understand that you may not be made whole
56. • What is a breach?
• Who are the parties to a breach?
• Who has to be notified?
• Who are the parties to a data transaction?
57. Contract provisions
• Breach: benign and malicious.
• Breach: parties, third parties, subcontractors, vendors
• Breach laws: state and federal
• Responsibility for security: parties, third parties, subcontractors vendors
• Post termination issues: data belongs to customer, breach liability extends post termination.
• Security policy: made part of contract. Revisions subject to customer review. Flow down to subcontractors and vendors
58. Require your vendor to have skin in the game.
Vendor has provided X with a copy of its current security policy (Policy) as it applies to the services to be performed by Vendor pursuant to this Agreement. Vendor represents and warrants that this security policy represents best of breed security procedures in its industry. Vendor shall give X no less than sixty days prior written notice of any changes in the Policy that impact the services provided to X. Should X determine that these changes materially impact the security of the services, X shall have the right to terminate this Agreement. In such a case, Vendor shall provide reasonable assistance to X to transition its services to another provider.
59. Access
• Document data to which you have access
• Limit the number of employees who have access to data
• Create and implement access policies
• Require written notice
• Don’t assume validity
• Include legal advisor
60. Access
• Understand and define law enforcement access
• Don’t assume your country’s laws will prevail
• Don’t let stereotypes interfere with a legal analysis
• Try to create definition
61. Understand who has access to data and under what circumstances.
Vendor shall provide X with no less than ten days prior written notice of any governmental request for access to the data. For the purposes of this paragraph only, the term “governmental” includes any law enforcement or similar entity. Should Vendor be prohibited by law from providing this notice, Vendor shall strictly limit any disclosure of the data to that which is required by the law and the written document upon which disclosure is based. Under no circumstances shall Vendor provide access without a written request for disclosure which cites the law requiring such disclosure. Vendor shall require this provision, or one similarly protective of X’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
62. Termination
• Create and implement deletion policies
• Flow down contract terms to vendors
• Do not assume security ends upon termination
63. When the agreement terminates, your termination rights terminate.
Upon termination or expiration of this Agreement, Vendor shall delete all data and provide X with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor’s suppliers. Vendor shall require this provision, or one similarly protective of X’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
64. Determine how services will be used
Evaluate cloud structure
Understand data collection, processing and transfer
Security breach notification
High risk regulatory areas
Disposition of data on termination
65. W. David Snead
Attorney + Counselor
Tactical Legal Advice for Internet Business
david.snead@dsnead.com
@wdsneadpc / Twitter
dsnead.com / Blog