· Cloud workshop 
· How is the cloud structured? 
· Understanding cloud functions 
· Framework for data analysis
Cloud workshop 
· What will you use the cloud for? 
· Three functions that the cloud provides. 
· Three functions the cloud does not provide. 
· Three cloud providers.
· Do it yourself shop 
· System integrator 
· Reseller 
· Collaborator
· What is Amazon providing?
· What is Brand X providing?
· Are there any other vendors?
· What is the “demarc line” for responsibilities?
· How much negotiating power do you have?
· What do you want?
· Platform as a Service - PaaS
· Software as a Service – SaaS
· Professional Services as a Service - PSaaS
· Infrastructure as a Service - IaaS
• Platform as a Service - PaaS
  • Infrastructure
  • Computing platform
  • “Solution stack”
  • Uses distributed infrastructure components
  • Supports cloud applications
  • Allows deployment of customer applications
  • Vendor assumes management of underlying hardware and basic software
• Software as a Service – SaaS
• Professional Services as a Service
  • Distributed delivery
  • Web access
  • One to many distribution
  • Software / services as a selling point
  • COTS software
  • Centralized patch management
  • Data preservation / backup
• Infrastructure as a Service - IaaS
  • Cloud is the platform
  • Virtual data center
  • No capital outlay
  • À la carte hardware use
  • Billed as a utility
  • Pricing: feature or use based
Distributed delivery 
Central location of information 
Distributed infrastructure
· Controller 
· Processor 
· Transferor / Transferrer
What will you use the cloud for? 
What does your cloud provider do? 
What type of provider do you have? 
Who is controller, transferor, processor?
· Case study 
· What is breach? 
· Cost of a breach 
· Regulation in the cloud
· Controller 
· Processor 
· Transferor / Transferrer
• Is security binary?
• What is a breach?
• Who are the parties to a breach?
• Who has to be notified?
• Who are the parties to a data transaction?
• Which societal emphases prevail?
• How do we make security a societal determining factor in purchase decisions?
• How do you measure security?
• What role should government play?
• Are you a special snowflake?
• Confidentiality 
• Integrity 
• Access
• Stability? 
• Confidentiality? 
• Law enforcement? 
• Compensation / making whole?
• Transparency 
• Imperfect information 
• Competitive pressures 
• Lack of definition 
• Imperfection in software 
• Risk perception
• Social engineering 
• Risks perceived incorrectly
• Mitigation? 
• Avoid? 
• Transfer? 
• Retain?
• Sectoral based
• Reactive
• Generally state based
• Narrowly tailored
• Issue based
• Proactive
• National implementation
• Legislative and regulatory 
• Breach – both benign and malicious 
• Breach notification 
• Transfer of risk 
• Security policies 
• Contracting parties, third parties and vendors
HIPAA
• Specific safeguards
• Protect against reasonably anticipated uses
• Ensure that workforce complies with rule
• Civil penalties
• Actions by state AG
• HHS investigations
GLB
· Security and confidentiality of customer information
· Protect against anticipated threats or hazards to security and integrity
· Protect against unauthorized access or use.
FCRA
· Identification / authentication procedures
· Disposal rules
· Procedures to ensure accuracy
· Integrity / accuracy of information sent out
· Attempts to prevent impersonation fraud.
COPPA
· Secure web servers
· Delete personal information after use
· Limit employee access to data
· Provide training
· Screen third parties
FCC
· Protect the confidentiality of CPNI
· Reasonable measures to prevent and discover unauthorized access
FTC
· Unfair or deceptive acts
• Massachusetts leads the way 
• Generally address confidentiality 
• Typically only include information tied to numbers 
• Beginning to include biometric data 
• Nexus requirement – except for Massachusetts 
• Exceptions for minor breaches / encrypted data
• U.S. continues to prefer sectoral
• Breach approached from confidentiality
• Private rights of action disfavored
• FTC likely to have overall responsibility
• Nexus requirement still the norm
• Privacy / security interaction involves identification numbers.
• Data governance laws are here to stay
• Expectation that in some format data breach will be extended to cover not just telecoms
• General data breach requirements in some EU Member States already
• Accountability and transparency principles
• Broad scope of definition of personal data
• Cloud and jurisdictional challenges
• The role of controllers and processors
DATA PROTECTION/SECURITY COMPLIANCE AS A COMPETITIVE MARKET ADVANTAGE
• A couple of deal-breaking elements from our daily experience:
  1. Personal Data Processing Agreements (where duties and obligations are clearly identified)
  2. Transparency and control over the personal data flow (circulation/transfer of personal data)
• These elements are requested by customers for 2 main reasons:
  1. COMPLIANCE: to establish enough control by the customer (Controller) on the personal data processing carried out by the provider (Processor)
  2. INTERNAL RESPONSIBILITIES: to internally show that protection and control over personal data, as a company asset, have been considered in the choice of a provider that offers enough guarantees
EU data protection/security checklist
A Service Provider (SP) will have to share:
1. Information about its identity (and the representative in the EU, if applicable), its data protection role, and the contact details of the Data Protection Officer or of a “privacy contact person”
2. SP will have to describe in which ways the data will be processed and provide information on data location and subcontractors
3. How data transfers may take place and on which legal ground (mainly model contracts, binding corporate rules – Safe Harbor (SH) principles have been under revision)
4. Data security measures in place, with special reference to:
   - availability of data
   - integrity
   - confidentiality
   - transparency
   - isolation (purpose limitation)
   - intervenability
5. Way to monitor SP data security / possibility to run audits for clients or trusted third parties
6. Personal data breach notification policy
7. Data portability, migration, and transfer back assistance
8. Data retention, restitution and deletion policies
9. Accountability, meaning the policies and procedures SP has in place to ensure and demonstrate compliance, throughout the SP value chain (e.g., sub-contractors)
10. Cooperation with clients to respect data protection law, e.g., to assure the exercise of data protection rights
11. Management of law enforcement requests for access to personal data
12. Remedies available for the customer in case of CSP breach of contract
• EU continues to prefer industry regulation
• Breach approached from a confidentiality viewpoint
• Private rights of action disfavored
• National laws lag
• Privacy tied to individual data
Break down your cloud transaction. 
Understand what security means to you. 
Define breach. 
Decide what kind of snowflake you are.
· What is risk? 
· Deciding what risks to take. 
· Free legal advice
General risk analysis.
How does the cloud operate?
Who has access to the cloud?
• SLA
• Choice of law
• Contract
• Security
• Breach
• Termination
• Compliance
• Regulations
Breach
Consequence
Reliability
• Demonstrated by metrics
• Objective criteria used
• Third party vendors considered
Contract
• Standard SLA may need additional clauses for response time, fallback options, standards of service
• Static v. flexible SLA
In what country is the provider located? 
Where is the provider’s infrastructure? 
Will other providers be used?
Where will the data be physically located? 
Should jurisdiction be split? 
How will data be collected, processed, transferred? 
What will happen to the data on termination?
Jurisdiction over the contract
• Whose law governs
• Where the dispute is heard
• Change in judicial presumptions
Jurisdiction over the data
• Data protection directive
• Export control laws
Choice of law
Split choice of law if you have differing regulatory obligations.

This Agreement shall be governed by the laws of the District of Columbia, without reference to its choice of law provisions. Jurisdiction and venue shall be proper before the U.S. District Court for the District of Columbia located in Washington, D.C. The parties agree not to contest notice from, or the jurisdiction of, this court. Notwithstanding the preceding sentences, the parties agree that all issues regarding the processing, transfer, protection and privacy of any information transferred from X or any End User to Vendor shall be governed by the laws of the United Kingdom. All disputes between the parties, and between a party and an End User regarding Vendor’s access to this data shall be heard before the appropriate court located in London, United Kingdom.
Security
• Define “breach”
• Determine when a breach happens
• Assume there will be data breach laws
• Review any laws that may currently exist
• Understand who will be responsible for security
• Create enforceable contract terms
• Remember post-termination issues
• Understand that you may not be made whole
• What is a breach? 
• Who are the parties to a breach? 
• Who has to be notified? 
• Who are the parties to a data transaction?
Contract provisions
• Breach: benign and malicious.
• Breach: parties, third parties, subcontractors, vendors
• Breach laws: state and federal
• Responsibility for security: parties, third parties, subcontractors, vendors
• Post-termination issues: data belongs to customer, breach liability extends post termination.
• Security policy: made part of contract. Revisions subject to customer review. Flow down to subcontractors and vendors
Require your vendor to have skin in the game.

Vendor has provided X with a copy of its current security policy (Policy) as it applies to the services to be performed by Vendor pursuant to this Agreement. Vendor represents and warrants that this security policy represents best of breed security procedures in its industry. Vendor shall give X no less than sixty days prior written notice of any changes in the Policy that impact the services provided to X. Should X determine that these changes materially impact the security of the services, X shall have the right to terminate this Agreement. In such a case, Vendor shall provide reasonable assistance to X to transition its services to another provider.
Access 
• Document data to which you have access 
• Limit the number of employees who have access to data 
• Create and implement access policies 
• Require written notice 
• Don’t assume validity 
• Create and implement access policies 
• Include legal advisor
Access 
• Understand and define law enforcement access 
• Don’t assume your country’s laws will prevail 
• Don’t let stereotypes interfere with a legal analysis 
• Try to create definition
Understand who has access to data and under what circumstances.

Vendor shall provide X with no less than ten days prior written notice of any governmental request for access to the data. For the purposes of this paragraph only, the term “governmental” includes any law enforcement or similar entity. Should Vendor be prohibited by law from providing this notice, Vendor shall strictly limit any disclosure of the data to that which is required by the law and the written document upon which disclosure is based. Under no circumstances shall Vendor provide access without a written request of disclosure which cites the law requiring such disclosure. Vendor shall require this provision, or one similarly protective of X’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
Termination 
• Create and implement deletion policies 
• Flow down contract terms to vendors 
• Do not assume security ends upon termination 
• Create and implement deletion policies
When the agreement terminates, your termination rights terminate.

Upon termination or expiration of this Agreement, Vendor shall delete all data and provide X with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor’s suppliers. Vendor shall require this provision, or one similarly protective of X’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
Determine how services will be used 
Evaluate cloud structure 
Understand data collection, processing and transfer 
Security breach notification 
High risk regulatory areas 
Disposition of data on termination
W. David Snead 
Attorney + Counselor 
Tactical Legal Advice for Internet Business 
david.snead@dsnead.com 
@wdsneadpc / Twitter 
dsnead.com / Blog
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guide
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Center
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
 
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogiAlexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
 
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeAlexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
 
Alexis O'Connell Lexileeyogi 512-840-8791
Alexis O'Connell Lexileeyogi 512-840-8791Alexis O'Connell Lexileeyogi 512-840-8791
Alexis O'Connell Lexileeyogi 512-840-8791
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicable
 
Alexis OConnell mugshot Lexileeyogi 512-840-8791
Alexis OConnell mugshot Lexileeyogi 512-840-8791Alexis OConnell mugshot Lexileeyogi 512-840-8791
Alexis OConnell mugshot Lexileeyogi 512-840-8791
 
Conditions Restricting Transfer Under TPA,1882
Conditions Restricting Transfer Under TPA,1882Conditions Restricting Transfer Under TPA,1882
Conditions Restricting Transfer Under TPA,1882
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
 
Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use cases
 
Current Ethical Issues for Legal Professionals.ppt
Current Ethical Issues for Legal Professionals.pptCurrent Ethical Issues for Legal Professionals.ppt
Current Ethical Issues for Legal Professionals.ppt
 

12 02-14 information security managers - unannotated

  • 1. · Cloud workshop · How is the cloud structured? · Understanding cloud functions · Framework for data analysis
  • 2. Cloud workshop · What will you use the cloud for? · Three functions that the cloud provides. · Three functions the cloud does not provide. · Three cloud providers.
  • 3.
  • 4. · Do it yourself shop · System integrator · Reseller · Collaborator
  • 5. · What is Amazon providing? · What is Brand X providing? · Are there any other vendors? · What is the “demarc line” for responsibilities? · How much negotiating power do you have? · What do you want?
  • 6. · Platform as a Service - PaaS · Software as a Service – SaaS · Professional Services as a Service - PSaaS · Infrastructure as a Service - IaaS
  • 7. • Platform as a Service - PaaS • Infrastructure • computing platform • “solution stack” • uses distributed infrastructure components • Supports cloud applications • allows deployment of customer applications • vendor assumes management of underlying hardware and basic software
  • 8. • Software as a Service – SaaS • Professional Services as a Service • Distributed delivery • Web access • One to many distribution • Software / Services as a selling point • COTS software • Centralized patch management • Data preservation / backup
  • 9. • Infrastructure as a Service - IaaS • Cloud is the platform • Virtual data center • No capital outlay • A la carte hardware use • Billed as a utility • Pricing feature or use based
  • 10. Distributed delivery Central location of information Distributed infrastructure
  • 11. · Controller · Processor · Transferor / Transferrer
  • 12.
  • 13. What will you use the cloud for? What does your cloud provider do? What type of provider do you have? Who is controller, transferor, processor?
  • 14. · Case study · What is breach? · Cost of a breach · Regulation in the cloud
  • 15.
  • 16.
  • 17.
  • 18. · Controller · Processor · Transferor / Transferrer
  • 19. • Is security binary? • What is a breach? • Who are the parties to a breach? • Who has to be notified? • Who are the parties to a data transaction? • Which societal emphases prevail? • How do we make security a societal determining factor in purchase decisions? • How do you measure security? • What role should government play? • Are you a special snowflake?
  • 20. • Confidentiality • Integrity • Access
  • 21. • Stability? • Confidentiality? • Law enforcement? • Compensation / making whole?
  • 22. • Transparency • Imperfect information • Competitive pressures • Lack of definition • Imperfection in software • Risk perception
  • 23. • Social engineering • Risks perceived incorrectly
  • 24. • Mitigation? • Avoid? • Transfer? • Retain?
  • 25.
  • 26. • Sectoral Based • Reactive • Generally state based • Narrowly tailored • Issue Based • Proactive • National implementation
  • 27. • Legislative and regulatory • Breach – both benign and malicious • Breach notification • Transfer of risk • Security policies • Contracting parties, third parties and vendors
  • 28. • Specific Safeguards • Protect against reasonably anticipated uses • Ensure that workforce complies with rule • Civil penalties • Actions by state AG • HHS investigations HIPAA
  • 29. · Security and confidentiality of customer information · Protect against anticipated threats or hazards to security and integrity · Protect against unauthorized access or use. GLB
  • 30. · Identification / Authentication procedures · Disposal rules · Procedures to ensure accuracy · Integrity / accuracy of information sent out · Attempts to prevent impersonation fraud. FCRA
  • 31. · Secure webservers · Delete personal information after use · Limit employee access to data · Provide training · Screen third parties COPPA
  • 32. · Protect the confidentiality of CPNI · Reasonable measures to prevent and discover unauthorized access FCC
  • 33. FTC · Unfair or deceptive acts
  • 34. • Massachusetts leads the way • Generally address confidentiality • Typically only include information tied to numbers • Beginning to include biometric data • Nexus requirement – except for Massachusetts • Exceptions for minor breaches / encrypted data
  • 35. • U.S. continues to prefer sectoral • Breach approached from confidentiality • Private rights of action disfavored • FTC likely to have overall responsibility • Nexus requirement still the norm • Privacy / security interaction involves identification numbers.
  • 36. • Data governance laws are here to stay • Expectation that in some format data breach will be extended to cover not just telecoms • General data breach requirements in some EU Member States already • Accountability and transparency principles • Broad scope of definition of personal data • Cloud and jurisdictional challenges • The role of controllers and processors
  • 37. Data protection/security compliance as a competitive market advantage • A couple of deal-breaking elements from our daily experience: 1. Personal Data Processing Agreements (where duties and obligations are clearly identified) 2. Transparency and control over the personal data flow (circulation/transfer of personal data) • These elements are requested by customers for 2 main reasons: 1. COMPLIANCE: to establish enough control by the customer (Controller) on the personal data processing carried out by the provider (Processor) 2. INTERNAL RESPONSIBILITIES: to internally show that protection and control over personal data, as a company asset, have been considered in the choice of a provider that offers enough guarantees
  • 38. EU data protection/security checklist A Service Provider (SP) will have to share: ① Information about its identity (and the representative in the EU, if applicable), its data protection role, and the contact details of the Data Protection Officer or of a “privacy contact person” ② SP will have to describe in which ways the data will be processed and provide information on data location and subcontractors ③ How data transfers may take place and on which legal ground (mainly model contracts, binding corporate rules – SH principles have been under revision)
  • 39. ④ Data security measures in place, with special reference to: - availability of data - integrity - confidentiality - transparency - isolation (purpose limitation) - intervenability ⑤ Way to monitor SP data security / possibility to run audits for clients or trusted third parties
  • 40. ⑥ Personal data breach notification policy ⑦ Data portability, migration, and transfer back assistance ⑧ Data retention, restitution and deletion policies ⑨ Accountability, meaning the policies and procedures SP has in place to ensure and demonstrate compliance, throughout the SP value chain (e.g., sub-contractors)
  • 41. ⑩ Cooperation with clients to respect data protection law, e.g., to assure the exercise of data protection rights ⑪ Management of law enforcement requests for access to personal data ⑫ Remedies available for the customer in case of CSP breach of contract
  • 42. • EU continues to prefer industry regulation • Breach approached from a confidentiality viewpoint • Private rights of action disfavored • National laws lag • Privacy tied to individual data
  • 43.
  • 44. Break down your cloud transaction. Understand what security means to you. Define breach. Decide what kind of snowflake you are.
  • 45. · What is risk? · Deciding what risks to take. · Free legal advice
  • 46. General risk analysis. How does the cloud operate? Who has access to the cloud? • SLA • Choice of Law • Contract • Security • Breach • Termination • Compliance • Regulations
  • 49. Reliability • Demonstrated by metrics • Objective criteria used • Third party vendors considered Contract • Standard SLA may need additional clauses for response time, fallback options, standards of service • Static v. flexible SLA
  • 50. In what country is the provider located? Where is the provider’s infrastructure? Will other providers be used?
  • 51. Where will the data be physically located? Should jurisdiction be split? How will data be collected, processed, transferred? What will happen to the data on termination?
  • 52. Jurisdiction over the contract Whose law governs
  • 53. Jurisdiction over the contract: Whose law governs; Where the dispute is heard; Change in judicial presumptions. Jurisdiction over the data: Data protection directive; Export control laws
  • 54. Choice of law (callout: Split choice of law if you have differing regulatory obligations.) This Agreement shall be governed by the laws of the District of Columbia, without reference to its choice of law provisions. Jurisdiction and venue shall be proper before the U.S. District Court for the District of Columbia located in Washington, D.C. The parties agree not to contest notice from, or the jurisdiction of, this court. Notwithstanding the preceding sentences, the parties agree that all issues regarding the processing, transfer, protection and privacy of any information transferred from X or any End User to Vendor shall be governed by the laws of the United Kingdom. All disputes between the parties, and between a party and an End User regarding Vendor’s access to this data shall be heard before the appropriate court located in London, United Kingdom
  • 55. Security • Define “breach” • Determine when a breach happens • Assume there will be data breach laws • Review any laws that may currently exist • Understand who will be responsible for security • Create enforceable contract terms • Remember post termination issues • Understand that you may not be made whole
  • 56. • What is a breach? • Who are the parties to a breach? • Who has to be notified? • Who are the parties to a data transaction?
  • 57. Contract provisions • Breach: benign and malicious. • Breach: parties, third parties, subcontractors, vendors • Breach laws: state and federal • Responsibility for security: parties, third parties, subcontractors, vendors • Post termination issues: data belongs to customer, breach liability extends post termination. • Security policy: made part of contract. Revisions subject to customer review. Flow down to subcontractors and vendors
  • 58. (callout: Require your vendor to have skin in the game.) Vendor has provided X with a copy of its current security policy (Policy) as it applies to the services to be performed by Vendor pursuant to this Agreement. Vendor represents and warrants that this security policy represents best of breed security procedures in its industry. Vendor shall give X no less than sixty days prior written notice of any changes in the Policy that impact the services provided to X. Should X determine that these changes materially impact the security of the services, X shall have the right to terminate this Agreement. In such a case, Vendor shall provide reasonable assistance to X to transition its services to another provider.
  • 59. Access • Document data to which you have access • Limit the number of employees who have access to data • Create and implement access policies • Require written notice • Don’t assume validity • Create and implement access policies • Include legal advisor
  • 60. Access • Understand and define law enforcement access • Don’t assume your country’s laws will prevail • Don’t let stereotypes interfere with a legal analysis • Try to create definition
  • 61. (callout: Understand who has access to data and under what circumstances.) Vendor shall provide X with no less than ten days prior written notice of any governmental request for access to the data. For the purposes of this paragraph only, the term “governmental” includes any law enforcement or similar entity. Should Vendor be prohibited by law from providing this notice, Vendor shall strictly limit any disclosure of the data to that which is required by the law and under the written document upon which disclosure is based. Under no circumstances shall Vendor provide access without a written request of disclosure which cites the law requiring such disclosure. Vendor shall require this provision, or one similarly protective of X’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
  • 62. Termination • Create and implement deletion policies • Flow down contract terms to vendors • Do not assume security ends upon termination • Create and implement deletion policies
  • 63. (callout: When agreement terminates, your rights terminate.) Upon termination or expiration of this Agreement, Vendor shall delete all data and provide X with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor’s suppliers. Vendor shall require this provision, or one similarly protective of X’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
  • 64. Determine how services will be used Evaluate cloud structure Understand data collection, processing and transfer Security breach notification High risk regulatory areas Disposition of data on termination
  • 65. W. David Snead Attorney + Counselor Tactical Legal Advice for Internet Business david.snead@dsnead.com @wdsneadpc / Twitter dsnead.com / Blog