7/29/2019 Cloud Legal Issues: Contracts, Regulatory Matters, E-Discovery Topics
Cloud Legal Issues: Contracts, Regulatory Matters, E-Discovery Topics
Cloud Security Alliance NY Metro Chapter
February 21, 2013
Agenda
Overview of provider and customer positions
What should go into written contracts?
What are the legal and regulatory concerns for the provider and the customer?
What are the issues regarding E-discovery?
Context for moving into the cloud
The move into private and public cloud (including SaaS, IaaS and PaaS) continues. Gartner had projected that the worldwide market for SaaS in 2012 was $14.4B.
A continuing central issue is that as adoption of cloud increases, privacy regulation is also increasing.
Context
When the rollout to cloud began, the sense from customers was that many providers did not negotiate their contracts. They offered take-it-or-leave-it services that customers saw as protecting the provider from everything and transferring much of the responsibility, liability and risk to the customer.
Context
Especially at the beginning, small and medium sized businesses and startups accepted such contracts. Governmental bodies (City of Los Angeles, US DOD, etc.) and larger enterprises with negotiating power sought to negotiate changes.
On a parallel track, industry and customers also negotiated community clouds and private clouds for individual customers. Private clouds are tailored to the user and user community and can be much more responsive to customers' needs regarding data security, privacy and service level issues. The customer will pay more for such individualized service.
Context
A big concern that customers mention is that many boilerplate agreements place no restriction on where the service provider may process or store a customer's data. As a result, a provider working on a global basis can move that data to servers anywhere in the provider's system, and multiple copies of the data can be in multiple locations. It may be difficult for the provider or the customer to know where the data is, and there are consequential risk allocation issues.
Context
Some providers (the first was Amazon Web Services) have contracts that allow customers to geographically restrict where their data may flow. The data will be processed and stored only in particular jurisdictions chosen by the customer.
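A geographic restriction written into the contract still needs a matching technical control on the customer side. The following is an added example, not taken from the presentation and not AWS's own code: it builds a policy document in the shape of an AWS Organizations service control policy (SCP) that denies any Region-scoped API call whose aws:RequestedRegion is outside a customer-chosen allowlist, and a small evaluator that shows how NotAction (the exemption for global services such as IAM), the StringNotEquals condition and the Deny effect combine. The list of global-service prefixes, the evaluator's simplified semantics and the sample API calls are assumptions and constructed data.

```python
"""Data-residency guardrail modelled on an AWS Organizations service control
policy (SCP). Added example: the policy shape follows the common
"deny outside allowed Regions" pattern; the evaluator is a simplified model
of how such a Deny statement is applied, not AWS's policy engine."""
import json

# Services that are not Region-scoped. The Deny must exempt them, otherwise
# the account can no longer manage identities or billing at all
# (assumed list; adjust to the services actually in use).
GLOBAL_SERVICE_PREFIXES = ("iam:", "sts:", "organizations:", "support:", "budgets:")


def build_residency_scp(allowed_regions):
    """Return an SCP-style document denying every Region-scoped action whose
    aws:RequestedRegion is not one of allowed_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            # NotAction: the Deny applies to every action NOT listed here.
            "NotAction": [p + "*" for p in GLOBAL_SERVICE_PREFIXES],
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:RequestedRegion": sorted(allowed_regions)}},
        }],
    }


def _action_matches(pattern, action):
    """Minimal IAM-style glob: 'iam:*' matches 'iam:CreateUser'; '*' matches all."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def evaluate(policy, action, requested_region):
    """Return 'Deny' if any Deny statement applies to (action, region), else
    'Allow'. Simplified: a real SCP only sets the ceiling and the caller's
    IAM policies still have to grant the action explicitly."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            # Statement applies only to actions NOT in the NotAction list.
            if any(_action_matches(p, action) for p in stmt["NotAction"]):
                continue
        else:
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            if not any(_action_matches(p, action) for p in actions):
                continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("aws:RequestedRegion")
        # No Region condition at all means an unconditional Deny.
        if allowed is None or requested_region not in allowed:
            return "Deny"
    return "Allow"


def audit(policy, requests):
    """Evaluate a batch of (action, region) pairs; return the ones denied."""
    return [(a, r) for a, r in requests if evaluate(policy, a, r) == "Deny"]


if __name__ == "__main__":
    scp = build_residency_scp({"eu-west-1", "eu-central-1"})
    print(json.dumps(scp, indent=2))
    # Constructed sample of API calls, not real CloudTrail records.
    sample = [("s3:PutObject", "eu-west-1"), ("s3:PutObject", "us-east-1"),
              ("ec2:RunInstances", "eu-central-1"), ("iam:CreateUser", "us-east-1")]
    for act, reg in sample:
        print(f"{act:20s} {reg:14s} -> {evaluate(scp, act, reg)}")
```

The exemption list is the part to get right in practice: every service left out of NotAction but not Region-scoped will be denied, and every Region-scoped service wrongly added to it becomes a residency gap.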
Context
Companies need to be able to control how
and where their data flows in order to comply
with particular legal and regulatory
requirements.
Regulatory issues
In the US, financial services companies need to comply with the Gramm-Leach-Bliley Act (GLBA), which holds companies responsible for developing, implementing and maintaining a comprehensive information security program to protect nonpublic customer information.
Companies which process or store non-financial personally identifiable information or other sensitive data, including health services related information, or which provide services accessed or used by minors under the age of thirteen, need to comply with, respectively, HIPAA and the HITECH Act of 2009, and the Children's Online Privacy Protection Act of 1998.
Regulatory issues
Regarding access by government or law enforcement in the US, the applicable laws include the Electronic Communications Privacy Act and the USA PATRIOT Act.
In addition to the federal requirements, 46 states, plus Puerto Rico, the US Virgin Islands and the District of Columbia, have laws regarding data governance, breach notification, encryption, and data at rest and in transit.
Regulatory issues
In Europe, laws regarding privacy and data protection are similarly layered. The EU Data Protection Directive (1995) provides that transfers of personal data originating in any one of the 27 member states of the EU may be made only to other member states and to jurisdictions which have been determined by the EU to have adequate data protection standards.
Regulatory issues
To meet the adequacy test, US companies moving personal information and data from Europe to the US can do so lawfully by relying on:
the US Department of Commerce Safe Harbor framework
EU Standard Contractual Clauses (model contracts)
Binding Corporate Rules
Regulatory issues
Because of strong privacy rights reserved to European citizens under European privacy laws, there may be a general presumption against the legitimacy of cloud computing in Europe. On June 18, 2010, it was reported that the Data Protection Authority of Schleswig-Holstein, one of the sixteen German states, had issued a legal opinion that clouds located outside of the EU which are used in connection with a European data subject were unlawful per se, even if the EU Commission had issued an adequacy determination in favor of the foreign country in question or if the company moving the data had certified to the US Department of Commerce's Safe Harbor framework.
Regulatory issues
Under this opinion, for example, it would be illegal for a European company to use a Canadian cloud services provider (Canada has been found to have adequate safeguards) or Amazon Web Services (which has certified that it complies with the US Safe Harbor requirements) to process, transport or store data belonging to a European data subject.
Regulatory issues
As of this writing, there is a lot of discussion in
the EU regarding the use of cloud computing.
In July 2012, the Schleswig-Holstein DPA
released recommendations on how cloud
providers and customers can conform to
German and EU data protection requirements.
Regulatory issues
In late September 2012, the EU Commission published a report, "Unleashing the Potential of Cloud Computing in Europe". This document is being studied and commented on by data protection authorities within the EU.
The Data Protection Directive of 1995 is itself proposed to be replaced by a data protection regulation. The regulation would allow for more uniform application of the rules across Europe and less autonomy for individual country DPAs.
Besides regulatory issues, other topics of high concern to customers and providers are:
Integration with legacy systems, disaster recovery and business continuity, breach response responsibilities, possible co-mingling of data, service provider viability, data ownership and accessibility, and termination rights including the return of data upon termination.
Intellectual property rights regarding content. Some provider contracts indicate that content provided to them becomes theirs. This, of course, conflicts with how companies see their content, which they regard as proprietary.
Organization of contracts
Customer obligations
Maintaining customer side security
(administration of passwords, secure access)
Responsibility for the accuracy and legality of customer content (data is collected by the customer, not the service provider)
Use of service in accord with applicable law
Organization of contracts
Provider obligations
Maintaining adequate security system
Being transparent regarding its use of data and its information handling practices
Disclosing data to third parties only as
authorized by law
Organization of contracts
Many agreements provide standard boilerplate legal terms, with the drill-down into many of the service specifications left to the schedules and the SLAs. Typically, boilerplate legal terms include:
Term of the agreement
Scope of the agreement
Fees and billing terms
Relationship management
Confidentiality terms
Intellectual property terms
Organization of contracts
Privacy and data protection terms
Reps and Warranties
Limitation of liability terms (risk allocation,
liability cap, carveouts, exclusions)
Indemnifications
Dispute resolution
Choice of law
Termination
Organization of contracts
The schedules to the agreement provide the drill-down and often address the operational and technical side of the agreement, including:
Change control
Support services and service levels
Applicable policies and procedures
Detailed security provisions
Detailed regulatory, audit and record retention requirements
Exit management and termination assistance
Developments to manage risk
Providers have developed technical solutions to some security issues faced by customers, including enhanced security technologies and encryption, and other processes and monitoring, as an integral and critical component of the offered service.
The CSA's Cloud Controls Matrix provides guidance for companies looking to compare among providers by providing a standard framework for analysis.
Cyberinsurance policies are being developed and are being bought by customers.
E-Discovery
The basic requirement is that a client must preserve evidence when that client has notice of pending litigation.
There are sanctions for spoliation of information, including electronically stored information (ESI). Under Rule 34(a) of the US Federal Rules of Civil Procedure, electronically stored information in a party's possession, custody or control must be preserved.
E-Discovery issues
Regarding electronically stored information and e-discovery, the NYS Bar provides the following guideline:
In determining what ESI should be preserved, clients should consider: the facts upon which the triggering event is based and the subject matter of the triggering event; whether the ESI is relevant to that event; the expense and burden incurred in preserving the ESI; and whether the loss of the ESI would be prejudicial to an opposing party.
E-Discovery issues
However, due to the nature of cloud computing, data saved in the cloud may not be clearly in the possession, custody or control of any one party. Because there is no dedicated resource allocated to any particular customer of cloud services, and the resources are shared, isolating and then retrieving the data of one customer can adversely affect the data of another customer that is not involved in the litigation.
E-Discovery issues
Therefore, ESI discovery in the cloud may create liabilities because an unrelated third party's data may necessarily be accessed or processed in order to respond to the original request.
Courts need to balance requests for ESI with the privacy and data security rights of non-parties to the litigation who may be inadvertently drawn into the dispute because of the way their data resides in the cloud.
E-Discovery issues
In addition to the above issues, courts are requiring the production of metadata: hidden or deleted information in an electronic file that is not apparent to a reader viewing a hard copy or screen image. Metadata includes information about authors, origins, dates, document versions, comments and embedded notes.
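To make concrete what a hard copy or screen image hides, here is an added example that is not part of the original presentation: it reads the core properties (creator, last editor, creation and modification timestamps, revision count), the application properties and the reviewer comments out of an Office Open XML .docx, which is a ZIP container of XML parts. The sample document is constructed in memory for the demonstration; no real file is used, and the names and dates in it are invented.

```python
"""Extract the metadata a printed copy never shows from a .docx (Office Open
XML). Added example; the sample document is constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the .docx parts we read.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def extract_docx_metadata(data: bytes) -> dict:
    """Return core/app properties plus reviewer comments from a .docx blob.
    Missing parts are tolerated: a file without comments yields []."""
    out = {"comments": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:          # who, when, how many revisions
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in [("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("created", "dcterms:created"),
                              ("modified", "dcterms:modified"),
                              ("revision", "cp:revision")]:
                el = root.find(path, NS)
                out[key] = el.text if el is not None else None
        if "docProps/app.xml" in names:           # authoring tool, company, edit time
            root = ET.fromstring(z.read("docProps/app.xml"))
            for key, path in [("application", "ep:Application"),
                              ("company", "ep:Company"),
                              ("total_edit_minutes", "ep:TotalTime")]:
                el = root.find(path, NS)
                out[key] = el.text if el is not None else None
        if "word/comments.xml" in names:          # embedded reviewer notes
            root = ET.fromstring(z.read("word/comments.xml"))
            for c in root.findall("w:comment", NS):
                text = "".join(t.text or "" for t in c.iter("{%s}t" % NS["w"]))
                out["comments"].append({"author": c.get("{%s}author" % NS["w"]),
                                        "date": c.get("{%s}date" % NS["w"]),
                                        "text": text})
    return out


def build_sample_docx() -> bytes:
    """Construct a minimal .docx in memory (constructed test input, not a real
    document). Only the parts the extractor reads are populated."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
            'xmlns:dcterms="%(dcterms)s" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>A. Author</dc:creator><cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>'
            '<cp:revision>7</cp:revision>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2013-01-15T09:00:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2013-02-20T18:30:00Z</dcterms:modified>'
            '</cp:coreProperties>') % NS
    app = ('<Properties xmlns="%(ep)s"><Application>Microsoft Office Word</Application>'
           '<Company>Example Corp</Company><TotalTime>95</TotalTime></Properties>') % NS
    comments = ('<w:comments xmlns:w="%(w)s"><w:comment w:id="0" w:author="C. Counsel" '
                'w:date="2013-02-18T12:00:00Z"><w:p><w:r><w:t>Remove before sending.</w:t>'
                '</w:r></w:p></w:comment></w:comments>') % NS
    document = ('<w:document xmlns:w="%(w)s"><w:body><w:p><w:r><w:t>Visible body text.'
                '</w:t></w:r></w:p></w:body></w:document>') % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder; not parsed here
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/comments.xml", comments)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_docx_metadata(build_sample_docx()).items():
        print(f"{key:20s} {value}")
```

Nothing in the visible body text reveals the second editor, the revision count, the 95 minutes of editing time or the reviewer's note; all of it is discoverable from the file, which is why a production of "the document" and a production of its metadata are not the same thing.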
E-Discovery issues
A service contract should include safeguards for both the customer and the provider so that there are procedural guidelines (i) to facilitate the discovery process, (ii) to minimize the risk of inadvertent discovery of ESI of a third party, and (iii) to avoid placing the provider in a position to either supply the requested ESI or become a focus of the litigation itself.
E-Discovery issues
Reasonable provisions might include:
A description of the types and amounts of ESI, including metadata, that will be preserved in a dedicated repository. A customer's rights to access those materials should be clearly set forth.
A restriction on the provider's ability to unilaterally access, view or provide a customer's ESI to government or third parties.
E-Discovery issues
A requirement that the provider notify customers in advance of the provider's access to the ESI (this would allow time for the customer to challenge the access to the ESI, or to otherwise secure privileged information).
A restriction on the location of data centers storing a customer's ESI, to avoid less favorable privacy and data security laws in foreign jurisdictions.
Questions?
Contact: Walter Delacruz, Esq.
walterdelacruz1@gmail.com
Disclaimer: This presentation does not constitute legal advice or an opinion of the Cloud Security Alliance NY Metro Chapter or any member of the CSA. It does not create or invite an attorney-client privilege and may be rendered incorrect by future developments. It is recommended that it not be relied upon in connection with any dispute or other matter but that professional advice be sought.
Copyright 2013 Cloud Security Alliance. All rights reserved.