Cloud Computing: What You Don't Know Can Hurt You

PatrickFowler1 263 views 35 slides Apr 25, 2013

About This Presentation

An introduction to some of the legal issues surrounding cloud computing


Slide Content

Patrick X. Fowler, Esq.
Snell & Wilmer LLP
Phoenix, Arizona
602.382.6213 | [email protected]

Cloud Computing: What You Don’t Know Can Hurt You



© 2012 Snell & Wilmer L.L.P 1

Today’s Topics
•What is cloud computing?
•Common cloud computing applications
•How does it work?
•Cloud computing concerns
◦Data Ownership and Access
◦Data Location and Security
◦Data Privacy in the US and EU



What is Cloud Computing?
•Using the internet…

•to access remotely-located computer servers…

•for scalable, on-demand software applications,
computing power and data storage…

•that you might pay a fee for, but don’t own.

Common Cloud Applications
•Webmail – Gmail, Hotmail, AOL
•Productivity – Microsoft Office 365, Google Docs
•Data Sharing – Dropbox, GoToMeeting
•Data Storage – iCloud, Amazon, Carbonite
•Social Media – Facebook, LinkedIn, YouTube
•Retailing – Amazon, Apple, eBay
•Banking – Chase, Bank of America
•Government – www.apps.gov


Most Common Use of the Cloud?
•Social Networking – By Far

“Official” Government Definition

National Institute of Standards and Technology

Responsible for developing standards and guidelines for providing information security for all federal gov’t agencies and assets.

NIST Special Publication 800-145 (September 2011)


Why Are We Moving to the Cloud?
•It’s much cheaper to rent than to own.
◦Outsourcing to the cloud reduces corporate data
storage costs by 80%, and requires a smaller IT staff

•It’s more flexible/scalable/elastic.
◦Quickly expand and contract storage and computing
needs, based on demand.
◦Faster access to improved technology.

•It’s more secure – in some respects.
◦Remote, redundant data back-ups in case of disaster

How Does Cloud Computing Work?
•Major cloud providers:
◦Amazon
◦Google
◦Microsoft
◦Apple

•Major cloud providers have multiple, distant
data centers (i.e. server farms) where data is
redundantly stored/processed.

Cloud Data Center Locations
•Amazon:
◦North America (CA, OR)
◦EU (Ireland)
◦Asia (Singapore, Tokyo)
◦South America (Brazil)
◦Future: Buried in Siberian permafrost?
•Google:
◦USA (SC, NC, GA, OK, IA, OR)
◦Finland, Belgium
◦Hong Kong, Singapore, Taiwan
◦Future: Cargo ships powered & cooled by the sea?

How is Data Stored in the Cloud?
Per Google’s web site:
•Data is not stored on a single machine or set of
machines; data from all Google customers is distributed
amongst a shared infrastructure composed of many
computers located across Google’s many data centers.

•Data is chunked and replicated over multiple systems so
that no one system is a single point of failure. Data
chunks are given random file names and they’re not stored in clear text, so they’re not humanly readable.

Source: http://www.google.com/about/datacenters/inside/data-security.html#

Cloud Computing Concerns
•Data Ownership & Access

•Data Location and Security

•Data Privacy

•What Law Governs?

•E-Discovery Obligations
If possible, your contract with the cloud provider should address these issues.

Data Ownership & Access

Cloud Data Ownership & Access
•Who owns the data once it has been uploaded?
◦Short Answer: Should not be the cloud provider!

•Who owns the servers where the data is stored?
◦Is it the party with whom you contracted? A third
party? How many links in the contract chain?

•How often will the data be accessible?
◦Industry custom is 99.99% of the time.

•What happens if access is interrupted?
◦Are fee credits provided?

Cloud Data Ownership & Access
•If you terminate the agreement with the cloud
provider, what happens to your data?
◦How long will your data remain on the cloud servers?
◦Is it then deleted from the cloud provider’s servers?
-Important when dealing with customer data, credit card
information, HIPAA data, etc.

•What if the cloud provider goes bankrupt or is
shut down by a government?
◦Example: MegaUpload seized by DOJ in January ’12

•E-discovery obligations?

Data Storage Location & Security

Data Storage Location & Security
•In what countries are the cloud data centers
located that will store your data?
◦Evaluate the data privacy laws where the data
centers are located.
◦Consider potential jurisdictional and choice of law
issues.


•Is the data required to be maintained within a
certain country?
◦E.g., Government records, national defense
materials.

Data Storage Location & Security
•What physical and digital security standards
does the cloud provider adhere to? Will it tell
you?

•How do they compare to the security
procedures used by Amazon, Google and
Microsoft?

•Do outside auditors certify the proper storage
and use of data by the cloud provider?



Data Storage Location & Security
•Physical security measures:
◦Non-descript facilities, restricted physical access,
video surveillance, biometric clearance;

◦Fire detection and suppression, uninterrupted power
supply, climate and temperature control;

◦Redundant data storage in different locations;

◦A business continuity and disaster recovery plan to
ensure service is maintained & to recover any data
loss.

Data Storage Location & Security
•Digital security measures:
◦Is your data securely stored when “at rest” and
securely moved between locations?

◦Does the cloud provider have rights to access your
data? If so, why?

◦Is your data stored in aggregate with other
customers? If so, how good is the disaggregation?

◦How does the cloud provider decommission old
storage devices that once held your data?

Data Storage Location & Security
•What if your data is corrupted, lost or stolen?
◦Caveat emptor. Let the buyer beware.
◦Terms of service typically disclaim all warranties and
exclude liability for any damages.
•Example:
◦“WE AND OUR AFFILIATES OR LICENSORS WILL
NOT BE LIABLE TO YOU FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL,
CONSEQUENTIAL, OR EXEMPLARY DAMAGES
(INCLUDING DAMAGES FOR LOSS OF PROFITS,
GOODWILL, USE OR DATA), EVEN IF A PARTY
HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES….”

Choose your cloud provider wisely!
•If you have little or no leverage in negotiating
terms with the cloud provider…
◦Is the cloud provider reputable & reliable?
-How transparent is the cloud provider willing to be?
-Quality vs. price – you probably get what you pay for.
-Is the cost savings worth the risk of data loss/interruption?

◦What contingency plan do you have if the service
fails?
-Separate, independent digital back-up?
-Hard copy back-up?
◦What remedies, if any, do you have against the cloud
provider if there is data loss or service failure?


Data Privacy

Data Privacy Issues
•Data in the cloud is subject to different
protections than information stored in-house;
◦Data in the cloud = held by a third party

•Currently: there is a patchwork of Federal and
State data privacy laws;

•US and EU data privacy rules significantly differ;
◦EU has more protections and regulations

•US and EU have recently proposed expanded data privacy regulations.


Data Privacy Issues
•Existing laws can compel disclosure of cloud
data to the government.

◦Electronic Communications Privacy Act (ECPA)

◦Stored Communications Act (SCA)

◦USA Patriot Act
-National Security Letters
-Foreign Intelligence Surveillance Act (FISA) Warrants

◦Warrants and subpoenas generally



Data Privacy Issues
•Current rules imposing data security and/or
breach notification obligations, including:
◦Sarbanes-Oxley
◦Family Educational Rights and Privacy Act (FERPA)
◦Health Insurance Portability & Accountability Act
(HIPAA)
◦Health Information Technology for Economic and
Clinical Health (HITECH) Act
◦Gramm-Leach-Bliley Act (GLBA)
◦FTC Act, Section 5 (for companies that store
customer information on the cloud)
◦State Laws and Regulations

Data Privacy: New Regulations?

•Significantly expanded data privacy regulation
schemes proposed in early 2012:

◦White House: Consumer Privacy Bill of Rights

◦EU: New General Data Protection Regulations


Data Privacy: New Regulations?
White House Proposal – Feb. 2012

On-line Consumer Privacy Bill of Rights

Enforceable Codes of Conduct

Expanded FTC Role Re Data Privacy Rights Enforcement

Increased “Global Interoperability” re various consumer data privacy regs

Proposed “Consumer Privacy Bill of Rights”
•Intended goals are:
◦Preserve online consumer trust in the internet
economy,
◦While providing Internet companies with the
regulatory certainty needed to permit innovation in
on-line commerce.
•Available on-line:
◦http://www.whitehouse.gov/sites/default/files/privacy-final.pdf


Proposed “Consumer Privacy Bill of Rights”
•Individual Control by consumers of the data
collected by companies and how those
companies use such data;

•Transparency regarding privacy and security
practices;

•Respect for Context to ensure that companies
use data consistently with the context in which
the consumer provides the data;

•Security in handling personal data;


Proposed “Consumer Privacy Bill of Rights”
•Access and Accuracy including the right of
consumers to access and correct personal
data;

•Focused Collection through reasonable limits
on collection and retention by companies of
personal data; and

•Accountability to ensure that companies
handling data adhere to the Consumer Privacy
Bill of Rights.

Proposed “Consumer Privacy Bill of Rights”
•The White House proposes voluntary adoption
of a binding code of conduct incorporating the
privacy principles in the bill of rights…thus
making it enforceable under Section 5 of the
FTC Act.

•Alternatively, the White House proposes that
Congress pass a law incorporating the privacy
bill of rights.

•Unlikely that Congress will pass legislation this
year.

Proposed EU Data Protection Regulations
Proposed January 25, 2012

Significant expansion of current EU data privacy scheme

Data privacy already a fundamental right, per the EU Constitution

Potential implications beyond EU borders

Proposed EU Data Protection Regulations
•Would apply to almost all data collection and
processing activities regarding EU “data
subjects”
◦Would cover controllers and processors located in
the EU

◦Would also cover controllers and processors
located outside of the EU if they offer goods or
services to data subjects in the EU or monitor their behavior

•Increased protections must be assured before
consumer data may be moved outside the EU





Proposed EU Data Protection Regulations
•Provides increased consumer control of data
◦With few exceptions, data subjects must give
“informed consent” (generally through an “opt-in”
process) before their personal data may be
processed;

•Internet users would have “The Right to be
Forgotten”
◦Data subject would be entitled to have personal data
erased, even if the data has been made public!
•Available on-line:
◦http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf


Thank you

