© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast Roundtable June 29, 2011 The Cloud and The Law


Page 1

CISO Executive Network Executive Breakfast Roundtable

June 29, 2011

The Cloud and The Law

Page 2

If something goes wrong:

• What performance standard was met or not met?

  o Was that clearly referenced in the contract?

  o How clearly can we demonstrate the miss?

• How do we know that something went wrong?

  o Do the contract specifications conform to real world expectations?

  o Will the provider notify us in the event of a breach? When?

  o How much control do we have in crafting the response?

Page 3

Where is my Data?

› For a lawyer, one of the most important facts, but also one that can be difficult to fully grasp.

› Essential to understanding which party has control of the data and can be held responsible for:

  • Securing physical access to the data

  • Securing electronic access to the data

  • Encrypting the data (if required)

  • Monitoring for unauthorized access

Page 4

What Data? What Jurisdiction?

Federal: Multiple sector-specific privacy laws:

› Education records – FERPA

› Medical records – HIPAA, the HITECH Act

› Financial data – Gramm-Leach-Bliley (“GLBA”)

› Disclosure to law enforcement – USA Patriot Act

› Electronic communications – ECPA

› E-Discovery/Litigation Holds – Federal and State Rules of Civil Procedure

State:

› Data-breach statutes, SSN laws, health privacy, financial privacy and the like.

International:

› Personal data within EU – The European Union Data Protection Directive;

› Data laws of non-EU states (e.g. Australia, Canada and now, Mexico)

Contract:

› Payment Card Industry Standards and any other contractual privacy provisions.

Page 5

Is My Data Secure?

› What security measures does the provider have in place?

  • Is the data segregated from other parties’? If so, how?

› Are the security measures documented?

› Do we have the right (and ability) to conduct security assessments?

› What monitoring do we do of the provider’s security practices?

› What are our rights in the event of a data breach? Can we bring in our forensic company?

Page 6

Is a Password Required? Is a Password Enough?

Page 7

Is My Data Available?

› Service Level Agreements

  • Uptime/Downtime Definitions

  • 24x7 or 8x5?

  • Measurement/metrics – who provides?

  • Measurement Periods – short enough?

  • Remedies: meaningful and incentivizing

› Practical Redundancies

  • Data sources

  • Power supplies

  • Communication links

Page 8

Do you know who your neighbors are?

Page 9

And, It Wasn’t the First Time . . .

Page 10

Any Subcontractors?

› Is the provider hiring a third party which will have access to our data?

› What subcontractors will have access to which data?

› What written confidentiality and privacy obligations do they have?

› What security assessments have been done on the subcontractors’ practices?

Page 11

Data Ownership and Use

› Does the contract provide that the data is “owned” by the customer?

  • Typically, state laws require that the provider is only obligated to notify the “owner” – so you will have to take care of the rest.

› Does the contract provide that the data cannot be used except in the performance of the services?

Page 12

Data Retention and Access

› What are the provider’s data search, retention and destruction practices?

› Can the provider implement a “legal hold” on request (because of actual or potential litigation)?

› Are sufficient processes and controls in place for necessary authentication of data?

Page 13

Notice Required?

› Does the agreement mandate that the provider give notice within a specific (and short) time in the event of:

  • Any subpoena or other legal process seeking access to the data?

  • Any security event or unauthorized access?

› Is the provider obligated to provide assistance and support if such an event occurs?

Page 14

Insurance vs. Contracts

› Insurance: If a covered “something” happens and you suffer a covered loss, we will pay according to policy limits.

› Contract: If I have failed to do what I said I would do and you suffer a loss as a result, I will pay you for the types of losses that I have agreed to pay up to the limits in my contract.

Page 15

Insurance vs. Contracts

› Insurance Promise: If a covered event happens and you suffer a covered loss, we will pay according to policy limits.

› Contract Promise: If I have failed to do what I said I would do and you suffer a loss as a result, I will pay you for the types of losses that I have agreed to pay up to the limits in my contract.

Page 16

Indemnification; Limits of Liability

› Typically, these are the most contentious contract provisions.

› The provider wants to exclude liability for certain kinds of damages and to put a cap on the rest.

› Consider the types of damages that are most likely to be incurred and do not allow them to be excluded.

› Do not allow a cap that is lower than the likely loss. Even better is a cap at a multiple of the likely loss. The best is no cap.

› Consider excluding from caps or limitations damages from:

  • willful misconduct,

  • breach of confidentiality or privacy,

  • bodily injury (if any work is to be done on site),

  • property damage and

  • infringement claims.

Page 17

A Key Question:

› What happens to our data when the contract terminates?

  • Is it destroyed?

  • Returned?

  • Do we get machine readable copies?

  • If so, in what formats?

  • Will they provide transition assistance at a reasonable cost?