cloud legal issues: contracts, regulatory matters, e-discovery topics

Upload: john-bertoli

Post on 03-Apr-2018


  • 7/29/2019 Cloud Legal Issues: Contracts, Regulatory Matters, E-Discovery Topics

    1/32 Cloud Legal Issues: Contracts, Regulatory Matters, E-Discovery Topics

    Cloud Security Alliance NY Metro Chapter, February 21, 2013

  • 2/32 Agenda

    Overview of provider and customer positions

    What should go into written contracts?

    What are the legal and regulatory concerns for the provider and the customer?

    What are the issues regarding E-discovery?

  • 3/32 Context for moving into the cloud

    The move into private and public cloud (including SaaS, IaaS, PaaS) continues.

    Gartner had projected the worldwide market for SaaS in 2012 was $14.4B.

    A continuing central issue is that as adoption of cloud increases, privacy regulation is also increasing.

  • 4/32 Context

    When the rollout to cloud began, the sense from customers was that many providers did not negotiate the contracts. They offered take-it-or-leave-it services that customers saw as protecting the provider from everything, and which transferred much of the responsibility, liability and risk to the customer.

  • 5/32 Context

    Especially at the beginning, small and medium sized businesses and startups accepted such contracts. Governmental bodies (City of Los Angeles, US DOD, etc.) and larger enterprises with negotiating power sought to negotiate changes.

    On a parallel track, industry and customers also negotiated community clouds and private clouds for individual customers. Private clouds are tailored to the user and user community and can be much more responsive to customers' needs regarding data security, privacy, and service level issues. The customer will pay more for such individualized service.

  • 6/32 Context

    A big concern that customers mention is that many boiler plate agreements have no restriction on where the services provider may process or store a customer's data; as a result, a provider working on a global basis can move that data to servers anywhere in the provider's system. Multiple copies of the data can be in multiple locations. It may be difficult for the provider or the customer to know where the data is; there are consequential risk allocation issues.

  • 7/32 Context

    Some providers (the first was Amazon Web Services) have contracts that allow customers to geographically restrict where their data may flow. The data will be processed and stored only in particular jurisdictions chosen by the customer.

  • 8/32 Context

    Companies need to be able to control how and where their data flows in order to comply with particular legal and regulatory requirements.

  • 9/32 Regulatory issues

    In the US, financial services companies need to comply with the Gramm-Leach-Bliley Act (GLBA), which holds companies responsible for developing, implementing and maintaining a comprehensive information security program to protect nonpublic customer information.

    Companies which process or store non-financial personally identifiable information, or other sensitive data, including health services related information, or which provide services accessed or used by minors under the age of thirteen, need to comply with, respectively, HIPAA and the HITECH Act of 2009, and the Children's Online Privacy Protection Act of 1998.

  • 10/32 Regulatory issues

    Regarding access by government or law enforcement in the US, the applicable laws include the Electronic Communications Privacy Act and the USA Patriot Act.

    In addition to the federal requirements, 46 states, plus Puerto Rico, the US Virgin Islands, and the District of Columbia have laws regarding data governance, breach notification, encryption, and stored and moving data.

  • 11/32 Regulatory issues

    In Europe, laws regarding privacy and data protection are similarly layered. The EU Data Protection Directive (1995) provides that transfers of personal data originating in any one of the 27 member states of the EU may be made only to other member states and to jurisdictions which have been determined by the EU to have adequate data protection standards.

  • 12/32 Regulatory issues

    To meet the adequacy test, US companies moving personal information and data from Europe to the US can do so lawfully by:

    US Department of Commerce Safe Harbor provision

    EU Standard Model Contracts

    Binding Contractual Rules

  • 13/32 Regulatory issues

    Because of strong privacy rights reserved to European citizens under European privacy laws, there may be a general presumption against the legitimacy of cloud computing in Europe. On June 18, 2010, it was reported that the Data Protection Authority of Schleswig-Holstein, one of the sixteen German states, issued a legal opinion that clouds located outside of the EU which are used in connection with a European data subject were unlawful per se, even if the EU Commission had issued an adequacy determination in favor of the foreign country in question or if the company moving the data had certified to the US Department of Commerce's Safe Harbor framework.

  • 14/32 Regulatory issues

    Under this ruling, for example, it would be illegal for a European company to use a Canadian cloud services provider (Canada has adequate safeguards) or Amazon Web Services (which has certified that it complies with the US Safe Harbor data security requirements) to process, transport, or store data belonging to a European data subject.

  • 15/32 Regulatory issues

    As of this writing, there is a lot of discussion in the EU regarding the use of cloud computing. In July 2012, the Schleswig-Holstein DPA released recommendations on how cloud providers and customers can conform to German and EU data protection requirements.

  • 16/32 Regulatory issues

    In late September 2012, the EU Commission published a report, Unleashing the Potential of Cloud Computing in Europe. This product is being studied and commented on by data protection authorities within the EU.

    The Data Protection Directive of 1995 is itself proposed to be replaced by a data protection regulation. The regulation would allow for more uniform application of the rules across Europe and less autonomy for individual country DPAs.

  • 17/32

    Besides regulatory issues, other topics of high concern to customers and providers are:

    Integration regarding legacy systems, disaster recovery and business continuity, breach response responsibilities, possible co-mingling of data, service provider viability, data ownership and accessibility, termination rights including the return of data upon termination.

    Intellectual property rights regarding content. Some provider contracts indicate that content provided to them is theirs. This, of course, conflicts with how companies see content, which is proprietary to them.

  • 18/32 Organization of contracts

    Customer obligations

    Maintaining customer side security (administration of passwords, secure access)

    Responsibility for accuracy and legality of customer content (data is collected by customer, not service provider)

    Use of service in accord with applicable law

  • 19/32 Organization of contracts

    Provider obligations

    Maintaining adequate security system

    Being transparent regarding its use of data and information handling practices

    Disclosing data to third parties only as authorized by law

  • 20/32 Organization of contracts

    Many agreements provide standard boiler plate legal terms with drill down of many of the service specifications left to the schedules and the SLAs. Typically, boiler plate legal terms include:

    Term of the agreement

    Scope of the agreement

    Fees and billing terms

    Relationship management

    Confidentiality terms

    Intellectual property terms

  • 21/32 Organization of contracts

    Privacy and data protection terms

    Reps and Warranties

    Limitation of liability terms (risk allocation, liability cap, carveouts, exclusions)

    Indemnifications

    Dispute resolution

    Choice of law

    Termination

  • 22/32 Organization of contracts

    The schedules to the agreement provide the drill down and often address the operational and technical side of the agreement including:

    Change control

    Support services and service levels

    Applicable policies and procedures

    Detailed security provisions

    Detailed regulatory, audit and record retention requirements

    Exit management and termination assistance

  • 23/32 Developments to manage risk

    Providers have developed technical solutions to some security issues faced by customers, including enhanced security technologies and encryption, and other processes and monitoring as an integral and critical component of the offered service.

    The CSA's Cloud Controls Matrix provides guidance for companies looking to compare among providers by providing a standard framework for analysis.

    Cyberinsurance policies are being developed and are being bought by customers.

  • 24/32 E-Discovery

    The basic requirement is that a client must preserve evidence when that client has notice of pending litigation.

    There are sanctions for spoliation of information, including electronically stored information. Under Rule 34(a) of the US Federal Rules of Civil Procedure, electronically stored information in a party's possession, custody or control must be preserved.

  • 25/32 E-Discovery issues

    Regarding electronically stored information and e-discovery, the NYS Bar provides the following guideline:

    In determining what ESI should be preserved, clients should consider: the facts upon which the triggering event is based and the subject matter of the triggering event; whether the ESI is relevant to that event; the expense and burden incurred in preserving the ESI; and whether the loss of ESI would be prejudicial to an opposing party.

  • 26/32 E-Discovery issues

    However, due to the nature of cloud computing, data saved in the cloud may not be clearly in the possession, custody or control of any one party. Because there is no dedicated resource allocated to any particular customer of cloud services, and the resources are shared, isolating and then retrieving the data of one customer can adversely affect the data of another customer that is not involved in the litigation.

  • 27/32 E-Discovery issues

    Therefore, ESI discovery in the cloud may create liabilities because an unrelated third party's data may necessarily be accessed or processed in order to respond to the original request.

    Courts need to balance requests for ESI with the privacy and data security rights of non-parties to the litigation who may be inadvertently drawn into the dispute because of the way their data resides in the cloud.

  • 28/32 E-Discovery issues

    In addition to the above issues, courts are requiring the production of metadata, which is hidden or deleted information in an electronic file that is not apparent to the reader viewing a hard copy or screen image.

    Metadata includes information about authors, origins, dates, comments, document versions and embedded notes.

  • 29/32 E-Discovery issues

    A service contract should include safeguards for both the customer and the provider so that there are procedural guidelines (i) to facilitate the discovery process, (ii) to minimize the risk of inadvertent discovery of ESI of a third party, and (iii) to avoid placing the provider in a position to either supply the requested ESI or become a focus of the litigation itself.

  • 30/32 E-Discovery issues

    Reasonable provisions might include:

    A description of the types and amounts of ESI, including metadata, that will be preserved in a dedicated repository. A customer's rights to access those materials should be clearly set forth.

    A restriction on the provider's ability to unilaterally access, view or provide a customer's ESI to government or third parties.

  • 31/32 E-Discovery issues

    A requirement that the provider notify customers in advance of the provider's access of the ESI (this would allow time for the customer to challenge the access to the ESI, or to otherwise secure privileged information).

    A restriction on the location of data centers storing a customer's ESI to avoid less favorable privacy and data security laws in foreign jurisdictions.

  • 32/32 Questions?

    Contact: Walter Delacruz, Esq.

    [email protected]

    Disclaimer: This presentation does not constitute legal advice or an opinion of the Cloud Security Alliance NY Metro Chapter or any member of the CSA. It does not create or invite an attorney-client privilege and may be rendered incorrect by future developments. It is recommended that it not be relied upon in connection with any dispute or other matter but that professional advice be sought.

    Copyright 2013 Cloud Security Alliance. All rights reserved.