Chicago . Frankfurt . London . Los Angeles . New York . Palo Alto . Shanghai . Washington DC . West Palm Beach

Data Security and Privacy Risks in Cloud Computing Data Security and Privacy Risks in Cloud Computing

William A. Tanenbaum

Chair, Technology, Intellectual Property & Outsourcing Group, and

Chair, GreenTech and Sustainability Group

Kaye Scholer LLP

New York and Palo Alto Offices

Audience Poll Audience Poll

60350343.PPTX

• Do you have company trade secrets in the Cloud?

• Do you have contractual consent to use U.S. health and financial personal data?

• Do you have customer data from Europe in the Cloud?

• Has a court ordered you to preserve litigation documents?

• Will your Cloud provider pay for costs of database breaches?

Data Security vs. Privacy Data Security vs. Privacy

• To identify and protect against your risks, you need to distinguish between company data and personally identifiable information (“PII”)

• Unauthorized access vs. impermissible use

60414334.PPTX

Risk No. 1: Regulatory Requirements Risk No. 1: Regulatory Requirements

60350343.PPTX

• Data security requirements imposed by US regulations

– HIPPA, HITECH, GLB, SOX, FTC Act § 5, FERPA, Massachusetts, other states

• Raises audit issues

• Also export control regulations

Risk No. 2: Practical Data Hazards Risk No. 2: Practical Data Hazards

• Weak technical access protection

• Provider’s employees

• Provider’s subcontractors

• Lack of transparency

• Lack of customer control

60350343.PPTX

Risk No. 3: Litigation HoldsRisk No. 3: Litigation Holds

60350343.PPTX

• Can you meet litigation document hold requirements if your data is in the Cloud?

• Is metadata a legal and practical solution?

• Who pays tagging costs?

Risk No. 4: Can You Use Available Legal Options Under EEA Law? Risk No. 4: Can You Use Available Legal Options Under EEA Law?

60350343.PPTX

• Safe Harbor

• Approved Clauses

• Binding Corporate

Risk No. 5: Low Price Comes at a CostRisk No. 5: Low Price Comes at a Cost

• Generally, Utility Cloud providers:

– Rely on third party platforms and software

– Use one-sided contracts

– No ability to negotiate stronger protections

– No service levels

– Disclaim liability

• Conclusion: may not meet customer’s legal obligations

60350343.PPTX

Risk No. 6. Do Tier 1 Providers Go Far Enough? Risk No. 6. Do Tier 1 Providers Go Far Enough?

• Offer Private Clouds, but they may still fall short of legal obligations

• Offer more location specificity, but still may fall short

• Pay extra for data security

• At some point, tips into custom data center and hosting services, and becomes more ITO than Cloud

60350343.PPTX

Risk No. 7: Is There Sufficient Software Change Control? Risk No. 7: Is There Sufficient Software Change Control?

• If Provider changes software or version, will your software still work?

• Can compromise on advance notice?

• Caution: what do online terms and conditions allow?

60350343.PPTX

Risk No. 8: Database Breaches Risk No. 8: Database Breaches

• Who bears cost of:

– Determining liability and exposure under state law?

– Providing statutory notices?

– Providing identity protection services?

– Providing call centers and other customer-facing remediation?

– Government investigations?

– Infrastructure upgrades?

60350343.PPTX

Questions and Answers Questions and Answers

William A. Tanenbaum

Chair, Technology, Intellectual Property & Outsourcing Group

Chair, GreenTech and Sustainability Group

Kaye Scholer LLP, New York and Palo Alto

wtanenbaum@kayescholer.com

212-836-7661

60350343.PPTX

William A. Tanenbaumwtanenbaum@kayescholer.comWilliam A. Tanenbaumwtanenbaum@kayescholer.com

• William A. Tanenbaum is the international chair of both Kaye Scholer’s Technology, Intellectual Property & Outsourcing Group and its GreenTech and Sustainability Group, and works in the firm’s New York and Palo Alto offices. Legal Researcher Chambers found that Bill:

• “built one of New York City’s most outstanding transactional IT practices,”

• is an “internationally recognized intellectual property, technology and outsourcing lawyer,”

• is a “well-respected attorney, with a well-informed approach [who] provides litigation, transaction work and strategic counseling on a range of technology and outsourcing-related issues,”

• is “efficient, solution-driven and makes excellent judgment calls,”

• is “a leading light” in outsourcing with “household names” in his client roster,

• is “an acknowledged expert on the convergence of mainstream business with cleantech,” and that

• “clients highlight his IP experience but ‘commend his command of the whole deal.’”

• The Legal 500 publication found that Bill is “an outstanding attorney with a deep knowledge and understanding of technology and outsourcing and a deeply principled and trustworthy colleague.”

60350343.PPTX

William A. Tanenbaum (cont’d)William A. Tanenbaum (cont’d)• Bill’s Information Technology Law practice has been recognized for over ten years by Best

Lawyers and was ranked in the First Tier in New York in the 2010 Best Law Firms Survey by U.S. News and World Report. Because of the strength of his Group’s practice, Kaye Scholer was named as the “Internet & E-Commerce Law Firm of the Year” by The Lawyers World Law Awards 2011. He is a past President of the ITech Law Association and a graduate of Brown University (Phi Beta Kappa), Cornell Law School, and the Bob Bondurant School of High Performance Driving. Chambers recognized him as a “Leading Individual” and awarded him “Recommended” ratings in both “Technology and IT Outsourcing” and “Business Process Outsourcing,” and named him as a “Notable Practitioner” at the national level in Outsourcing. He was voted one of the World’s Top 250 IP strategists (IAM client survey) and he was selected as one of the country’s top 25 pre-eminent IT practitioners in the Best of the Best USA. He regularly advises clients on strategic intellectual property concerns, privacy, data security, data transfer, information life cycle management and competitive intelligence matters, in both transactional and litigation contexts. His the founder and co-chair of PLI’s annual legal Outsourcing Conference and the founder and chair of PLI’s annual GreenTech Law and Business Conference. He is listed in Who’s Who in America, the International Who’s Who of Business Lawyers, the Guide to the World’s Leading Litigation Experts and the Guide to the World’s Leading Patent Law Experts. He was the privacy and data protection columnist for the New York Law Journal, co-author of a book on privacy law and has been quoted in The Economist magazine as an expert on IP law. His articles have been used at Harvard and other law schools.

60350343.PPTX

Copyright ©2011 by Kaye Scholer LLP. All Rights Reserved. This publication is intended as a general guide only. It does not contain a general legal analysis or constitute an opinion of Kaye Scholer LLP or any member of the firm on legal issues described. It is recommended that readers not rely on this general guide in structuring individual transactions but that professional advice be sought in connection with individual transactions. References herein to “Kaye Scholer LLP & Affiliates,” “Kaye Scholer,” “Kaye Scholer LLP,” “the firm” and terms of similar import refer to Kaye Scholer LLP and its affiliates operating in various jurisdictions.

Chicago . Frankfurt . London . Los Angeles . New York . Palo Alto . Shanghai . Washington DC . West Palm Beach