partly sunny with a chance of rain ii: forecasting the legal issues in cloud computing

“Partly Sunny with a Chance of Rain II”: Forecasting the Legal Issues in Cloud Computing

by:

Thomas A. Kulik Chairman, Dallas Bar Association Computer Law Section

Partner, Scheef & Stone, L.L.P.

Dallas Bar Association – Computer Law Section October 28, 2013

®

About the Presenter Tom Kulik is a Partner in Scheef & Stone, L.L.P. out of its headquarters in Dallas, Texas, as well as Chairman of the Dallas Bar AssociaBon Computer Law SecBon. With a deep understanding of how intellectual property assets influence business, he leverages 20 years of law pracBce with prior industry experience, strategically counseling clients on maKers involving the evaluaBon, acquisiBon, development and protecBon of intellectual property rights, with an emphasis on creaBvely leveraging such assets both domesBcally and internaBonally.

Prior to matriculaBon in law school, he was an award-‐winning systems engineer for 3Com CorporaBon, where he was responsible for local and wide-‐area network architecture and design supporBng both Fortune 500 and start-‐up companies in the computer services, financial and pharmaceuBcal industries.

Leveraging this industry experience, his pracBce focuses on intellectual property transacBons, parBcularly within the context of the computer soQware, emerging Internet technologies and e-‐commerce, and includes an extensive trademark preparaBon and prosecuBon pracBce and aKendant intellectual property liBgaBon.

®

What is the “Cloud”?...

®

…and What is “Cloud CompuBng”?

®

“IaaS”

“PaaS”

“SaaS”

“Cloud CompuBng” – A Hazy Phrase for a Foggy (Evolving) Concept

“As a metaphor for the Internet, "the cloud" is a familiar cliché, but when combined with "compuBng," the meaning gets bigger and fuzzier…[but essenBally] encompasses any subscripBon-‐based or pay-‐per-‐use service that, in real Bme over the Internet, extends IT's exisBng capabiliBes.”

What Cloud Compu-ng Really Means, Eric Knor & Galen Gruman, InfoWorld, 2009

®

“Cloud CompuBng” DefiniBon – The NaBonal InsBtute of Standards and Technology

“Cloud compuBng is a model for enabling convenient, on-‐demand network access to a shared pool of configurable compuBng resources (e.g., networks, servers, storage, applicaBons, and services) that can be rapidly provisioned and released with minimal management effort or service provider interacBon. This cloud model promotes availability and is composed of five essen-al characteris-cs, three service models, and four deployment models.”

The NIST Defini,on of Cloud Compu,ng, Peter Mell and Tim Grance, Version 15, October 7, 2009

®

“Cloud CompuBng”-‐ EssenBal CharacterisBcs

•  On-‐demand self-‐service – unilateral and automaBc provisioning of a user’s compuBng needs

•  Broad network access – services available through the network to cellphones, PDAs, laptops, iPads, etc.

•  Resource pooling – dynamic assignment of physical and virtual compuBng resources

•  Rapid elas9city – quick scale-‐out/scale-‐in – seamless and seemingly unlimited to the user

•  Measured Service – automaBc control to opBmize management of resources (storage, processing, bandwidth, accounts)

®

“Cloud CompuBng” – Service Models

 So7ware-‐as-‐a-‐Service (“SaaS”) •  External soQware hosBng in a cloud infrastructure

 PlaDorm-‐as-‐a-‐Service (“PaaS”) •  Think “SaaS-‐plus” – compuBng plamorm and “soluBon stack” for building and running custom applicaBons by the user

 Infrastructure-‐as-‐a-‐Service (“IaaS”) •  Data processing, storage, network and other fundamental compuBng resources in cloud infrastructure

®

Examples of Cloud Services from Cloud Service Providers” (“CSPs”)

 Infrastructure-‐as-‐a-‐Service (“IaaS”) •  Amazon ElasBc Compute Cloud (EC2), Amazon S3, Rackspace

 So7ware-‐as-‐a-‐Service (“SaaS”) •  Apple iCloud, Google Apps, Facebook ApplicaBons

 PlaDorm-‐as-‐a-‐Service (“PaaS”) •  Salesforce AppExchange, Google AppExchange

®

“Cloud CompuBng” – Deployment Models   Private Cloud

  Used solely by/operated solely for the organizaBon

  Community Cloud   Used by/operated for mulBple organizaBons Bed to a “specific

community” with “shared concerns”

  Public Cloud   Owned by CSP providing cloud services to the public

  Hybrid Cloud   ComposiBon of 2 or more disBnct clouds “bound together by

standardized or proprietary technology that enables data and applicaBon portability”

®

“Cloud CompuBng” – DefiniBon in a Nutshell

A fully-‐scalable service for processing and storing data using third-‐party shared resources, soQware and informaBon accessible over a network (i.e. the Internet), and provided to computers and other devices on-‐demand:

  Usually subscripBon-‐based   May be pay-‐per-‐use   Even free!

®

Why the Cloud Model? A “Perfect Storm”

•  Economics -‐ IT capital cost pressures pushing for beKer ROI

•  More for Less -‐ Technological InnovaBon is permipng: »  BeKer communicaBons bandwidth availability

»  Improved microprocessor/bus speeds

»  Increased storage capabiliBes •  “Virtualiza,on” – easier for CSPs to maximize infrastructure for the services provided and offload much IT management

®

The Legal ConsideraBons in Cloud CompuBng: More Than A Drizzle…

  Security & Privacy   Contractual ConsideraBons   Intellectual Property   E-‐Discovery & LiBgaBon   Ethical ConsideraBons for Lawyers

®

The Legal ConsideraBons in Cloud CompuBng: Security & Privacy

  Data in the “Cloud” harder to protect •  Is a “mulB-‐tenant” architecture – data stored on a virtual server that

shares same physical server with other virtual servers

•  Security dependent upon configuraBon of the virtual servers and API vulnerabiliBes

•  Geographic distribuBon concerns – the “cloud” knows no boundaries

  Breach harder to detect & manage •  CSP may use third-‐party providers for elements of the service

•  Audit trail across mulBple plamorms not necessarily integrated

•  Geographic distribuBon concerns remain

®


®

Think that 3rd parBes are not looking for YOUR data?

THINK AGAIN…


 Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (2010) company policy claiming it owned all informaBon on its computers NOT enough to permit retenBon of aKorney-‐client privileged emails  N.J. Appellate Division reversed Superior Court’s order

 ordered employer and its counsel to turn over ALL email communicaBons between plainBff and her counsel AND delete same for hard drives

 Ordered hearing on sancBons  Point: aKorney-‐client privilege “substanBally outweigh[s]” employer’s enforcement of its own policies

®


 City of Ontario v. Quon, 130 S.Ct.2619 (2010) – 9-‐0 decision holding City did NOT violate police employees’ 4th Amendment rights by searching text messages on city-‐owned pagers

 SCOTUS rev’d 9th Circuit   found search to be “reasonable” because moBvated by

legiBmate work-‐related purpose & not excessive in scope

  Rejected 9th Circuit’s “least intrusive” means approach (i.e. use less intrusive methods to determine proper use of pagers)

 BUT…did not address employee privacy expectaBons when using employer computers

®


  Compliance with privacy and security laws and regulaBons no longer a domes-c maGer   Trans-‐border flow of private informaBon may trigger obligaBons

  U.S. laws far LESS restricBve than other countries (parBcularly the European Union)

  Liability for breach depends upon who controls the data versus mere data processors

  Many data privacy laws pre-‐date cloud compuBng capability

®


  Some DomesBc ConsideraBons: •  Graham Leach Bliley Act -‐ Financial insBtuBons must have policies/

procedures in place to protect “non-‐public personal financial informaBon” from improper disclosure

•  HIPAA/HITECH Act – “Covered enBBes” required to noBfy affected persons of breach of unencrypted “personal health informaBon”

•  FTC Safeguards Rule – Financial insBtuBons required to have wriKen security plan regarding customer’s private informaBon

•  FTC Red Flags Rule – InsBtuBons holding credit accounts must have wriKen idenBty theQ program

•  Stored CommunicaBons Act -‐ protecBon from disclosure for emails and other private data that are in such electronic storage

®


  Some InternaBonal ConsideraBons •  EU Data ProtecBon DirecBve 95/46/EC – no transfer of data to

countries OUTSIDE the EU unless they offer an “adequate level of protecBon” OR where excep-ons apply...like the U.S. Safe Harbor List

•  U.S. Department of Commerce negoBated a safe harbor framework with the European Commission to “bridge” differences in privacy protecBon with EU member states

•  CerBfying to the “safe harbor” will assure that EU organizaBons know that your company provides "adequate" privacy protecBon

®


  MUST understand the CSP operaBonal model to facilitate compliance with applicable privacy and security laws/regulaBons (especially interna-onally stored data)

  REVIEW CSP privacy policy AND security procedures for conBnuity with exisBng company procedures & guidelines (i.e. audit/reporBng requirements, security breach noBficaBons)

  IDENTIFY and SPECIFY data security controls at the soQware level (i.e. encrypBon, firewalls), as well as physical security

®

The Legal ConsideraBons in Cloud CompuBng: Contractual ConsideraBons

  Different contractual consideraBons from outsourcing model •  LocaBon of service/data NOT fixed, but distributed

•  CSP owns the technology, NOT the user/company •  Contracts normally NOT negoBable

  Risk allocaBon far more difficult to address •  No tradiBonal soQware “license” – is an access model

•  LiKle to no indemnity/infringement protecBon from CSP •  LimitaBon of liability may not cover anBcipated risk

®


Don’t think third parBes are “looking”? THINK AGAIN…

“Just as a sender of a leKer to a business colleague cannot be surprised that the recipient’s assistant opens the leKer, people who use web-‐based email today cannot be surprised if their communica9ons are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legi9mate expecta9on of privacy in informa9on he voluntarily turns over to third par9es.” Smith v. Maryland, 442 U.S. 735, 743-‐44 (1979).” (emphasis added)

Google MoBon to Dismiss, In re Google Gmail Li-ga-on, Case No. 5:13-‐md-‐02430-‐LHK (N.D. Ca.)

®


  JurisdicBon •  Governing law/Venue always favors the CSP

  LimitaBons of Liability •  Usually no liability for damages whatsoever (data

deleBon, corrupBon, failure to access, etc.)

  Limited to No Warranty •  “AS-‐IS” or “as available”

•  No warranty that service uninterrupted/error-‐free – limited to SLA, which may be inadequate

®


  TerminaBon •  CSPs usually reserve right to terminate unilaterally •  Data portability in event of terminaBon? Avoid “lock-‐in”

•  What is CSP goes bankrupt?

  Service Level Agreement (“SLA”) •  Usually rely upon service credits in event of specified

period of downBme, BUT credits mean liKle when the service is down!

  AudiBng/compliance?

®


Google Apps Examples: “Representa,ons. …Google warrants that it will provide the Services in accordance with the applicable SLA.” “Disclaimers. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. GOOGLE MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICE. THE SERVICE IS NEITHER DESIGNED NOR INTENDED FOR HIGH RISK ACTIVITIES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY SWITCHED TELEPHONE NETWORKS.

®


Google Apps Examples: “Limita,on on Indirect Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.” “Limita,on on Amount of Liability. NEITHER PARTY MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE AMOUNT PAID BY CUSTOMER TO GOOGLE DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY. “Governing Law. This Agreement is governed by California law, excluding that state’s choice of law rules. FOR ANY DISPUTE RELATING TO THIS AGREEMENT, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA. “

®


  MUST take CSP operaBonal model into consideraBon to address specific points of impact and allocate risk – KNOW the 3P providers

  REVIEW service levels/credits with a wary eye – may NOT be enough to cover for impact of downBme on business

  MUST address data export capabiliBes and ensure compaBbility with business conBnuity and DR plan

  NEGOTIATE…NEGOTIATE…NEGOTIATE!

®

Weather Brewing on the Horizon: Intellectual Property

 Intellectual property rights and the “cloud” more difficult to address:

•  No tradiBonal license model

•  “Legacy” systems/soQware – connecBvity to the “cloud” may not be consistent with exisBng licenses

•  Possible fixaBon issues due to distributed architecture  Evolving technology means the law is desperately trying to catch-‐up

 Trade secrets issues – inconsistent with cloud model?

®


 Copyright •  Remote storage DVR system held not to be a violaBon of U.S. copyright law (See Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2nd Cir. 2008), cert. den’d 129 S.Ct. 2890 (2009))

•  Aereo (retransmission of over-‐the-‐air broadcasts to mobile devices)

•  Digital Entertainment Content Ecosystem (DECE) – a.k.a. “Ultraviolet” -‐ purchase content once, then view in many formats and on many devices from cloud-‐based account

®


Trade Secrets – protecBons may be more limited!

Trade secret informaBon stored in the cloud may be subject to loopholes that permit unauthorized third-‐party disclosure. See Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F.Supp.2d 817 (E.D. Mich. 2000) (holding that the Stored CommunicaBons Act only prohibits the disclosure of stored communicaBons where the disclosing party provides an “electronic communicaBon service”, and a person who does not provide such a service "can disclose or use with impunity the contents of an electronic communicaBon unlawfully obtained from storage." (citaBon omiKed)).

®


 MUST determine how IP “creators” in organizaBon would be using CSP services and where stored

  REVIEW any legacy system Be-‐in to cloud for license compliance

  RETHINK placing trade secret informaBon within the cloud – law is evolving here

®

Weather Brewing on the Horizon: e-‐Discovery & LiBgaBon

 Discovery of electronically stored informaBon (“ESI”) drama-cally more difficult in the cloud •  Data preservaBon/integrity hard to manage

•  Data may be housed in mul-ple countries •  CSPs may use 3P providers

  JurisdicBonal issues •  Enforceability – mulBple countries vs. governing law

•  Country where data is resident in computer facility – governmental access?

®


  PreservaBon is KEY •  Unlike outsourced soluBons, users may not know what infrastructure they are using or the physical locaBon of data

•  CSP may be able to retrieve the data, but NOT know where your data is for the purpose of a liBgaBon hold

•  CSP may use third-‐party service providers for elements of services provided to the user, exacerbaBng the issue

  Courts may NOT disBnguish servers in the “cloud” from ones in direct possession

®


  SpoliaBon •  Cloud infrastructure increases spoliaBon risk •  Where CSPs use 3P providers – greater danger

  Data Integrity •  Data at rest – MUST be free from corrupBon

•  How to ensure NO CHANGE to data upon hold?

  Standard CSP agreements do NOT account for possibility of ESI preservaBon by default

®


 MUST account for specific CSP model and viability of the CSP regarding ability to comply with e-‐discovery and liBgaBon holds

 DEMAND accountability for handling of ESI •  General “cooperaBon” clause •  Acknowledge compliance with liBgaBon holds

 STRONGLY CONSIDER a separate agreement

®

Weather Brewing on the Horizon: Ethical ConsideraBons for Lawyers

 Law firm use of CSPs for their IT needs growing

 ConsideraBons are more delicate for law firms due to client confidenBality obligaBons, privilege, etc.

 BoKom line: it is available, but is it ethical?

®


 Answer: IT DEPENDS  17 states so far: Use of CSPs for storage of client files so long

as a reasonable standard of care is exercised, BUT differences:  Alabama, Arizona, California, ConnecBcut, Florida, Iowa, Maine,

MassachuseKs, New Hampshire, New Jersey, Nevada, New York, North Carolina, Oregon, Pennsylvania, Vermont & Virginia

 BoKom Line:  Use DILIGENCE and COMPETENCE exercising reasonable care  MUST have a BASIC understanding of the technologies used

 Have an OBLIGATION to remain current on the technologies

®


 What is considered a “reasonable standard of care”? •  MUST be knowledgeable about CSP handling of data

•  MUST contract with CSP to preserve confidenBality/security of data

 Transposing the “reasonableness” standard from “brick & mortar” to the “cloud” not as easy as you may think: •  Security – client confidenBality requires strong contractual protecBons •  Backups – MUST think about IaaS infrastructure

•  Data access – SLA service credit should NOT be sole remedy

•  Portability – Transfer of data in event of terminaBon crucial

•  Bankruptcy of CSP – how to account for possibility?

®


 USE COMMON SENSE •  Understand how the CSP will handle the data •  Don’t be afraid to ask quesBons – arguably have a duty TO ask them!

•  Security should cover both soQware capabiliBes AND physical faciliBes

 BoKom Line: LET’S BE CAREFUL OUT THERE!…

®

“Partly Sunny with a Chance of Rain”: Forecasting the Legal Issues in Cloud Computing

Email: [email protected]

LinkedIn: hKp://www.linkedin.com/in/tkulik TwiKer: @LegaIntangibls

Google+: hKp://gplus.to/TomKulik

Blog: hKp://www.legalintangibles.com

®

Q & A