Partly Sunny with a Chance of Rain II: Forecasting the Legal Issues in Cloud Computing
Posted on 18-Oct-2014
DESCRIPTION
Driven by ever-increasing costs for computer infrastructure and the resources necessary to manage it, law firms and their clients have begun using hosted services and solutions available through the Internet for their required IT needs. Commonly referred to as “cloud computing,” these service models provide infrastructure, software or platforms via the Internet, rather than through more traditional on-site hardware and software installation and support. Technological developments have spurred somewhat of a “perfect storm” for the growth of cloud service providers, but clients and lawyers weighing this option must address the evolving legal risks inherent in this model, and may need to consider taking an umbrella before stepping “outside.”
TRANSCRIPT
“Partly Sunny with a Chance of Rain II”: Forecasting the Legal Issues in Cloud Computing
by:
Thomas A. Kulik Chairman, Dallas Bar Association Computer Law Section
Partner, Scheef & Stone, L.L.P.
Dallas Bar Association – Computer Law Section October 28, 2013
About the Presenter
Tom Kulik is a Partner in Scheef & Stone, L.L.P. out of its headquarters in Dallas, Texas, as well as Chairman of the Dallas Bar Association Computer Law Section. With a deep understanding of how intellectual property assets influence business, he leverages 20 years of law practice with prior industry experience, strategically counseling clients on matters involving the evaluation, acquisition, development and protection of intellectual property rights, with an emphasis on creatively leveraging such assets both domestically and internationally.
Prior to matriculation in law school, he was an award-winning systems engineer for 3Com Corporation, where he was responsible for local and wide-area network architecture and design supporting both Fortune 500 and start-up companies in the computer services, financial and pharmaceutical industries.
Leveraging this industry experience, his practice focuses on intellectual property transactions, particularly within the context of computer software, emerging Internet technologies and e-commerce, and includes an extensive trademark preparation and prosecution practice and attendant intellectual property litigation.
What is the “Cloud”?...
…and What is “Cloud Computing”?
“IaaS”
“PaaS”
“SaaS”
“Cloud Computing” – A Hazy Phrase for a Foggy (Evolving) Concept
“As a metaphor for the Internet, "the cloud" is a familiar cliché, but when combined with "computing," the meaning gets bigger and fuzzier…[but essentially] encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extends IT's existing capabilities.”
What Cloud Computing Really Means, Eric Knorr & Galen Gruman, InfoWorld, 2009
“Cloud Computing” Definition – The National Institute of Standards and Technology
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
The NIST Definition of Cloud Computing, Peter Mell and Tim Grance, Version 15, October 7, 2009
“Cloud Computing” – Essential Characteristics
• On-demand self-service – unilateral and automatic provisioning of a user’s computing needs
• Broad network access – services available through the network to cellphones, PDAs, laptops, iPads, etc.
• Resource pooling – dynamic assignment of physical and virtual computing resources
• Rapid elasticity – quick scale-out/scale-in – seamless and seemingly unlimited to the user
• Measured service – automatic control to optimize management of resources (storage, processing, bandwidth, accounts)
“Cloud Computing” – Service Models
Software-as-a-Service (“SaaS”)
• External software hosting in a cloud infrastructure
Platform-as-a-Service (“PaaS”)
• Think “SaaS-plus” – computing platform and “solution stack” for building and running custom applications by the user
Infrastructure-as-a-Service (“IaaS”)
• Data processing, storage, network and other fundamental computing resources in cloud infrastructure
Examples of Cloud Services from Cloud Service Providers (“CSPs”)
Infrastructure-as-a-Service (“IaaS”)
• Amazon Elastic Compute Cloud (EC2), Amazon S3, Rackspace
Software-as-a-Service (“SaaS”)
• Apple iCloud, Google Apps, Facebook Applications
Platform-as-a-Service (“PaaS”)
• Salesforce AppExchange, Google AppExchange
“Cloud Computing” – Deployment Models
Private Cloud – Used solely by/operated solely for the organization
Community Cloud – Used by/operated for multiple organizations tied to a “specific community” with “shared concerns”
Public Cloud – Owned by CSP providing cloud services to the public
Hybrid Cloud – Composition of 2 or more distinct clouds “bound together by standardized or proprietary technology that enables data and application portability”
“Cloud Computing” – Definition in a Nutshell
A fully-scalable service for processing and storing data using third-party shared resources, software and information accessible over a network (i.e. the Internet), and provided to computers and other devices on-demand:
• Usually subscription-based
• May be pay-per-use
• Even free!
Why the Cloud Model? A “Perfect Storm”
• Economics - IT capital cost pressures pushing for better ROI
• More for Less - Technological innovation is permitting:
» Better communications bandwidth availability
» Improved microprocessor/bus speeds
» Increased storage capabilities
• “Virtualization” – easier for CSPs to maximize infrastructure for the services provided and offload much IT management
The Legal Considerations in Cloud Computing: More Than A Drizzle…
• Security & Privacy
• Contractual Considerations
• Intellectual Property
• E-Discovery & Litigation
• Ethical Considerations for Lawyers
The Legal Considerations in Cloud Computing: Security & Privacy
Data in the “Cloud” harder to protect
• Is a “multi-tenant” architecture – data stored on a virtual server that shares same physical server with other virtual servers
• Security dependent upon configuration of the virtual servers and API vulnerabilities
• Geographic distribution concerns – the “cloud” knows no boundaries
Breach harder to detect & manage
• CSP may use third-party providers for elements of the service
• Audit trail across multiple platforms not necessarily integrated
• Geographic distribution concerns remain
The Legal Considerations in Cloud Computing: Security & Privacy
Think that 3rd parties are not looking for YOUR data?
THINK AGAIN…
The Legal Considerations in Cloud Computing: Security & Privacy
Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (2010)
• Company policy claiming it owned all information on its computers NOT enough to permit retention of attorney-client privileged emails
• N.J. Appellate Division reversed Superior Court’s order; ordered employer and its counsel to turn over ALL email communications between plaintiff and her counsel AND delete same from hard drives
• Ordered hearing on sanctions
Point: attorney-client privilege “substantially outweigh[s]” employer’s enforcement of its own policies
The Legal Considerations in Cloud Computing: Security & Privacy
City of Ontario v. Quon, 130 S.Ct. 2619 (2010) – 9-0 decision holding City did NOT violate police employees’ 4th Amendment rights by searching text messages on city-owned pagers
• SCOTUS rev’d 9th Circuit; found search to be “reasonable” because motivated by legitimate work-related purpose & not excessive in scope
• Rejected 9th Circuit’s “least intrusive” means approach (i.e. use less intrusive methods to determine proper use of pagers)
• BUT…did not address employee privacy expectations when using employer computers
The Legal Considerations in Cloud Computing: Security & Privacy
Compliance with privacy and security laws and regulations no longer a domestic matter
• Trans-border flow of private information may trigger obligations
• U.S. laws far LESS restrictive than other countries (particularly the European Union)
• Liability for breach depends upon who controls the data versus mere data processors
• Many data privacy laws pre-date cloud computing capability
The Legal Considerations in Cloud Computing: Security & Privacy
Some Domestic Considerations:
• Gramm-Leach-Bliley Act - Financial institutions must have policies/procedures in place to protect “non-public personal financial information” from improper disclosure
• HIPAA/HITECH Act – “Covered entities” required to notify affected persons of breach of unencrypted “personal health information”
• FTC Safeguards Rule – Financial institutions required to have written security plan regarding customer’s private information
• FTC Red Flags Rule – Institutions holding credit accounts must have written identity theft program
• Stored Communications Act - protection from disclosure for emails and other private data that are in such electronic storage
The Legal Considerations in Cloud Computing: Security & Privacy
Some International Considerations
• EU Data Protection Directive 95/46/EC – no transfer of data to countries OUTSIDE the EU unless they offer an “adequate level of protection” OR where exceptions apply...like the U.S. Safe Harbor List
• U.S. Department of Commerce negotiated a safe harbor framework with the European Commission to “bridge” differences in privacy protection with EU member states
• Certifying to the “safe harbor” will assure that EU organizations know that your company provides "adequate" privacy protection
The Legal Considerations in Cloud Computing: Security & Privacy
MUST understand the CSP operational model to facilitate compliance with applicable privacy and security laws/regulations (especially internationally stored data)
REVIEW CSP privacy policy AND security procedures for continuity with existing company procedures & guidelines (i.e. audit/reporting requirements, security breach notifications)
IDENTIFY and SPECIFY data security controls at the software level (i.e. encryption, firewalls), as well as physical security
The Legal Considerations in Cloud Computing: Contractual Considerations
Different contractual considerations from outsourcing model
• Location of service/data NOT fixed, but distributed
• CSP owns the technology, NOT the user/company
• Contracts normally NOT negotiable
Risk allocation far more difficult to address
• No traditional software “license” – is an access model
• Little to no indemnity/infringement protection from CSP
• Limitation of liability may not cover anticipated risk
The Legal Considerations in Cloud Computing: Contractual Considerations
Don’t think third parties are “looking”? THINK AGAIN…
“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979).” (emphasis added)
Google Motion to Dismiss, In re Google Gmail Litigation, Case No. 5:13-md-02430-LHK (N.D. Ca.)
The Legal Considerations in Cloud Computing: Contractual Considerations
Jurisdiction
• Governing law/Venue always favors the CSP
Limitations of Liability
• Usually no liability for damages whatsoever (data deletion, corruption, failure to access, etc.)
Limited to No Warranty
• “AS-IS” or “as available”
• No warranty that service uninterrupted/error-free – limited to SLA, which may be inadequate
The Legal Considerations in Cloud Computing: Contractual Considerations
Termination
• CSPs usually reserve right to terminate unilaterally
• Data portability in event of termination? Avoid “lock-in”
• What if the CSP goes bankrupt?
Service Level Agreement (“SLA”)
• Usually rely upon service credits in event of specified period of downtime, BUT credits mean little when the service is down!
• Auditing/compliance?
The Legal Considerations in Cloud Computing: Contractual Considerations
Google Apps Examples:
“Representations. …Google warrants that it will provide the Services in accordance with the applicable SLA.”
“Disclaimers. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. GOOGLE MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICE. THE SERVICE IS NEITHER DESIGNED NOR INTENDED FOR HIGH RISK ACTIVITIES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY SWITCHED TELEPHONE NETWORKS.”
The Legal Considerations in Cloud Computing: Contractual Considerations
Google Apps Examples:
“Limitation on Indirect Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.”
“Limitation on Amount of Liability. NEITHER PARTY MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE AMOUNT PAID BY CUSTOMER TO GOOGLE DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.”
“Governing Law. This Agreement is governed by California law, excluding that state’s choice of law rules. FOR ANY DISPUTE RELATING TO THIS AGREEMENT, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA.”
The Legal Considerations in Cloud Computing: Contractual Considerations
MUST take CSP operational model into consideration to address specific points of impact and allocate risk – KNOW the 3P providers
REVIEW service levels/credits with a wary eye – may NOT be enough to cover for impact of downtime on business
MUST address data export capabilities and ensure compatibility with business continuity and DR plan
NEGOTIATE…NEGOTIATE…NEGOTIATE!
Weather Brewing on the Horizon: Intellectual Property
Intellectual property rights and the “cloud” more difficult to address:
• No traditional license model
• “Legacy” systems/software – connectivity to the “cloud” may not be consistent with existing licenses
• Possible fixation issues due to distributed architecture
Evolving technology means the law is desperately trying to catch up
Trade secrets issues – inconsistent with cloud model?
Weather Brewing on the Horizon: Intellectual Property
Copyright
• Remote storage DVR system held not to be a violation of U.S. copyright law (See Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2nd Cir. 2008), cert. den’d 129 S.Ct. 2890 (2009))
• Aereo (retransmission of over-the-air broadcasts to mobile devices)
• Digital Entertainment Content Ecosystem (DECE) – a.k.a. “Ultraviolet” - purchase content once, then view in many formats and on many devices from cloud-based account
Weather Brewing on the Horizon: Intellectual Property
Trade Secrets – protections may be more limited!
Trade secret information stored in the cloud may be subject to loopholes that permit unauthorized third-party disclosure. See Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F.Supp.2d 817 (E.D. Mich. 2000) (holding that the Stored Communications Act only prohibits the disclosure of stored communications where the disclosing party provides an “electronic communication service”, and a person who does not provide such a service "can disclose or use with impunity the contents of an electronic communication unlawfully obtained from storage." (citation omitted)).
Weather Brewing on the Horizon: Intellectual Property
MUST determine how IP “creators” in organization would be using CSP services and where stored
REVIEW any legacy system tie-in to cloud for license compliance
RETHINK placing trade secret information within the cloud – law is evolving here
Weather Brewing on the Horizon: e-Discovery & Litigation
Discovery of electronically stored information (“ESI”) dramatically more difficult in the cloud
• Data preservation/integrity hard to manage
• Data may be housed in multiple countries
• CSPs may use 3P providers
Jurisdictional issues
• Enforceability – multiple countries vs. governing law
• Country where data is resident in computer facility – governmental access?
Weather Brewing on the Horizon: e-Discovery & Litigation
Preservation is KEY
• Unlike outsourced solutions, users may not know what infrastructure they are using or the physical location of data
• CSP may be able to retrieve the data, but NOT know where your data is for the purpose of a litigation hold
• CSP may use third-party service providers for elements of services provided to the user, exacerbating the issue
Courts may NOT distinguish servers in the “cloud” from ones in direct possession
Weather Brewing on the Horizon: e-Discovery & Litigation
Spoliation
• Cloud infrastructure increases spoliation risk
• Where CSPs use 3P providers – greater danger
Data Integrity
• Data at rest – MUST be free from corruption
• How to ensure NO CHANGE to data upon hold?
Standard CSP agreements do NOT account for possibility of ESI preservation by default
Weather Brewing on the Horizon: e-Discovery & Litigation
MUST account for specific CSP model and viability of the CSP regarding ability to comply with e-discovery and litigation holds
DEMAND accountability for handling of ESI
• General “cooperation” clause
• Acknowledge compliance with litigation holds
STRONGLY CONSIDER a separate agreement
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
Law firm use of CSPs for their IT needs growing
Considerations are more delicate for law firms due to client confidentiality obligations, privilege, etc.
Bottom line: it is available, but is it ethical?
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
Answer: IT DEPENDS
17 states so far: Use of CSPs for storage of client files so long as a reasonable standard of care is exercised, BUT differences: Alabama, Arizona, California, Connecticut, Florida, Iowa, Maine, Massachusetts, New Hampshire, New Jersey, Nevada, New York, North Carolina, Oregon, Pennsylvania, Vermont & Virginia
Bottom Line: Use DILIGENCE and COMPETENCE exercising reasonable care
• MUST have a BASIC understanding of the technologies used
• Have an OBLIGATION to remain current on the technologies
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
What is considered a “reasonable standard of care”?
• MUST be knowledgeable about CSP handling of data
• MUST contract with CSP to preserve confidentiality/security of data
Transposing the “reasonableness” standard from “brick & mortar” to the “cloud” not as easy as you may think:
• Security – client confidentiality requires strong contractual protections
• Backups – MUST think about IaaS infrastructure
• Data access – SLA service credit should NOT be sole remedy
• Portability – Transfer of data in event of termination crucial
• Bankruptcy of CSP – how to account for possibility?
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
USE COMMON SENSE
• Understand how the CSP will handle the data
• Don’t be afraid to ask questions – arguably have a duty TO ask them!
• Security should cover both software capabilities AND physical facilities
Bottom Line: LET’S BE CAREFUL OUT THERE!…
“Partly Sunny with a Chance of Rain”: Forecasting the Legal Issues in Cloud Computing
Email: [email protected]
LinkedIn: http://www.linkedin.com/in/tkulik
Twitter: @LegaIntangibls
Google+: http://gplus.to/TomKulik
Blog: http://www.legalintangibles.com
Q & A