securing apps and data in the cloud - july 23 2014 toronto board of trade


Page 1: Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade

Securing Apps and Data in the Cloud
Presented By: Lisa Abe-Oldenburg

Toronto Board of Trade

July 23, 2014

Page 2

Introduction

• Overview of Cloud Computing
• Issues and Risks
• Risk Mitigation Strategies
• Responding to Data Breaches
• Organizational Data and App Practices
• Summary of Best Practices and Tips

Page 3

Overview of Cloud Computing

• "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models." - National Institute of Standards and Technology (NIST) v. 15

• Rearden LLC v. Rearden Commerce, Inc., 597 F.Supp. 2d 1006 (N.D. Cal. Jan. 27, 2009) – “Cloud Computing” defined as a software as a service platform for the online delivery of products and services

• “Surge computing” analogous to electricity providers, where players intra cloud (or in cloud stacks) or inter-cloud, are essentially trading processing and storage capacity. Data, software and servers are able to be moved instantaneously to available computation resources

Page 4

Cloud Computing Essential Characteristics

• On-demand self-service. A consumer can unilaterally provision computing capabilities, such as applications, server time and network storage, as needed automatically without requiring human interaction with each service’s provider.

• Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

• Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Page 5

Cloud Computing Essential Characteristics

• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

Page 6

Cloud Computing Essential Characteristics

• Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.

Page 7

Cloud Computing Benefits

• Opportunity to purchase a broad range of IT services in a utility-based model

• Refocus efforts on IT operational expenditures and only pay for IT services consumed instead of buying IT with a focus on capacity

• Storage, provisioning and management of apps, data and other personal information in a cloud computing model or SaaS model, can help companies increase operational efficiencies, resource utilization, and innovation, delivering a higher return on our investments to stakeholders

• Simpler issuance of cloud based apps
• Consumer device capabilities: Ubiquitous – only requires a data connection

Page 8

Deployment Models

• Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

• Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

• Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

• Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Page 9

Cloud Delivery/Service Models

• Software as a Service (SaaS)
  • cloud provider supplies the software
  • user can set limited configuration of the software
• Platform as a Service (PaaS)
  • cloud provider supplies the programming language and tools
  • user selects and controls applications and hosting environments
• Infrastructure as a Service (IaaS)
  • cloud provider manages and controls underlying cloud infrastructure
  • user selects and configures operating systems, storage, applications, networking components (e.g. firewalls, load balancers)
• Cloud service integrators bundle multiple services into a single offering, to appear as a seamless consolidated application
  • E.g. customer relationship and reservations system, e-signature/e-commerce app, payment processing, billing platform, etc.

Page 10

Cloud Delivery/Service Models

[Diagram: "Cloud Stack". Layers from top to bottom: Data / Content; Software Application; Platform; Computing Infrastructure (processing, storage, networks); Cloud Infrastructure. Users are shown connecting to the cloud.]

Page 11

Issues and Risks in Cloud Computing

• Regulatory and Document/Data Retention Risk
  • How will the cloud provider meet your organization's regulatory compliance requirements?
  • Access and retrieval of software and data for the purposes of audit, compliance, litigation/eDiscovery, correction, deletion, end of service/termination, breach/failure, disaster or insolvency of cloud provider
  • Risk of insufficient backups, disaster recovery and business continuity plans – often obligations and costs are pushed onto customer (i.e. your company)
  • Watch out for freezing of accounts and no access to data upon termination or breach – data could be deleted (hijacked until fees paid or dispute resolved)

Page 12

Issues and Risks (cont.)

• Operational, compliance and legal risk
  • IT dept loses control
  • Where is the Cloud and which laws apply?
  • Where are the data and apps? Cloud is flexible and data (and software) can move easily across borders if the network is big enough - moved around to where storage or processing is more cost effective, efficient or available
  • Your organization could be unwillingly subjecting itself to the laws of a foreign jurisdiction
  • Contracts or services in foreign jurisdictions could have conflicts with local laws, storage, handling of disputes, export controls, etc.

Page 13

Issues and Risks (cont.)

• Operational, compliance and legal risk (cont.)

• CASL applies to not just electronic communications, but also transmission data and software

• CASL currently prohibits the alteration of transmission data in an electronic message in the course of a commercial activity, without express consent, so that the message is delivered to a destination other than, or in addition to, that specified by the sender

Page 14

Issues and Risks (cont.)

• Operational, compliance and legal risk (cont.)

• CASL will also prohibit the installation of a computer program on any other person’s computer system, in the course of commercial activity without express consent. To aid, induce, procure or cause to be procured any of the foregoing activities is also prohibited.

• These software prohibitions will apply effective January 15, 2015 to any computer system or person (whether contravening or directing) located in Canada at the relevant time.

Page 15

Issues and Risks (cont.)

• Business Operations, Liability and Reputational Risks

• Risk of asset/data loss, security and privacy breaches, inability to retrieve or use data, failure to properly retain records

• No common cloud standards; PCI DSS, EMV and ISO standards may provide some security, reliability and interoperability

• Aggregation of vast amounts of personal information is possible especially when using mobile technologies

• Clouds are a target for criminals – lots of information

Page 16

Issues and Risks (cont.)

• IP ownership and infringement risk
  • Loss of ownership and control over software and data - how being used and by whom?
  • Ownership complications if cloud used for any development – need to examine applicable jurisdiction's copyright law and cloud service agreement

• Software or systems being migrated to the cloud could also give rise to copyright infringement or breach of 3rd party licenses - creation of virtual servers or applications could be making a “copy” and require additional license rights and payment of fees to licensors/owners

Page 17

Issues and Risks (cont.)

• Legal Contract and Liability risk

• Limits on provider's liability may be too low - disclaimers, exclusions, short limitation periods; risk of liability shifts to your organization

• What is your recourse if provider is in breach? If there is a service interruption/outage, errors, damages, loss, data disclosure?

• Cloud providers often will not give indemnities and will ask for broad indemnities from the customer – must renegotiate!

• Watch out for terms that could be unilaterally amended by service provider, deemed accepted by use, or cross-referenced in other documents or hyperlinks – you need to know in advance what your organization is agreeing to

Page 18

Risk Mitigation Strategies

• Compliance vs. Security
• Assess compliance requirements under applicable laws and regulations
• Preparation is key to prevention of data loss or breach
• Establish baselines for security, confidentiality, data integrity, access and retention
• Keep core business and data in-house or encrypted – establish policies
• Incorporate e-discovery tools and information management processes
• Consult with all stakeholders and legal counsel
• Analysis of data collection, storage, use, disclosure, transfer
• Transparency of equipment, premises, personnel, processes
• Internal governance, employee policies for BYOC and training
• Plan for transitioning (e.g. end of term, sale of business, subcontracting, affiliates) & knowledge transfer by employees

Page 19

Risk Mitigation Strategies (cont.)

• Legal review of Contracts – existing and new
• Negotiate limitations on liability and disclaimers, warranties and indemnities, parental/prime contractor guarantees, hold-backs, alternative dispute resolution, performance bonds, insurance and other contract terms
• Must deal with changes to laws and regulations, technology and risk over time
• Need reporting, breach notification and assistance, monitoring, management oversight, audit rights, control, record keeping and data return, change process, confidentiality and privacy terms, security and encryption schemes, testing, data segregation, export controls, maintenance, disaster and continuity/recovery planning, data backup, early termination, etc.
• Have clear service & security level requirements that align with your organizational requirements – scope and remedies?
• Thresholds of risk tolerance will affect negotiations
• What is the harm that could occur as a result of breach and which party is best able to mitigate risk? Cost? Should indirect damages be allowed? Are caps on liability enough?
• Don’t sign a standard form contract!

Page 20

Responding to Data Breaches

• What are your legal obligations if there is a data breach?
• Note, this presentation only covers data breaches in the private sector and not breaches with respect to public sector, health or employee information.

• Under federal private sector privacy law, PIPEDA, breach notification is currently voluntary - to notify individuals of breaches involving their personal information, or to notify the OPC

Page 21

Responding to Data Breaches (cont.)

• The Canadian Data Breach Guidelines drafted in 2007 in consultation with commissioners' offices, advocacy groups and representatives from industry, encourage organizations to:
  • Contain the breach and conduct a preliminary assessment of what occurred;
  • Evaluate the risks associated with the breach;
  • Notify the parties affected by the breach;
  • Take adequate steps to ensure that such an incident does not recur in the future.

Page 22

Responding to Data Breaches (cont.)

• The OPC encourages organizations to notify the office or appropriate provincial privacy commissioners of “material” breaches of security safeguards that involve personal information—determining whether a breach is “material” involves, among other considerations, assessing the sensitivity of personal information and the number of individuals affected.

• PIPEDA does include requirements around adequately safeguarding personal information through the use of physical, technological and organizational measures.

• Absence of “appropriate” controls resulting in breaches currently does not trigger any regulatory consequences, such as fines or penalties.

Page 23

Responding to Data Breaches (cont.)

• Proposed amendments to Canada's federal privacy legislation (PIPEDA) under Bill S-4 (introduced in the Senate April 8, 2014) will require businesses and organizations to track data breaches and report them to individuals and the OPC if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm, e.g. identity theft

• The Bill sets out factors to assess risk, requirements for the content and timing of the notification and record keeping requirements of all breaches

• May also be obligation to report to other organizations or government if risk could be reduced

• Non-compliance would be punishable by fines of up to $100,000

Page 24

Responding to Data Breaches (cont.)

• The Bill also gives new powers to the privacy commissioner to:
  • negotiate voluntary but binding compliance agreements with organizations that commit to taking action on privacy violations;
  • ask the Federal Court of Canada to order compliance or award damages to someone harmed by a privacy violation up to a year after an investigation; and
  • release information about non-compliant organizations if it is in the public interest.

Page 25

Responding to Data Breaches (cont.)

• Alberta is the only province which has enacted amendments to its private sector Personal Information Protection Act (PIPA) to address incidents involving the “loss of or unauthorized access to or disclosure of the personal information.”

• Note that the recent SCC decision (Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62) struck down Alberta's PIPA in its entirety as unconstitutional. This declaration of invalidity has been stayed for 12 months in order to provide enough time for legislators to decide how to make this act constitutional – amendments planned for this fall

• Other provinces, e.g. Ontario, New Brunswick and Newfoundland and Labrador, only require breach notification with respect to personal health information.

Page 26

Responding to Data Breaches (cont.)

• Alberta PIPA requires notice to the province’s Privacy Commissioner of loss of, or unauthorized access to, personal information under the organizations' control - only if a reasonable person would consider that there exists a real risk of significant harm to an individual. Commissioner decides whether individuals should be notified.

Page 27

Responding to Data Breaches (cont.)

• “real risk of harm” must be more than merely speculative and not simply hypothetical or theoretical. A breach relating to highly sensitive personal information, such as financial information, is more likely to meet this standard and require reporting.

• The commissioner has interpreted “significant harm” to mean “a material harm...[having] non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”

Page 28

Responding to Data Breaches (cont.)

• Manitoba's Personal Information Protection and Identity Theft Prevention Act (PIPITPA) – private sector law not yet in force

• PIPITPA will generally require breach notification to an individual directly if personal information is lost, accessed or disclosed without authorization – no harm threshold

• In Québec, the Commission d'accès à l'information du Québec ("CAI") in its 2011 Quinquennial Report entitled "Technology and Privacy, in a Time of Societal Choices" recommends to include, in both its public sector and private sector data protection laws, mandatory security breach reporting.

Page 29

Responding to Data Breaches (cont.)

• PIPITPA will also create a private right of action for an individual to sue an organization for damages arising from its failure to:
  • protect personal information that is in its custody or control; or
  • provide reasonable notice if the organization was not satisfied that the lost, stolen or accessed information would be used lawfully.

• Jurisdictions outside Canada may have extraterritorial implications, e.g. California has its own breach notification law

Page 30

Organizational Data and App Practices

• Designate privacy and technology officers to ensure compliance under Canadian and foreign laws
• Consult with the regulators when in doubt about systems and privacy policies
• Have a data breach protocol plan in place - how to notify, who, and when? E.g. the regulators, individuals, ASAP
• Limit access to electronic records to a need-to-know basis and password protect; control dissemination of apps
• Draft and keep records of proper consents prior to collecting, using or disclosing any personal information or providing apps

Page 31

Organizational Data and App Practices (cont.)

• Identify purposes for the collection, use and disclosure, and limit collection, use and disclosure to those purposes, which must be reasonable

• Develop, implement and review privacy and security policies, CASL policy (see new CRTC Bulletin 2014-326), technology policy, including procurement, software, BYOD and services policies

• Train employees and get acknowledgments
• Protect personal information and data from theft, modification, and unauthorized access

Page 32

Organizational Data and App Practices (cont.)

• Keep personal information only for as long as reasonable to carry out the business or legal purpose or as required by law and destroy or anonymize records once no longer needed

• Develop a procedure for information requests/access, correction and deletion

• Review and revise all contracts with third parties to ensure obligations flow through

• “Stress test” data and app operations - privacy and data policies can be a marketing opportunity

• After a data breach occurs, comply with data breach guidelines and notification requirements

• Offer credit monitoring to clients

Page 33

Summary of Best Practices and Tips

• The legal implications of cloud computing, privacy, security, confidentiality and data breaches involve many complex issues

• Insist on provider transparency: participants/subcontractors, jurisdictions, data flow and processing, type of cloud and who has access

• Engage all organizational teams that may have input to the cloud relationship, e.g. operational, procurement, contracts negotiation, privacy, employment (HR), compliance, audit, insurance, IT, security, risk, Board of Directors

• Directors' liability for breach of their duties in risk management and oversight

• Have proper testing, plans and policies in place
• Get early involvement of experienced legal counsel

Page 34

Lisa K. Abe-Oldenburg, B.Comm., J.D.

[email protected]

Tel.: 416-777-7475

www.bennettjones.com

• This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.