Cloud Computing Legal Risks And Best Practices


Cloud Computing: Legal Risks and Best Practices 1. Security and Data Privacy. 2. Recent OPC Guidelines. 3. Compliance Issues. 4. Negotiating Contracts with Cloud Providers. 5. New Trends and Challenges. 6. Practical Tips

Text of Cloud Computing Legal Risks And Best Practices

  • 1. Cloud Computing: Legal Risks and Best Practices. A Bennett Jones Presentation. Toronto, Ontario. Lisa Abe-Oldenburg, Partner, Bennett Jones LLP. November 7, 2012

  • 2. Introduction
      - Security and Data Privacy
      - Recent OPC Guidelines
      - Compliance Issues
      - Negotiating Contracts with Cloud Providers
      - New Trends and Challenges
      - Practical Tips

  • 3. Security and Data Privacy
      - Access to and security of the data stored in the cloud.
      - When it comes to cloud computing, the security and privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so.
      - There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada).

  • 4. Security and Data Privacy
      - The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing or cross-border data transfer, even when the cloud service provider is in another country.
      - However, PIPEDA (and other privacy laws) establishes rules governing use of the cloud and data transfer, particularly with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.

  • 5. Security and Data Privacy
      - Cloud providers often serve multiple customers simultaneously. Many parties may have access to the data.
      - Risk of exposure to possible breaches, both accidental and deliberate.
      - Cloud computing may lead to "function creep": uses of data by cloud providers that were not anticipated when the information was originally collected and for which consent has typically not been obtained.
      - Given how inexpensive it is to keep data, there is little incentive to remove the information from the cloud and more reasons to find other things to do with it.

  • 6. Security and Data Privacy
      - Need security protocols maintained at every stage
      - Strict policies as well as enforcement measures need to be reviewed to ensure that the data is being kept confidential
      - A detailed audit assessment may be required of the security protocols before an organization signs up with the service
      - Tools such as Privacy Impact Assessments (PIA) or Threat Risk Assessments (TRA) could be valuable to help make assessments of safeguards
      - Use of external auditors to ensure the industry standards of security protocols are being met by the service provider

  • 7. Recent OPC Guidelines
      - Office of the Privacy Commissioner of Canada (OPC), along with the Privacy Commissioner of Alberta and BC, developed a Guidance Document for Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations
      - Organizations must ensure they fully understand their obligations under Canada's private sector privacy legislation, including those under certain provincial privacy legislation, and they need to carefully assess the risks against the benefits.
      - Organizations considering a cloud computing service should carefully consider what information will be stored in the cloud and why.

  • 8. Recent OPC Guidelines
      - Organizations must consider the sensitivity of the personal information and carefully assess all the risks and implications involved in outsourcing personal data to the cloud. This assessment should also take into account whether the cloud is a public cloud, community cloud, private cloud or hybrid cloud, as defined in the OPC's Introduction to Cloud Computing.
      - The sensitivity of the information, the type of cloud, and the contractual arrangements should all play a key role in an organization's decision to move, or not to move, personal information to the cloud.
      - The Guideline recommends seeking professional advice in assessing the risks of using a cloud service provider.

  • 9. Recent OPC Guidelines
    In order to ensure that personal information is protected, organizations using cloud computing services should:
      - Limit access to the information and restrict further uses by the provider.
          - Set parameters for restricted access and use of personal information that is appropriate for the context and sensitivity of the information.
          - Find out if personal information will be segregated or stored in the same database as information from the cloud provider's other clients.
          - Ensure access to personal information is only granted to those who need it to do their job.
          - Ensure that access to personal information is logged in protected audit trails.
          - Do not assume that the provider's general terms of service or policies will be adequate to establish such restrictions; review them carefully.

  • 10. Recent OPC Guidelines
      - Ensure that the provider has in place appropriate authentication/access controls.
          - Stronger methods of authentication are recommended, such as multi-factor authentication.
          - The level of authentication should be commensurate with the risk to the personal information being protected.
          - Ensure there are procedures and technical controls to manage who has access rights to the personal information.
      - Manage encryption.
          - Understand what type of encryption method is being used and identify where data is encrypted or unencrypted at each stage (e.g., data in transit, data at rest).
          - Conduct an assessment of the risks associated with any lack of encryption.
          - Determine if the encryption method is adequate and the access to encryption keys is properly managed.
          - Risks may be reduced if organizations encrypt personal information before it is sent to the cloud provider.

  • 11. Recent OPC Guidelines
      - Ensure that there are procedures in place in the event of a personal information breach or security incident.
          - These should include technical and organizational measures that will be implemented in the event of accidental or deliberate loss, or unauthorized access or disclosure of personal information.
          - Ensure there are provisions in the agreement with the cloud provider that specify when it will provide notification to the organization in the event of a security breach.
          - Organizations subject to breach notification requirements will want to ensure the contract is clear about when the cloud provider is to provide reports on breaches in order for it to meet its legal obligations.
      - Ensure that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss.
          - Business continuity plans should be clearly documented in the contract.

  • 12. Recent OPC Guidelines
      - Ensure periodic audits are performed.
          - It is important for an organization to have some measure of oversight over a cloud provider's policies and practices.
          - Ensure the cloud provider logs all accesses and uses of personal information.
          - Audits should be conducted periodically to inspect access logs and confirm that physical locations where personal information is processed and stored are inspected.
          - Organizations should verify practices and procedures to ensure the provider is handling personal information in accordance with the agreements in place and request evidence of effective auditing and timely response to security incidents.
      - Have an exit strategy.
          - Ensure the termination procedures permit the transfer of personal information back to the organization and require that the cloud provider securely delete all personal information within reasonable and specified timeframes.

  • 13. Compliance Issues
      - Statutes, regulations and guidelines that apply to a particular industry sector in a particular jurisdiction may require specific compliance, such as service level terms, data recovery terms, data security regimes, audit provisions and processes for retaining and selecting any third party service provider.
      - The organization transferring data to the cloud provider is ultimately accountable for its protection. It needs to ensure that the data is appropriately handled in compliance with any regulatory requirements.

  • 14. Compliance Issues
      - Cloud service provider may not have standards, controls or notification process that meet OSFI, PIPEDA or other statutory or regulatory requirements
      - In Alberta for example, there are specific breach notification requirements and requirements to notify individuals when personal information is transferred to a service provider located outside of Canada.

  • 15. Compliance Issues
      - International issues: cross-border data transfer, compliance with foreign jurisdiction laws, export controls
      - It is important to note that many non-Canadian based cloud providers may also be subject to PIPEDA. To the extent that a cloud provider has a real and substantial connection to Canada, and collects, uses or discloses personal information in the course of a commercial activity, the provider is expected to protect personal information, in keeping with PIPEDA.

  • 16. Compliance Issues
      - For more information on outsourcing of personal data processing across borders, please see Privacy Commissioner's Guidelines for Processing Personal Data Across Borders. These considerations apply whether moving data in the cloud or otherwise.

  • 17. Negotiating Contracts with Cloud Providers
      - Unlike outsourcing, many more parties are involved in a cloud based service model:
          - a platform provider
          - a provider of servers
          - the data centre provider
          - data centre operator(s)
          - OS provider
          - applications software providers
          - a reseller, distributor or broker
          - Disaster Recovery or Business Continuity Provider
      - As a result it is a complex contracting environment
      - No contractual privity between the customer and many of the parties involved in the cloud services

  • 18. Negotiating Contracts with Cloud Providers
      - Typical contract structures that may be encountered in a cloud service arrangement are:
          - Terms of Service
          - Service Level Agreement
          - Acceptable Use Policies
          - Privacy Policies
      - Important points need to be negotiated before contract is