Transcript
Page 1: Cloud Computing Webinar: Legal & Regulatory Update for 2012

© 2012 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP

Cloud Computing Webinar: Legal & Regulatory Update for 2012

15 November 2012

Richard Graham, Partner, Edwards Wildman Palmer LLP, London

+44 (0) 20.7556.4418

Michael Bennett, Partner, Edwards Wildman Palmer LLP, Chicago

+1 312.201.2679

Mark Schreiber, Partner, Edwards Wildman Palmer LLP, Boston

+1 617.239.0585

Page 2: Cloud Computing Webinar: Legal & Regulatory Update for 2012

♦ Introduction: The Cloud
♦ Key Developments in 2012:
   Development 1: Demystification of the Cloud
   Development 2: The Evolving Cloud
   Development 3: Regulatory Change
♦ Cloud Mitigation Strategies

Customer Drivers

Supplier Drivers

Page 3: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: Defining the Cloud

Page 4: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: Why the Cloud?

Approximate Costs for Enterprise Data Center with 1K Servers vs Cloud base 100K Server Center

| Technology | Cost of Enterprise Data Center | Cost of Cloud Data Center | Ratio |
|---|---|---|---|
| Network | $95 / Mbps / month | $13 / Mbps / month | 7.1 |
| Storage | $2.20 / GB / month | $0.40 / GB / month | 5.7 |
| Administration | 140 servers / Admin | 1,000 servers / Admin | 7.1 |

http://wikibon.org/blog/how-big-is-the-world-of-cloud-computing-infographic/

Page 5: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: Why the Cloud?

♦ “Switch” Data Center 2,200,000 square feet (http://www.makeuseof.com/tag/5-worlds-biggest-data-centers-stats-pics/)

♦ Average Cloud Data Center 11.5 X the size of a football field (http://wikibon.org/blog/how-big-is-the-world-of-cloud-computing-infographic/)

♦ Acquisition of Terremark by Verizon for $1.4B

♦ Acquisition of Savvis for 2.5B by Century Link (Qwest)

Page 6: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: Cloud Definition

♦ http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

| Characteristics | Service Models | Deployment Models |
|---|---|---|
| On-demand self-service | Software as a Service (SaaS) | Private cloud |
| Broad network access | Platform as a Service (PaaS) | Community cloud |
| Resource pooling | Infrastructure as a Service (IaaS) | Public cloud |
| Rapid elasticity | Cross Platform? | Hybrid cloud |

Page 7: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: The Problem with the Cloud

Page 8: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: The Problem with the Cloud

♦ 1. Service Confusion

Software Providers

Technology Manufacturers

Network Providers

Information & Service Providers

Page 9: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: The Problem with the Cloud

♦ 2. Jurisdictional Confusion

Cloud Customer Location?
Cloud Provider Location?
Data Location?
Data Subject Location?

Contract
Regulatory
Intellectual Property Rights
Data Protection
Breach Notification
US PATRIOT Act

Page 10: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: The Problem with the Cloud

♦ 3. Security Confusion

Denial of Service / DDOS
Cyber Attack / Terrorism
Fraud / Theft / ID Theft
Certification Authority Breach
Phishing / Trojans / Botnets
Poor Data Protection Compliance
Accidental Disclosure
Data Loss
Security Flaw
Data Damage or Destruction

Information Security: Accessibility, Integrity, Confidentiality

Page 11: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Introduction: The Problem with the Cloud

♦ 4. Expectations Confusion

Software vs. Subscription
Commodity Service
Leverage Assets
Virtualization
Outsourcing vs. Commodity
Individualized Service Levels
Control
Provable Data Security / Privacy

Page 12: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Key Developments in 2012

Page 13: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Development 1: Demystification of the Cloud

Demystifying Cloud Computing

Data & Security
1. New Privacy Risks?
2. More Data Sharing?
3. More Security Risks?
4. More International?

Ownership & Control
1. Extraterritorial?
2. Local Retention?
3. Access & Audit?
4. Loss of Control?

Political
1. Business Models
2. Employment Protection
3. Risk Allocation

Page 14: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Development 2: The Evolving Cloud

♦ Traditional Outsourcing vs. Cloud Computing

Traditional Outsourcing
• Service Driven
• Data Controllers / Data Processors
• Standalone Bespoke Services
• Agents
• Pushed Service Levels
• Static Location

Cloud Computing
• Security Driven
• IaaS / PaaS / SaaS
• Standardized Environment
• Shared Infrastructure
• Self-service
• Pulled Service Levels
• Dynamic Location

• Service Scope
• Service Levels
• Charges

Page 15: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Development 2: The Evolving Cloud

♦ The Cloud Contract: The Need for Change

Regulation & Consumer Law

Large Negotiated Deals

Differences: Access, Shared, Commodity, Structure
Changers: Government, Industry, Landmark Deals, Insurers
Legal Issues: Enforceability, Validity, Non-Compliant, Data Breach

The Cloud Contract

Page 16: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Development 2: The Evolving Cloud

♦ Cloud Contracting: Non-Cloud versus Cloud

IACCM Most Negotiated

1. Limitation of Liability

2. Indemnities

3. Charges

4. Intellectual Property

5. Payment

6. Liquidated Damages

7. Service/Service Levels

8. Delivery/Acceptance

9. Applicable Law

10. Confidentiality/Access

Cloud Most Negotiated

1. Limitation of Liability

2. Indemnities

3. Data Integrity

4. Service/Service Levels

5. Regulatory Compliance

6. Confidentiality/Access

7. Security/Audit

8. Lock-in/Exit/Term

9. Service Change

10. Intellectual Property

Page 17: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Development 2: The Evolving Cloud

♦ Cloud Contracting: Negotiation Checklist

1. Structure
• Type (IaaS, PaaS, SaaS)
• Subcontractor

2. Service
• Services
• Service Levels
• Service Credits
• Price

3. Data
• Information Security
• Access
• Audit
• Business Continuity/DR

4. Regulation
• DP/Privacy
• Other
• Change
• Breach

5. IPR
• Ownership
• Rights of Use

6. Termination
• Term
• Termination
• Exit
• Portability

7. Liability
• Warranties
• Indemnities
• Exclusions
• Limitations

8. Other
• Jurisdiction
• Change
• Insurance
• Certification

Page 18: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Development 3: Regulatory Change

♦ HIPAA
♦ HITECH Act
♦ GLB
♦ FACTA
♦ FCRA
♦ Fair Debt Collection Practices Act
♦ FERPA
♦ COPPA
♦ ITAR/Export Compliance
♦ FFIEC
♦ Banking Requirements
♦ PIPEDA
♦ FTC
♦ Subpoena/Rule 34 FRCP
♦ In re NTL Inc. Sec. Litig., 244 F.R.D. 179 (S.D.N.Y. 2007)
♦ State Regulations
♦ SOX
♦ ECPA
♦ SCA
♦ PCI

Page 19: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Development 3: Regulatory Change

EU Article 29 Data Protection Working Party Opinion 1 July 2012
♦ Transparency
♦ Control
♦ Sharing
♦ Sub-Contracting
♦ Data Portability
♦ Outside of EEA

EC Strategy for "Unleashing the potential of cloud computing in Europe" 27 September 2012
♦ Interoperability
♦ Data Portability
♦ Reversibility
♦ Certification
♦ 'Safe and Fair' Contract Terms
♦ European cloud market

UK ICO Guidance on Cloud Computing 27 September 2012
♦ What data to put into the cloud?
♦ Performance monitoring
♦ Written contract
♦ Security assessment
♦ Security measures
♦ Using cloud services from outside the UK
♦ Multi-tenancy environment

Page 20: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Cloud Mitigation Strategies

Page 21: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Cloud Mitigation Strategies

♦ Insurance

♦ Does Customer Understand Data?

♦ Robust Dispute Resolution

♦ Self Help
♦ Backup
♦ Migration Plan
♦ Privacy pre-Audit
♦ Data Map

♦ “Leverage” Awareness

Page 22: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Cloud Mitigation Strategies

♦ SAS70 Type II; SSAE No. 16 Type 2, ISO 27001; TRUSTe; SysTrust; Verisign

♦ Safe Harbor / EU Data Protection Compliance

♦ Be Aware of Chat Boards/Internet Search/News

♦ Transparency of Procedures

♦ Multi/Single Jurisdiction of Data Centers?

Page 23: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Cloud Mitigation Strategies

♦ Multi-tenancy

♦ Escrow

♦ Data Map

♦ Audit of Customer Needs Upfront

♦ Contingency Planning
♦ Migration
♦ Return of Data
♦ Termination Services

Page 24: Cloud Computing Webinar: Legal & Regulatory Update for 2012

Conclusion & Questions?

Richard Graham, Partner, Edwards Wildman Palmer LLP, London

+44 (0) 20.7556.4418

Michael Bennett, Partner, Edwards Wildman Palmer LLP, Chicago

+1 312.201.2679

Mark Schreiber, Partner, Edwards Wildman Palmer LLP, Boston

+1 617.239.0585
