• Cloud workshop

• How is the cloud structured?

• Understanding cloud functions

• Framework for data analysis

Cloud workshop

• What will you use the cloud for?

• Three functions that the cloud provides.

• Three functions the cloud does not provide.

• Three cloud providers.

• Do it yourself shop

• System integrator

• Reseller

• Collaborator

• What is Amazon providing?

• What is Brand X providing?

• Are there any other vendors?

• What is the “demarc line” for responsibilities?

• How much negotiating power do you have?

• What do you want?

•Platform as a Service - PaaS

•Software as a Service – SaaS•Professional Services as a Service -PSaaS

•Infrastructure as a Service - IaaS

• Platform as a Service - PaaS

• Infrastructure• computing platform• “solution stack”• uses distributed infrastructure components

• Supports cloud applications• allows deployment of customer applications• vendor assumes management of underlying hardware and basic software

• Software / Services as a selling point• COTS software• Centralized patch management• Data preservation / backup

• Software as a Service – SaaS• Professional Services as a Service• Distributed delivery

• Web access• One to many distribution

• Cloud is the platform• Virtual data center

• No capital outlay• A-la-cartre hardware use

• Infrastructure as a Service - IaaS

• Billed as a utility•Pricing feature or use based

Distributed delivery

Central location of information

Distributed infrastructure

• Controller

• Processor

• Transferor / Transferrer

What will you use the cloud for?

What does your cloud provider do?

What type of provider do you have?

Who is controller, transferor, processor?

• Case study• What is breach?• Cost of a breach• Regulation in the cloud

• Controller

• Processor

• Transferor / Transferrer

• Is security binary?• What is a breach?• Who are the parties to a breach?• Who has to be notified?• Who are the parties to a data transaction?• Which societal emphases prevail?• How do we make security a societal

determining factor in purchase decisions?• How do you measure security?• What role should government play?• Are you a special snowflake?

• Confidentiality• Integrity• Access

• Stability?• Confidentiality?• Law enforcement?• Compensation / making whole?

• Transparency• Imperfect information• Competitive pressures• Lack of definition• Imperfection in software• Risk perception

• Social engineering• Risks perceived incorrectly

• Mitigation?• Avoid?• Transfer?• Retain?

• Sectoral Based• Reactive• Generally state

based• Narrowly tailored

• Issue Based• Proactive• National

implementation

• Breach – both benign and malicious

• Breach notification

• Transfer of risk

• Security policies

• Contracting parties, third parties and vendors

• Legislative and regulatory

• Specific Safeguards• Protect against reasonably

anticipated uses• Ensure that workforce

complies with rule• Civil penalties• Actions by state AG• HHS investigations

HIPAA

• Security and confidentiality of customer information

• Protect against anticipated threats or hazards to security and integrity

• Protect against unauthorized access or use.

GLB

• Identification / Authentication procedures

• Disposal rules• Procedures to ensure

accuracy• Integrity / accuracy of

information sent out• Attempts to prevent

impersonation fraud.

FCRA

• Secure webservers• Delete personal

information after use• Limit employee access to

day• Provide training• Screen third parties

COPPA

• Protect the confidentiality of CPNI

• Reasonable measures to prevent and discover unauthorized access

FCC

• Unfair or deceptive actsFTC

• Massachusetts leads the way• Generally address confidentiality• Typically only include information tied to numbers• Beginning to include biometric data• Nexus requirement – except for Massachusetts• Exceptions for minor breaches / encrypted data

• U.S. continues to prefer sectoral• Breach approached from confidentiality• Private rights of action disfavored• FTC likely to have overall responsibility• Nexus requirement still the norm• Privacy / security interaction involves identification numbers.

• Data governance laws are here to stay• Expectation that in some format data breach will be extended to

cover not just telecoms• General data breach requirements in some EU Member States

already• Accountability and transparency principles• Broad scope of definition of personal data• Cloud and jurisdictional challenges• The role of controllers and processors

DATA PROTECTION/SECURITY COMPLIANCE AS A

COMPETITIVE MARKET ADVANTAGE

• A couple of deal-breaking elements from our daily experience:

1. Personal Data Processing Agreements (where duties and obligations are clearly identified)

2. Transparency and control over the personal data flow(circulation/transfer of personal data)

• These elements are requested by customers for 2 main reasons:1. COMPLIANCE: to establish enough control by the customer (Controller) on the personal data processing carried out by the provider (Processor) 2. INTERNAL RESPONSIBILITIES: to internally show that protection and control over personal data, as a company asset, have been considered in the choice of a provider that offers enough guarantees

EU data protection/security checklist

A Service Provider (SP) will have to share:① Information about its identity (and the representative in the EU, if

applicable), its data protection role, and the contact details of the Data Protection Officer or of a “privacy contact person”

② SP will have to describe in which ways the data will be processed and provide information on data location and subcontractors

③ How data transfers may take place and on which legal ground (mainly model contracts, binding corporate rules – SH principles have been under revision)

④ Data security measure in place, with special reference to:- availability of data- integrity- confidentiality - transparency- isolation (purpose limitation)- intervenability

⑤ Way to monitor SP data security / possibility to run audits for clients or trusted third-parties

⑥ Personal data breach notification policy

⑦ Data portability, migration, and transfer back assistance

⑧ Data retention, restitution and deletion policies

⑨ Accountability, meaning the policies and procedures SP has in place to ensure and demonstrate compliance, throughout the SP value chain (e.g., sub-contractors)

⑩ Cooperation with clients to respect data protection law, e.g., to assure the exercise of data protection rights

11 Management of law enforcement request of access to personal data

12 Remedies available for the customer in case of CSP breach of contract

• EU continues to prefer industry regulation• Breach approached from a confidentiality viewpoint• Private rights of action disfavored• National laws lag• Privacy tied to individual data

Break down your cloud transaction.

Understand what security means to you.

Define breach.

Decide what kind of snowflake you are.

• What is risk?• Deciding what risks to take.• Free legal advice

How does the cloud operate?

Who has access to the cloud?

General risk analysis. • SLA• Choice of Law

• Compliance• Regulations

• Contract• Security• Breach• Termination

Breach

Consequence

Breach

Consequence

Reliability• Demonstrated by metrics• Objective criteria used• Third party vendors consideredContract• Standard SLA may need additional

clauses for response time, fallback options, standards of service

• Static v. flexible SLA

In what country is the provider located?

Where is the provider’s infrastructure?

Will other providers be used?

What will happen to the data on termination?

Where will the data be physically located?

Should jurisdiction be split?

How will data be collected, processed, transferred?

Jurisdiction over the contract

Whose law governs

Jurisdiction over the contract

Whose law governsWhere the dispute is heardChange in judicial presumptionsJurisdiction over the data

Data protection directiveExport control laws

Jurisdiction over the data

Choice of lawThis Agreement shall be governed by the laws of the District ofColumbia, without reference to its choice of law provisions.Jurisdiction and venue shall be proper before the U.S. District Courtfor the District of Columbia located in Washington, D.C. The partiesagree not to contest notice from, or the jurisdiction of, this court.Notwithstanding the preceding sentences, the parties agree that allissues regarding the processing, transfer, protection and privacy ofany information transferred from X or any End User to Vendor shallbe governed by the laws of the United Kingdom. All disputesbetween the parties, and between a party and an End Userregarding Vendor’s access to this data shalll be heard before theappropriate court located in London, United Kingdom

Split choice of law if you have differing regulatory

obligations.

Security• Define “breach” • Determine when a breach happens• Assume there will be data breach laws• Review any laws that my currently exist• Understand who will be responsible for security• Create enforceable contract terms• Remember post termination issues• Understand that you may not be made whole

• What is a breach?• Who are the parties to a breach?• Who has to be notified?• Who are the parties to a data transaction?

• Breach: benign and malicious.

• Breach: parties, third parties, subcontractors, vendors

• Breach laws: state and federal

• Responsibility for security: parties, third parties, subcontractors vendors

• Post termination issues: data belongs to customer, breach liability extends post termination.

• Security policy: made part of contract. Revisions subject to customer review. Flow down to subcontractors and vendors

Contract provisions

Vendor has provided X with a copy of its current security policy(Policy) as it applies to the services to be performed by Vendorpursuant to this Agreement. Vendor represents and warrants thatthis security policy represents best of breed security procedures inits industry. Vendor shall give X no less than sixty days prior writtennotices of any changes in the Policy that impact the servicesprovided to X. Should X determine that these changesmaterially impact the security of the services, X shall have the rightto terminate this Agreement. In such a case, Vendor shall providereasonable assistance to X to transition its services to anotherprovider.

Require your vendor to have skin in the game.

Access

• Document data to which you have access

• Limit the number of employees who have access to data

• Create and implement access policies

• Require written notice

• Don’t assume validity

• Create and implement access policies

• Include legal advisor

• Understand and define law enforcement access

• Don’t assume your country’s laws will prevail

• Don’t let stereotypes interfere with a legal analysis

• Try to create definition

Access

Vendor shall provide X with no less than ten days prior written noticeof any governmental request for access to the data. For the purposesof this paragraph only, the term “governmental” includes any lawenforcement or similar entity. Should Vendor be prohibited by lawfrom providing this notice, Vendor shall strictly limit any disclosure ofthe data to that which is required by the law and the written documentupon which disclosure is based. Under no circumstances shallVendor provide access without a written request of disclosure whichcites the law requiring such disclosure. Vendor shall require thisprovision, or one similarly protective of X’s rights in all its contractswith suppliers or other vendors who provide aspects of the Services.

Understand who has access to data and under

what circumstances.

Termination

• Create and implement deletion policies • Flow down contract terms to vendors• Do not assume security ends upon termination• Create and implement deletion policies

Upon termination or expiration of this Agreement, Vendor shall deleteall data and provide X with written confirmation of this deletion.Vendor shall also instruct any entities who have had access to thedata to also delete it and provide Vendor with written certification ofthis deletion. The security obligations set out in this Agreementrelating to the data shall survive termination or expiration of thisAgreement until such time as the data is completely deleted byVendor and/or Vendor’s suppliers. Vendor shall require this provision,or one similarly protective of X’s rights in all its contracts withsuppliers or other vendors who provide aspects of the Services.

When agreement terminates, your rights

terminate.

Determine how services will be used

Evaluate cloud structure

Understand data collection, processing and transfer

Security breach notification

High risk regulatory areas

Disposition of data on termination

W. David SneadAttorney + CounselorTactical Legal Advice for Internet Business

david.snead@dsnead.com@wdsneadpc / Twitterdsnead.com / Blog