Cloud Computing Webinar: Legal & Regulatory Update for 2012
Transcript of Cloud Computing Webinar: Legal & Regulatory Update for 2012
© 2012 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP
Cloud Computing Webinar: Legal & Regulatory Update for 2012
15 November 2012
Richard Graham, Partner, Edwards Wildman Palmer LLP, London, +44 (0) 20.7556.4418
Michael Bennett, Partner, Edwards Wildman Palmer LLP, Chicago, +1 312.201.2679
Mark Schreiber, Partner, Edwards Wildman Palmer LLP, Boston, +1 617.239.0585
♦ Introduction: The Cloud
♦ Key Developments in 2012:
  Development 1: Demystification of the Cloud
  Development 2: The Evolving Cloud
  Development 3: Regulatory Change
  (Customer Drivers / Supplier Drivers)
♦ Cloud Mitigation Strategies
Introduction: Defining the Cloud
Introduction: Why the Cloud?
Approximate costs, enterprise data center (1,000 servers) versus cloud data center (100,000 servers):

Technology     | Enterprise Data Center (1K servers) | Cloud Data Center (100K servers) | Ratio
Network        | $95 / Mbps / month                  | $13 / Mbps / month               | 7.1
Storage        | $2.20 / GB / month                  | $0.40 / GB / month               | 5.7
Administration | 140 servers / admin                 | 1,000 servers / admin            | 7.1

Source: http://wikibon.org/blog/how-big-is-the-world-of-cloud-computing-infographic/
Introduction: Why the Cloud?
♦ "Switch" Data Center: 2,200,000 square feet (http://www.makeuseof.com/tag/5-worlds-biggest-data-centers-stats-pics/)
♦ Average Cloud Data Center: 11.5 x the size of a football field (http://wikibon.org/blog/how-big-is-the-world-of-cloud-computing-infographic/)
♦ Acquisition of Terremark by Verizon for $1.4B
♦ Acquisition of Savvis for $2.5B by CenturyLink (Qwest)
Introduction: Cloud Definition
♦ NIST SP 800-145: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Characteristics        | Service Models                     | Deployment Models
On-demand self-service | Software as a Service (SaaS)       | Private cloud
Broad network access   | Platform as a Service (PaaS)       | Community cloud
Resource pooling       | Infrastructure as a Service (IaaS) | Public cloud
Rapid elasticity       | Cross Platform?                    | Hybrid cloud

(NIST SP 800-145 also lists a fifth essential characteristic, measured service, which the slide omits.)
Introduction: The Problem with the Cloud
♦ 1. Service Confusion
• Software Providers
• Technology Manufacturers
• Network Providers
• Information & Service Providers
♦ 2. Jurisdictional Confusion
• Cloud Customer Location?
• Cloud Provider Location?
• Data Location?
• Data Subject Location?
Legal issues: Contract; Regulatory; Intellectual Property Rights; Data Protection; Breach Notification; US PATRIOT Act
♦ 3. Security Confusion
• Denial of Service / DDoS
• Cyber Attack / Terrorism
• Fraud / Theft / ID Theft
• Certification Authority Breach
• Phishing / Trojans / Botnets
• Poor Data Protection Compliance
• Accidental Disclosure
• Data Loss
• Security Flaw
• Data Damage or Destruction
Information Security goals: Accessibility (availability), Integrity, Confidentiality
♦ 4. Expectations Confusion
• Software vs. Subscription
• Commodity Service
• Leverage Assets
• Virtualization
• Outsourcing vs. Commodity
• Individualized Service Levels
• Control
• Provable Data Security / Privacy
Key Developments in 2012
Development 1: Demystification of the Cloud
♦ Demystifying Cloud Computing
Data & Security
1. New Privacy Risks?
2. More Data Sharing?
3. More Security Risks?
4. More International?
Ownership & Control
1. Extraterritorial?
2. Local Retention?
3. Access & Audit?
4. Loss of Control?
Political
1. Business Models
2. Employment Protection
3. Risk Allocation
Development 2: The Evolving Cloud
♦ Traditional Outsourcing –vs– Cloud Computing
Traditional Outsourcing
• Service Driven
• Data Controllers / Data Processors
• Standalone Bespoke Services
• Agents
• Pushed Service Levels
• Static Location
Cloud Computing
• Security Driven
• IaaS / PaaS / SaaS
• Standardized Environment
• Shared Infrastructure
• Self-service
• Pulled Service Levels
• Dynamic Location
• Service Scope • Service Levels • Charges
Development 2: The Evolving Cloud
♦ The Cloud Contract: The Need for Change
Differences: Access; Shared; Commodity; Structure
Changers: Regulation & Consumer Law; Large Negotiated Deals; Government; Industry; Landmark Deals; Insurers
Legal Issues: Enforceability; Validity; Non-Compliant; Data Breach
Development 2: The Evolving Cloud
♦ Cloud Contracting: Non-Cloud versus Cloud
IACCM Most Negotiated
1. Limitation of Liability
2. Indemnities
3. Charges
4. Intellectual Property
5. Payment
6. Liquidated Damages
7. Service/Service Levels
8. Delivery/Acceptance
9. Applicable Law
10. Confidentiality/Access
Cloud Most Negotiated
1. Limitation of Liability
2. Indemnities
3. Data Integrity
4. Service/Service Levels
5. Regulatory Compliance
6. Confidentiality/Access
7. Security/Audit
8. Lock-in/Exit/Term
9. Service Change
10. Intellectual Property
Development 2: The Evolving Cloud
♦ Cloud Contracting: Negotiation Checklist
1. Structure: • Type (IaaS, PaaS, SaaS) • Subcontractor
2. Service: • Services • Service Levels • Service Credits • Price
3. Data: • Information Security • Access • Audit • Business Continuity/DR
4. Regulation: • DP/Privacy • Other • Change • Breach
5. IPR: • Ownership • Rights of Use
6. Termination: • Term • Termination • Exit • Portability
7. Liability: • Warranties • Indemnities • Exclusions • Limitations
8. Other: • Jurisdiction • Change • Insurance • Certification
Development 3: Regulatory Change
US and Canadian framework:
♦ HIPAA
♦ HITECH Act
♦ GLB
♦ FACTA
♦ FCRA
♦ Fair Debt Collection Practices Act
♦ FERPA
♦ COPPA
♦ ITAR/Export Compliance
♦ FFIEC
♦ Banking Requirements
♦ PIPEDA
♦ FTC
♦ Subpoena/Rule 34 FRCP
♦ In re NTL Inc. Sec. Litig., 244 F.R.D. 179 (S.D.N.Y. 2007)
♦ State Regulations
♦ SOX
♦ ECPA
♦ SCA
♦ PCI
European developments:
♦ EU Article 29 Data Protection Working Party Opinion 05/2012 on Cloud Computing, 1 July 2012: Transparency; Control; Sharing; Sub-Contracting; Data Portability; Outside of EEA
♦ EC Strategy "Unleashing the Potential of Cloud Computing in Europe", 27 September 2012: Interoperability; Data Portability; Reversibility; Certification; 'Safe and Fair' Contract Terms; European cloud market
♦ UK ICO Guidance on Cloud Computing, 27 September 2012: What data to put into the cloud?; Performance monitoring; Written contract; Security assessment; Security measures; Using cloud services from outside the UK; Multi-tenancy environment
Cloud Mitigation Strategies
♦ Insurance
♦ Does Customer Understand Data?
♦ Robust Dispute Resolution
♦ Self Help: Backup; Migration Plan; Privacy pre-Audit; Data Map
♦ "Leverage" Awareness
♦ Certifications and attestations: SAS 70 Type II; SSAE No. 16 Type 2 (SSAE 16 replaced SAS 70 for service auditor reports in 2011); ISO 27001; TRUSTe; SysTrust; VeriSign
♦ Safe Harbor / EU Data Protection Compliance
♦ Be Aware of Chat Boards / Internet Search / News
♦ Transparency of Procedures
♦ Multi/Single Jurisdiction of Data Centers?
♦ Multi-tenancy
♦ Escrow
♦ Data Map
♦ Audit of Customer Needs Upfront
♦ Contingency Planning: Migration; Return of Data; Termination Services
Conclusion & Questions?
Richard Graham, Partner, Edwards Wildman Palmer LLP, London, +44 (0) 20.7556.4418
[email protected]/rgraham
Michael Bennett, Partner, Edwards Wildman Palmer LLP, Chicago, +1 312.201.2679
[email protected]/mbennett
Mark Schreiber, Partner, Edwards Wildman Palmer LLP, Boston, +1 617.239.0585
[email protected]/mschreiber