Legal Framework for Cloud Computing Cebit May 31 2011 Sydney
Transcript of Legal Framework for Cloud Computing Cebit May 31 2011 Sydney
1
Anthony Wong MACS CP, President, Australian Computer Society
Chief Executive, AGW Consulting
2
Cloud Computing
• Potential to transform the way we live, work and interact
• Shapes the ICT sector and the way enterprises provide and use IT services
• Helps to level the playing field by minimising up-front investment in technology
• Changes business agility through “pay-as-you-use” for access to bandwidth and technology functionality
3
Examples of Cloud Computing
Source: NBN Co
4
Reasons for adopting cloud computing
• Outsource services to cloud suppliers
• Ability to scale up and down when required
• Reduction of internal technical support constraints
• Outsource technical management
• Provide more options and flexibility
• Deployment and adoption of new technologies
• Access to special expertise
• Desire to reduce costs
5
Legal framework of Cloud Computing
Cloud computing, as a new sourcing and delivery model, shares many common legal issues with existing delivery models, but also poses new legal challenges:
• Legal compliance issues
• Service levels and performance
• Cross-border issues
• Data protection, rights and usage
• Privacy and security
• Termination and transition
6
Legal compliance issues
There is no ‘Law of Cyberspace’ for the Internet; however, in Australia there are a number of specific laws that apply:
• Electronic Transactions Acts
• Archives Act, FOI Act
• Copyright Amendment (Digital Agenda) Act 2000 (Cth) - intellectual property
• Privacy Act 1988 & Privacy Amendment (Private Sector) Act 2000 (Cth)
• Cybercrime Act 2001 (Cth)
• Spam Act 2003
• Telecommunications (Interception) Act 1979 (Cth)
7
Legal compliance issues
Legal requirements for organisations to consider:
• Have you reviewed your corporate governance and industry regulation requirements?
• Are you able to comply with mandatory disclosures and financial reporting?
• Are there special standards and compliance requirements for your industry?
• Can you comply with data retention requirements and eDiscovery requests during litigation?
The burden is on you to understand your compliance obligations.
8
Legal compliance issues
Example of a regulated industry: financial services companies must first notify the Australian Prudential Regulation Authority (APRA) of offshore data transfers.
Financial services companies must demonstrate appropriate risk management and governance procedures where there is potential to compromise:
• a financial institution’s ability to continue operations and meet core obligations following a loss of cloud computing services
• the confidentiality and integrity of sensitive (e.g. customer) data/information
• compliance with legislative and prudential requirements
9
Legal compliance issues
Data and Records Preservation & Retention
• Ensure the supplier’s data retention and destruction policies comply with your requirements
• Your requirements depend upon the nature of the activities and the regulatory environment in which your organisation operates, and on the kinds of documents your organisation holds
• No single set of record retention requirements will be the same for each organisation
• It has been asserted that over 450 separate Acts of Parliament in Australia contain provisions dealing with retention of records
• Courts are not likely to be understanding just because your data is in the Cloud
10
Legal compliance issues
Search and seizure at a Data Centre
What is the process in response to a legal request/search for information?
FBI agents seized a multi-tenant server from a data centre to gather evidence in an ongoing investigation, with the unintended consequence of disrupting the continuity of other businesses whose data and information were hosted on the same server.
*"Since the FBI seized its computer equipment earlier today, Liquid Motors has been unable to operate its business.”
*Networkworld, April 22, 2009
11
Service levels and performance
Some considerations for SLAs:
• Cloud computing is dependent on the Internet – any disruption will interrupt services
• Validate cloud services against your objectives and understand how the services are provided
• Many traditional software licensing and outsourcing contractual considerations come into play
• Cloud models often rely on multiple third-party providers or subcontractors
• How important are the locations of servers? Can the provider change server locations without any notice?
12
Service levels and performance
Factors to consider as a customer:
• Review the agreement (including standard form) and the provider’s terms of service
• Consider the range of services provided/required against the service levels critical to your business
• Be prepared to drive SLAs up (or down) to meet your needs
• Ask for performance guarantees (if critical)
• Include the right to audit the provider’s operational and financial viability
• Check the responsibilities of any sub-providers
• Ensure that your provider remains legally responsible for its obligations, notwithstanding sub-providers
13
Service levels and performance
Most standard agreements trigger a ‘force majeure’ clause that relieves the affected party of its obligations when disaster occurs:
• Is that acceptable for your requirements?
• Who is responsible for continuity of service when there are multiple players and integrated transactional systems based in different geographical regions?
• How long can you function without the contracted cloud services?
Develop a detailed Business Continuity Plan:
a) Consider the events most likely to occur in your business
b) Know which disasters your supplier can cope with
c) Depending on (b), you might consider a ‘Plan B’
14
Cross-border issues
• In a dispute or conflict situation, which country’s court system will settle the dispute?
• The location of servers could trigger local laws even where neither the cloud provider nor the customer is present in that locality
• Local laws may override contractual agreements between cloud providers and customers
• The location of servers may not be apparent from the provider’s terms of service
• Consider the situation where data may be stored in multiple locations (countries) at the same time
• When do conflicts of laws occur?
15
Cross-border issues
Data stored in the U.S. is subject to U.S. law, for example:
• US Patriot Act – the US government’s authority extends to compelling disclosure of records held by cloud providers
• The Mutual Assistance Treaty between the US and Australia allows the respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances
16
Cross-border issues
• Jurisdiction is dependent on the sovereignty of a government
• The concept of jurisdiction evolved in relation to geographical boundaries or territories
• Premise: each state or country has absolute power to control persons and things located within its boundaries or territories
• The Internet challenges these territorially based principles
• The law in regard to jurisdiction in cyberspace is unsettled
17
Cross Border Jurisdiction Issues
Consider a case scenario (figure: Customer and User; Server breached & compromised):
• Identifying the location of the offence/breach
• Identifying the location where the harm resulted (e.g. the victim’s location or the computer’s location)
• Deciding which sovereign nation and court should have jurisdiction over the dispute
18
Cross-border issues
In order for a court to adjudicate a case, the court must have authority over:
• the subject matter in dispute (subject matter jurisdiction); and
• the parties before the court (personal jurisdiction)
19
Data protection, rights and usage
It is critical for organisations to understand how their data will be stored, used, managed and protected:
• Consider issues of ownership of information and intellectual property created using cloud technology
• Specify and define your “data” (including metadata) and your ownership rights
• Consider what happens when your supplier “goes belly up”
• Otherwise, consider that you may have to make payments to your supplier for the return of data and materials which “you thought you owned”
20
Data protection, rights and usage
Monetisation of Data Assets – is this the new currency of the future?
Customer participation and information/data are valuable assets, for example:
• Recent sale of Skype (400+ million users) for $8.5 billion
• Doubling of LinkedIn’s (100+ million members) share price
• Successful business models including Facebook and other social media companies
21
Privacy and security
• Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud
• Management must maintain assurance that the security of the cloud service provider is adequate for their purpose
• Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure”
22
Privacy and security
Regulatory landscape in Australia:
• Legislation, e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth)
• Equitable and common law duties regarding confidential information
• State privacy legislation (State laws) and health privacy laws
• Security and Information Management Standards and Practices
• Other Codes of Conduct, Industry Standards and Guidelines
23
Privacy and security
Not all types of cloud services raise the same privacy and confidentiality risks:
• Review your supplier’s security policies and procedures – do they meet your requirements? Evaluate the risks
• Risks vary with the terms of service and privacy policy established by your provider
• Can your cloud provider change the terms and policies at will?
• Do you have to comply with privacy legislation restricting the processing and transfer of data offshore?
• Should your agreement restrict services and data storage to agreed locations? What are the rights of the supplier to operate in other locations?
• Define the scope of your confidential information – this will vary depending on the nature of your business
24
Trans-Border Data Privacy
• Different levels of data privacy laws worldwide challenge trans-border data flows across countries
• Lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive
• Privacy Act 1988 National Privacy Principle (NPP) 9 (Transborder Data Flows) regulates transfers of personal information by an organisation to an offshore location by permitting such transfers if:
  - the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles
  - the individual consents to the transfer
  - the transfer is necessary for the performance of the contract between the individual and the organisation, or for the benefit of the individual
25
Privacy and security
Things to consider:
• Whose privacy policy will apply at different stages of the data transfer?
• What security mechanisms are in place to manage data transfers between parties?
• What are the consequences of security and privacy breaches?
• How will you know if there is a breach?
• Is your cloud service provider required to provide assistance in the investigation of security breaches?
• Is there an audit trail for data?
26
Privacy and security
Privacy Reform
The Privacy Act 1988 is being modernised to strengthen Australia’s privacy protection:
• 2008: ALRC report released, For Your Information: Australian Privacy Law and Practice
• 2009: Government released its position on 197 of the ALRC’s recommendations, including: develop a single set of National Privacy Principles; strengthen and clarify the Privacy Commissioner’s powers and functions
• 2010: exposure draft of the new Privacy Act was released by the Government
27
Termination and transition
• What assistance services do you need to change over to a new provider? Consider the payment required for transition services
• The current architecture of cloud systems and the lack of standards may hamper cloud interoperability and transition services – make compatibility and interoperability an issue
• Seek clarity on limitations of liability in contracts, including exclusions of indirect, special and consequential loss and direct losses, and disclaimers and warranties
28
Conclusion
• There is no one size fits all for cloud computing - laws are unsettled
• Not all cloud services are created equal and not all cloud services should be subject to the same terms
• Few legal precedents regarding liability in the cloud
• Undertake due diligence as you need to fully understand the risks associated with cloud computing, and adopt a risk-mitigation approach to cloud adoption
• Service agreements need to specify those areas the cloud provider is responsible for
• Read the fine print of the cloud computing agreement carefully
• Specify locations for data storage and processing - know the governing law of the cloud computing agreement
29
Conclusion
• Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and your sophistication are likely to grow
• You need to clarify with your cloud service provider matters pertaining to ownership of data stored at your provider’s facilities and responsibilities in relation to security and service availability
• The cloud computing industry needs to adopt more transparent and clearer policies and practices, so users are better able to gauge their risk comfort level
• For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate
30
Thank You
“A global approach is the only way to deal with the Internet”
Francis Gurry, Head of the World Intellectual Property Organisation (WIPO)
and so for Cloud Computing…
Source: “IP's new role in the knowledge economy”, Asia Today International, April/May 2011
www.linkedin.com/in/wonganthony
This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only ones worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views in this presentation are those of the author and not of the ACS.