"Partly Cloudy with a Chance of Rain": Security, Privacy and E-Dicsovery Issues in Cloud Computing

“Partly Cloudy with a Chance of Rain”: Security, Privacy and E-Discovery Issues

in Cloud Computing

by:

TomA.KulikPartner,Scheef&Stone,L.L.P.

®

CollinCountyBarAssocia5onLi5ga5onSec5onMee5ng

June15,2016

AboutthePresenterTomKulikisaPartnerinScheef&Stone,L.L.P.outofitsheadquartersinDallas,Texas,aswellasChairmanoftheDallasBarAssociaDonComputerLawSecDon.Withadeepunderstandingofhowintellectualpropertyassetsinfluencebusiness,heleverages20yearsoflawpracDcewithpriorindustryexperience,strategicallycounselingclientsonmaLersinvolvingtheevaluaDon,acquisiDon,developmentandprotecDonofintellectualpropertyrights,withanemphasisoncreaDvelyleveragingsuchassetsbothdomesDcallyandinternaDonally.

PriortomatriculaDoninlawschool,hewasanaward-winningsystemsengineerfor3ComCorporaDon,wherehewasresponsibleforlocalandwide-areanetworkarchitectureanddesignsupporDngbothFortune500andstart-upcompaniesinthecomputerservices,financialandpharmaceuDcalindustries.

Leveragingthisindustryexperience,hispracDcefocusesonintellectualpropertytransacDons,parDcularlywithinthecontextofthecomputersoRware,emergingInternettechnologiesande-commerce,andincludesanextensivetrademarkpreparaDonandprosecuDonpracDceandaLendantintellectualpropertyliDgaDon.

®

Don’tForgettoShare!

®

#CollinCtyBar

Whatisthe“Cloud”?...

®

…andWhatis“CloudCompuDng”?

®

“IaaS”

“PaaS”

“SaaS”

OvercomingMisconcepDons…

WhatThisPresentaDonWillAddress

•  UnderstandingwhatconsDtutesthe“cloud”•  IdenDfyingspecificconsideraDonswhenconfrontedwithcloud-basedservicesinyourpracDce

•  IdenDfyingspecificconcernsaboutuseofcloudservicesby(orwith)yourclients

•  EthicalconsideraDonsinusingcloudservices

“CloudCompuDng”–AHazyPhraseforaFoggy(Evolving)Concept

“AsametaphorfortheInternet,"thecloud"isafamiliarcliché,butwhencombinedwith"compuDng,"themeaninggetsbiggerandfuzzier…[butessenDally]encompassesanysubscrip5on-basedorpay-per-useservicethat,inreal5meovertheInternet,extendsIT'sexis5ngcapabili5es.”

WhatCloudCompu1ngReallyMeans,EricKnor&GalenGruman,InfoWorld,2009

®

“CloudCompuDng”DefiniDon–TheNaDonalInsDtuteofStandardsandTechnology

“CloudcompuDngisamodelforenablingconvenient,on-demandnetworkaccesstoasharedpoolofconfigurablecompu5ngresources(e.g.,networks,servers,storage,applica5ons,andservices)thatcanberapidlyprovisionedandreleasedwithminimalmanagementeffortorserviceproviderinteracDon.Thiscloudmodelpromotesavailabilityandiscomposedoffiveessen1alcharacteris1cs,threeservicemodels,andfourdeploymentmodels.”

TheNISTDefini5onofCloudCompu5ng,PeterMellandTimGrance,Version15,October7,2009

®

“CloudCompuDng”-EssenDalCharacterisDcs

•  On-demandself-service–unilateralandautomaDcprovisioningofauser’scompuDngneeds

•  Broadnetworkaccess–servicesavailablethroughthenetworktocellphones,PDAs,laptops,iPads,etc.

•  Resourcepooling–dynamicassignmentofphysicalandvirtualcompuDngresources

•  Rapidelas9city–quickscale-out/scale-in–seamlessandseeminglyunlimitedtotheuser

•  MeasuredService–automaDccontroltoopDmizemanagementofresources(storage,processing,bandwidth,accounts)

®

“CloudCompuDng”–ServiceModels

! SoRware-as-a-Service(“SaaS”)•  ExternalsoRwarehosDnginacloudinfrastructure

! PlaVorm-as-a-Service(“PaaS”)•  Think“SaaS-plus”–compuDngplapormand“soluDonstack”forbuildingandrunningcustomapplicaDonsbytheuser

! Infrastructure-as-a-Service(“IaaS”)•  Dataprocessing,storage,networkandotherfundamentalcompuDngresourcesincloudinfrastructure

®

ExamplesofCloudServicesfromCloudServiceProviders”(“CSPs”)

! Infrastructure-as-a-Service(“IaaS”)•  AmazonElasDcComputeCloud(EC2),Rackspace,GoogleComputeEngine

! SoRware-as-a-Service(“SaaS”)•  AppleiCloud,GoogleApps,FacebookApplicaDons,Dropbox

! PlaVorm-as-a-Service(“PaaS”)•  SalesforceAppExchange,GoogleAppExchange,•  WindowsAzure

®

“CloudCompuDng”–DeploymentModels!  PrivateCloud

"  Usedsolelyby/operatedsolelyfortheorganizaDon

!  CommunityCloud"  Usedby/operatedformulDpleorganizaDonsDedtoa“specific

community”with“sharedconcerns”

!  PublicCloud"  OwnedbyCSPprovidingcloudservicestothepublic

!  HybridCloud"  ComposiDonof2ormoredisDnctclouds“boundtogetherby

standardizedorproprietarytechnologythatenablesdataandapplicaDonportability”

®

“CloudCompuDng”–DefiniDoninaNutshell

Afully-scalableserviceforprocessingandstoringdatausingthird-partysharedresources,soRwareandinformaDonaccessibleoveranetwork(i.e.theInternet),andprovidedtocomputersandotherdeviceson-demand:

"  UsuallysubscripDon-based"  Maybepay-per-use"  Evenfree!

®

WhytheCloudModel?A“PerfectStorm”

•  Economics-ITcapitalcostpressurespushingforbeLerROI

•  MoreforLess-TechnologicalInnovaDonispermirng:»  BeLercommunicaDonsbandwidthavailability

»  Improvedmicroprocessor/busspeeds

»  IncreasedstoragecapabiliDes•  “Virtualiza5on”–easierforCSPstomaximizeinfrastructurefortheservicesprovidedandoffloadmuchITmanagement

®

TheLegalConsideraDonsinCloudCompuDngforYourPracDce

! Security&Privacy

! E-Discovery&LiDgaDon

! EthicalConsideraDonsforLawyers

®

TheLegalConsideraDonsinCloudCompuDng:Security&Privacy

!  Datainthe“Cloud”hardertoprotect•  Isa“mulD-tenant”architecture–datastoredonavirtualserverthat

sharessamephysicalserverwithothervirtualservers

•  SecuritydependentuponconfiguraDonofthevirtualserversandAPIvulnerabiliDes

•  GeographicdistribuDonconcerns–the“cloud”knowsnoboundaries

!  Breachhardertodetect&manage•  CSPmayusethird-partyprovidersforelementsoftheservice

•  AudittrailacrossmulDpleplapormsnotnecessarilyintegrated

•  GeographicdistribuDonconcernsremain

®


®

Thinkthat3rdparDesarenotlookingforYOURdata?

THINKAGAIN…


®

• Third-PartySoRwareProvidersprovidingGREATtools…

• Google(Gmail,GoogleDocs,GoogleDrive)• Dropbox(filedistribuDon/sharingplaporm)• EverNote(onlinecross-plapormworkspace)

…BUTarethey“safe”touseinyourpracDce?ITDEPENDS


®

• DropBox• “Hacked”in2013,butcompanyclaimsitwas3rdpartyappsaccessingthesitethatcausedthebreach–problema1c

• Google• Hackedin2014–5millionusernames/pwds

• EverNote• Hackedin2014–50millionpasswordsreset

MORAL:BalanceConveniencevs.Confiden1ality


! Stengartv.LovingCareAgency,Inc.,990A.2d650(2010)CompanypolicyclaimingitownedallinformaDononitscomputersNOTenoughtopermitretenDonofaLorney-clientprivilegedemails! N.J.AppellateDivisionreversedSuperiorCourt’sorder

! orderedemployeranditscounseltoturnoverALLemailcommunicaDonsbetweenplainDffandhercounselANDdeletesameforharddrives

! OrderedhearingonsancDons! Point:aLorney-clientprivilege“substanDallyoutweigh[s]”employer’senforcementofitsownpolicies

®


!  SomeDomesDcConsideraDons:•  GrahamLeachBlileyAct-FinancialinsDtuDonsmusthavepolicies/

proceduresinplacetoprotect“non-publicpersonalfinancialinformaDon”fromimproperdisclosure

•  HIPAA/HITECHAct–“CoveredenDDes”requiredtonoDfyaffectedpersonsofbreachofunencrypted“personalhealthinformaDon”

•  FTCSafeguardsRule–FinancialinsDtuDonsrequiredtohavewriLensecurityplanregardingcustomer’sprivateinformaDon

•  FTCRedFlagsRule–InsDtuDonsholdingcreditaccountsmusthavewriLenidenDtytheRprogram

•  StoredCommunicaDonsAct-protecDonfromdisclosureforemailsandotherprivatedatathatareinsuchelectronicstorage

®


!  MUSTunderstandtheCSPoperaDonalmodeltofacilitatecompliancewithapplicableprivacyandsecuritylaws/regulaDons(especiallyinterna1onallystoreddata)

!  REVIEWCSPprivacypolicyANDsecurityproceduresforconDnuitywithexisDngcompanyprocedures&guidelines(i.e.audit/reporDngrequirements,securitybreachnoDficaDons)

!  IDENTIFYandSPECIFYdatasecuritycontrolsatthesoRwarelevel(i.e.encrypDon,firewalls),aswellasphysicalsecurity

®

WeatherBrewingontheHorizon:e-Discovery&LiDgaDon

! DiscoveryofelectronicallystoredinformaDon(“ESI”)drama1callymoredifficultinthecloud•  DatapreservaDon/integrityhardtomanage

•  Datamaybehousedinmul1plecountries•  CSPsmayuse3Pproviders

! JurisdicDonalissues•  Enforceability–mulDplecountriesvs.governinglaw

•  Countrywheredataisresidentincomputerfacility–governmentalaccess?

®


! SomeinteresDngearlynumbers-Forbes“Cloud&E-DiscoverySurvey”in2011foundthat:

! Only16%ofrespondentsindicatethataneDiscoveryplanisinplaceforcloud-basedinformaDonmanagementsoluDons

! 26%actuallyrespondedthattheydonothaveaneDiscoveryplaninplace

! 58%whodon’tevenknowifaplanexists!!!

Murphy,Barry,“e-DiscoveryinTheCloudNotAsSimpleAsYouThink”,Nov.29,2011(hLp://www.forbes.com/sites/jasonvelasco/2011/11/29/e-discovery-in-the-cloud-not-as-simple-as-you-think/

#1f203f576f6c)

®


!  SpoliaDon•  CloudinfrastructureincreasesspoliaDonrisk•  WhereCSPsuse3Pproviders–greaterdanger

!  DataIntegrity•  Dataatrest–MUSTbefreefromcorrupDon

•  HowtoensureNOCHANGEtodatauponliDgaDonhold?

!  StandardCSPagreementsdoNOTaccountforpossibilityofESIpreservaDonbydefault

®


! CloudcompuDnghasdrama1callyexpandedwhereelectronicallystoredinformaDon(ESI)canreside.

! DiscoveryinvolvestheidenDficaDon,preservaDon,collecDon,reviewandproducDonofrelevantinformaDoninaparty’spossession,custodyorcontrol…BUTpossessionandcontrolarelikelysplitbetweenapartytoliDgaDonandathird-partyCSP

! 2006amendmentstotheFRCP-expandedthedefiniDonof“document”underRule34toincludeESI,suchasMicrosoRWord,ExcelandPowerPointfiles,AdobePDFfiles,databaserecords,andCAD/CAMfiles.

®


!  PreservaDonisKEY•  UnlikeoutsourcedsoluDons,usersmaynotknowwhatinfrastructure

theyareusingorthephysicallocaDonofdata

•  CSPmaybeabletoretrievethedata,butNOTknowwhereyourdataisforthepurposeofaliDgaDonhold

•  CSPmayusethird-partyserviceprovidersforelementsofservicesprovidedtotheuser,exacerbaDngtheissue

!  CourtsmayNOTdisDnguishserversinthe“cloud”fromonesindirectpossession

! BoLomline:ObligaDontoadequatelypreserverelevantdocumentsextendstoESI

®


!  Whatare“sufficient”effortstopreserveforthepurposesofdiscovery?Judgedagainstastandardofreasonableness–Zubulakedecisions(JudgeShiraScheindlin,SDNY)

!  PensionCommiSeev.BancofAmericaSecuri1es,LLC685F.Supp.2d456(S.D.N.Y.2010).–  JudgeScheindlinstrikesagain!–  Reiteratedthat“thedutytopreservemeanswhatitsaysand

thatafailuretopreserverecords–paperorelectronic–andtosearchintherightplacesforthoserecords,willinevitablyresultinthespoliaDonofevidence”

–  FailuretofollowZubulakeeDiscoveryproceduresconsDtutesgrossnegligenceandissancDonable(includingadv.inference)

®


!  Rule26(b)(2)oftheRuleslimitsthescopeofdiscoverywithproporDonalityconsideraDons.!  Forexample,if“(iii)theburdenorexpenseoftheproposeddiscovery

outweighsitslikelybenefit,takingintoaccounttheneedsofthecase,theamountincontroversy,theparDes'resources,theimportanceoftheissuesatstakeintheliDgaDon,andtheimportanceoftheproposeddiscoveryinresolvingtheissues.”

!  Rule26(b)(2)(B)-specificlimitaDonswithrespecttoESI:!  “Apartyneednotprovidediscoveryofelectronicallystored

informaDonfromsourcesthatthepartyidenDfiesasnotreasonablyaccessiblebecauseofundueburdenorcost.”

!  BurdenisonthepartyfromwhomthediscoveryissoughttoshowthattheESIisnotreasonablyaccessible.

!  ConclusoryasserDonsthatdataisinaccessiblesimplybecausethedataresidesinacloudwillnotsuffice.

®


•  Control:CSPcontractsshouldaddress“control”ofdata-Ifnocontractualrightofcontrolisestablished,controlhasbeeninterpretedtoencompasswhenapartyhasthe“pracDcalability”toobtaindocuments,regardlessofhisorherlegalenDtlementtothem.

•  ConstruedBROADLYbythecourts:– whereacontractualprovisionconfersarightofaccess– whereaparty’sagenthaspossession– whereanemployeeorofficerhaspossessionorthelegalrighttoobtaindocuments.

®


!  eDiscoveryofESIinthecloudcanbecostlybecauseitislaborintensiveandtechnologicallydemanding–howtoaddress(defenseperspecDve)?!  Iden5fica5on:KnowwhereESIlocatedthroughtheCSP!  Preserva5on:EnsureCSPadherestodata-retenDonand

backuppoliciesperclient’sretenDonschedules!  Access&collec5on:knowhowtoactuallygettothedata

residentwiththeCSP

!  AlsoensureCSPcooperaDon!  ImmediatenoDceofanysubpoena!  affidavits,declaraDons,orothertesDmonyasnecessaryto

establishchainsofcustodyandauthenDcityforpurposesofadmissibility

®


! MUSTaccountforspecificCSPmodelandviabilityoftheCSPregardingabilitytocomplywithe-discoveryandliDgaDonholds

! DEMANDaccountabilityforhandlingofESI•  General“cooperaDon”clause•  AcknowledgecompliancewithliDgaDonholds

! STRONGLYCONSIDERaseparateagreementtoaddressESIdiscovery

®

WeatherBrewingontheHorizon:EthicalConsideraDonsforLawyers

! LawfirmuseofCSPsfortheirITneedsgrowing

! ConsideraDonsaremoredelicateforlawfirmsduetoclientconfidenDalityobligaDons,privilege,etc.

! BoLomline:itisavailable,butisitethical?

®


! Answer:ITDEPENDS-20statessofar:UseofCSPsforstorageofclientfilessolongasareasonablestandardofcareisexercised,BUTdifferences:!  Alabama,Arizona,California,ConnecDcut,Florida,Iowa,Maine,MassachuseLs,

NewHampshire,NewJersey,Nevada,NewYork,NorthCarolina,Ohio,Oregon,Pennsylvania,Vermont,Virginia,Washington&Wisconsin–NOTTEXAS!

! Whattodo?:!  UseDILIGENCEandCOMPETENCEexercisingreasonablecare

! MUSThaveaBASICunderstandingofthetechnologiesused

!  HaveanOBLIGATIONtoremaincurrentonthetechnologies

! List:hLp://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html

®


! Whatisconsidereda“reasonablestandardofcare”?•  MUSTbeknowledgeableaboutCSPhandlingofdata

•  MUSTcontractwithCSPtopreserveconfidenDality/securityofdata

! Transposingthe“reasonableness”standardfrom“brick&mortar”tothe“cloud”notaseasyasyoumaythink:•  Security–clientconfidenDalityrequiresstrongcontractualprotecDons•  Backups–MUSTthinkaboutIaaSinfrastructure

•  Dataaccess–SLAservicecreditshouldNOTbesoleremedy

•  Portability–TransferofdataineventofterminaDoncrucial

•  BankruptcyofCSP–howtoaccountforpossibility?

®


! ABAEthics20/20WorkingGroupReportonElectronicConfidenDality!  Formofoutsourcing–citesABAFormalEthicsOpinion08-451(lawyer’sobligaDons

whenoutsourcingworktonon-lawyers)!  OngoingexaminaDonofpossibleamendmentstoMRPC5.3(lawyer’sethicalobligaDons

whensupervisingnon-lawyerassistants)

! BOTTOMLINE:LawyerscanethicallyusecloudcompuDngproductsintheirlawpracDces…BUTbeforedoingso,youMUSTfullyassesstheirethicalobligaDonsandexerciseduediligenceinverngyourcloudcompuDngproviderofchoice.

®


! QuesDonstoASK:! WillIhaveunrestrictedaccesstothestoreddata?

! HaveIstoredthedataelsewheresothatifaccesstomydataisdeniedIcanacquirethedataviaanothersource?

! HaveIperformedduediligenceregardingthecompanythatwillbestoringmydata?

!  Inwhichcountryandstateisitlocated,andwheredoesitdobusiness?

! Doesitsenduser’slicensingagreement(EULA)containlegalrestricDonsregardingitsresponsibilityorliability,choiceoflaworforum,orlimitaDonondamages?

!  Intheeventofafinancialdefault,willIloseaccesstothedata,doesitbecomethepropertyoftheSaaScompany,oristhedatadestroyed?

®


! USECOMMONSENSE•  UnderstandhowtheCSPwillhandlethedata•  SecurityshouldcoverbothsoRwarecapabiliDesANDphysicalfaciliDes

! DOYOURDUEDILIGENCE•  Don’tbeafraidtoaskquesDons–arguablyhaveaDUTYTOASKthem!

! BECAREFUL!

®

“Partly Cloudy with a Chance of Rain”: Security, Privacy & E-Discovery in Cloud Computing

Email:[email protected]

LinkedIn:hLp://www.linkedin.com/in/tkulik TwiLer:@LegaIntangibls

Google+:hLp://gplus.to/TomKulik

Blog:hLp://www.legalintangibles.com

®

Q&A

"Partly Cloudy with a Chance of Rain": Security, Privacy and E-Dicsovery Issues in Cloud Computing

Law

Transcript of "Partly Cloudy with a Chance of Rain": Security, Privacy and E-Dicsovery Issues in Cloud Computing