"Partly Cloudy with a Chance of Rain": Security, Privacy and E-Discovery Issues in Cloud Computing
(Transcript of the presentation slides)
by: Tom A. Kulik, Partner, Scheef & Stone, L.L.P.
Collin County Bar Association Litigation Section Meeting
June 15, 2016
About the Presenter
Tom Kulik is a Partner in Scheef & Stone, L.L.P. out of its headquarters in Dallas, Texas, as well as Chairman of the Dallas Bar Association Computer Law Section. With a deep understanding of how intellectual property assets influence business, he leverages 20 years of law practice with prior industry experience, strategically counseling clients on matters involving the evaluation, acquisition, development and protection of intellectual property rights, with an emphasis on creatively leveraging such assets both domestically and internationally.
Prior to matriculation in law school, he was an award-winning systems engineer for 3Com Corporation, where he was responsible for local and wide-area network architecture and design supporting both Fortune 500 and start-up companies in the computer services, financial and pharmaceutical industries.
Leveraging this industry experience, his practice focuses on intellectual property transactions, particularly within the context of computer software, emerging Internet technologies and e-commerce, and includes an extensive trademark preparation and prosecution practice and attendant intellectual property litigation.
Don't Forget to Share! #CollinCtyBar
What is the "Cloud"?...
...and What is "Cloud Computing"?
“IaaS”
“PaaS”
“SaaS”
Overcoming Misconceptions...
What This Presentation Will Address
• Understanding what constitutes the "cloud"
• Identifying specific considerations when confronted with cloud-based services in your practice
• Identifying specific concerns about use of cloud services by (or with) your clients
• Ethical considerations in using cloud services
"Cloud Computing" – A Hazy Phrase for a Foggy (Evolving) Concept
“As a metaphor for the Internet, "the cloud" is a familiar cliché, but when combined with "computing," the meaning gets bigger and fuzzier... [but essentially] encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extends IT's existing capabilities.”
What Cloud Computing Really Means, Eric Knorr & Galen Gruman, InfoWorld, 2009
"Cloud Computing" Definition – The National Institute of Standards and Technology
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
The NIST Definition of Cloud Computing, Peter Mell and Tim Grance, Version 15, October 7, 2009
"Cloud Computing" - Essential Characteristics
• On-demand self-service – unilateral and automatic provisioning of a user's computing needs
• Broad network access – services available through the network to cell phones, PDAs, laptops, iPads, etc.
• Resource pooling – dynamic assignment of physical and virtual computing resources
• Rapid elasticity – quick scale-out/scale-in – seamless and seemingly unlimited to the user
• Measured Service – automatic control to optimize management of resources (storage, processing, bandwidth, accounts)
"Cloud Computing" – Service Models
• Software-as-a-Service ("SaaS")
  » External software hosting in a cloud infrastructure
• Platform-as-a-Service ("PaaS")
  » Think "SaaS-plus" – computing platform and "solution stack" for building and running custom applications by the user
• Infrastructure-as-a-Service ("IaaS")
  » Data processing, storage, network and other fundamental computing resources in cloud infrastructure
Examples of Cloud Services from Cloud Service Providers ("CSPs")
• Infrastructure-as-a-Service ("IaaS")
  » Amazon Elastic Compute Cloud (EC2), Rackspace, Google Compute Engine
• Software-as-a-Service ("SaaS")
  » Apple iCloud, Google Apps, Facebook Applications, Dropbox
• Platform-as-a-Service ("PaaS")
  » Salesforce AppExchange, Google App Engine, Windows Azure
"Cloud Computing" – Deployment Models
• Private Cloud
  » Used solely by/operated solely for the organization
• Community Cloud
  » Used by/operated for multiple organizations tied to a "specific community" with "shared concerns"
• Public Cloud
  » Owned by a CSP providing cloud services to the public
• Hybrid Cloud
  » Composition of 2 or more distinct clouds "bound together by standardized or proprietary technology that enables data and application portability"
"Cloud Computing" – Definition in a Nutshell
A fully-scalable service for processing and storing data using third-party shared resources, software and information accessible over a network (i.e. the Internet), and provided to computers and other devices on-demand:
» Usually subscription-based
» May be pay-per-use
» Even free!
Why the Cloud Model? A "Perfect Storm"
• Economics - IT capital cost pressures pushing for better ROI
• More for Less - technological innovation is permitting:
  » Better communications bandwidth availability
  » Improved microprocessor/bus speeds
  » Increased storage capabilities
• "Virtualization" – easier for CSPs to maximize infrastructure for the services provided and offload much IT management
The Legal Considerations in Cloud Computing for Your Practice
• Security & Privacy
• E-Discovery & Litigation
• Ethical Considerations for Lawyers
The Legal Considerations in Cloud Computing: Security & Privacy
• Data in the "Cloud" harder to protect
  » Is a "multi-tenant" architecture – data stored on a virtual server that shares the same physical server with other virtual servers
  » Security dependent upon configuration of the virtual servers and API vulnerabilities
  » Geographic distribution concerns – the "cloud" knows no boundaries
• Breach harder to detect & manage
  » CSP may use third-party providers for elements of the service
  » Audit trail across multiple platforms not necessarily integrated
  » Geographic distribution concerns remain
The Legal Considerations in Cloud Computing: Security & Privacy
Think that 3rd parties are not looking for YOUR data?
THINK AGAIN...
The Legal Considerations in Cloud Computing: Security & Privacy
• Third-Party Software Providers providing GREAT tools...
  » Google (Gmail, Google Docs, Google Drive)
  » Dropbox (file distribution/sharing platform)
  » Evernote (online cross-platform workspace)
...BUT are they "safe" to use in your practice? IT DEPENDS
The Legal Considerations in Cloud Computing: Security & Privacy
• Dropbox – "hacked" in 2014, but the company claims the leaked credentials came from 3rd party services being used to log in to Dropbox, not from a breach of Dropbox itself – problematic
• Google – 5 million Gmail usernames/passwords posted online in 2014 (Google stated they were not obtained from a breach of its systems)
• Evernote – hacked in 2013 – 50 million passwords reset
MORAL: Balance Convenience vs. Confidentiality
The Legal Considerations in Cloud Computing: Security & Privacy
• Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (2010) – company policy claiming it owned all information on its computers NOT enough to permit retention of attorney-client privileged emails
  » N.J. Appellate Division reversed Superior Court's order
  » Ordered employer and its counsel to turn over ALL email communications between plaintiff and her counsel AND delete same from hard drives
  » Ordered hearing on sanctions
  » Point: attorney-client privilege "substantially outweigh[s]" employer's enforcement of its own policies
The Legal Considerations in Cloud Computing: Security & Privacy
• Some Domestic Considerations:
  » Gramm-Leach-Bliley Act - financial institutions must have policies/procedures in place to protect "non-public personal financial information" from improper disclosure
  » HIPAA/HITECH Act – "covered entities" required to notify affected persons of a breach of unencrypted "protected health information"
  » FTC Safeguards Rule – financial institutions required to have a written security plan regarding customers' private information
  » FTC Red Flags Rule – institutions holding credit accounts must have a written identity theft program
  » Stored Communications Act - protection from disclosure for emails and other private data that are in electronic storage
The Legal Considerations in Cloud Computing: Security & Privacy
• MUST understand the CSP operational model to facilitate compliance with applicable privacy and security laws/regulations (especially internationally stored data)
• REVIEW CSP privacy policy AND security procedures for continuity with existing company procedures & guidelines (e.g. audit/reporting requirements, security breach notifications)
• IDENTIFY and SPECIFY data security controls at the software level (e.g. encryption, firewalls), as well as physical security
Weather Brewing on the Horizon: e-Discovery & Litigation
• Discovery of electronically stored information ("ESI") dramatically more difficult in the cloud
  » Data preservation/integrity hard to manage
  » Data may be housed in multiple countries
  » CSPs may use third-party (3P) providers
• Jurisdictional issues
  » Enforceability – multiple countries vs. governing law
  » Country where data is resident in a computer facility – governmental access?
Weather Brewing on the Horizon: e-Discovery & Litigation
• Some interesting early numbers - Forbes "Cloud & E-Discovery Survey" in 2011 found that:
  » Only 16% of respondents indicate that an eDiscovery plan is in place for cloud-based information management solutions
  » 26% actually responded that they do not have an eDiscovery plan in place
  » 58% don't even know if a plan exists!!!
Murphy, Barry, "e-Discovery in The Cloud Not As Simple As You Think", Nov. 29, 2011 (http://www.forbes.com/sites/jasonvelasco/2011/11/29/e-discovery-in-the-cloud-not-as-simple-as-you-think/#1f203f576f6c)
Weather Brewing on the Horizon: e-Discovery & Litigation
• Spoliation
  » Cloud infrastructure increases spoliation risk
  » Where CSPs use 3P providers – greater danger
• Data Integrity
  » Data at rest – MUST be free from corruption
  » How to ensure NO CHANGE to data upon litigation hold?
• Standard CSP agreements do NOT account for the possibility of ESI preservation by default
Weather Brewing on the Horizon: e-Discovery & Litigation
• Cloud computing has dramatically expanded where electronically stored information (ESI) can reside.
• Discovery involves the identification, preservation, collection, review and production of relevant information in a party's possession, custody or control... BUT possession and control are likely split between a party to litigation and a third-party CSP
• 2006 amendments to the FRCP - expanded the definition of "document" under Rule 34 to include ESI, such as Microsoft Word, Excel and PowerPoint files, Adobe PDF files, database records, and CAD/CAM files.
Weather Brewing on the Horizon: e-Discovery & Litigation
• Preservation is KEY
  » Unlike outsourced solutions, users may not know what infrastructure they are using or the physical location of data
  » CSP may be able to retrieve the data, but NOT know where your data is for the purpose of a litigation hold
  » CSP may use third-party service providers for elements of services provided to the user, exacerbating the issue
• Courts may NOT distinguish servers in the "cloud" from ones in direct possession
• Bottom line: obligation to adequately preserve relevant documents extends to ESI
Weather Brewing on the Horizon: e-Discovery & Litigation
• What are "sufficient" efforts to preserve for the purposes of discovery? Judged against a standard of reasonableness – Zubulake decisions (Judge Shira Scheindlin, S.D.N.Y.)
• Pension Committee v. Banc of America Securities, LLC, 685 F. Supp. 2d 456 (S.D.N.Y. 2010) – Judge Scheindlin strikes again!
  » Reiterated that "the duty to preserve means what it says and that a failure to preserve records – paper or electronic – and to search in the right places for those records, will inevitably result in the spoliation of evidence"
  » Failure to follow Zubulake eDiscovery procedures constitutes gross negligence and is sanctionable (including adverse inference)
Weather Brewing on the Horizon: e-Discovery & Litigation
• Rule 26(b)(2) of the FRCP limits the scope of discovery with proportionality considerations.
  » For example, if "(iii) the burden or expense of the proposed discovery outweighs its likely benefit, taking into account the needs of the case, the amount in controversy, the parties' resources, the importance of the issues at stake in the litigation, and the importance of the proposed discovery in resolving the issues."
• Rule 26(b)(2)(B) - specific limitations with respect to ESI:
  » "A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost."
  » Burden is on the party from whom the discovery is sought to show that the ESI is not reasonably accessible.
  » Conclusory assertions that data is inaccessible simply because the data resides in a cloud will not suffice.
Weather Brewing on the Horizon: e-Discovery & Litigation
• Control: CSP contracts should address "control" of data - if no contractual right of control is established, control has been interpreted to encompass when a party has the "practical ability" to obtain documents, regardless of his or her legal entitlement to them.
• Construed BROADLY by the courts:
  » where a contractual provision confers a right of access
  » where a party's agent has possession
  » where an employee or officer has possession or the legal right to obtain documents.
Weather Brewing on the Horizon: e-Discovery & Litigation
• eDiscovery of ESI in the cloud can be costly because it is labor intensive and technologically demanding – how to address (defense perspective)?
  » Identification: know where ESI is located through the CSP
  » Preservation: ensure CSP adheres to data-retention and backup policies per client's retention schedules
  » Access & collection: know how to actually get to the data resident with the CSP
• Also ensure CSP cooperation
  » Immediate notice of any subpoena
  » Affidavits, declarations, or other testimony as necessary to establish chains of custody and authenticity for purposes of admissibility
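Two questions the slides raise, how to show that preserved data has NOT changed after a litigation hold (Data Integrity slide) and how to support chain of custody and authenticity (above), come down to one technique: hash every collected file, seal the list of hashes with a key held by the custodian, and re-verify the collection later. The following is an added example in Python and is not code from the presentation or from any CSP. The directory layout, the file contents and the custodian key are constructed placeholders; the example goes slightly beyond the slides in that it also reports files that were added or deleted after the hold and rejects a manifest that was edited after sealing.

```python
"""Integrity manifest for a preserved ESI collection (added example).

Assumptions (not from the presentation): the collected files sit in a local
directory, and the custodian key below is a placeholder for a key that would
really live in an HSM or a cloud KMS.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large evidence files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk `root` and record relative path, size and SHA-256 of every file."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return {"collected_at": datetime.now(timezone.utc).isoformat(), "files": entries}


def seal_manifest(manifest, custodian_key):
    """Canonical JSON of the manifest plus an HMAC-SHA256 over it.

    The HMAC ties the manifest to the holder of the key (the custodian); a
    manifest edited after sealing no longer verifies.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(custodian_key, canonical, hashlib.sha256).hexdigest()
    return canonical, tag


def verify_hold(root, canonical, tag, custodian_key):
    """Re-hash `root` and compare with the sealed manifest.

    Returns (manifest_ok, changed, missing, added). If the manifest itself
    fails the HMAC check, nothing else is trusted and the lists are empty.
    """
    expected = hmac.new(custodian_key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, [], [], []
    recorded = json.loads(canonical)["files"]
    current = build_manifest(root)["files"]
    changed = sorted(p for p in recorded if p in current and current[p]["sha256"] != recorded[p]["sha256"])
    missing = sorted(p for p in recorded if p not in current)
    added = sorted(p for p in current if p not in recorded)
    return True, changed, missing, added


def demo():
    """Constructed sample: seal three files, then alter one, delete one, and forge the manifest."""
    key = b"custodian-key-placeholder"  # assumption: stands in for a KMS/HSM-held key
    sample = {  # constructed sample ESI, not real documents
        "mail/2016-06-01.eml": b"From: a@example.com\r\n\r\nhello\r\n",
        "contracts/msa.pdf": b"%PDF-1.4 constructed sample\n",
        "notes.txt": b"call re: hold\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        canonical, tag = seal_manifest(build_manifest(root), key)
        clean = verify_hold(root, canonical, tag, key)
        # What a litigation hold must catch: a file edited and a file deleted after collection.
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"edited after hold\n")
        os.remove(os.path.join(root, "contracts/msa.pdf"))
        tampered = verify_hold(root, canonical, tag, key)
        # A forged manifest: one byte of the sealed JSON changed, HMAC must fail.
        forged = verify_hold(root, canonical[:-1] + b" ", tag, key)
        return clean, tampered, forged


if __name__ == "__main__":
    print(demo())
```

An HMAC only proves that whoever holds the key sealed the manifest, so it supports the custodian's own affidavit; where the manifest must stand on its own before a court, a digital signature with a third-party timestamp is the stronger form, which this example does not implement.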
Weather Brewing on the Horizon: e-Discovery & Litigation
• MUST account for the specific CSP model and viability of the CSP regarding ability to comply with e-discovery and litigation holds
• DEMAND accountability for handling of ESI
  » General "cooperation" clause
  » Acknowledge compliance with litigation holds
• STRONGLY CONSIDER a separate agreement to address ESI discovery
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
• Law firm use of CSPs for their IT needs growing
• Considerations are more delicate for law firms due to client confidentiality obligations, privilege, etc.
• Bottom line: it is available, but is it ethical?
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
• Answer: IT DEPENDS - 20 states so far permit use of CSPs for storage of client files so long as a reasonable standard of care is exercised, BUT with differences:
  » Alabama, Arizona, California, Connecticut, Florida, Iowa, Maine, Massachusetts, New Hampshire, New Jersey, Nevada, New York, North Carolina, Ohio, Oregon, Pennsylvania, Vermont, Virginia, Washington & Wisconsin – NOT TEXAS!
• What to do?
  » Use DILIGENCE and COMPETENCE exercising reasonable care
  » MUST have a BASIC understanding of the technologies used
  » Have an OBLIGATION to remain current on the technologies
• List: http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
• What is considered a "reasonable standard of care"?
  » MUST be knowledgeable about CSP handling of data
  » MUST contract with CSP to preserve confidentiality/security of data
• Transposing the "reasonableness" standard from "brick & mortar" to the "cloud" not as easy as you may think:
  » Security – client confidentiality requires strong contractual protections
  » Backups – MUST think about IaaS infrastructure
  » Data access – SLA service credit should NOT be the sole remedy
  » Portability – transfer of data in event of termination crucial
  » Bankruptcy of CSP – how to account for the possibility?
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
• ABA Ethics 20/20 Working Group Report on Electronic Confidentiality
  » Form of outsourcing – cites ABA Formal Ethics Opinion 08-451 (lawyer's obligations when outsourcing work to non-lawyers)
  » Ongoing examination of possible amendments to MRPC 5.3 (lawyer's ethical obligations when supervising non-lawyer assistants)
• BOTTOM LINE: Lawyers can ethically use cloud computing products in their law practices... BUT before doing so, you MUST fully assess your ethical obligations and exercise due diligence in vetting your cloud computing provider of choice.
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
• Questions to ASK:
  » Will I have unrestricted access to the stored data?
  » Have I stored the data elsewhere so that if access to my data is denied I can acquire the data via another source?
  » Have I performed due diligence regarding the company that will be storing my data?
  » In which country and state is it located, and where does it do business?
  » Does its end user licensing agreement (EULA) contain legal restrictions regarding its responsibility or liability, choice of law or forum, or limitation on damages?
  » In the event of a financial default, will I lose access to the data, does it become the property of the SaaS company, or is the data destroyed?
Weather Brewing on the Horizon: Ethical Considerations for Lawyers
• USE COMMON SENSE
  » Understand how the CSP will handle the data
  » Security should cover both software capabilities AND physical facilities
• DO YOUR DUE DILIGENCE
  » Don't be afraid to ask questions – arguably you have a DUTY TO ASK them!
• BE CAREFUL!
"Partly Cloudy with a Chance of Rain": Security, Privacy & E-Discovery in Cloud Computing
Email: [email protected]
LinkedIn: http://www.linkedin.com/in/tkulik
Twitter: @LegaIntangibls
Google+: http://gplus.to/TomKulik
Blog: http://www.legalintangibles.com
Q&A