
Trust in the Cloud: Legal and Regulatory Framework


Description

Business is based on trust. In the cloud, to deserve the trust of its customers and others, a company must be able to demonstrate that it protects the privacy and security of the data in its custody. It must communicate clearly and specifically the nature and extent of the measures taken to protect these data, and show how they meet the existing legal and regulatory requirements, standards, best practices and benchmarks. Customers, on the other end, need tools to evaluate and compare different offerings so that they can decide which one deserves their trust and their business.


Page 1: Trust in the Cloud: Legal and Regulatory Framework

Cloud Security Alliance San Francisco, CA February 26, 2014

Francoise Gilbert, JD, CIPP
Managing Director, IT Law Group

© 2014 IT Law Group All Rights Reserved

Trust in the Cloud
Legal and Regulatory Framework

Page 2: Trust in the Cloud: Legal and Regulatory Framework

The House of Cards

The cloud ecosystem is very fragile.

It is a huge house of cards where layers sit on top of other layers. If one layer fails, the house of cards is likely to collapse.

Page 3: Trust in the Cloud: Legal and Regulatory Framework

The cloud is based on dependencies. An organization depends on many others to operate.

The glue that can help keep the Cloud House of Cards from collapsing is made of:
- Transparency
- Accountability
- Trust

Page 4: Trust in the Cloud: Legal and Regulatory Framework

General Principles

An organization:

- Is responsible for data under its control, including data that have been transferred to third parties for processing

- Should implement policies and practices to protect data in its custody, including:
  - Implementing procedures to protect the privacy and security of personal information
  - Training staff on the organization’s policies and practices
  - Developing information to explain the organization’s policies and procedures

- Should use contractual or other means to provide comparable levels of protection while the data are being processed by a third party

Page 5: Trust in the Cloud: Legal and Regulatory Framework

In practice: A Recipe for Trust?

- Comply with applicable laws

- Abide by the promises made in contracts

- Implement appropriate measures to protect the privacy and security of data in the company’s custody
  - Relevant to the type of data to be protected
  - Taking into account the state of technology and the threats to the data

- Require the same from contractors and service providers

- Communicate clearly with constituents (customers, employees, business partners)
  - Clear, detailed, understandable disclosures
  - Metrics, certification, attestation

Page 6: Trust in the Cloud: Legal and Regulatory Framework

Compliance with Applicable Laws

Page 7: Trust in the Cloud: Legal and Regulatory Framework

FTC Consent Decrees

Recent FTC actions for lax security practices:

- GMR Transcription Services, Inc. (Jan 31, 2014): provider of medical transcription service
- Foru International Corporation (Jan 7, 2014): manufacturer of nutritional supplements
- GeneLink (Jan 7, 2014): manufacturer of nutritional supplements
- Accretive Health, Inc. (Dec. 31, 2013): medical billing and revenue management service for hospitals
- TRENDnet, Inc. (Sep. 4, 2013): telesurveillance service

Page 8: Trust in the Cloud: Legal and Regulatory Framework

FTC Consent Decree Requirements

- Designate employee(s) to coordinate and be accountable for the information security program

- Identify material internal and external risks to the security, confidentiality and integrity of personal data that could result in unauthorized disclosure, misuse, loss, etc.

- Assess the sufficiency of the safeguards in place to control these risks, especially:
  - Information systems
  - Employee training and management
  - Prevention, detection and response to attacks

- Design and implement reasonable safeguards to control risk

- Regularly test and monitor the effectiveness of the safeguards

- Develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require them by contract to establish, implement and maintain appropriate safeguards

- Evaluate and adjust the program in light of the results of the testing and monitoring

Page 9: Trust in the Cloud: Legal and Regulatory Framework

HIPAA - Privacy & Security Rules

Security Rule, 45 CFR §164.300 et seq.: 45 requirements, including:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

Security Breach Disclosure Rule, 45 CFR §164.400 et seq. (covered entities) and 16 CFR 318 (PHR and related entities):
- Notification of individuals
- Notification of the Secretary (covered entities) or the FTC (PHR)
- Notification of the media

Privacy Rule, 45 CFR §164.500 et seq.

Page 10: Trust in the Cloud: Legal and Regulatory Framework

HIPAA - Business Associates

45 CFR §164.308(b)(1): “A covered entity may permit a business associate to create, receive, maintain or transmit ePHI on the covered entity's behalf ONLY if the covered entity obtains satisfactory assurances … that the business associate will appropriately safeguard the information”

45 CFR §164.308(b)(3): The organization must “document the satisfactory assurances … through a written contract or other arrangement with the business associate that meet the … requirements”

Page 11: Trust in the Cloud: Legal and Regulatory Framework

European Union – Data Controllers

EU Data Protection Directive + implementation in the EU Member States’ national laws

Article 17 – Security of the Processing:

Subsection 1: “[Data] controllers must implement appropriate technical and organizational measures to protect personal data against …. all unlawful forms of processing…” “Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected”

Subsection 2: “[Data] controller must, where the processing is carried out on its behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures”

Page 12: Trust in the Cloud: Legal and Regulatory Framework

European Union – Data Processors

EU Data Protection Directive

Article 17 – Security of the Processing

Subsection 3: “The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller, and stipulating, in particular, that:
- The processor shall act only on instructions from the controller
- The obligations [to implement appropriate technical and organizational measures to protect personal data] … shall also be incumbent on the processor”

Subsection 4: “For the purposes of keeping proof, the parts of the contract or legal act relating to data protection and the requirements relating to the [technical and organizational security measures] … shall be in writing or in another equivalent form”.

Page 13: Trust in the Cloud: Legal and Regulatory Framework

European Union – Crossborder Data Transfer Restrictions

EU Data Protection Directive + EU Member States’ national laws

Article 25: Crossborder data transfer out of the EU/EEA is prohibited unless the third country in question ensures an adequate level of protection

Article 26(2): Crossborder data transfer is permitted if the controller adduces adequate safeguards with respect to the protection of the privacy of individuals; such safeguards may result from appropriate contractual clauses

Implemented in:
- Standard Contractual Clauses
- Safe Harbor Program

Page 14: Trust in the Cloud: Legal and Regulatory Framework

US/EU Safe Harbor Principles

Notice / Choice / Access Principles

Security Principle: Take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction

Onward Transfer Principle: Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it:
- Ascertains that the third party subscribes to the [EU Safe Harbor] Principles, or is subject to the [1995 EU Data Protection] Directive; or
- Enters into a written agreement with such third party requiring at least the same level of privacy protection as is required by the relevant Principles.

Page 15: Trust in the Cloud: Legal and Regulatory Framework

Canada

PIPEDA

Principles for the Protection of Personal Data (see: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-19.html#h-25)

Principle 7 – Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 1 – Accountability: An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party for processing. The organization must use contractual or other means to provide a comparable level of protection when the information is being processed by a third party.

Page 16: Trust in the Cloud: Legal and Regulatory Framework

Contractual Process
Contract Terms

Page 17: Trust in the Cloud: Legal and Regulatory Framework

Are you Contracting with a Third Party?

3-step process:

1. Conduct appropriate due diligence to determine whether the third party uses – and will continue to use – appropriate security and other measures
2. Enter into a written contract that requires the third party to use these appropriate security measures
3. Monitor compliance with these obligations throughout the life of the contract (or longer as needed), so long as the service provider holds the company’s data

This applies to ALL layers of the house of cards: ensure that each service provider or third party that will access your data will do the same with its own service providers

Page 18: Trust in the Cloud: Legal and Regulatory Framework

Due Diligence?

To be performed BEFORE engaging the third party

How to evaluate a third party’s procedures and practices:
- Detailed questionnaire
- Onsite investigation
- Interaction with other clients
- Review of third parties’ certifications, attestations

Note: Different types of due diligence depending on the nature of the relationship, bargaining power, etc.

Important: Keep track of the nature, scope, extent, responses, results of the due diligence

Page 19: Trust in the Cloud: Legal and Regulatory Framework

Consequence?

Inadequate due diligence may have missed:
- Practices that:
  - do not meet industry standards
  - do not meet your own legal obligations
  - are not adapted to your business model
- That the service provider lacks the financial backing and financial stability
- That the service provider actually relies itself on other service providers, about whom you know nothing

Page 20: Trust in the Cloud: Legal and Regulatory Framework

Contracts

In the cloud, a majority of contracts are not negotiated

Even those that are negotiated might provide limited promises

Non-negotiated contracts:
- Pay-as-you-go model, where terms of contract may change at any time
- One-sided provisions in favor of the cloud provider
- Do not address security breach disclosure obligations
- Take-it-or-leave-it approach
- Very limited liability; only downtime, if any

Negotiated contracts – for the lucky ones:
- Better terms
- Very difficult to negotiate
- Price increase if you ask for more warranties, more liability

Difficult to acquire the “trust” of others in these conditions

Page 21: Trust in the Cloud: Legal and Regulatory Framework

If the contract can be negotiated

Contractual provisions:
- Service level agreements
- Damages
  - In case of outage
  - In case of breach of security
  - Amount of damages; damage limitation (direct, liquidated)
- Indemnification
- Reports
- Audit

Page 22: Trust in the Cloud: Legal and Regulatory Framework

Monitoring

During performance of the contract

Monitor the company’s or the third party’s performance:
- Directly?
- Indirectly:
  - Periodic reports
  - Attestations
  - Certifications

What metrics?

Transparency reports

Page 23: Trust in the Cloud: Legal and Regulatory Framework

Consequences

Without the proper:
- Due diligence
- Contracts
- Monitoring

You are riding on a road with a very weak foundation

Page 24: Trust in the Cloud: Legal and Regulatory Framework

Policies
Procedures

Page 25: Trust in the Cloud: Legal and Regulatory Framework

Policies and Procedures

Develop policies and procedures that meet the legal, contractual, and other requirements to which your company is subject, based on applicable or relevant:
- Regulations
- Standards
- Best practices

Keep track of the rationale for developing them

Monitor their application by your personnel

Discipline the infringers

Ensure that your service providers and contractors abide by similar rules and enforce them

AND communicate these policies, procedures, practices, successes and failures to others to acquire their TRUST

Page 26: Trust in the Cloud: Legal and Regulatory Framework

Security Breaches

The reputation killer

Anticipate:
- Develop an incident response plan
- Conduct periodic “fire drills”

Respond to the breach carefully:
- Important effect on reputation, trust
- Make sure that you comply with all applicable laws, worldwide
- Evaluate whether you should go beyond what the laws require
- Importance of the communication and interaction with customers, affected parties

Page 27: Trust in the Cloud: Legal and Regulatory Framework

Keep Track

Don’t let your policies and procedures gather dust

Keep track of their application and implementation within the company

Develop a matrix to measure performance:
- Within the company
- By third parties, service providers, etc.

Look for benchmarks to evaluate your performance or that of your service providers, e.g. certifications such as STAR Certification

Communicate, communicate, communicate

Page 28: Trust in the Cloud: Legal and Regulatory Framework

Conclusion

Page 29: Trust in the Cloud: Legal and Regulatory Framework

Takeaways

Trust is fragile. Easy to lose.

Transparency is a close ally of trust. Meaningful disclosures help bring trust.

In an era where the cloud that your company uses or wishes to use is likely sitting on top of multiple layers of other third-party clouds, about which you may know nothing, it is important to:
- Understand your company's obligations with respect to the data stored or processed in the cloud
- Conduct appropriate, in-depth due diligence
- Review service providers’ disclosures
- Insist on comprehensive information

Page 30: Trust in the Cloud: Legal and Regulatory Framework

More Takeaways

Keep in mind that “it’s your data; it’s your responsibility”

You get what you pay for. If using the cloud is such a saving from your current operation, there must be a reason…. Find out why it is so inexpensive.

Be realistic about what you are getting; evaluate whether the service meets the needs of your own company with respect to the specific categories of data that you will store in the cloud

Decide what is the right route to take, and what is needed to fulfill your company’s obligations as the custodian of very sensitive, valuable data

Do it, and make sure that all your service providers upstream are also doing it to protect your data

Insurance (assuming that you can purchase some) will not solve all of your problems.

Insurance companies may agree to provide coverage only if they have determined that your company has done its homework, uses proper safeguards, and is responsible and accountable.

Page 31: Trust in the Cloud: Legal and Regulatory Framework

Contact Information

Francoise Gilbert, JD, CIPP
Managing Director

IT Law Group

Email: [email protected]
Phone: (650) 804-1235

Mail: 555 Bryant Street # 603 – Palo Alto, CA 94301

www.itlawgroup.com
www.francoisegilbert.com
www.globalprivacybook.com
@francoisegilbrt