Cloud Computing Legal Risks And Best Practices

Cloud Computing: Legal Risks and Best Practices

A Bennett Jones PresentationToronto, Ontario

Lisa Abe-Oldenburg, PartnerBennett Jones LLPNovember 7, 2012

Introduction

• Security and Data Privacy• Recent OPC Guidelines• Compliance Issues• Negotiating Contracts with Cloud Providers• New Trends and Challenges• Practical Tips

Security and Data Privacy

• Access to and security of the data stored in the cloud.• When it comes to cloud computing, the security and

privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so.

• There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada).


• The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing or cross-border data transfer, even when the cloud service provider is in another country.

• However, PIPEDA (and other privacy laws) establishes rules governing use of the cloud and data transfer — particularly with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.


• Cloud providers often serve multiple customers simultaneously. Many parties may have access to the data.

• Risk of exposure to possible breaches, both accidental and deliberate.

• Cloud computing may lead to “function creep” — uses of data by cloud providers that, were not anticipated when the information was originally collected and for which consent has typically not been obtained.

• Given how inexpensive it is to keep data, there is little incentive to remove the information from the cloud and more reasons to find other things to do with it.


• Need security protocols maintained at every stage • Strict policies as well as enforcement measures need to be

reviewed to ensure that the data is being kept confidential • A detailed audit assessment may be required of the security

protocols before an organization signs up with the service• Tools such as Privacy Impact Assessments (PIA) or Threat

Risk Assessments (TRA) could be valuable to help make assessments of safeguards

• Use of external auditors to ensure the industry standards of security protocols are being met by the service provider

Recent OPC Guidelines

• Office of the Privacy Commissioner of Canada (OPC), along with the Privacy Commissioner of Alberta and BC, developed a Guidance Document for Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations

• Organizations must ensure they fully understand their obligations under Canada’s private sector privacy legislation, including those under certain provincial privacy legislation, and they need to carefully assess the risks against the benefits.

• Organizations considering a cloud computing service should carefully consider what information will be stored in the cloud and why.


• Organizations must consider the sensitivity of the personal information and carefully assess all the risks and implications involved in outsourcing personal data to the cloud. This assessment should also take into account whether the cloud is a public cloud, community cloud, private cloud or hybrid cloud, as defined in the OPC’s Introduction to Cloud Computing.

• The sensitivity of the information, the type of cloud, and the contractual arrangements should all play a key role in an organization’s decision to move, or not to move, personal information to the cloud.

• The Guideline recommends seeking professional advice in assessing the risks of using a cloud service provider.


• In order to ensure that personal information is protected, organizations using cloud computing services should:• Limit access to the information and restrict further uses by the

provider. Set parameters for restricted access and use of personal information that is appropriate for the context and sensitivity of the information. Find out if personal information will be segregated or stored in the same database as information from the cloud provider’s other clients. Ensure access to personal information is only granted to those who need it to do their job. Ensure that access to personal information is logged in protected audit trails. Do not assume that the provider’s general terms of service or policies will be adequate to establish such restrictions, review them carefully.

Recent OPC Guidelines• Ensure that the provider has in place appropriate

authentication/access controls. Stronger methods of authentication are recommended, such as multi-factor authentication. The level of authentication should be commensurate with the risk to the personal information being protected. Ensure there are procedures and technical controls to manage who has access rights to the personal information.

• Manage encryption. Understand what type of encryption method is being used and identify where data is encrypted or unencrypted at each stage (e.g., data in transit, data at rest). Conduct an assessment of the risks associated with any lack of encryption. Determine if the encryption method is adequate and the access to encryption keys is properly managed. Risks may be reduced if organizations encrypt personal information before it is sent to the cloud provider.

Recent OPC Guidelines• Ensure that there are procedures in place in the event of a

personal information breach or security incident. These should include technical and organizational measures that will be implemented in the event of accidental or deliberate loss, or unauthorized access or disclosure of personal information. Ensure there are provisions in the agreement with the cloud provider that specify when it will provide notification to the organization in the event of a security breach. Organizations subject to breach notification requirements will want to ensure the contract is clear about when the cloud provider is to provide reports on breaches in order for it to meet its legal obligations.

• Ensure that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss. Business continuity plans should be clearly documented in the contract.

Recent OPC Guidelines• Ensure periodic audits are performed. It is important for an

organization to have some measure of oversight over a cloud provider’s policies and practices. Ensure the cloud provider logs all accesses and uses of personal information. Audits should be conducted periodically to inspect access logs and confirm that physical locations where personal information is processed and stored are inspected. Organizations should verify practices and procedures to ensure the provider is handling personal information in accordance with the agreements in place and request evidence of effective auditing and timely response to security incidents.

• Have an exit strategy. Ensure the termination procedures permit the transfer of personal information back to the organization and require that the cloud provider securely delete all personal information within reasonable and specified timeframes.

Compliance Issues

• Statutes, regulations and guidelines that apply to a particular industry sector in a particular jurisdiction, may require specific compliance, such as service level terms, data recovery terms, data security regimes, audit provisions and processes for retaining and selecting any third party service provider.

• The organization transferring data to the cloud provider is ultimately accountable for its protection. It needs to ensure that the data is appropriately handled in compliance with any regulatory requirements.

Compliance Issues

• Cloud service provider may not have standards, controls or notification process that meet OSFI, PIPEDA or other statutory or regulatory requirements

• In Alberta for example, there are specific breach notification requirements and requirements to notify individuals when personal information is transferred to a service provider located outside of Canada.

Compliance Issues

• International issues – cross-border data transfer, compliance with foreign jurisdiction laws, export controls

• It is important to note that many non-Canadian based cloud providers may also be subject to PIPEDA. To the extent that a cloud provider has a real and substantial connection to Canada, and collects, uses or discloses personal information in the course of a commercial activity, the provider is expected to protect personal information, in keeping with PIPEDA.

Compliance Issues

• For more information on outsourcing of personal data processing across borders, please see Privacy Commissioner's Guidelines for Processing Personal Data Across Borders. These considerations apply whether moving data in the cloud or otherwise.

Negotiating Contracts with Cloud Providers

• Unlike outsourcing, many more parties are involved in a cloud based service model• a platform provider• a provider of servers • the data centre provider• data centre operator(s)• OS provider • applications software providers • a reseller, distributor or broker• Disaster Recovery or Business Continuity Provider

• As a result it is a complex contracting environment• No contractual privity between the customer and

many of the parties involved in the cloud services


• Typical contract structures that may be encountered in a cloud service arrangement are:• Terms of Service• Service Level Agreement• Acceptable Use Policies• Privacy Policies

• Important points need to be negotiated before contract is executed


• As a low cost commodity service the service provider seeks to keep transaction costs down and simplify managing obligations to the customers

• services provided by the cloud service provider are usually on standard terms

• terms are often non-negotiable• tend to strongly favour the service provider• cloud provider often leaves open the option to unilaterally

change the agreement, limit its liability for the information, and/or subcontract to various other providers.


• Organizations sometimes find that cloud providers present “take it or leave it” contracts. In other words, the provider sets the parameters of the relationship, and the contracting organization is required to go along with it in order to use the service. This tends to be the case with low cost online services offered by cloud providers.

• The risk is that the terms of service that govern the relationship with the cloud service provider sometimes allow for more liberal usage of personal information and retention practices, and these standard contract clauses may not be sufficient to allow organizations to meet their privacy obligations.


• Many cloud agreements do not take responsibility for the customer's data

• Ultimate responsibility for the preservation of confidentiality and integrity of data is on the customer

• Some standard terms reserve the right to delete customer data for breach of term of the contract i.e. non-payment


• Warranties in general are limited• Even when warranties are available, they often exclude

any data loss, corruption or service• Need to still have traditional representations and

warranties , e.g. performance of the service must not interfere with or breach third party rights – whether intellectual property, contractual or other rights


• If you are not comfortable with what a particular cloud provider is proposing, you should not transfer personal information entrusted to you by your customers to that provider. You should push back, or take the time to shop around for a better solution.

• Since the data and processing infrastructure will be outside the customer's control and influence, the vital issues a customer seeks to address include: • Service security• Trade secret protection, information confidentiality• Data integrity• Compliance with privacy laws and regulations• Potential secondary uses of the data• Assurance of data segregation and isolation


• Other terms dealing with data management include:• Data ownership provisions• Determining of how the data is being used. For example, whether the

data that is being stored on the servers of the cloud service providers is also going to be used by the service provider, or accessed by others

• When can the customer (who owns the data) obtain copies of information that are stored on the cloud

• Data backup and recovery• At what time intervals the copies of information or data are to be

transmitted to the Customer• Data breach notification, whether by cloud provider or data host• Geographical locations of data

• Compliance with local security and data protection laws and regulations, including positive data breach notification statutes


• Organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices. These types of obligations and controls need to be in contracts with any subcontractor, outsourcer or cloud service provider, that is engaging in any of these activities on behalf of an organization.


• You must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected. Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA.


• Service level agreements are critical• Outages, downtimes, response times• During an outage, one may not be able to access data or software

and disruption of business operations may occur

• SLA should state what happens when data is lost due to a service interruption

• Most SLAs contain no guarantee of quality of the service and the sole remedy may be service credits, subject to cap on liability

• Service levels are typically subject to scheduled downtime for maintenance and are also subject to internet or 3rd party down time – need to review and assess impact on business


• SLAs should include a duty of care, diligence and professionalism that is reasonably commensurate with the standards and practices that such services are performed and delivered in the customer's jurisdiction

• Performance risk transfers to the service provider who is better able to mitigate those risks

• Therefore performance outcomes and results need to be clearly stated as obligations of the provider in the contract


• Dealing with termination of the cloud services:• provisions relating to changing of service providers• exit strategy or transition plan • how and when the data is to be delivered• delivery of data as per the agreed delivery format • commitment by the vendor to destroy all customer data

• Need express disaster recovery and contingency planning obligations on the cloud service provider


• Problematic terms to watch out for:• Limits on service provider's liability very low,

disclaimers, short limitation periods• Exclusion of liability even if service provider

had knowledge• No indemnities by service provider for third

party claims; broad indemnities by customer for violation, conduct, content

• Terms not visible, may be cross-referenced and unilaterally amended by service provider, deemed acceptance by use, especially if dependencies on other providers


• Problematic terms to watch out for (cont.):• hidden fees (e.g. for data backup, retrieval),

service failures• data encryption, cleansing and backup

obligations pushed onto customer• no restrictions on subcontracting, no

background checks• indefinite term of contract, termination by

provider• failure to notify of data breach• freezing of accounts and no access to data

upon termination or deletion (data hijacking until fees paid or dispute resolved)

New Trends and Challenges

• Cloud computing can significantly reduce the cost and complexity of owning and operating computers and networks. If an organization uses a cloud provider, it does not need to spend money on information technology infrastructure, or buy hardware or software licences.

• Pay-per-use or consumption based pricing has been one of the most attractive features of cloud computing

• Cloud services can often be customized and flexible to use, providing scalability, better service levels and offer advanced services that an individual company might not have the money or expertise to develop.


• For businesses that are considering using a cloud service, cloud computing could offer better protection of personal information compared with current security and privacy practices. Through economies of scale, large cloud providers may be able to use better security technologies than individuals or small companies can, and have better backup and disaster-recovery capabilities.

• Cloud providers may also be motivated to build privacy protections into new technology, and to support better audit trails.


• On the other hand, while cloud computing may not increase the risk that personal information will be misused or improperly exposed, it could increase the scale of exposure. The aggregation of data in a cloud provider can make that data very attractive to cybercriminals, for example. Moreover, given how inexpensive it is to keep data in the cloud, there may be a tendency to retain it indefinitely, thereby increasing the risk and scale of breaches.


• Frequently, organizations find that employees have already moved personal information to a cloud service without IT staff or management being aware. For example:• Employees may be using a cloud-based e-mail service for business

correspondence• Employees may be using an online service to collaborate on documents• Client databases that are accessible online from any location could be

hosted in the cloud

• An organization that outsources personal data for processing or other services to a cloud service provider remains accountable for protecting its customers’ personal information and it must be transparent about its information management and privacy practices.

• Corporate policies need to be implemented.

Practical Tips

• Due diligence of cloud provider, processes, systems and controls - audits, certifications, testing

• Insist on transparency. Identify the Cloud support parties, type, processes, data flow, locations/jurisdictions, security, business resumption planning

• Select configurations and controls• Specify ownership and obtain assignments of rights if needed• Analyze contracts and if can’t negotiate necessary changes,

implement internal process changes or controls of what gets onto Cloud

• Think way ahead – contractual requirements should be part of any RFP

Conclusion

Cloud computing offers benefits for organizations and individuals. There are also privacy and security concerns. If you are considering a cloud service, you should think about how personal information and data can best be protected.

Carefully review the terms of service or contracts, and challenge the cloud service provider to meet your needs.

Questions?

Lisa K. Abe- Oldenburg, B.Comm., J.D.

[email protected]

Tel.: 416-777-7475

www.bennettjones.com

• This presentation contains statements of generalprinciples and not legal opinions and should notbe acted upon without first consulting a lawyerwho will provide analysis and advice on a specificmatter.