Cloud computing has changed how organizations obtain computing: they can outsource their computing capability to a third-party provider whose networks, servers, storage, applications or services may be located in multiple jurisdictions. This webinar explored the global legal and regulatory developments in cloud computing that occurred during 2012.
© 2012 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP
Cloud Computing Webinar: Legal & Regulatory Update for 2012, 15 November 2012
Richard Graham, Partner, Edwards Wildman Palmer LLP, London, +44 (0) 20.7556.4418
Michael Bennett, Partner, Edwards Wildman Palmer LLP, Chicago, +1 312.201.2679
Mark Schreiber, Partner, Edwards Wildman Palmer LLP, Boston, +1 617.239.0585
♦ Introduction: The Cloud
♦ Key Developments in 2012:
  • Development 1: Demystification of the Cloud
  • Development 2: The Evolving Cloud
  • Development 3: Regulatory Change
  (Customer Drivers / Supplier Drivers)
♦ Cloud Mitigation Strategies
Introduction: Defining the Cloud
Introduction: Why the Cloud?
Approximate costs, enterprise data center (1,000 servers) versus cloud data center (100,000 servers):
  • Network: $95 / Mbps / month vs $13 / Mbps / month (ratio 7.1)
  • Storage: $2.20 / GB / month vs $0.40 / GB / month (ratio 5.7)
  • Administration: 140 servers / admin vs 1,000 servers / admin (ratio 7.1)
Source:
http://wikibon.org/blog/how-big-is-the-world-of-cloud-computing-infographic/
Introduction: Why the Cloud?
♦ "Switch" Data Center: 2,200,000 square feet (http://www.makeuseof.com/tag/5-worlds-biggest-data-centers-stats-pics/)
♦ Average cloud data center: 11.5 times the size of a football field (http://wikibon.org/blog/how-big-is-the-world-of-cloud-computing-infographic/)
♦ Acquisition of Terremark by Verizon for $1.4B
♦ Acquisition of Savvis by CenturyLink (Qwest) for $2.5B
Introduction: Cloud Definition
♦ http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
♦ Essential characteristics: on-demand self-service; broad network access; resource pooling; rapid elasticity
♦ Service models: Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS); cross-platform?
♦ Deployment models: private cloud; community cloud; public cloud; hybrid cloud
Introduction: The Problem with the Cloud
♦ 1. Service Confusion
  • Software Providers
  • Technology Manufacturers
  • Network Providers
  • Information & Service Providers
♦ 2. Jurisdictional Confusion
  • Cloud customer location?
  • Cloud provider location?
  • Data location?
  • Data subject location?
Introduction: The Problem with the Cloud
♦ Contract and regulatory issues that follow from the jurisdictional questions:
  • Intellectual Property Rights
  • Data Protection
  • Breach Notification
  • US PATRIOT Act
Introduction: The Problem with the Cloud
♦ 3. Security Confusion
  • Denial of Service / DDoS
  • Cyber Attack / Terrorism
  • Fraud / Theft / ID Theft
  • Certification Authority Breach
  • Phishing / Trojans / Botnets
  • Poor Data Protection Compliance
  • Accidental Disclosure
  • Data Loss
  • Security Flaw
  • Data Damage or Destruction
  Information security properties at stake: Accessibility (availability), Integrity, Confidentiality
Introduction: The Problem with the Cloud
♦ 4. Expectations Confusion
  • Software vs. Subscription
  • Commodity Service
  • Leverage Assets
  • Virtualization
  • Outsourcing vs. Commodity
  • Individualized Service Levels
  • Control
  • Provable Data Security / Privacy
Key Developments in 2012
Development 1: Demystification of the Cloud
♦ Demystifying Cloud Computing
  • Data & Security: 1. New privacy risks? 2. More data sharing? 3. More security risks? 4. More international?
  • Ownership & Control: 1. Extraterritorial? 2. Local retention? 3. Access & audit? 4. Loss of control?
  • Political: 1. Business models; 2. Employment protection; 3. Risk allocation
Development 2: The Evolving Cloud
♦ Traditional Outsourcing vs. Cloud Computing
  • Traditional Outsourcing: service driven; data controllers / data processors; standalone bespoke services; agents; pushed service levels; static location
  • Cloud Computing: security driven; IaaS / PaaS / SaaS; standardized environment; shared infrastructure; self-service; pulled service levels; dynamic location
  • Points of comparison: service scope; service levels; charges
Development 2: The Evolving Cloud
♦ The Cloud Contract: The Need for Change (slide diagram; each of the following feeds into the cloud contract)
  • Inputs: Regulation & Consumer Law; Large Negotiated Deals
  • Differences: Access; Shared; Commodity; Structure
  • Changers: Government; Industry; Landmark Deals; Insurers
  • Legal Issues: Enforceability; Validity; Non-Compliant; Data Breach
Development 2: The Evolving Cloud
♦ Cloud Contracting: Non-Cloud versus Cloud
  IACCM Most Negotiated (non-cloud):
  1. Limitation of Liability
  2. Indemnities
  3. Charges
  4. Intellectual Property
  5. Payment
  6. Liquidated Damages
  7. Service/Service Levels
  8. Delivery/Acceptance
  9. Applicable Law
  10. Confidentiality/Access
  Cloud Most Negotiated:
  1. Limitation of Liability
  2. Indemnities
  3. Data Integrity
  4. Service/Service Levels
  5. Regulatory Compliance
  6. Confidentiality/Access
  7. Security/Audit
  8. Lock-in/Exit/Term
  9. Service Change
  10. Intellectual Property
Development 2: The Evolving Cloud
♦ Cloud Contracting: Negotiation Checklist
  1. Structure: Type (IaaS, PaaS, SaaS); Subcontractor
  2. Service: Services; Service Levels; Service Credits; Price
  3. Data: Information Security; Access; Audit; Business Continuity/DR
  4. Regulation: DP/Privacy; Other; Change; Breach
  5. IPR: Ownership; Rights of Use
  6. Termination: Term; Termination; Exit; Portability
  7. Liability: Warranties; Indemnities; Exclusions; Limitations
  8. Other: Jurisdiction; Change; Insurance; Certification
Development 3: Regulatory Change
♦ Legal and regulatory regimes that may reach data held in the cloud:
  • HIPAA; HITECH Act; GLB
  • FACTA; FCRA; Fair Debt Collection Practices Act
  • FERPA; COPPA
  • ITAR / Export Compliance
  • FFIEC; Banking Requirements
  • PIPEDA (Canada)
  • FTC; Subpoena / Rule 34 FRCP
  • In re NTL Inc. Sec. Litig., 244 F.R.D. 179 (S.D.N.Y. 2007)
  • State Regulations; SOX; ECPA; SCA
  • PCI
Development 3: Regulatory Change
♦ EU Article 29 Data Protection Working Party Opinion, 1 July 2012: transparency; control; sharing; sub-contracting; data portability; transfers outside the EEA
♦ EC Strategy for "Unleashing the potential of cloud computing in Europe", 27 September 2012: interoperability; data portability; reversibility; certification; 'safe and fair' contract terms; European cloud market
♦ UK ICO Guidance on Cloud Computing, 27 September 2012: what data to put into the cloud?; performance monitoring; written contract; security assessment; security measures; using cloud services from outside the UK; multi-tenancy environment
Cloud Mitigation Strategies
Cloud Mitigation Strategies
♦ Insurance
♦ Does the customer understand its data?
♦ Robust dispute resolution
♦ Self help: backup; migration plan; privacy pre-audit; data map
♦ "Leverage" awareness
Cloud Mitigation Strategies
♦ Third-party assurance: SAS 70 Type II (superseded by SSAE No. 16 in 2011); SSAE No. 16 Type 2; ISO 27001; TRUSTe; SysTrust; VeriSign
♦ Safe Harbor / EU data protection compliance
♦ Be aware of chat boards / internet search / news
♦ Transparency of procedures
♦ Multi- or single-jurisdiction data centers?
Cloud Mitigation Strategies
♦ Multi-tenancy
♦ Escrow
♦ Data map
♦ Audit of customer needs upfront
♦ Contingency planning: migration; return of data; termination services
Conclusion & Questions?
Richard Graham, Partner, Edwards Wildman Palmer LLP, London, +44 (0) 20.7556.4418
Michael Bennett, Partner, Edwards Wildman Palmer LLP, Chicago, +1 312.201.2679
Mark Schreiber, Partner, Edwards Wildman Palmer LLP, Boston, +1 617.239.0585