PRIVACY AND DATA SECURITY ISSUES IN THE CLOUD
LEXPERT CLOUD COMPUTING CONFERENCE 2012
CLOUD COMPUTING: A PRACTICAL APPROACH
LISA R. LIFSHITZ
416-775-8821
[email protected]
DECEMBER 3, 2012
ST. ANDREW’S CLUB AND CONFERENCE CENTRE

AGENDA

1. Privacy and Data Protection - Regulatory Framework
• Private Sector Organizations
• Industry Specific Laws and Standards
• Personal Health Information

2. Your Obligations
• Data Protection and Data Transfer
• Transferring Data Internationally
• Data Breach Notification
• CASL

3. Security
• Risks in the Cloud
• Technical Standards

4. Best Practices

1. REGULATORY FRAMEWORK (PRIVATE SECTOR)

• In Canada, the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) regulates the collection, use and disclosure of personal information in the private sector.

• “Personal information” is broadly defined in PIPEDA and includes any “information about an identifiable individual”, whether public or private, with limited exceptions.

• PIPEDA applies to federal works, undertakings and businesses, and to all private sector organizations regulated by provinces that do not have substantially similar private sector privacy legislation, that collect, use or disclose personal information in the course of their commercial activities.

• Examples of federal works and undertakings in Canada include airlines, banks, ferries, broadcasting, inter-provincial railways, interprovincial or international trucking, shipping or other transportation, aviation, banking, nuclear energy, activities related to maritime navigation, and radio stations.

REGULATORY FRAMEWORK

• PIPEDA also applies to all personal information that flows across provincial or national borders in the course of commercial transactions.

• PIPEDA is a general law that applies to the collection of personal information regardless of the technology used.

• PIPEDA will not apply in provinces with privacy legislation that is substantially similar to it.
• Currently, only Alberta, British Columbia and Québec.
• PIPEDA does apply to federal works, undertakings or businesses that operate in those provinces.
• In addition, Ontario health information custodians (e.g., physicians, nurses, hospitals, etc.) have been exempted from PIPEDA with respect to personal health information, as Ontario has a specific health information privacy statute that applies (more about this later!).

• Organizations that operate inter-provincially are required to deal with both provincial and federal privacy legislation.

REGULATORY FRAMEWORK

• Alberta and British Columbia have also enacted comprehensive private sector privacy legislation (the Personal Information Protection Act (“PIPA”) in both provinces) which applies generally and includes the personal information of employees.

• Québec’s private sector privacy legislation, an Act respecting the protection of personal information in the private sector (“Québec Privacy Act”), is similar in principle to PIPEDA; however, there are important differences in detail.
• The Québec Privacy Act applies to all private sector organizations with respect to collection, use and disclosure of personal information (not just with respect to commercial activities) and to employee information.
• It also applies to private sector collection, use and disclosure of personal health information.
• All Canadian privacy legislation, including PIPEDA, reflects the following ten principles, derived from the Organization for Economic Cooperation and Development Guidelines created in the early 1980s: (1) accountability, (2) identifying purposes, (3) consent, (4) limiting collection, (5) limiting use, disclosure, and retention, (6) accuracy, (7) safeguards, (8) openness, (9) individual access, and (10) challenging compliance.

• All four principal private-sector statutes apply similar principles to meet these legal obligations. The principles (i) mandate that personal information may only be collected, used or disclosed with the knowledge and consent of the individual; (ii) limit the collection of personal information to what is necessary for identified purposes; and (iii) require that personal information be collected by fair and lawful means.

A WORD ABOUT THE PUBLIC SECTOR

• Canadian provinces, territories and municipalities also have their own public sector privacy legislation.
• Lots of statutes!

• See: the Freedom of Information and Privacy Protection Act, R.S.A. 2000, c F-25 (Alberta), Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c 165 (BC), Freedom of Information and Protection of Privacy Act, C.C.S.M. c F175 (Manitoba), Personal Health Information Privacy and Access Act, S.N.B. 2009, c P-7.05, replacing the Protection of Personal Information Act, S.N.B. 1998, c P-19.1 (New Brunswick), Access to Information and Protection of Privacy Act, S.N.L. 2002, c A-1.1 (Newfoundland), Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c 5 (Nova Scotia), Freedom of Information and Protection of Privacy Act, RSO 1990, c F-31 (Ontario), Freedom of Information and Protection of Privacy Act, RSPEI 1988, c F-15.01 (Prince Edward Island), An Act respecting Access to documents held by public bodies and the Protection of personal information, RSQ, c A-2.1 (Quebec), Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c F-22.01 (Saskatchewan), Access to Information and Protection of Privacy Act, R.S.Y. 2002, c 1 (Yukon), Access To Information And Protection Of Privacy Act, S.N.W.T. 1994, c 20 (Northwest Territories) and Access To Information And Protection Of Privacy Act, S.N.W.T. (Nu) 1994, c 20 (Nunavut).

• Note that the so-called “MUSH sector” - municipalities, universities, schools and hospitals - may be covered by the above legislation, so please verify which acts apply!

WHAT THIS MEANS FOR THE CLOUD

• All four principal private-sector statutes apply similar principles to meet these legal obligations.

• There are several key differences between PIPEDA and the provincial privacy statutes, particularly in relation to data transfers and data breach notification.
• These issues will be considered in more detail below.

• The legislative situation is more complicated for organizations that conduct business across provincial boundaries.
• Within an exempt province, an organization’s use of personal information will be governed by applicable provincial legislation.
• However, PIPEDA will apply to organizations located in exempt provinces when they collect, use or disclose personal information across provincial boundaries or internationally.
• As Cloud computing involves the use of remotely located computing resources, it will almost invariably involve the use of extra-provincial or international computing resources, thus triggering PIPEDA compliance.

• Depending upon the facts, where a Canadian organization transfers personal information into a Cloud computing environment, it may also be potentially required to consider its obligations under four distinct privacy laws.

INDUSTRY SPECIFIC LAWS AND STANDARDS

In addition to the obligations created by PIPEDA and substantially similar provincial privacy legislation, certain industry sectors have additional obligations that apply specifically to their sector. These include:

• The Payment Card Industry Data Security Standard (PCI DSS),
• The Office of the Superintendent of Financial Institutions standards, and
• Additional legislative systems that apply to holders of health information in various provinces.

THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

The Payment Card Industry Data Security Standard (PCI DSS) provides technical and operational requirements for organizations that store, process, or transmit data on payment card holders, such as merchants and card issuers. Where credit card transactions take place, or cardholder data is stored in the Cloud, PCI DSS will apply to Cloud Providers.

The PCI DSS creates requirements in six key areas:

1. Network Security
2. Cardholder Data Protection
3. A Vulnerability Management Program
4. Strong Access Control
5. Monitoring and Testing
6. Information Security Policy

THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Network Security
• At a minimum, organizations are required to install firewalls to protect their network, and sensitive areas within their network, from unauthorized access. Direct public access to the cardholder data environment is to be blocked.

• The PCI DSS directly prohibits using vendor defaults for passwords or system parameters, and requires the deletion of all unused accounts.

Protecting Cardholder Data
• Cardholder data must be protected by security methods such as encryption, truncation, or hashing when it is stored or transmitted over a network. Data retention should be limited to that required by legal or business reasons, and certain highly sensitive information, such as Card Verification Numbers and PIN codes, should not be stored.

THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Maintaining a Vulnerability Management Program
• Organizations must use up-to-date anti-virus software on all systems. These systems must generate logs of their audit activity. All systems and software must be kept up to date using the most recent vendor security patches.

Implementing Access Controls
• Access to sensitive information should be limited to personnel who actually need to know it, based on their business responsibilities. This system should rely on user identification, and deny access to all users not specifically allowed access.

• Access to the physical facility itself should be controlled to prevent unauthorized access to data.

THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

System Monitoring and Testing
• Access to the system, and actions taken by users, must be logged to detect and minimize data breaches. The audit trail itself should be protected from alteration and retained for at least a year.

• Systems should be tested regularly for vulnerabilities, including checking for wireless access points.

Information Security Policy
• The organization should implement a security policy that informs personnel of the expectations placed on them. The policy should detail all of the PCI DSS requirements, include usage policies for critical equipment, such as wireless and remote access technology, and include an incident response plan.
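As an added example (not code from the presentation), the Python below shows how the cardholder-data and audit-trail requirements above translate into practice: the PAN is persisted only truncated and as a keyed hash, CVV and PIN are dropped before storage, and each access goes into a hash-chained log whose later alteration can be detected. The key, field names and sample transaction are assumptions constructed for illustration.

```python
"""Constructed example of the PCI DSS cardholder-data and audit-trail rules.

Not code from the presentation: the key, field names and sample transaction
below are assumptions made for illustration.
"""
import hashlib
import hmac
import json

# Hypothetical per-deployment secret that keys the PAN hash. In production it
# would live in an HSM or key-management service, never next to the records.
PAN_HASH_KEY = b"example-key-do-not-use-in-production"

# Sensitive authentication data that PCI DSS says must never be stored
# after authorization (assumed field names).
FORBIDDEN_FIELDS = {"cvv", "pin", "track_data"}


def pan_digits(pan: str) -> str:
    """Strip spaces/dashes and validate the PAN length (13-19 digits)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the first six and last four digits for display."""
    digits = pan_digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str) -> str:
    """Keyed hash of the PAN for lookups. A plain SHA-256 would be reversible
    by enumerating the small PAN space; the secret key prevents that."""
    return hmac.new(PAN_HASH_KEY, pan_digits(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(txn: dict) -> dict:
    """Return the only form of the transaction that may be persisted:
    no CVV/PIN/track data and no clear-text PAN."""
    stored = {k: v for k, v in txn.items() if k not in FORBIDDEN_FIELDS and k != "pan"}
    stored["pan_truncated"] = truncate_pan(txn["pan"])
    stored["pan_hash"] = hash_pan(txn["pan"])
    return stored


class AuditLog:
    """Append-only access log where each entry commits to the previous entry's
    digest, so editing or deleting an earlier record breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user: str, action: str, pan_hash: str) -> None:
        """Record who did what to which (hashed) card, chained to the prior entry."""
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {"user": user, "action": action, "pan_hash": pan_hash, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        """Recompute every digest and link; False if any entry was altered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


if __name__ == "__main__":
    # Constructed sample transaction using a well-known test PAN.
    txn = {"pan": "4111 1111 1111 1111", "expiry": "12/26", "cvv": "123", "amount": 1999}
    record = sanitize_for_storage(txn)
    print(record)  # cvv gone, pan replaced by pan_truncated / pan_hash
    log = AuditLog()
    log.append("clerk-1", "view", record["pan_hash"])
    log.append("clerk-2", "refund", record["pan_hash"])
    print("audit trail intact:", log.verify())
    log.entries[0]["action"] = "export"  # tampering with the trail
    print("audit trail intact after edit:", log.verify())
```

Retention is not modelled here; in a real system the stored record would also carry a delete-by date derived from the business or legal retention period the slide mentions.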

THE OFFICE OF THE SUPERINTENDENT OF FINANCIAL INSTITUTIONS

• The Office of the Superintendent of Financial Institutions (OSFI) is a federal regulatory body with jurisdiction over federally regulated deposit taking entities, such as banks, insurance institutions, and pension plans.

• The OSFI “Outsourcing of Business Activities, Functions and Processes” (Guideline B-10) will apply to outsourcing agreements entered by subject organizations and Cloud Providers.

• Prior to outsourcing any business functions, entities subject to the OSFI guidelines are required to determine whether the agreement is “material” by considering:
• The impact of the arrangement on their finances, reputation and operations,
• The ability to have internal controls if the service provider were to fail,
• The difficulty and cost of finding an alternate service provider or conducting the activity in-house.
• Arrangements deemed “material” must be subject to a risk management program that meets specified requirements.

THE OFFICE OF THE SUPERINTENDENT OF FINANCIAL INSTITUTIONS

Outsourcing Risk Management:
• OSFI requires organizations to undertake a due diligence process to determine how to manage the risk associated with the outsourcing process.
• This process must include an assessment of the service provider itself, including its operational practices, financial stability, and, for foreign service providers, the legal requirements of the jurisdiction in which they are located, and any political, social or economic conditions affecting it.

• When the decision is made to proceed with outsourcing, this must be documented in a written contract.

THE OFFICE OF THE SUPERINTENDENT OF FINANCIAL INSTITUTIONS

Outsourcing Agreements:
• Ultimately, OSFI requires organizations to maintain their own accountability for outsourced services. To ensure this, the contract must address:
• The scope of the service being provided,
• How frequently and in what form the service provider (here, the Cloud Provider) will report to the organization,
• The contingency procedures in place in case the system breaks down,
• The audit rights of the organization,
• Rules and any limitations on subcontracting,
• The confidentiality and security requirements specified by the organization.

APPLICATION TO CLOUD COMPUTING

• On February 29, 2012 OSFI issued a “Memorandum re New technology-based outsourcing arrangements” that confirmed that the expectations contained in Guideline B-10 remain current and continue to apply in respect of technology-based outsourcing services, including Cloud computing.

• In particular, federally regulated financial institutions should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on i) confidentiality, security and separation of property; ii) contingency planning; iii) location of records, iv) access and audit rights, v) subcontracting, and vi) monitoring the material outsourcing arrangements.

PERSONAL HEALTH INFORMATION

• Be aware that some Canadian provinces have enacted sector specific healthcare privacy legislation. These are:
• Alberta (the Health Information Act);
• Manitoba (the Personal Health Information Act);
• New Brunswick (the Personal Health Information Privacy and Access Act);
• Newfoundland and Labrador (the Personal Health Information Act);
• Ontario (the Personal Health Information Protection Act, 2004); and
• Saskatchewan (the Health Information Protection Act).

• We will focus mainly on PHIPA (Ontario).

A WORD ABOUT PHIPA

• Under PHIPA, “Personal health information” is broadly defined as:

“identifying information about an individual in oral or recorded form”, and includes information that (a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family, (b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, (c) is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual, (d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual, (e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance, (f) is the individual’s health number, or (g) identifies an individual’s substitute decision-maker. “Identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

• PHIPA requires health information custodians to take reasonable steps to ensure that the personal health information in their custody or control is protected against “theft, loss, and unauthorized use or disclosure”.

• Further, the custodian must protect against unauthorised copying, modification, and disposal.
• If a health information custodian wishes to engage in Cloud computing, it must engage a Cloud Provider that has knowledge and understanding of the legislative requirements applicable to the industry.

2. YOUR OBLIGATIONS - DATA PROTECTION AND THE CLOUD (KEY PIPEDA PRINCIPLES)

• Organizations are responsible for personal information in their possession or custody, including information that has been transferred to a third party for processing. (Principle 4.1.3).

• The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by third parties. (Principle 4.1.3).

• Organizations that collect, use or disclose personal information are required to provide security for that information that is appropriate when considering its sensitivity. (Principle 4.7)

• In creating safeguards for personal information, PIPEDA obligates organizations to implement physical measures, organizational measures and technological measures to ensure adequate safety.
• Physical data protection mechanisms may include restricting access to secure locations.
• Organizational data protection measures will include ensuring that only certain personnel have access, or the access keys, to personal information.
• Most important in Cloud computing, technological measures will include data encryption, passwords and access keys.
• The extent to which each of these protection methods is required will vary with the sensitivity of the information in question; more sensitive information will require greater protection and vice versa.

KEY PIPEDA PRINCIPLES

• In addition to protecting personal information in their control, organizations are required to limit their use, disclosure and retention of personal information to those purposes disclosed when the information was first collected, unless additional consent is established. (Principle 4.2)

• After the initial purpose has been achieved, the personal information must be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information (Principle 4.5.3).

• Under a separate provision, Principle 4.8, PIPEDA requires organizations to be open about their policies and practices relating to the management of personal information.

• Taken together, Principle 4.1.3 and Principle 4.8 require that the covered organization at a minimum (1) have in place contractual or other means to provide a comparable level of protection, (2) inform its customers about its policies and practices related to the management of personal information, and (3) notify customers that their personal information may be available to a foreign government or its agencies under a lawful order made in that country.

• These obligations will continue to apply to organizations that outsource the processing of personal information to third party Cloud Providers.

ALBERTA PIPA OBLIGATIONS

• Alberta’s PIPA was recently amended to require that organizations notify individuals before transferring personal information to a foreign service provider (which includes Cloud Providers).

• Organizations that use foreign service providers and that directly or indirectly transfer personal information outside Canada about an individual that was collected with the individual’s consent are now required to:
• Notify individuals, before or at the time of collecting or transferring the information, in writing or orally, if the service provider outside of Canada will collect personal information on behalf of the primary organization;

• Notify individuals of the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada; and

• Provide the name or position or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization. [Section 13.1(1)]

• Note that definition of “service provider” means any organization, including, without limitation, a parent corporation, subsidiary, affiliate, contractor or subcontractor, that, directly or indirectly, provides a service for or on behalf of another organization.

NEW CLOUD GUIDELINES FROM OUR PRIVACY REGULATORS

• In June, 2012 the OPC, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information & Privacy Commissioner for British Columbia issued a joint Guidance Document called “Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations”.

• The focus of the OPC Guidance Document was to remind SMEs that under Canada’s private sector privacy legislation, an organization that collects personal information from an individual is accountable for the personal information even when it is outsourced for processing to third-party providers.

• Thus, all businesses in Canada, regardless of their size, are ultimately accountable for the personal information they collect, use and disclose even if they outsource personal information to a service provider that operates in the Cloud.

• The privacy regulators confirmed that (i) many standard Cloud computing agreements contain legal terms that are not sufficient to allow SMEs to meet their Canadian privacy obligations; and (ii) standard Cloud computing agreements often allow a provider to unilaterally change the agreement, limit its liability for the information, and/or subcontract to various other providers.

• However, as confirmed by the OPC, SMEs must use contractual or other means to ensure that personal information is appropriately handled and protected by the Cloud Provider.

NEW CLOUD GUIDELINES

• SMEs using Cloud computing services should:
• Limit access to the information and restrict further uses by the provider;
• Ensure that the provider has in place appropriate authentication/access controls;
• Manage encryption;
• Ensure that there are procedures in place in the event of a personal information breach or security incident;
• Ensure periodic audits are performed; and
• Have an exit strategy.

• SMEs must pro-actively maintain control over personal information that is sent to a Cloud Provider, and take steps to prevent and limit secondary uses of personal information.

• Due diligence on the part of the organization will be required before signing a standard Cloud agreement and moving personal information to the Cloud.

• SMEs must (i) clarify what, if anything, the prospective Cloud Provider will do with the personal information provided; (ii) seek customers’ consent for new uses of their personal information; and (iii) always keep in mind the reasonable expectations of the individual.

WHAT DOES THIS ALL MEAN FOR THE CLOUD?

• Organizations subject to PIPEDA must ensure that any personal information transferred to a Cloud Provider is dealt with in a manner that meets the organization’s own legal obligations.

• This will require the Cloud Provider to be contractually bound to secure the information in an adequate manner, considering the sensitivity of the information, and to specify the data protection mechanisms and any data breach notification requirements (discussed below).
• The Cloud Provider must be required to use the information solely for the purpose for which it was collected by the organization and disclosed to the Cloud Provider (and for no other purpose).

• The Cloud Provider must not be allowed to retain or use the information after the use disclosed to the individual has been achieved, or after the Cloud agreement is terminated.
• The Cloud Provider may be located in a foreign jurisdiction and may resist being contractually bound to comply with the privacy obligations established in Canadian law.
• Standard form contracts are often not adequate to allow organizations to meet their privacy obligations under Canadian law, and indeed may allow the Cloud Provider to amend the agreement, with or without notice to the organization.

• Be aware that the legal onus is on the outsourcing organization to ensure that any Cloud Provider to whom personal information is transferred complies with Canadian privacy laws.

• Customers must engage in due diligence efforts re their proposed Cloud Providers!

INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

• PIPEDA Case Summary #2005-313 - Bank’s notification to customers triggered PATRIOT ACT concerns.
• CIBC sent a notification to its VISA customers amending its credit cardholder agreement.
• Notification referred to the use of a U.S. based service provider and the possibility of U.S. law enforcement or agencies accessing cardholders’ personal information under U.S. law.

• Main concern was possible scrutiny of personal information by U.S. authorities.
• Outsourcing must be in compliance with OSFI requirements for a financial institution.
• Principle 4.1.3: responsibility for personal information transferred to a third party processor.
• Principle 4.8: Make available information re policies and practices relating to management of personal information.

INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

Findings:
• Bank must have provisions in place to ensure a comparable level of protection for personal information.
• Contract had guarantees of confidentiality and security of information, oversight, monitoring and audit rights for CIBC; CIBC maintained custody and control of personal information.
• Contract cannot override the laws of the U.S., and CIBC could not prevent its customers’ personal information from being lawfully accessed by U.S. authorities.
• Companies should notify customers where personal information is processed in a foreign jurisdiction and may be available to government agencies.

Lessons Learned:
• PIPEDA cannot prevent U.S. authorities from lawfully accessing personal information of Canadians held in Canada or the U.S.
• PIPEDA cannot force Canadian companies not to outsource to foreign-based service providers.
• Organizations must be transparent about personal information handling practices and protect personal information in the hands of third party processors (foreign or local).

INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

• PIPEDA Case Summary #2007-365 - Responsibility of Canadian Financial Institutions in SWIFT’s disclosure of PI to U.S. Authorities
• SWIFT disclosed personal information (PI) to U.S. authorities.
• Concern was that the disclosure was outside of the approved processes for data transfers.
• Same principles involved.

Findings:
• SWIFT and its members developed and implemented a sophisticated and elaborate set of security measures to ensure the integrity, confidentiality, security and reliability of the financial messages it delivers.

• Through oversight and auditing mechanisms, contractual language and security measures, banks met their obligations to be responsible for PI in the hands of a third party processor.

• Banks had clear language in their privacy policies that inform customers that banks may send PI to foreign jurisdiction for certain purposes and it will be subject to the laws of that country.

INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

Lessons Learned:
• The same as #313!
• Organizations cannot prevent a firm from responding to lawfully issued subpoenas.
• Companies should notify customers that they outsource information processing to another jurisdiction and that PI may be available to the government or other agencies of that country.

INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

PIPEDA Case Summary #2008-394 - Outsourcing of Email Service to U.S. Firm.
• Canada.com sent an email to customers advising that the service would be operated by a U.S. based company.
• Existing subscribers were required to accept new terms of use; new subscribers had to accept the new terms of use.
• Privacy Statement contained notification that email services were provided by a U.S. based party.
• Same principles involved.

Findings:
• Sharing of information with service provider = use, rather than disclosure.
• Consent to use information obtained when customers first sign up – if service provider changes, use is still consistent with purpose.
• Clear notification provided that PI stored in U.S. and could be accessed by foreign government.
• Data transferred prior to notification was not accessible or identifiable until customers accepted new terms of use.
• Contract included guarantees of confidentiality and security of PI, oversight and monitoring, and audit of services provided.

INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

Lessons Learned:
• The same as #313!
• Organizations must assess the risks that could jeopardize the security and confidentiality of customer PI when it is transferred to foreign-based third party service providers.

• It is essential that organizations using third party service providers outside of Canada use contractual or other means to provide a comparable level of protection while the information is being processed by the third party.

INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

IPC: Ministry of Natural Resources Licensing Automation System Privacy Investigation by the Ontario Privacy Commissioner (June 2012 – PC 12-39)

• The Ministry awarded a US-based public company, Active Outdoors, a contract to host and maintain a Licensing Automation System (LAS) database relating to hunting and fishing licenses.

• Individuals in Ontario wishing to apply for a hunting and fishing license must submit personal information to the LAS database.

• IPC received a complaint about the privacy and security of the personal information stored in the LAS, particularly regarding the fact that the personal information of Ontarians would be subject to American laws, including the Patriot Act.

• IPC investigated and confirmed:
• No legislative prohibition against the storing of personal information outside the province of Ontario or Canada.
• FIPPA does require provincial institutions to ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information.
• The risk that law enforcement agencies may access personal information is not restricted to information held in the US – Canadian law enforcement agencies have similar ‘robust powers’.

INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

• Law enforcement agencies in Canada, the US and other countries have the ability to reach across borders to access personal information under various laws and agreements.

• IPC confirmed stance of the OPC that privacy risks posed by the Patriot Act are similar to those found in Canada; the privacy protection afforded a US provider is comparable to that of a Canadian provider.

• FIPPA does not prohibit provincial institutions from outsourcing services on the basis that foreign law, i.e. the Patriot Act, may apply.

• No prohibition by the province on the storage of personal information by government institutions.
• KEY QUESTION: Has the MNR taken reasonable steps to protect the privacy and security of the records in its custody and control via contract?
• IPC reviewed key contractual provisions relating to data ownership, collection, use and disclosure, confidential information, notice of compelled disclosure, subcontracting, security, retention and destruction, audits and governing law.

• MNR still needed to finalize its retention and destruction schedule; otherwise MNR found to have put in place reasonable measures to protect personal information.

DATA BREACH NOTIFICATION - ALBERTA

• Currently, only Alberta has a mandatory security breach reporting requirement that applies to all private sector organizations within the province. [Section 34.1]

• The Alberta PIPA now requires organizations to notify the Alberta Privacy Commissioner (“APC”) in instances where personal information is lost, accessed, or disclosed without proper authorization.

• This reporting obligation will arise only where the breach results in a “real risk of significant harm” to the individuals affected.
• APC has interpreted the significant harm threshold to be met where the breach presents “a material harm; it has non-trivial consequences or effects.
• Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”
• Any such risk must be real, not “merely speculative” or “hypothetical or theoretical”.

DATA BREACH NOTIFICATION - PIPEDA

• Currently, PIPEDA does not create an explicit obligation to notify either the OPC or the individuals involved of breaches of security that affect personal information.

• In August 2007, the OPC published voluntary guidelines entitled “Key Steps for Organizations in Responding to Privacy Breaches” to assist organizations in responding to such situations. The OPC indicates that there are four key steps to consider when responding to a breach or suspected breach:

1. contain the breach by taking immediate steps to stop any further information from being disclosed and undertake a preliminary assessment of the situation;

2. evaluate the risk associated with the breach by considering the sensitivity of the information involved, whether it was encrypted, how it may be used, and the risks to the individual resulting from that use;

3. notify the individuals if the privacy breach creates a risk of harm to the individual; and

4. develop a plan for the prevention of future breaches.

• As these guidelines are voluntary, there is, strictly speaking, no penalty for organizations that do not follow them.
• As providing adequate security for personal information is an obligation under PIPEDA, the OPC is able to investigate security breaches, either in response to a complaint or on its own initiative, and may issue a report setting out the Commissioner’s findings and recommendations and request that the organization provide the OPC with notice of any actions taken to implement the Commissioner’s recommendations.

DATA BREACH NOTIFICATION – BILL C-12

• This situation may change should an amendment to PIPEDA tabled on September 29, 2011 be adopted into law.
• Bill C-12 would impose the following two mandatory data breach reporting and notification duties on organizations subject to PIPEDA:

1. a duty to report all “material” breaches of their security safeguards involving personal information under their control to the OPC; and

2. a duty to notify individuals of any breach of security safeguards involving personal information under their control when it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”.

• “Breach of security safeguards” means the loss of, unauthorized access to, or unauthorized disclosure of, personal information resulting from a breach of an organization’s security safeguards or from a failure to achieve these safeguards.

• “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

• Where a breach in the security safeguards for personal information has been identified, organizations would be required to consider the sensitivity of the information affected, how many individuals were affected by the breach and whether the breach is indicative of an overarching problem with the organization’s security standards.

• Bill C-12 will create a right for individuals to file a complaint with the OPC if these procedures are not followed.

DATA BREACH NOTIFICATION – HEALTH CARE

Some Provinces Do Not Expressly Require Notification
• In Alberta, Manitoba and Saskatchewan, there are no express requirements contained in the relevant legislation to notify the person to whom the information relates (or the relevant Privacy Commissioner) where a privacy breach is detected.

• This situation is somewhat odd, as in Alberta there does exist an express requirement in the non-sector-specific Alberta PIPA for notification to the APC of a breach as discussed above.

• In Alberta, while there exists no regulatory requirement to provide notice to the APC or any other person of a privacy breach, should the APC become aware of a breach he or she may order that notice be provided, either to specifically affected individuals or to the general public.

DATA BREACH NOTIFICATION – HEALTH CARE

Ontario Requires Notification of Affected Individuals Only
• Of the provinces surveyed, Ontario is unique in requiring that personal health information custodians notify individuals only (and not the OIPC) of a privacy breach.
• Subsection 12(2) of PHIPA states as follows:

• (2) Subject to subsection (3) and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.

• The language uses the imperative “shall” and appears to make such notification mandatory, regardless of the severity of the breach or the sensitivity of the patients to being so informed.

• However, the decisions so far taken under PHIPA by the OIPC indicate very clearly that the legislation is not interpreted in that manner in actual fact.

HEALTH REQUIREMENTS

Some Provinces Require Notification of Affected Individuals and the Privacy Commissioner
• Both New Brunswick and Newfoundland and Labrador have comprehensive systems dealing with breach notification, which include informing in appropriate cases both the affected individuals and the Privacy Commissioner.
• In New Brunswick, the duty to notify is conditional on a threat assessment made by the custodian.
• Newfoundland and Labrador has a similar set of legislation, with a unique twist: the custodian may, as in New Brunswick, perform a threat assessment and determine that the individuals need not be informed; however, the custodian must make an entirely different assessment as to whether there has been a “material breach” in order to determine whether or not to inform the Privacy Commissioner.

• If there has been a “material breach”, the Commissioner may override the custodian’s threat assessment and order notification of individuals.

DATA BREACH NOTIFICATION IN THE HEALTH CARE SECTOR

• The legislative situation in Canada with respect to mandatory breach notification for health information is extremely varied.

• Some provinces have no health-sector-specific privacy legislation at all; among those that do, some do not expressly require notification, while others variously require notification of affected individuals and/or the provincial Privacy Commissioner.

• Insist on mandatory data breach notification in your Cloud agreements!

CANADA’S ANTI SPAM LEGISLATION

• Canada’s Anti-Spam Legislation (CASL) is expected to come into force in 2013.
• Though it is directed at “damaging and deceptive” forms of “spam”, CASL applies broadly to all “commercial electronic messages” sent to an “electronic address”.
• “Commercial electronic messages” will include messages sent by any means of telecommunication, including text, sound, voice, or image messages.
• This will capture not only email, but other forms of electronic communication, such as text messaging, and potentially social media, including Facebook and Twitter.

CANADA’S ANTI SPAM LEGISLATION

• CASL takes a prohibitive approach to Commercial Electronic Messages, prohibiting all but those messages that comply with its requirements.

• Under CASL:
  • Electronic messages require consent from the recipient, either express or implied;
  • The message must contain prescribed disclosure; and
  • The message must contain an unsubscribe mechanism in prescribed form.

CASL – DISCLOSURE REQUIREMENTS

• The precise requirements for commercial electronic messages (“CEMs”) will be provided by regulations. Under the regulations CEMs must specify:

1. The name of the person sending the message and the person, if different, on whose behalf it is sent and the names by which those persons carry on business;

2. If applicable, an indication of which person sent the message and on whose behalf it was sent;

3. The mailing address and one or more of the following: telephone number, email address and website of the person who sent the message and, if applicable, on whose behalf it was sent; and

4. An unsubscribe mechanism using the same electronic means as the CEM, and specifying an electronic address to which the request may be sent.

CASL – IMPLICATIONS FOR CLOUD COMPUTING

• The detailed requirements of CASL apply to all CEMs that are sent from or accessed from a computer in Canada.
• Cloud Providers located in Canada would be obligated to comply with CASL when sending CEMs to non-Canadians on behalf of a non-Canadian client.
• This result may incentivize the use of non-Canadian Cloud Providers.
• Further, Canadian companies outsourcing their CEM communications with Canadians to a foreign Cloud Provider would need to ensure that the service provider is able to comply with the CASL requirements.

CASL – IMPLICATIONS FOR CLOUD COMPUTING

• The disclosure requirements in the regulations also create barriers to the use of a Cloud computing model when the need for an unsubscribe mechanism is considered.
• CASL requires the message to permit the recipient of the message to indicate that they no longer wish to receive CEMs from the sender of the message OR the person who caused it to be sent.

• As a single Cloud Provider may be sending CEMs on behalf of multiple organizations, this requirement may necessitate detailed unsubscribe language so that message recipients understand the effect of the unsubscribe mechanism.

• Industry Canada has revised the draft regulations following substantial comments by a large number of industry participants.

• The potential impacts identified in this presentation have not been addressed by revisions to the draft regulations, but they may yet be addressed by the creation of exceptions applicable to certain classes of CEM.

• In the absence of such revisions or clarifications, CASL may pose a substantial regulatory barrier to the use of a Cloud service model for sending CEMs to Canadians or from Canada.

SECURITY (AN OVERVIEW)

• Security is often cited as a major issue in Cloud Computing, partly because of general concerns arising from loss of control, partly because data protection laws require data holders/custodians to take appropriate security measures to protect personal data.

• Are the issues the same as for regular IT services or different for the Cloud?
• Do the risks outweigh the benefits?
• You need to ask many questions of your Cloud Provider to determine whether their policies and procedures are sufficient to meet your needs (including business and legal requirements).
• However, many Cloud Providers are not forthcoming about their security arrangements.
• Many Cloud Providers consider it detrimental to their own security policies to provide full details of their security practices to all prospective customers or to allow data centre visits.
• Too much transparency about security can itself compromise security.
• Cloud Providers may allow users to see a summary or high-level overview of security policies, measures and standards.
• St Marys’ 2012 survey: some customers (governments, financial institutions) were allowed to have security-vetted personnel make escorted data centre visits, view specific documentation such as the Cloud Provider’s ISO27001 policies and procedures and other detailed information, and discuss issues with the Cloud Provider’s security/security monitoring personnel.
• NO ability to take away copies of security documents; restricted to viewing hard copies in closed rooms.

SECURITY ISSUES TO RAISE

Privileged User Access
• Who will manage your data?
• Who will have access to your data?
• Consider physical, logical and personnel controls to protect proprietary and confidential information.

Regulatory Compliance
• Will you be able to conduct an audit of the Cloud Provider’s security processes and procedures?
• Will you be able to require the Cloud Provider to comply with security certifications?

Data Location
• Where will the data be stored?
• Will the Cloud Provider commit to storing and locating your data in a specific jurisdiction?
• Will the Cloud Provider agree to comply with local privacy laws applicable to your organization?
• Consider physical safety of the infrastructure, political risk and data breaches.

Data Segregation
• What will the Cloud Provider do to ensure that your data is segregated from other users of the Cloud?
• Consider the encryption techniques used and other technological measures used.

SECURITY ISSUES TO RAISE

Recovery
• What is the Cloud Provider’s disaster recovery plan?
• What will happen to your data in the event of a disaster?
• What will happen to the Cloud in the event of a disaster?

Investigative Support
• Will the Cloud Provider commit to enable you to respond to discovery requests and other investigations?

Long-Term Viability
• How will you retrieve data stored in the Cloud?
• What format will it take?

SECURITY RISKS THAT ARE UNIQUE TO THE CLOUD

Resource Pooling/Multi-Tenancies
• This is what the public cloud is all about: pooling together resources for use by multiple customers.
• Physical security issues are the main concern with respect to the segregation of data in the Cloud.
• Ensure that individual customers do not impact operations of other “tenants” of the Cloud and that tenants do not have access to any other tenant’s actual or residual data or network traffic.
• Greater risk, but offers economies of scale to SMEs.

Viruses, Hackers and other Infrastructure Abuses
• The Cloud is an easy target for criminals.
• As quickly as technology improves, criminals improve their tactics.
• Registration systems may be weak and fraud detection mechanisms can be minimal in the Cloud.
• Look for strict registration and validation processes, fraud monitoring, and validation and monitoring of customer network traffic.

SECURITY RISKS THAT ARE UNIQUE TO THE CLOUD

Insecure APIs
• The API is your access to the Cloud.
• Ensure that there are authentication and access controls, encryption and activity monitoring tools.
• If you are going to customize an API, ensure that your IT department interfaces with the Cloud service provider to test for security.

Data Loss or Leakage
• Risk is increased over traditional IT.
• Access controls, encryption, protection of data in transit, disposal challenges, risk of association, data centre reliability, disaster recovery plans and other physical and remote access controls are all important to prevent data loss or leakage.

SECURITY RISKS THAT ARE UNIQUE TO THE CLOUD

Use of Data by Cloud Provider
• Opaque or transparent?
• The Cloud Provider should NOT have or require access to data that is stored in the Cloud.
• There may be minor exceptions for application maintenance, etc.
• Ensure strong confidentiality obligations are placed on the Cloud Provider to protect your data accordingly.

The “Unknown”
• There is always the risk of the unknown when it comes to technology…
• Protect against it by ensuring top notch security measures and protocols are in place at your organization and at your Cloud Provider.

Question: Whose security policy will be followed? Usually that of the Cloud Provider, ideally based on “industry best practice” or specific standards such as ISO27001, but often reserving the right to change their own policy unilaterally.

TECHNICAL STANDARDS (JUST TO NAME A FEW)

• Independent certifications to objective security standards are often used as a compromise solution to address security concerns.

• While industry standards and certifications specific to Cloud security have not been fully developed, organizations such as the Cloud Security Alliance, the Open Data Centre Alliance and CIF are currently working on these.

• IT controls and governance standards currently in use include the following:
  • COBIT
  • COSO
  • ISO/IEC
  • PCI DSS
  • NIST

TECHNICAL STANDARDS

COBIT
• For day-to-day use by business managers, IT professionals and assurance professionals.
• Maximizes benefits derived from IT resources.
• Framework:
  • Business focused
  • Process oriented
  • Controls based
  • Measurement driven

COSO
• Internal control system, to ensure that information used for financial reporting and legal compliance is reliable.
• Components of internal control:
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

TECHNICAL STANDARDS

ISO/IEC
• Guidelines and general principles for initiating, implementing, maintaining and improving information security management.
• Used with COBIT.
• Examples of some areas:
  • Developing a security policy.
  • Developing and controlling information security measures.
  • Asset management, human resource security, communications and access to information.

NIST
• Conceptual model for the requirements, structures and operations of Cloud computing.
• Focus on three areas:
  • Interoperability
  • Portability
  • Security

PRE-CONTRACTUAL PENETRATION TESTING

• Many customers, particularly those from regulated sectors, want to conduct pre-contractual security penetration testing to check the integrity and robustness of providers’ security policy and IT systems and how well users’ data are separated from other users’ data.

• Most Cloud Providers do not agree, because of the potential adverse impact on other users’ services or data.
• St Marys’ 2012: acceptable if the user agreed to unlimited liability for any damage caused and to constrain testing as regards timing, the IP address from which it is conducted, etc.
• Usually confined to a ‘sandbox’, i.e. a specially designated area, to avoid possible damage to systems.
• Possible compromise: Cloud Providers conduct their own tests (or use a third party) and share the results with current or prospective customers.
• Ongoing user penetration tests are considered unusual.
• Much reliance on certifications.

HOW TO PROTECT YOURSELF – BEST PRACTICES

• Many of the privacy and security risks discussed above can be protected against/mitigated through contractual obligations placed on the Cloud Provider.

• The following is a non-exhaustive list of matters that should be addressed accordingly in your Cloud contract.

Security Safeguards
• It is critical that technical, physical and organizational safeguards be established and maintained by the Cloud Provider.
• The Cloud Provider should adhere to these requirements and any applicable (industry specific) policies and procedures that you provide or require in order to protect against and mitigate security risks, as well as to demonstrate compliance with any statutory/regulatory requirements, such as those under PIPEDA and the provincial PIPAs.

• Obligate the Cloud Provider (and its subcontractors, as necessary) to fully cooperate and provide assistance in remedying any security breach experienced by the Cloud Provider (or its subcontractors) that affects your organization or its data.

• Ensure that the Cloud Provider (and the Cloud Agreement) requires security incidents to be promptly reported to the customer.

BEST PRACTICES

Technology and Encryption Standards
• If technology and encryption standards are not addressed as part of the general security safeguards to be employed by the Cloud Provider, require the Cloud Provider to comply with any one or more, as appropriate, of the technical security standards discussed herein, or to adhere to certain technological and encryption standards to ensure the protection and authenticity of the data and assets entrusted to the Cloud.

Location
• Seek additional clarity to gain a better understanding of the potential risks to your organization’s data, what, if any, obligations flow from the location of such data, and how you can mitigate any risks that may arise.

• Obligate the Cloud Provider either to provide certain representations and warranties as to the location of the Cloud infrastructure or to covenant not to remove the Cloud infrastructure from its current jurisdiction.

• If the location of the infrastructure is to be moved by the Cloud Provider, include an obligation for the Cloud Provider to provide prior written notice of such move so that your organization can comply with its legal requirements accordingly.

BEST PRACTICES

Confidentiality Obligations
• Obligation on the Cloud Provider to protect any confidential information of your organization, which should include, among others, personal information, intellectual property and proprietary information.

• Watch for limitations of liability (namely attempts to minimize/disclaim most of it), including any exclusions of indirect damages or other damages in respect of a breach of these obligations.

• Attempted limitations and carve-outs are especially pertinent when dealing with data breaches and/or data loss.

Privacy/Data Protection
• The Cloud Provider should comply with all applicable privacy laws, including, but not limited to, those applicable pursuant to the governing law of the contract, the jurisdiction in which the Cloud infrastructure is located, as well as the local privacy laws applicable to your organization.

• Require the Cloud Provider to enable your organization to conduct sufficient due diligence and audits to ensure that these obligations will be met and to fix any deficiencies noted.

BEST PRACTICES

Subcontractors
• Verify whether the Cloud Provider intends to subcontract any of the Cloud services and, if so, ensure that the Cloud Provider maintains full and complete responsibility for the actions and omissions of such subcontractors in the Cloud contract.

• Ensure that the Cloud Provider conducts sufficient due diligence on the subcontractors that it uses and that only those persons of a certain skill and expertise are granted access to your organization’s data or assets.

• Only those individuals with a “need to know” or “need to access” should be granted such access.

Employee Access/Use
• As with subcontractors, ensure that the Cloud Provider maintains responsibility for the actions of its employees.
• Ensure that the Cloud Provider only allows those persons of a certain skill and expertise access to your organization’s data or assets.
• Only those individuals with a “need to know” or “need to access” should be granted such access.

BEST PRACTICES

Business Continuity and Disaster Recovery Plans
• The Cloud Provider’s business continuity and disaster recovery plans should be reviewed and analyzed by you prior to execution of the Cloud contract.
• Ensure that these plans coincide with your organization’s objectives and requirements, both from an internal policy and procedure perspective as well as from a regulatory perspective.
• These plans should also dovetail with any service level agreement agreed upon by the parties.
• Ensure that any back-up Cloud Provider is subject to the same obligations as your Cloud Provider.

Disposal and Retention of Data/Assets
• You must have (and your Cloud agreement should reflect) an understanding of what data or assets will be destroyed and how, where and when such data will be destroyed after termination/expiration of the Cloud agreement. You also need to know how long your organization’s data and assets will be retained by the Cloud Provider.

• Ensure that the Cloud Provider’s disposal and retention policies and procedures conform to your organization’s policies and procedures, both internally and from a regulatory perspective.

BEST PRACTICES

Data Breaches
• Ensure that the Cloud Provider is obligated to provide you with prompt notice and detailed particulars of any data breach affecting the Cloud infrastructure where your organization’s data or assets are stored, the physical location where the Cloud infrastructure is located, and any data breach of your organization’s assets or data.

• This will be more critical in certain jurisdictions than others (for example, Alberta and federally if Bill C-12 is passed) or in relation to certain kinds of data (for example, personal health information).

• Consideration is also relevant if your organization holds data that may be additionally subject to data breach notification laws, i.e. under U.S. state or federal laws.

• Obligate the Cloud Provider to provide assistance and cooperation with appropriate federal or provincial privacy regulators in respect of any data breach investigation or complaint that arises.

• Consider whether you want your own security personnel to investigate Cloud Provider breaches and to assess whether the Cloud Provider had met required security standards (expect push-back; most will not agree to joint analysis with customers).

BEST PRACTICES

Audits
• You must ensure that your organization has a right to audit the Cloud Provider.
• This right may be limited, for example, to once or twice per calendar year or as otherwise required by your own regulator.
• Ensure that your organization has a mechanism in place to audit the Cloud Provider’s compliance with security safeguards generally, in addition to any fee audits, if applicable.
• Significant area of contention: Cloud Providers will not agree to the unfettered audits often required by financial institutions; they will only agree to ‘commercially reasonable’ audits.
• Negotiate specific audit rights (e.g. rights to access logs? Monitoring tools? Including those of sub-contractors?).
• It may be acceptable for the Cloud Provider to share the results of their own audit reports (limited rights).

Certificate of Compliance
• If an audit is not practical, for example, in a public cloud, a certificate of compliance from an officer of the Cloud Provider may be a reasonable alternative.
• Determine the frequency and create the form of the certificate to be provided by the Cloud Provider as part of the Cloud contract.

CONCLUSION

• Tempting (and frankly easier) for an organization that is considering using a Cloud computing service to “put its head in the sand” and essentially rely on the prospective Cloud Provider to manage all of the inherent privacy/data protection and security issues.

• However, Canadian organizations have clear and definite legal obligations to protect personal information and data.

• Be vigilant and actively manage the myriad privacy and security risks in order to meet your own regulatory and business requirements in these areas.

• Ask key questions of the prospective Cloud Provider, demand detailed responses and where necessary, negotiate and amend the Cloud agreement as necessary/required to address many of the key concerns in the privacy and security realm.

Questions? Comments?

Thank you!

LISA. R. [email protected]

TORKINMANES.COM