LEGAL NUANCES TO THE CLOUD
RITAMBHARA AGRAWAL, CLUBHACK 2012
01 DECEMBER 2012
ISSUES, RISKS & MITIGATION
Legal Issues
• Security & Privacy of Data
• Confidentiality
• Ownership
• Liability
• Attacks
• Compliances
• Contracts
• Termination & Exit
• Jurisdiction
Risks
• Loss of Data
• Choice of Law
• Disclosure of trade secrets
• Recovery
• Data Segregation
• Portability
• Sharing of Data with 3rd Party
Mitigation
• Encryption of Data
• Define each Party’s liability
• Pre-contract due-diligence, contract negotiation, post-contract monitoring, termination
• Right to Audit to check location & compliances
LEGAL CHALLENGES IN CLOUD
LEGAL ISSUES
JURISDICTION
OWNERSHIP
COMPLIANCES
SECURITY
ATTACKS
TERMINATION & EXIT
CONTRACTUAL LIMITATIONS
SECURITY & PRIVACY
Physical location of the data centers
Encryption of data
Multi-tenant architecture
Adversity and intrusion
Data mining by the service provider
Access rights management
Different users’ data are usually stored on a single virtual server
Multiple virtual servers run on a single physical server
SERVICE LEVEL AGREEMENTS
Non-negotiable SLAs (often click-wrap agreements)
If the SLA is non-negotiable, a higher degree of reporting should be integrated in the Agreement
Additional options for termination should be available
Little opportunity to conduct due diligence
Strong limits on liability are included (including direct liability)
Terms often subject to change without prior intimation
Risk is usually shifted to the user through provider-friendly agreements
MULTIPLE PARTIES
Involvement of multiple parties lets onus & liability be shifted from one party to another
Liability of sub-contractors is often limited or disclaimed in its entirety
Lack of contractual privity makes it difficult to hold the provider accountable for any breach
Liability of the provider for the acts of the sub-contractor
The right to conduct due diligence and to understand the model of delivery of services should be given to the customer
DATA PROTECTION, RIGHTS & USAGE
Define data clearly; it’s not standard that all data belongs to the customer
Specify ownership rights
Define the rights granted to the provider and the restrictions on its monitoring and access of data
Third-party access to the data
Non-Disclosure Agreement with the service provider
Ensuring no rights are transferred to the service provider
Ensure whether back-up and transfer of data is permitted
JURISDICTION
Cross-Border Data Flow
Data flows across various borders
Cloud servers are located in different countries, so the location of data is uncertain
Complications of conflicting laws
Disputes can be subject to various countries’ legal systems
Jurisdictional issues & dispute resolution mechanism
COMPLIANCES
Country- and data-specific compliances
The owner is equally liable with the service provider to ensure compliance with the law
HIPAA, SOX, SAS 70 I & II, GLB, PCI DSS, FERPA and State Laws
E.g. HIPAA mandates standard practices to ensure security, confidentiality and data integrity for healthcare-related data
Default on the respective compliances can bring legal implications
TERMINATION & EXIT
Interoperability of data after termination
Data portability from one vendor to another, and bringing it entirely back in-house
In case of exit, can the records be successfully accessed?
Can data be extracted from the cloud?
Obligations of each party in case of exit
ATTACKS
Hacking, viruses, malware disruptions, browser attacks, tampering, network security attacks, SQL injection
Induced threats, like data & network security, data locality, data integrity, data access, data segregation
Authorization & authentication, data confidentiality, web application security, data breaches, availability & back-up
CASE STUDIES - SONY
Sony laid off many of its security personnel
Failure to protect over 100 million user records
Attacks on Sony PlayStation Network, Sony Online Entertainment & Sony Pictures
Dozen data breaches, ongoing customer relations fallout & class-action lawsuits
Customers reusing passwords: risks from attackers accessing their other accounts also
CASE STUDIES
EPSILON
• Spear-phishing attack leading to a breach affecting its clients’ and customers’ data
• Approximately 60 million customer email addresses were breached
• Lesson: the company outsourcing the job is equally responsible for the security of the customer data
YAHOO
• Hackers used an SQL injection attack to access the database that fed the server hosting the site
• Exposed 4,50,000 usernames and passwords
• Yahoo didn’t store the data in cryptographic form and left it in plain text, making it vulnerable to attack
LINKEDIN
• Hackers breached the site, stealing more than 6 million customers’ passwords, which were very lightly encrypted, & posted them on a Russian hacker forum
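The Yahoo and LinkedIn cases above turn on how the credential store was built. The following Python example is added here and is not part of the presentation: it contrasts plaintext storage, a single unsalted fast hash, and a per-user salted, iterated PBKDF2 record, and includes a defender’s audit check that counts stored values shared by more than one user (only a plaintext or unsalted store exposes such groups). The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for illustration only (not real user data).
USERS = {"alice": "summer2012", "bob": "summer2012", "carol": "Tr0ub4dor&3"}


def store_plaintext(password: str) -> str:
    """Plaintext storage: the password itself is the stored record."""
    return password


def store_unsalted_sha1(password: str) -> str:
    """A 'lightly protected' record: one fast, unsalted hash per password.
    Equal passwords give equal records, so one recovered value exposes every
    account that shares it."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow, iterated KDF. The record carries its
    own parameters so they can be raised later without a schema change."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_record_groups(records: dict) -> int:
    """Audit check: number of stored values shared by more than one user.
    A plaintext or unsalted store reveals password reuse directly; a salted
    store yields 0 even when users chose the same password."""
    counts = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def build_store(storage_fn) -> dict:
    """Apply one storage scheme to every sample user."""
    return {user: storage_fn(pw) for user, pw in USERS.items()}
```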
MITIGATION OF RISK
Security
• Evaluation of the service provider’s security policy
• Encryption to protect confidentiality & integrity of data
• Suspected data breach must be addressed
Contract
• Identifying relative risks between the parties, like ownership of data, data protection guidelines, trade secrets, indemnities, jurisdiction
• Pre-contract due-diligence, negotiable SLA
• Planned & unplanned termination of the Agreement & return of data & assets
• Liability of each party in the event of breach of contract
• Ownership of data
Audit
• Right to audit to check the compliances
• To check the location of the data to ensure compliance with legal & statutory provisions
Thank you
INDIA
A-42/6, Sector-62, Noida-201301; Tel: +91-0120-47040722, +91-0120-4740700; Fax: +91 11 2741 8595
USA
Suite 119, 2 Davis Drive, Research Triangle Park, Durham (NC)-27709; Ph: 1 262 432 1718; Fax: 1 877 895 9706