LEGAL NUANCES TO THE CLOUD
RITAMBHARA AGRAWAL, CLUBHACK 2012
01 DECEMBER 2012
DESCRIPTION

Legal issues in cloud computing: security and privacy of data, confidentiality and ownership of data, jurisdiction for the resolution of disputes, service level agreements between the parties, compliance regimes such as HIPAA and SOX, threats induced by attacks, the risks in cloud computing and strategies for mitigating them.


ISSUES, RISKS & MITIGATION

Legal Issues
• Security & Privacy of Data
• Confidentiality
• Ownership
• Liability
• Attacks
• Compliances
• Contracts
• Termination & Exit
• Jurisdiction

Risks
• Loss of Data
• Choice of Law
• Disclosure of trade secrets
• Recovery
• Data Segregation
• Portability
• Sharing of Data with 3rd Party

Mitigation
• Encryption of Data
• Define each Party’s liability
• Pre-contract due-diligence, contract negotiation, post-contract monitoring, termination
• Right to Audit to check location & compliances

LEGAL CHALLENGES IN CLOUD

Legal Issues
• Jurisdiction
• Ownership
• Compliances
• Security
• Attacks
• Termination & Exit
• Contractual Limitations

SECURITY & PRIVACY

• Physical location of the data centers
• Encryption of data
• Multi-tenant architecture
• Adversaries and intrusion
• Data mining by the service provider
• Access rights management
• Different users’ data are usually stored on a single virtual server
• Multiple virtual servers run on a single physical server

SERVICE LEVEL AGREEMENTS

• Non-negotiable SLAs (often click-wrap agreements)
• If the SLA is non-negotiable, a higher degree of reporting should be integrated into the Agreement
• Additional options for termination should be available
• Little opportunity to conduct due diligence
• Strong limits on liability are included (including direct liability)
• Terms are often subject to change without prior notice
• Risk is usually shifted to the user through provider-friendly agreements

MULTIPLE PARTIES

• Involvement of multiple parties lets each shift onus & liability onto another
• Liability of sub-contractors is often limited or disclaimed in its entirety
• Lack of contractual privity makes it difficult to hold the provider accountable for any breach
• Liability of the provider for the acts of the sub-contractor
• The customer should be given the right to conduct due diligence and to understand the model of delivery of services

DATA PROTECTION, RIGHTS & USAGE

• Define the data clearly; it is not standard that all data belongs to the customer
• Specify ownership rights
• Define the rights granted to the provider to monitor and access data, and the restrictions on them
• Third-party access to the data
• Non-Disclosure Agreement with the service provider
• Ensure no rights are transferred to the service provider
• Establish whether backup and transfer of data are permitted

JURISDICTION

Cross-Border Data Flow
• Data flows across various borders
• Cloud servers are located in different countries, so the location of data is uncertain
• Complications of conflicting laws
• A dispute can be subject to various countries’ legal systems
• Jurisdictional issues & dispute resolution mechanism

COMPLIANCES

• Country- and data-specific compliance requirements
• The owner is equally liable with the service provider to ensure compliance with the law
• HIPAA, SOX, SAS 70 Type I & II, GLB, PCI DSS, FERPA and State Laws
• E.g. HIPAA mandates standard practices to ensure the security, confidentiality and integrity of healthcare-related data
• Failure to meet the respective compliance requirements can have legal implications

TERMINATION & EXIT

• Interoperability of data after termination
• Data portability from one vendor to another, and bringing it entirely back in-house
• In case of exit, can the records be successfully accessed?
• Can data be extracted from the cloud?
• Obligations of each party in case of exit

ATTACKS

• Hacking, viruses, malware disruptions, browser attacks, tampering, network security attacks, SQL injection
• Threats they induce: data & network security, data locality, data integrity, data access, data segregation
• Authorization & authentication, data confidentiality, web application security, data breaches, availability & back-up

CASE STUDIES - SONY

• Sony laid off many of its security personnel
• Failure to protect over 100 million user records
• Attacks on Sony PlayStation Network, Sony Online Entertainment & Sony Pictures
• A dozen data breaches, ongoing customer relations fallout & class-action lawsuits
• Customers reusing passwords: risk of attackers accessing their other accounts as well

CASE STUDIES

EPSILON
• Spear-phishing attack leading to a breach affecting its clients’ and customers’ data
• Approximately 60 million customer email addresses were breached
• Lesson: the company outsourcing the job is equally responsible for the security of the customer data

YAHOO
• Hackers used a SQL injection attack to access the database that fed the server hosting the site
• Exposed 450,000 usernames and passwords
• Yahoo didn’t store the data in cryptographic form and left it in plain text, making it vulnerable to attack

LINKEDIN
• Hackers breached the site, stealing more than 6 million customers’ passwords, which were very lightly protected, & posted them on a Russian hacker forum

MITIGATION OF RISK

Security
• Evaluation of the service provider’s security policy
• Encryption to protect the confidentiality & integrity of data
• A suspected data breach must be addressed

Contract
• Identifying relative risks between the parties, like ownership of data, data protection guidelines, trade secrets, indemnities, jurisdiction
• Pre-contract due-diligence, negotiable SLA
• Planned & unplanned termination of the Agreement & return of data & assets
• Liability of each party in the event of breach of contract
• Ownership of data

Audit
• Right to audit to check compliance
• To check the location of the data to ensure compliance with legal & statutory provisions

Thank you

INDIA
A-42/6, Sector-62, Noida-201301
Tel: +91-0120-47040722, +91-0120-4740700; Fax: +91 11 2741 8595

USA
Suite 119, 2 Davis Drive, Research Triangle Park, Durham (NC)-27709
Ph: 1 262 432 1718; Fax: 1 877 895 9706

E-mail: [email protected]