Download presentation
Presentation is loading. Please wait.
1
© 2009 Hogan & Hartson LLP. All rights reserved. Tuesday, October 6, 2009 11 AM – 12:30 PM EDT Webinar: Understanding the Legal Challenges of Cloud Computing
2
2 © 2009 Hogan & Hartson LLP. All rights reserved. Presenters Christopher Wolf – cwolf@hhlaw.comcwolf@hhlaw.com Philip Porter – pdporter@hhlaw.compdporter@hhlaw.com Zenas Choi – zjchoi@hhlaw.comzjchoi@hhlaw.com Andrea Ward – award@hhlaw.comaward@hhlaw.com Michael Larner – melarner@hhlaw.commelarner@hhlaw.com William Flanagan – wpflanagan@hhlaw.comwpflanagan@hhlaw.com Allison Stanton – acstanton@hhlaw.comacstanton@hhlaw.com
3
3 © 2009 Hogan & Hartson LLP. All rights reserved. Agenda What Exactly is Cloud Computing? Intellectual Property Issues Government Demands for Information Privacy Issues Labor and Employment Issues E-Discovery Data Security Safeguards Data Breach Responsibility Contracting Issues Service Level Issues Q&A
4
4 © 2009 Hogan & Hartson LLP. All rights reserved. What exactly is cloud computing? Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction – NIST Cloud computing is Internet ("cloud") based development and use of computer technology (“computing") – Wikipedia Zenas Choi zjchoi@hhlaw.com
5
5 © 2009 Hogan & Hartson LLP. All rights reserved. What exactly is cloud computing? (continued) Cloud Computing Delivery Models – “Software as a Service” (Saas) - allows customer to use vendor applications running on a “cloud” infrastructure – “Platform-as-a-Service” (PaaS) - allows customer to write applications that run in a “cloud” infrastructure – “Infrastructure-as-a-Service” (IaaS) - allows customer to obtain processing, storage, network capacity, and other computing resources from a “cloud” infrastructure Zenas Choi zjchoi@hhlaw.com
6
6 © 2009 Hogan & Hartson LLP. All rights reserved. What steps should a company take to protect its intellectual property in the cloud? Company’s loss of control in cloud is key to understanding risk to intellectual property Steps to take to protect IP in the cloud – Identify your company’s primary vulnerabilities – Perform due diligence – Compare vendor’s protective efforts to current in-house policies and procedures – Implement contractual safeguards Trade secret protection – Impact of putting trade secrets in the cloud Michael Larner melarner@hhlaw.com
7
7 © 2009 Hogan & Hartson LLP. All rights reserved. Is data in the cloud safe from government view? The Fourth Amendment to the U.S. Constitution affords protection against unreasonable search and seizure for houses and papers Transfer of information to a cloud provider creates opportunities for information to end up in the government’s hands There is legal murkiness over the protections afforded to data in the cloud vis-a-vis the government – See “Lost in the Cloud,” New York Times (7-19-09) (Professor Jonathan Zittrain concludes “data stored online has less privacy protection both in practice and under the law…If you entrust your data to others, they can let you down or outright betray you.”) Christopher Wolf cwolf@hhlaw.com
8
8 © 2009 Hogan & Hartson LLP. All rights reserved. Is data in the cloud safe from government view? (continued) Time for the “third party doctrine” to be refined – In United States v. Miller, 425 U.S. 435 (1976), Supreme Court held that there is no reasonable expectation of privacy in financial records maintained by a bank, because the information was voluntarily conveyed by the defendant to a third party (the bank) – “Right to Financial Privacy Act” now limits ability of Feds to obtain customer information from banks Electronic Communications Privacy Act (ECPA) provides some protections Christopher Wolf cwolf@hhlaw.com
9
9 © 2009 Hogan & Hartson LLP. All rights reserved. How should you address the privacy law issues implicated by cloud computing? Central privacy issues associated with cloud computing – Compliance with local privacy laws – Security of data – Transfer of data Responsibility for data Research service providers Use of contracts – Relevant clauses Processing in accordance with customer’s instructions Adequate technical and organisational security Service level agreements Audits Restitution and destruction of data Cross-border transfers Andrea Ward award@hhlaw.com
10
10 © 2009 Hogan & Hartson LLP. All rights reserved. What labor and employment law issues are implicated by sending data to the cloud? Andrea Ward award@hhlaw.com William Flanagan wpflanagan@hhlaw.com Putting employee data in the cloud – increased efficiencies, but also risks Employee data in the cloud must be protected, maintained, and retained in accordance with applicable federal and state law (e.g., ADA, FMLA, FCRA, FLSA) Before putting data in the cloud, consider – Whether category of data is appropriate for the cloud (e.g., HRIS data, compensation data, medical records, personnel files). – State laws. Caution - state records laws vary, and have not caught up with the technology – “On Site” rules. Some states require that records be kept, and be available for inspection, at the employer’s work site
11
11 © 2009 Hogan & Hartson LLP. All rights reserved. What labor and employment law issues are implicated by sending data to the cloud? (continued) Andrea Ward award@hhlaw.com William Flanagan wpflanagan@hhlaw. com – Litigation issues. – Applicability of foreign data protection and privacy laws (e.g., UK Data Protection Act of 1998)
12
12 © 2009 Hogan & Hartson LLP. All rights reserved. What are the e-Discovery challenges of identifying and collecting data stored in the cloud? Who has custody and control? – Data is no longer in the company’s custody What is the cost to identify and collect relevant data? – May need third party specialists – Reduced cost of cloud storage results in increased data volume Where is the data? – Collection from multiple sources within the cloud – Transfer of data issues (i.e. cross borders) Allison Stanton acstanton@hhlaw.com
13
13 © 2009 Hogan & Hartson LLP. All rights reserved. What are the e-Discovery challenges of identifying and collecting data stored in the cloud? (continued) Allison Stanton acstanton@hhlaw.com When to identify relevant data that may be in the cloud? – Identify, negotiate, and limit early in discovery Why comply with litigation requests for data in the cloud? – No settled law yet but courts unlikely to allow companies to make data inaccessible – Possible burden or cost argument
14
14 © 2009 Hogan & Hartson LLP. All rights reserved. What data security safeguards should a company put in place before outplacing data in the cloud? Zenas Choi zjchoi@hhlaw.com Conduct due diligence of vendor’s service offering; including understanding control over data, vendor’s use of subcontractors, and incident response procedures Analyze vendor’s security policies, and determine extent of vendor’s security commitments … do they meet internal security requirements? Understand jurisdictional and industry specific security requirements, and consider other contractual security requirements Consider third party risk assessment of systems and data to ensure all risks and identified and accounted for (including, e.g., a Privacy Impact Assessment (PIA) and/or other typical Threat Risk Assessments (TRA))
15
15 © 2009 Hogan & Hartson LLP. All rights reserved. What data security safeguards should a company put in place before outplacing data in the cloud? (continued) Zenas Choi zjchoi@hhlaw.com Classify data and systems, and consider whether sensitive data should be segregated or stored in more secure environments Consider whether special steps must taken before transferring data to vendor, e.g., encryption, business associate agreement, other commitments that may be required by law or best practices Consider extent to which data should be backed-up, including business continuity during initial data transfer Determine which party should bear ultimate responsibility and costs of notification resulting from a breach of the Cloud provider's data security obligations
16
16 © 2009 Hogan & Hartson LLP. All rights reserved. Whose responsibility is it if there is a data breach? Forty-five states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information “Owners” of data are responsible for notification in the event of breach (hacking, lost data, unauthorized access) Laws also impose duties on non-data owners or licensors – But those statutory duties are generally limited to notifying the data owner or licensor upon learning of the data breach Christopher Wolf cwolf@hhlaw.com
17
17 © 2009 Hogan & Hartson LLP. All rights reserved. Whose responsibility is it if there is a data breach? (continued) Essential to understand and have worked out in advance the requirement that the processor in the Cloud informs the “owner” of a breach – If there is adequate bargaining power, shifting the responsibility and costs of notification to the Cloud provider is desirable Christopher Wolf cwolf@hhlaw.com
18
18 © 2009 Hogan & Hartson LLP. All rights reserved. What are the contracting issues with cloud computing? Form of Agreement (clickwrap vs. signed agreement) – Clickwraps – consistent with web-based access to technology assets – Vendor’s Perspective – streamline contracting process – Customer’s Perspective – unlikely to address key issues Vendor’s ability to change the terms and conditions Pricing – Rate Increases Termination – Suspension of Services – Transition Services Michael Larner melarner@hhlaw.com
19
19 © 2009 Hogan & Hartson LLP. All rights reserved. How do companies and cloud service providers handle service level issues? Standard availability warranty: 99.5%-99.99% uptime, measured and reported monthly Examine the proposed availability warranty – Review the proposed availability calculation (access or access without serious malfunction?) – Review the definition of “Scheduled Downtime” – Review the proposed remedy for warranty breach Verify that a specific remedy is offered Termination for breach may not be a meaningful remedy Try sample calculations to verify the possibility of a remedy is not too remote and that the calculated remedy is sufficient to create an incentive for correction Philip Porter pdporter@hhlaw.com
20
20 © 2009 Hogan & Hartson LLP. All rights reserved. Questions and Answers Please visit our blog at: www.hhdataprotection.comwww.hhdataprotection.com
21
21 © 2009 Hogan & Hartson LLP. All rights reserved. Abu Dhabi Baltimore Beijing Berlin Boulder Brussels Caracas Colorado Springs Denver Geneva Hong Kong Houston London Los Angeles Miami Moscow Munich New York Northern Virginia Paris Philadelphia San Francisco Shanghai Silicon Valley Tokyo Warsaw Washington, DC www.hhlaw.com For more information on Hogan & Hartson, please visit us at
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.