1 / 25

Rob Corbet Partner Arthur Cox 23 January 2013

CPD Reference Code: 2013 – 0003. Cloud Computing – Data Protection Implications Chartered Accountants House, 47-49 Pearse St, Dublin 2. Rob Corbet Partner Arthur Cox 23 January 2013. Overview. Cloud Computing What is it? Why is everyone talking about it? What’s new about it?

ivria
Download Presentation

Rob Corbet Partner Arthur Cox 23 January 2013

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CPD Reference Code: 2013 – 0003 Cloud Computing – Data Protection ImplicationsChartered Accountants House, 47-49 Pearse St, Dublin 2 Rob Corbet Partner Arthur Cox 23 January 2013

  2. Overview • Cloud Computing • What is it? • Why is everyone talking about it? • What’s new about it? • Legal Issues • Contract non-negotiation! • Security and Data Protection • Contractual Risk Management • Technical Risk Management

  3. Does everyone understand the Cloud? • Of the 88% of key decision-makers that do not use cloud computing, 39% said it was because they don't know enough about it • Gartner: “A style of Computing where scalable and elastic IT capabilities are provided as a service to multiple customers using Internet technologies.”

  4. What is it? Demystifying the Cloud Source: Mike Kavis blog at http://it.toolbox.com

  5. The Jargon • Infrastructure as a Service (IaaS) • Scalable/elastic computer resources • Via internet • Range from storage to computing/processing power • Generally pay-per-use model • Attractive commercial model and proven success • Backbone of many SaaS offerings • Platform as a Service (PaaS) • Development environment to code/host/deliver applications • e.g. Google’s App Engine, Microsoft Windows Azure and Salesforce’s Force.com • Attractive commercial model and proven success • Software as a Service (SaaS) • Delivery of software functionality via browser • Typically (not always) multi-tenanted offering i.e. customer holds account on single instance of s/w running on virtualised infrastructure • e.g. Google Gmail, Microsoft Office 365 and Salesforce.com • Transfer of data and processing to third party

  6. Different Clouds • Public Cloud • Created by vendor and offered to public • Multi-tenanted • Low cost • Private Cloud • Hosted by enterprise using the service • Not multi-tenancy • Hybrid Cloud • Enterprise set up private cloud services in combination with external public cloud services or community type cloud set up by group of users of certain offering

  7. Why is everyone talking about it? Cons • Security and Privacy • Can I trust the Cloud with my data? • Availability • What if my core Applications are down? • What if the Internet goes down? • Am I trapped with this Provider? • Performance • Will it deliver like the existing model? • What are my remedies if it doesn’t? • Legal Cover • What’s in the contract? Pros • Flexibility • e.g. log-in remotely from any device, multi-view and work on files simultaneously • Quick and Easy • Log in and off you go, no software downloads etc • Cheap • “Utility” computing without need for upgrades, replacement etc and less in-house IT support • Cap-ex -> Op-ex • Green • Burns less energy

  8. What’s New? Cloud v Traditional Models • Traditional delivery models • Software licensing • Remote managed service e.g. payroll • ICT outsourcing i.e. ICT resources given to another to manage • Cloud model • Internet/intranet accessible • Scalable (sometimes massively so) and user-configurable computing resources- PaaS and IaaS • Multi-tenancy – customers share single software instance • Subscription or usage based payment – at least an element of pay-for-what-you-use • Self-service model • Typically not location specific • New concerns for the ICT security professional and compliance community

  9. Challenges for the DP / Compliance / Legal Departments • Traditional Models • Customer-led • Contract-driven • Contracts with big paydays get negotiated and approved before signing • Cloud Model • Supplier-led • Standard T&Cs in return for cheap service (“click to proceed”) • Early adopters are US corporations who either have: • experience of getting things their way – Amazon, Google, Microsoft; or • have set themselves up to get their way - Salesforce • Subscription model –no single payday • Low(ish) regular payment = low risk assumption by Supplier

  10. Risk Management • Security • Service Levels • Liability Management • Exit management • Data Protection • Litigation Support • Disaster recovery • Audit and inspection • None of these are “new” legal or compliance issues • But usually heavily negotiated and formally approved in traditional “outsourcing” models

  11. A Quick Whose Who Financial Services Customer • Data Controller under EU law • Primary responsibility for DP compliance • Duty of care to customers • Client confidentiality paranoia • Risk averse • Regulated • Contracts are to be drafted, negotiated and executed • Expensive = high risk assumption • Who can I sue? Cloud Provider • Data Processor under EU law • Default responsibility only for data security • No duty of care to clients • Won’t join the paranoid! • Risk managers • Unregulated • Contacts are to there to be clicked • Cheap(er) = low risk assumption • You can’t sue me!

  12. What are the data security standards?

  13. Data Protection Implications • Compatibility with EU Data Protection Directive? • Exports of Data outside of the EEA • Adequate Level of Data Protection per Article 25 • Model Clauses? Safe Harbor? “Consent”? • DP Directive: Art 17: • Data controller must take “appropriate technical and organizational measures” • “Having regard to the state of the art and the cost of their implementation, … and the nature of the data to be protected” • “choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures … and must ensure compliance with those measures” • processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that the processor shall act only on instructions from the controller”

  14. Other DP Requirements • DP Directive Art 6: Keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected • DP Directive Art 12: Right of access and rectification for the data subject • Is the data controller able to meet these obligations in its chosen cloud environment?

  15. Proposed EU Data Protection Regulation {SEC(2012) 72 final} • Controller and Processor • Largely repeats the same standards as under the Directive • Introduces some new concepts • Sanctions, mandatory data breach reporting, “Privacy by Design” and “Right to be Forgotten” have captured the headlines • Clarifies applicable law - single set of rules apply across all 27 Member States • Bureaucracy on data transfer survives • Binding corporate rules, “adequacy” decisions by the Commission etc • Difficult to comply in a classic cloud construct • EU Commission hoping to progress the Regulation during Irish presidency of EU in 2013

  16. Data Protection Implications • “EU Clouds” available • Some Suppliers allow Customer decide the data venue • But e.g. AWS • “We participate in the safe harbor programs described in the Privacy Policy. You may specify the AWS regions in which Your Content will be stored and accessible by End Users. We will not move Your Content from your selected AWS regions without notifying you, unless required to comply with the law or requests of governmental entities” • “Notify” is not “Consent” • Governmental request - US Patriot Act? UK RIP Act?

  17. Contractual Risk Management

  18. Liability Issues • Typically blanket exclusions and limitations of liability • Always pro-Supplier • Distinction between “direct” and “indirect” loss? • What if Supplier disappears or goes bust? • 24 of the 31 Cloud T&Cs analysed by Queen Mary University required the customer to indemnify the provider against any claim against the provider arising from the customer’s use of the service • Remedies? • Sue? • Service Credits? • Recover data? • Most regulated organisations do not accept material supply contracts “as is” but SMEs do • Negotiability of terms is a function of deal value

  19. Will customers accept disclaimers post DP Regulation? • Proposed EU DP Regulation • Art 77 • Right to compensation and liability • Extends right to damages caused by processors and applies joint and several liability where controller and processor at fault • Art 78 • Obliges Member States to lay down rules on penalties • Art 79 • Obliges DPCs to impose fines (max 2% of global turnover), with due regard to circumstances of each individual case • Cloud providers not in a hurry to take on this liability risk

  20. Technical Risk Management Measures

  21. Technical Solutions • Encryption/Anonymisation: • EU law: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed • Draft EU DP Regulation • To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual • So, properly anonymised/encrypted data can avoid the application of the DP principles (encrypted data is not personal data) • But Supervisory Authorities are sceptical about anonymisation • Security certification: • ISO 27001, SAS 70, SSAE 16 • Exercise Right to Audit? Contentious point for cloud operators • Private Clouds

  22. Transparency • “… a lack of transparency in terms of the information a controller is able to provide to a data subject on how their personal data is processed is highlighted in the opinion as matter of serious concern. Data subjects must be informed who processes their data for what purposes and to be able to exercise the rights afforded to them in this respect. • A key conclusion of this Opinion is that businesses and administrations wishing to use cloud computing should conduct, as a first step, a comprehensive and thorough risk analysis. All cloud providers offering services in the EEA should provide the cloud client with all the information necessary to rightly assess the pros and cons of adopting such a service. Security, transparency and legal certainty for the clients should be key drivers behind the offer of cloud computing services.” • Art 29 Working Party Opinion 05/2012 on Cloud Computing

  23. Conclusion • As with all Internet innovations, the early adopters are not pre-occupied with legal risk • Commercial proposition looks compelling • But – the “what ifs” need to be considered • Suppliers not providing clear answers on data protection • “Trust us” is not good enough, even if the DP Directive didn’t place a legal obligation on you to guarantee that trust • Other considerations also core • Over-reliance on one supplier • Ceding of control • Disaster Recovery • Exit management • Ongoing Regulatory compliance • Remedies and Legal liability • DPC – You can outsource your data management but you cannot outsource accountability

  24. Questions? • Rob.Corbet@arthurcox.com • T: + 353 1 618 0566 • http://ie.linkedin.com/in/robcorbet

More Related