Cloud Computing: Issues and Risks (BC Risk & Insurance Management Association presentation)


  1. Cloud Computing: Issues and Risks
  BC Risk & Insurance Management Association, April 18, 2012
  David Spratley & Tamara Hunter

  The Plan
  • introduction to cloud computing
  • general issues and risks
  • e-discovery
  • cloud computing contracts
  • privacy law compliance
  • questions

  2. WHAT IS CLOUD COMPUTING?
  What is cloud computing?
  • technologies that provide computation, software, data access and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services (Wikipedia)
  • delivered over a network (typically, the Internet)

  3. Categories
  Infrastructure as a Service (“IaaS”) and Storage
  • Delivers computer infrastructure, along with storage and networking
  Software as a Service (“SaaS”)
  • Delivers software without the need to install and run applications
  Platform as a Service (“PaaS”)
  • Allows the development and deployment of applications without the need to purchase specific hardware or software

  Benefits
  • cost
  • scalability
  • user mobility
  • customizability
  • reliability?
  • performance?
  • security?

  4. CLOUD COMPUTING: GENERAL ISSUES AND RISKS
  General Issues and Risks
  • location and jurisdiction
  • data ownership
  • business interruption (service provider)
  • loss of access (customer)

  5. General Issues and Risks
  • source code and escrow
  • migration
  • who can access?
  • backup and archiving

  General Issues and Risks
  • security
  • destruction of data
  • IP infringement

  6. CLOUD COMPUTING: LITIGATION (E-DISCOVERY)
  What is discovery?
  • Process through which parties to a civil dispute learn about each other’s cases
  • Examination and document disclosure
  • Always in litigation; often in mediation/arbitration

  7. Key Obligations
  Disclosure
  • must disclose every relevant document in possession, control or power
  • “document” is broadly defined
  Preservation
  • must preserve all relevant documents
  • serious consequences for breach
  E-Discovery
  • Electronic documents increase scope, complexity and cost of discovery process
  • Courts aware of importance of electronic documents

  8. Cloud Computing and Discovery
  • Disclosure and preservation obligations still apply
  • Court does not care if you store data in your building or in the cloud – only cares whether you have possession or control

  Cloud Computing and Discovery
  • Consider risks:
    • lost data
    • non-compliant data preservation practices
    • platform not easily searched
    • sub-outsourcing

  9. Cloud Computing and Discovery
  • cloud computing contract is key
  • maintain legal control over data
  • due diligence on cloud provider
  • ability to retrieve data in any circumstance

  CLOUD COMPUTING: CONTRACT ISSUES

  10. Contract Issues
  • system setup
  • service levels
  • ownership

  Contract Issues
  • representations and warranties
  • indemnities
  • insurance
  • disclaimers and limitations of liability

  11. Contract Issues
  • confidentiality and security
  • term and termination
  • jurisdiction
  • force majeure

  CLOUD COMPUTING: PRIVACY LAW COMPLIANCE

  12. • When you think about Cloud Computing, consider it as “mega-outsourcing”
  • Regular outsourcing is when you store your data on your own servers, but you send certain data to an outside service provider, so they can perform a function with the data and provide a product or a service (e.g. send personalized cheques to your customers or process your payroll and arrange for direct deposits for your employees).

  13. • Cloud computing means you don’t have your own servers anymore – you’ve “out-sourced” that whole infrastructure
  • The key privacy law compliance issue is security of personal information

  14. • Geographic location of personal information is a significant privacy law issue, especially for public bodies in British Columbia (and service providers to public bodies), but the concern with geographical location of data really boils down to a security issue

  Public Bodies in B.C.: Section 30.1 of FOIPPA
  • A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, [unless a specific exception applies]
  • breach of s. 30.1 of FOIPPA is an offence
  • some cloud service providers are aware of this requirement and offer cloud services that meet this requirement

  15. • Organizations that provide services to public bodies must also comply with s. 30.1 in relation to those services (see s. 31.1 and definition of "employee" in FOIPPA)
  • The bottom line for public bodies and service providers to public bodies is that they cannot engage in "full-on", standard public cloud computing arrangements with the typical "take it or leave it" contract (public cloud architecture)
  • A specialized cloud-computing solution is required
  • See: “Cloud Computing Guidelines for Public Bodies” on www.oipc.cbc.ca

  16. • What about professionals (e.g., doctors, lawyers, accountants, etc.) and businesses handling highly sensitive personal information (e.g. banks, credit unions, insurance companies)?
  • Ethical and contractual obligations around confidentiality may also require specialized cloud computing solutions
  • Community Cloud or Private Cloud may work (e.g. Law Society Cloud for lawyers is being considered)

  Private Sector
  • still have obligation under PIPEDA and PIPA (and, possibly, contractual obligations) to make reasonable security arrangements to protect personal information from risks such as unauthorized access, disclosure, destruction, etc.
  • Standard Cloud Computing contracts may not sufficiently protect customer/employee personal information
  • Requirement for transparency/notification (customers/employees have a right to know)

  17. Security issues:
  • what geographic locations could be involved? Rule some out or stipulate acceptable jurisdictions
  • reputation/history of cloud provider
  • what other data will be mingled with your organization's data? Concern re: concentration of high-risk data
  • will your organization be able to access audit logs?
  • how quickly could you be required to produce a copy of your organization’s records? Will your organization be able to meet that timeframe?
  • what obligations does the cloud provider have in the event of an information security breach?
    • immediate notification to your organization?
    • indemnity for any damages and professional fees?

  18. • what happens if the cloud provider goes bankrupt? Backup/escrow might not be sufficient without access to the application software necessary to decode the stored data
  • does the contract provide for a method for your organization to audit the cloud provider’s compliance with its contractual security obligations?
  • insurance – does your organization’s insurance coverage for information security breaches or data loss apply if your data is “in the clouds”?

  19. THANK YOU
  Tamara Hunter, tamara_hunter@davis.ca, 604.643.2952
  David Spratley, dspratley@davis.ca, 604.643.6359
