About Me

My photo
Scott Arnett is an Information Technology & Security Professional Executive with over 30 years' experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting, and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, has successfully built 9 data centers across the country, and is an expert in ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Friday, December 20, 2013

Cloud Computing Legal Issues: Data Location

Welcome back to our series on Cloud Computing Legal Issues. I am fascinated by the speed at which certain businesses want to move key business systems, data, and functions to the cloud without doing a risk assessment and legal review. It concerns me that some business leaders appear to be simply following a hype trend and not doing their homework.

This post is about data location. You have a signed contract with a cloud service provider; do you know where your data will be hosted? In a cloud computing environment, data and applications are hosted "in the cloud.” What that cloud is made of, and where its components are located, matters. However, if you ask a cloud service vendor where your data will be stored or processed, the typical answers will likely range from "well… hum… in the cloud" to "we have servers everywhere, data moves around constantly" or "we cannot tell you for security reasons." Really? You had better demand to know, in the contract. I sat in on a meeting a few weeks ago and heard a salesman from a top "cloud provider" say, "You don't have to worry about that anymore; that is the beauty of the cloud." I choked on my coffee, and more so when the business leaders said, "Oh, OK."

As the custodian of confidential and valuable data, whether personal or company information, you need to know where that data will be located at all times. In the cloud environment, location matters, especially from a legal standpoint. In the legal world, location is most frequently associated with jurisdiction. The concept of “jurisdiction” refers to the power of a judge or government entity to assert authority over the persons or things involved in an action, and to make a decision about a specific issue or set of facts.

Jurisdiction is not necessarily exclusive. Several countries or courts may have concurrent jurisdiction over a matter. Indeed, litigants frequently argue about who has jurisdiction over their dispute. In the cloud environment, where a piece of equipment is located may have significant consequences on the ability of a court or other government authority to assert jurisdiction over that piece of equipment, and, in the case of a server, over the data contained in that server.
  
If the cloud that hosts your data has servers in a foreign country, the laws of that foreign country may govern your data while it is stored on those servers. As a result, a number of important foreign laws may govern your data, in addition to those of the United States. The same applies to your code when it is being developed in a foreign country: proceed with caution and complete awareness.

Cloud computing legal issues: Data protection laws

Assume that Cloud X Service provides hosting, email and collaboration solutions to Arnett, a U.S. company with no operations abroad. Assume also that the Cloud X network includes servers located in a data center in the United Kingdom. Thus Arnett, as Cloud X’s customer, ends up using servers, and storing data, in the U.K.

The Data Protection Act 1998 governs the protection of personal information that is processed in the U.K. Of course, the Data Protection Act applies to companies that do business in the U.K. However, that is not the extent of its reach. Under Section 5(1)(b) of the act, the law also applies to a data controller that is not established in the U.K. or in any other European Economic Area state (the EEA includes the European Union plus Liechtenstein, Norway and Iceland) but that “uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.”

This means that if a foreign company uses equipment located in the U.K. to process personal data, that processing must comply with the U.K. Data Protection Act, even if the company is not established in, and does not do business in, the U.K. The same provision can be found in the data protection laws of the 30 EEA member states and other countries.

When a cloud service provider elects to install servers in the EEA or in other countries with a similar data protection law, all data that is processed, stored or maintained on those servers is subject to the data protection laws of the country where the servers are located. These laws have extensive requirements, restrictions and prohibitions on what may or may not be done with personal data. They may require registration with the country’s data protection supervisory authority; they may prohibit certain transfers of the data; and much more. Failure to comply may have serious consequences. It is your obligation to be aware; you can't outsource your responsibility, and ignorance of the law is no defense.

Cloud computing legal issues: Government surveillance

In addition to foreign data protection laws, consider the possibility that a third party or a foreign government might want access to a cloud service server that holds your data. In principle, access by a third party, even a government, is restricted: even the police or intelligence services may not enter premises or access equipment without appropriate authorization, in the form of a search warrant or court order, before being allowed to search a computer.

However, this is not the case everywhere. For example, if your data is stored on a server located in India, the server will be subject to the laws of India. India’s Information Technology Act, 2000 (as amended by the Information Technology (Amendment) Act, 2008, in force since 2009) governs many aspects of the protection and use of computers, networks and related systems. Section 69 of the IT Act allows the Central Government to issue directions for the interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource, for reasons of security or public order, to prevent the commission of any cognizable offense, or to investigate any offense. Section 69B(1) grants the Central Government the power to authorize any agency of the government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. In neither case is a court order or other permission required, and the statute places little limit on these powers. I may add that this is not limited to communications; data transfers, such as proprietary code, could be intercepted as well.

What information must be retained and preserved may also be dictated by the Indian government. Section 67C of the Information Technology Act requires intermediaries (a term the act defines to include web-hosting service providers) to preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe.

Thus, while the cloud may take advantage of the friendly business environment in a country, it may also subject equipment, and the data stored on that equipment, to the monitoring and surveillance of the government in that country. Political factors may add further risk to your company's sensitive data. What is your risk as an organization?

Contracting tip

When negotiating your contract for cloud services, decide whether knowing where your data is located is important to you. If it is, then try to limit the geographic area where your data will be stored or processed. The City of Los Angeles was able to obtain some restrictions in its contract with Computer Sciences Corp. and Google Inc. for email and other services: some of the data will be stored only in the continental U.S. See Appendix J.1, Section 1.7 of the Professional Services Contract between Google and the City of Los Angeles, which provides:
1.7 Data Transfer. Google agrees to store and process Customer's email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States. Google shall make commercially reasonable efforts to advise Customer when such data storage capability is made available. Notwithstanding the foregoing, Google may store and process Login Data in any country in which Google or its agents maintain facilities.

Cloud service providers want the freedom to move data to different servers for load balancing or to take advantage of the lower cost of utilities or personnel in different geographies. However, by doing so, they may inadvertently expose their customers’ data to the laws of countries other than those where the customer opted to operate. Remember that it is your data and you are responsible for its protection; you can't outsource that responsibility, so take control and set the expectations and contractual requirements.

It may be that, in the future, countries that wish to attract foreign investment and data centers will carve out a niche from their data protection laws. Currently, however, the black letter law in many countries may subject cloud users to the data protection requirements and other laws of the country where the servers are located.

One more note on data location: always include a disaster recovery section in all your contracts. Business continuity and disaster recovery are a very important part of many regulatory requirements, and location will play a part in those plans.

Happy Holidays!

Bob Lankey
bob.lankey@arnettservicesgroup.biz
www.arnettservicesgroup.com

Thursday, December 19, 2013

Cloud Computing: Legal Issues

Many organizations are quickly running to the cloud, but who is taking the time to evaluate and review the legal issues that come with these new technology offerings? I have spoken with several organizational legal teams, only to find out that they are brought in after there is a problem, a breach of contract or a change of heart. Perhaps the legal review needs to be done up front.

Let's take a few minutes to talk about some of the key issues. The characteristics of cloud computing (on-demand self-service, elasticity, metered service, ubiquitous access) make it look like a simple and casual operation, but cloud computing services present many legal issues. Organizations need to tread carefully and perform due diligence; this means bringing the corporate attorney into the loop.

Cloud computing legal issues: data location

Organizations need to know where the data they’re responsible for, both personal customer data and corporate information, will be located at all times. In the cloud environment, location matters, especially from a legal standpoint. I would also demand that all your data be encrypted while at rest in the cloud.

Cloud computing legal issues arise from where a cloud provider keeps data, including the application of foreign data protection laws and government surveillance. In my next post, learn about the cloud computing legal issues stemming from data location, and how to avoid them.

Cloud computing contracts and cloud outages

When a cloud service goes down, users lose access to their data and therefore may be unable to provide services to their own customers. When is a cloud user compensated for the loss of service, and to what extent? Users need to examine how cloud computing contracts account for cloud outages.

In a future post, learn how a cloud outage could negatively affect your business; I will also examine some cloud computing contracts and their provisions for cloud outages. You are still responsible for your Business Continuity Plan and Disaster Recovery Plan; you cannot outsource that.

Cloud computing contracts: Tread carefully

Organizations must be careful with cloud computing contracts, according to a panel of lawyers at the RSA Conference 2011. Cloud computing contracts should include many data protection provisions, but cloud computing service providers may not agree to them.

In a future post, learn some advice on negotiating with cloud computing service providers and on legal considerations for organizations entering cloud service provider contracts, including data security provisions. I have found that many service providers will push back on encryption demands, or even on backup requirements. Make sure the contract and services agreement meet all YOUR business requirements, not theirs.

Ten key provisions in cloud computing contracts

When entering into a relationship with a cloud computing service provider, companies should pay attention to contract terms, security requirements and several other key provisions when negotiating cloud computing contracts.

In a future post, I will discuss cloud computing contracts and the ten key provisions that companies should address when negotiating with cloud computing service providers. Have it in writing, including performance metrics, data ownership and, most important, the right to audit their facility and operations.

Developing cloud computing contracts

Cloud service relationships can be complicated. The use of cloud services could sacrifice an entity’s ability to comply with several laws and regulations and could put sensitive data at risk. Consequently, it’s essential for those using cloud computing services to understand the scope and limitations of the services they receive, and the terms under which these services will be provided.

In this series of posts, I will explain the critical considerations for cloud computing contracts in order to protect your organization, and review the critical steps and best practices for developing, maintaining and terminating cloud computing contracts. I will also give you advice on the terms and length of such contracts, and on what your options are if you need to make a change due to performance.

In summary, not all cloud service providers are equal, and not all have your best interest in mind. After all, they are in this to make money, your money. Move to the cloud with caution, an open mind, and your legal affairs in order.

Happy Holidays

Bob Lankey
bob@arnettservicesgroup.biz
www.arnettservicesgroup.com

Tuesday, December 10, 2013

U.S. Tech Companies Ask Governments to Reform Surveillance Practices

U.S. Tech Companies Ask Governments to Reform Surveillance Practices: by now I think most of us have heard the news. Plus, we have all heard of the many examples of U.S. surveillance practices as they pertain to cell phones, emails, and a long list of other activities.

Eight top tech companies in the U.S. have asked governments around the world to reform surveillance laws and practices, and asked the U.S. to take the lead. Should the U.S. take the lead, or, as the largest surveillance organization, does it already have the lead?

AOL, Apple, Facebook, Google, LinkedIn, Twitter, Yahoo and Microsoft said Monday that they understand that governments need to take action to protect their citizens' safety and security, but "strongly believe that current laws and practices need to be reformed." Internet companies have been at the focus of disclosures, published in newspapers since June, by former U.S. National Security Agency contractor Edward Snowden, which suggested that the agency had real-time access to content on the servers of some Internet companies and was also tapping into the communications links between the data centers of Yahoo and Google.

The companies deny complicity in the NSA's dragnet surveillance, and some have asked the U.S. Foreign Intelligence Surveillance Court for permission to disclose aggregate information on requests for user data made under the Foreign Intelligence Surveillance Act.

The latest move appears to be one of a number by the Internet companies to highlight that they are on the side of the user, and to bring pressure on governments, particularly that of the U.S. In October, Facebook, AOL, Apple, Google, Microsoft and Yahoo wrote to the chairman and members of a U.S. congressional Committee on the Judiciary, demanding that the surveillance practices of the U.S. be reformed to enhance privacy protections and provide "appropriate oversight and accountability mechanisms."

These tech companies are also working on ways to encrypt traffic between data centers, users, and applications. So as the security and technology borders continue to shift, are we taking steps that make it more difficult for government agencies to protect us, and giving safe haven to terrorists? Where do you draw the line of balance between privacy, security, and the national interest?

I agree that the world has changed, and that the threats we face every day have changed at both a national and a personal level. Each of us faces threats each day: credit card fraud, identity theft, email malware, and the list goes on. We do risk management every day and may not realize it. So this is a very real topic for all of us to discuss and get involved with. Is it appropriate for these tech companies to get involved? Should there be an independent advisory board to influence Washington on this topic, perhaps made up of independent IT experts?

I think we need to take our time, look at the right approach and proceed with caution. We are quickly losing our freedoms, and that is a worry.

Keep it positive!

Scott Arnett
scott@arnettservicesgroup.com
www.arnettservicesgroup.com

Monday, December 9, 2013

IOS: Designing the Information Advantage

Arnett Group has a partnership with IOS, and the teamwork between the two organizations has been fantastic. Imaging Office Systems (IOS) is a company that has had a single focus since 1973: document management. To IOS, document management means scanning documents, installing and configuring imaging systems, offering professional services and consulting, and a modern approach to off-site storage. As you can see, it does not mean copiers: IOS is about reducing paper, not multiplying it.

Scanning… IOS is one of the largest scanning companies in the United States, with four separate conversion centers all operating identically under the FDA’s Quality System Regulation (21 CFR Part 820) and converting over 5,000,000 images per month. IOS also offers business process scanning.

Imaging Systems… IOS has installed over 500 multi-user systems throughout the United States. IOS represents several imaging software products, such as OnBase, FileBound and EMC, and performs the system design, implementation, customization, training and on-going support.

Professional Services… this group of programmers, developers and certified project managers has developed a national reputation for handling difficult conversions from older imaging systems, as well as creating unique workflows and integrations to host systems. With Arnett Group providing systems, network and security services, the customer gets a complete professional team.

Record Center Storage… putting a modern twist on box storage, IOS delivers requested files back through secure on-line portals, so the boxes never have to leave the record center. This both greatly reduces the cost of storage and improves the security of client information.

IOS has experience in multiple markets, such as pharmaceuticals, manufacturing, medical, and financial services, to name a few. Some of IOS's clients with imaging systems and scanning solutions are names you may recognize, such as Eli Lilly, GE Engine Service, Northwestern Memorial Hospital, and Baxter Credit Union.

Reach out to Arnett Group and let us work with you on a secure and complete document management solution. We are very proud to be working with IOS!

Keep it positive!

Scott Arnett
scott@arnettservicesgroup.com
www.arnettservicesgroup.com

Tuesday, December 3, 2013

VCE VBLOCK Systems

I had the opportunity to be involved in a side-by-side comparison of the VCE VBLOCK System and a comparable solution from HP. While I like the VBLOCK solution, I have a hard time with the TCO of the solution.

The benefit of the VBLOCK solution is the all-in-one rack design: it is built, tested, and delivered to the customer as a single-rack solution. That has many benefits for many organizations, more so today with the small IT teams in organizations. Plus, the solution is made up of the leaders in the industry: EMC, VMware, Cisco and Intel. I also like the management tools that come with the solution, so overall, I give it a C+.

There are other solutions out there that offer the same, if not a better, all-in-one model, with great management tools and support, and, more importantly, with a better TCO over the life of the solution. I had a CIO ask me the other day about my thoughts on Cisco and where they are going. Are they still a leader in network hardware? While I think they are still a leader, they are no longer the only game in town, and there are some great network switches and equipment available from other manufacturers. For the overall cost, I still like the HP ProCurve for edge switches, small offices and the like. I have a hard time justifying to a customer why they should spend all that money with Cisco to purchase the equipment and then pay SmartNet costs year after year. The same applies to the VBLOCK solution.

Cisco has a great marketing machine, and while they make many claims regarding speed, performance and reliability, there is nothing here the other guys don't have. My recommendation is to do your homework, look at the cost, and look at what it is you are trying to solve and the capability you need to deliver.

Keep it positive!

Scott Arnett
www.arnettservicesgroup.com