Socially Aware will be sponsoring a free webinar on cybersecurity-related legal issues on December 2, 2014. As part of the webinar, privacy and data security lawyers from Morrison & Foerster LLP – including a number of Socially Aware contributors – will discuss cybersecurity trends and challenges, addressing current and pending laws and regulations in various jurisdictions, how to work with regulators around the world, and critical action items before, during and after a security incident. For more information on Morrison & Foerster’s privacy and data security practice group, please follow them on Twitter @MoFoPrivacy. For more information regarding the webinar, including how to register for the event, please click here.
For many companies, the main question about cloud computing is no longer whether to move their data to the “cloud,” but how they can accomplish this transition. Cloud (or Internet-based on-demand) computing involves a shift away from reliance on a company’s own local computing resources, in favor of greater reliance on shared servers and data centers. Well-known examples of cloud computing services include Google Apps, Salesforce.com, and Amazon Web Services. In principle, a company also may maintain its own internal “private cloud” without using a third-party provider. Since many companies choose to use third-party cloud providers, however, this article will focus on that cloud computing model.
Cloud computing offerings range from the provision of IT infrastructure alone (servers, storage, and bandwidth) to the provision of complete software-enabled solutions. Cloud computing can offer significant advantages in cost, efficiency, and accessibility of data. The pooling and harnessing of processing power provides companies with flexible and cost-efficient IT systems. At the same time, however, cloud computing arrangements tend to reduce a company’s direct control over the location, transfer, and handling of its data.
The flexibility and easy flow of data that characterize the cloud can raise challenging issues related to protection of data in the cloud. A company’s legal obligations and risks will be shaped by the nature of the data to be moved to the cloud, whether the data involve personal information, trade secret information, customer data, or other competitively sensitive information. This article describes the special legal considerations that apply when moving personal information to the cloud. It also offers a framework to help companies navigate these issues to arrive at a solution that meets their own legal and business needs.
Determine the categories of personal information to be moved to the cloud
As a general principle, personal information includes any information that identifies or can be associated with a specific individual. Some types of personal information involve much greater legal and business risks than other types of personal information. For example, a database containing health information will involve greater risks than a database containing names and business contact information of prospective business leads. Also, financial regulators in many countries require specific security standards for financial information. Accordingly, a cloud computing service that may be sufficient for the business lead data may fail to provide the legally required level of protection for health, financial, or other sensitive types of information.
A company will want to develop a strategy that provides sufficient protection to the most sensitive personal information to be transmitted to the cloud. In some cases, a company may elect to maintain certain types of personal information internally, in order to take advantage of more cost-efficient cloud computing services for its less-sensitive data.
Identify applicable laws affecting your outsourcing of personal information
Cloud computing, by its nature, can implicate a variety of laws, including privacy laws, data security and breach notification laws, and laws limiting cross-border transfers of personal information.
(a) Privacy Laws
Companies operating in the United States will need to consider whether they are subject to sector-specific privacy laws or regulations, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). Such laws impose detailed privacy and data security obligations, and may require more specialized cloud-based offerings.
Europe-based companies, as well as companies working with providers in or with infrastructure in Europe, will need to account for the broad-reaching requirements under local omnibus data protection laws that protect all personal information, even basic details like business contact information. These requirements can include notifying employees, customers, or other individuals about the outsourcing and processing of their data; obligations to consult with works councils before outsourcing employee data; and registering with local data protection authorities. Similar requirements arise under data protection laws of many other countries, including countries throughout Europe, Asia, the Middle East, and the Americas.
(b) Data Security Requirements
Even if a company is not subject to these types of privacy laws, it will want to ensure safeguards for personal information covered by data security and breach notification laws. In the United States, these laws tend to focus on personal information such as social security numbers, driver’s license numbers, and credit or debit card or financial account numbers. One of the key safeguards is encryption because many (although not all) of the U.S. state breach notification laws provide an exception for encrypted data.
In contrast, many other countries require protection of all personal information, and do not necessarily provide an exception for encrypted data. Consequently, companies operating outside of the United States may have broader-reaching obligations to protect all personal information. While data protection obligations vary significantly from law to law, both U.S. and international privacy laws commonly require the following types of safeguards:
i. Conducting appropriate due diligence on providers;
ii. Restricting access, use, and disclosure of personal information;
iii. Establishing technical, organizational, and administrative safeguards;
iv. Executing legally sufficient contracts with providers; and
v. Notifying affected individuals (and potentially regulators) of a security breach compromising personal information.
The topic of data security in the cloud has received significant industry attention. Industry groups, such as the Cloud Security Alliance, have suggested voluntary guidelines for improving data security in the cloud. For example, please refer to the CSA’s Security Guidelines for Critical Areas of Focus for Cloud Computing, available at https://cloudsecurityalliance.org/download/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v3/. In Europe, the Cloud Select Industry Group (CSIG), an industry group sponsored by the European Commission, recently issued the Cloud Service Level Agreement Standardization Guidelines, available at http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines. The Guidelines recommend contractual stipulations covering (1) business continuity, disaster recovery, and data loss prevention controls; (2) authentication/authorization controls, including access provision/revocation, and access storage protection; (3) encryption controls; (4) security incident management and reporting controls and metrics; (5) logging and monitoring parameters and log retention periods; (6) auditing and security certification; (7) vulnerability management metrics; and (8) security governance metrics. Providers also may choose to be certified under standards such as ISO 27001, although such certifications may not address all applicable legal requirements.
(c) Restrictions on Cross-Border Data Transfers
A number of countries—e.g., all the European Economic Area (EEA) Member States and certain neighboring countries (including Albania, the Channel Islands, Croatia, the Faroe Islands, the Isle of Man, Macedonia, Russia, and Switzerland), as well as countries in North Africa (e.g., Morocco), the Middle East (e.g., Israel), Latin America (e.g., Argentina and Uruguay), and Asia (e.g., South Korea)—restrict the transfer or sharing of personal information beyond their borders. These restrictions can present significant challenges for multinational companies seeking to move their data to the cloud. Recognizing these challenges, some providers are starting to offer geographic-specific clouds, in which the data are maintained within a given country or jurisdiction. Some U.S. providers have also certified to the U.S.-European Union Safe Harbor program, in order to accommodate EU-based customers. However, as the Safe Harbor only permits transfers from the EU to the United States, it is not a global solution. Accordingly, a company should assess carefully whether the options offered by a provider are sufficient to meet the company’s own legal obligations in the countries where it operates.
To complicate matters, international data protection authorities, particularly in the EEA, have expressed concerns about use of the cloud model for personal information. The Working Party 29 (WP29), the assembly of EEA data protection authorities, and many other local EEA authorities have issued guidance about cloud computing, covering purpose and transfer restrictions, notification requirements, mandatory security requirements, and the content of the contract to be concluded with cloud providers. This guidance includes the WP29 Opinion 05/2012 on Cloud Computing, which is discussed further below. The draft Data Protection regulation currently discussed among the EEA Member States reflects such guidance and should be accounted for prior to engaging cloud providers.
Review contractual obligations affecting your outsourcing of personal information
If your company is seeking to outsource to a cloud provider applications that involve third-party data, such as personal information maintained on behalf of customers or business partners, it is important to consider any limitations imposed by contracts with those third parties. Such agreements might require third-party consent to the outsourcing or subcontracting of data processing activities, or may require your company to impose specific contractual obligations on the new provider or subcontractor.
Select an appropriate cloud computing solution
Cloud services tend to be offered on a take-it-or-leave-it basis, with little opportunity to negotiate additional contractual protections or customized terms of service. As a result, companies may find themselves unable to negotiate the types of privacy and data security protections that they typically include in contracts with other service providers. Companies will need to evaluate whether the contract fulfills their applicable legal and contractual obligations, as discussed above. Beyond that, companies will want to evaluate the practical level of risk to their data, and what steps they might take to reduce those risks.
(a) Public vs. Private Cloud
Broadly speaking, a private cloud maintains the data on equipment that is owned, leased, or otherwise controlled by the provider. Private cloud models can be compared with many other well-established forms of IT outsourcing and do not tend to raise the same level of concerns as a public cloud model.
A public cloud model disperses data more broadly across computers and networks of unrelated third parties, which might include business competitors or individual consumers. While offering maximum flexibility and expansion capabilities, the public cloud model raises heightened concerns about the inability to know who holds your company’s data, the lack of oversight over those parties, and the absence of standardized data security practices on the hosting equipment. Given these challenges, companies outsourcing personal information will want to understand whether the proposed service involves a private or public cloud, as well as evaluate what contractual commitments the provider is willing to make about data security.
(b) Securing Data Before Transmission to the Cloud
Companies also may be able to take measures themselves to protect personal information before it is transmitted to the cloud. Some provider agreements instruct or require customers to encrypt their data before uploading the data to the cloud, for example. If it is feasible to encrypt the data prior to transmission to the provider, this may provide substantial additional protections, as long as the encryption keys are not available to the provider.
It is also important to account for applicable security requirements. To this effect, several countries in Europe have very specific statutory requirements for security measures, and some regulators have issued detailed security standards for cloud computing providers. Pursuant to the WP29 Opinion 05/2012, all contracts should include security measures in accordance with EU data protection laws, including requirements for cloud providers on technical and organizational security measures, access controls, disclosure of data to third parties, cooperation with the cloud client, details on cross-border transfer of data, logging, and auditing processing. The recent guidelines from the CSIG recommend the inclusion of the following provisions in processing agreements: (1) standards or certification mechanisms the cloud service provider complies with; (2) precise description of purposes of processing; (3) clear provisions regarding retention and erasure of data; (4) reference to instances of disclosure of personal data to law enforcement and notification to the customer of such disclosures; (5) a full list of subcontractors involved in the processing and inclusion of a right of the customer to object to changes to the list, with special attention to requirements for processing of special or sensitive data; (6) description of data breach policies implemented by the cloud service provider including relevant documentation suitable to demonstrate compliance with legal requirements; (7) clear description of geographical location where personal data is stored or processed, for purposes of implementing appropriate cross-border transfer mechanisms; and (8) time period necessary for a cloud service provider to respond to access, rectification, erasure, blocking, or objection requests by data subjects.
(c) Contract Issues
In the majority of cloud computing services, the client is the data controller and the cloud provider is the data processor. However, in certain scenarios (in particular Platform as a Service (PaaS) and Software as a Service (SaaS) in public computing models), the client and the cloud provider may be joint controllers. Under EU guidance, the responsibilities of joint controllers must be very clearly set out in the contract to avoid any “dilution” of legal responsibility.
The contract with the cloud services provider needs to set out clearly the roles and responsibilities of the parties. Unlike many outsourcing arrangements, cloud service contracts usually do not distinguish between personal information and other types of data. These contracts may still include at least basic data protection concepts, even if they are not expressly identified as such. At a minimum, companies will want to look for provisions preventing the provider from using the information for its own purposes, restricting the provider from sharing the information except in narrowly specified cases, and confirming appropriate data security and breach notification measures. Various European data protection authorities have underscored that access to cloud data by public authorities must comply with national data protection law and that the contract should require notification of any such requests unless prohibited under criminal law and should prohibit any non-mandatory sharing. Given the difficulty of negotiating special arrangements with cloud providers, it is important to select a cloud offering that is appropriately tailored to the nature of the data and the related legal obligations. It is likely that as cloud computing matures, more offerings tailored to specific business requirements, including compliance with privacy and similar laws, will be made available to companies.
While cloud computing can substantially improve the efficiency of IT solutions, particularly for small and medium-sized businesses, the specific offerings need to be examined closely. There is no “one-size-fits-all” solution to cloud computing, especially for companies operating in highly regulated sectors or internationally. By understanding their legal compliance obligations, companies can make informed decisions in selecting cloud computing services or suites of services that best meet their needs.
From our sister blog, MoFo Tech:
Within a decade, analysts say, the “Internet of Things” will have transformed our lives. Billions of Internet-connected devices will monitor our homes, businesses, cars, and even our bodies, using the data to manage everything from appliances to heart monitors. Companies like Google— which recently paid $3.2 billion for smart-thermostat company Nest Labs—are already racing to build the IoT. But businesses face fundamental questions regarding the ownership of data, protecting customer privacy, liability when devices fail, and more.
The IoT will connect product developers and manufacturers in countless new ways, creating uncertainty about ownership of and rights to customer data. If a company contracts with a big data vendor to store and process consumer information, for instance, each party will need to know that its partner has the legal rights to collect or share data, says Alistair Maughan, a partner in Morrison & Foerster’s London office who is co-chair of the Technology Transactions Group. Then there is the question of who owns the data. “There is a whole supply chain the law is only beginning to grapple with,” Maughan says. “Manufacturers will need to understand the risks when there aren’t clear government standards.”
An area of major interest is how companies will protect customer privacy when so much data is in play. Companies need to make sure that what they say about their use of data collected from connected devices is accurate, complete, and up to date. “There is no one-size-fits-all approach to data security,” says Morrison & Foerster partner D. Reed Freeman Jr., who specializes in privacy matters. “The burden for a company is to consider what kind of data you have and how to protect against reasonably foreseeable, unauthorized access to personal information.”
Liability, of course, is a paramount concern when connected businesses adjust their use of data for new business or consumer products, says Stephanie Sharron, a Morrison & Foerster partner and a member of the firm’s Technology Transactions Group. Using vast sets of data to find patterns and targets will leave open all sorts of possibilities for technical and human mistakes. “There are questions about who should bear responsibility for inaccurate inferences or patterns that give rise to harm,” Sharron says. “Or who is responsible if a pattern comes from inaccurate data from a malfunctioning sensor.”
Then there is the question of who will manage and monitor the electrical systems needed to operate such vast networks—traditional public utility companies, new electricity market participants, or a combination. “Customers will want more choices to accommodate the new technologies and services they get to use” in the IoT, says Robert S. Fleishman, senior of counsel for Morrison & Foerster and an expert on energy regulation law. “Generally it will be up to state public utility commissions to decide who gets to provide the traffic control function and related activities for these things to operate within the system for distributing energy.” Some state utility commissions have already started to look at reforming their regulations and policies.
Not to be outdone by Florida, California has yet again amended its data security breach law and again in groundbreaking (yet confusing) fashion. On September 30, 2014, California Governor Brown signed into law a bill (“AB 1710”) that appears to impose the country’s first requirement to provide free identity theft protection services to consumers in connection with certain data security breaches. The law also amends the state’s personal information safeguards law and Social Security number (“SSN”) law. The amendments will become effective on January 1, 2015.
Free Identity Theft Protection Services Required for Certain Breaches
Most significantly, AB 1710 appears to amend the California breach law to require that a company offer a California resident “appropriate identity theft prevention and mitigation” services, at no cost, if a breach involves that individual’s name and SSN, driver’s license number or California identification card number. Specifically, AB 1710 provides, in pertinent part, that if a company providing notice of such a breach was “the source of the breach”:
an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached.
The drafting of this requirement is far from clear and open to multiple readings. In particular, the use of the phrase “if any” can be read in multiple ways. For example, the phrase “if any” can be read to modify the phrase “appropriate identity theft prevention and mitigation services.” Under this reading, the law would impose an obligation to provide free identity theft protection services if any such services are appropriate. The phrase “if any,” however, could be read to modify the “offer” itself. Under this alternate reading, the law would provide that if a company intends to offer identity theft protection services, those services must be at no cost to the consumer. It is difficult to know how the California Attorney General (“AG”) or California courts will interpret this ambiguity. One thing is clear: until the AG or courts opine, the standard will remain unclear.
The drafting of the requirement also is not clear in other ways. For example, the statute does not specify what type of services would qualify as “appropriate identity theft prevention and mitigation services.” Would a credit monitoring product alone be sufficient to meet the requirement? Or would the law require something in addition to credit monitoring, such as an identity theft insurance element?
Nonetheless, state AGs historically have encouraged companies to provide free credit monitoring to consumers following breaches. In addition, even though not legally required, free credit monitoring has become a common practice, particularly for breaches involving SSNs and also increasingly for high-profile breaches. Still, California appears to be the first state to legally require that companies offer some type of a free identity theft protection service for certain breaches.
AB 1710 is particularly notable in its approach. First, the offer of free identity theft protection services will only be required for breaches involving SSNs, driver’s licenses or California identification card numbers. In this regard, an offer of free identity theft protection services will not be required for breaches involving other types of covered personal information, such as payment card information or usernames and passwords. This approach endorses a position that many companies have long held—that credit monitoring is appropriate only when the breach creates an actual risk of new account identity theft (as opposed to fraud on existing accounts). In addition, the offer of free identity theft protection services will only be required for a period of one year (as opposed to, for example, two years). The length of the offer of free credit monitoring has always been an issue of debate, and California has now endorsed a position that a one-year offer is sufficient.
- Big Brother isn’t just watching. A single mother in upstate New York was surprised to find that she had a Facebook page in her name, complete with photos of her, her son, and her niece. She hadn’t actually set up the page. It turned out that she was being investigated as a bit player in a federal drug investigation and that the Drug Enforcement Administration had created the page in her name, without her permission. The page, which has since been taken down, used the woman’s real name as well as photos from her cell phone, which had been seized by the DEA. The DEA even went so far as to send and accept friend requests for the woman. The woman was sentenced to probation and has sued the DEA agent who put up the page. Facebook says impersonating someone to set up a page is a clear violation of its terms of service.
- Transparency vs. security. Twitter and other technology and communications companies frequently receive requests from the U.S. government for user data that the government asserts it needs for national security purposes. In the interest of transparency, these companies wish to disclose how many such requests they have received, if any, in a given span of time. The government wants to restrict the dissemination of this information and, earlier this year, it reached a settlement on the issue with Google, Microsoft, LinkedIn, Facebook, and Yahoo. Twitter did not reach any such settlement and it has now sued the government in U.S. District Court in California, claiming that the government restrictions violate the First Amendment. The government argues that the more is known about its sources and methods in collecting national security data, the less secure the nation will be. This should be an interesting First Amendment case.
- In the city there’s a thousand things. There’s been a lot of talk about “the Internet of things.” Google now wants to bring the Internet of things directly to city dwellers. What about Zipcars that broadcast when they’re available, or bus stops that communicate with your mobile device about the next bus arrival? As part of its “Physical Web” initiative, Google is seeking to bring these and similar features to the urban environment. The idea is to interconnect seemingly unconnected physical objects that city dwellers encounter on a daily basis. As a Google designer says, “Just tap and use.”
- Better shop around. In connection with a new staff report, the Federal Trade Commission (FTC) examined 121 popular apps used to comparison shop, find online deals and pay with mobile devices; the FTC concluded that many of these apps failed, prior to download, to disclose important information to users, such as how the apps deal with payment-related disputes and how consumer data is collected, used and shared. The FTC urged developers of mobile shopping apps to be more transparent in how they deal with privacy, security and consumer protection issues. If your company is involved with apps designed to facilitate online shopping, you’ll definitely want to check out the report.
- Social notworking. Does social media undermine office productivity? Surprisingly, a study suggests that social media is responsible for a mere 5% of wasted time at work, well behind “water cooler talk” (14% of office time wasted), IT problems (12%) and – my favorite – pointless meetings (11%).
- Chat or Tweet? For years, the direct message (DM) function within Twitter has been dormant – hardly used at all, much less for commercial purposes. Now, Twitter is trying to upgrade DM and position itself as a real-time chat option that will appeal to advertisers who want to communicate directly with consumers.
In November 2012, we wrote an Alert about the European Commission’s Communication on Cloud Computing intended, it said, to “… unleash the potential of cloud computing in Europe”. Sceptics were doubtful that the cloud industry needed much help from European regulators to thrive.
Twenty months later, the Commission has begun to deliver on its key actions in the Communication with the publication of its Cloud Service Level Agreement Standardisation Guidelines.
How helpful are these Standardisation Guidelines to the cloud sector at this point in its development?
The recently-issued Cloud Service Level Agreement Standardisation Guidelines have their origin back in November 2012. At that time, the European Commission issued a Communication setting out a road map for the future growth of cloud computing in Europe.
In the 2012 Communication, the Commission set out a number of key actions, including to cut through the jungle of standards and to promote safe and fair cloud contracts. The Commission believes that the development of model terms for cloud computing – and, specifically, service level agreements in the cloud sector – is one of the most important issues affecting the future growth of the cloud industry in Europe, and that standardising the approach to cloud services will enable buyers of cloud computing services to make fair comparisons between different providers’ offerings.
The latest issue of our Socially Aware newsletter is now available here.
All this–plus a collection of thought-provoking statistics about online privacy…
Snapchat’s recent settlement with the Federal Trade Commission (FTC) generally provides a comprehensive but not groundbreaking roadmap to the FTC’s privacy and data security expectations in the mobile environment under Section 5 of the FTC Act, with two very notable exceptions:
- It now appears that companies are required to follow researchers’ blogs and other writings to see if there are any privacy or data security vulnerabilities, and to act on any such information promptly; and
- It also appears that the FTC expects companies to be aware of all third parties who have technology that can interact with an app, and to make sure that when consumers engage in any such interaction, all of the company’s privacy and data security representations remain true. If the FTC continues down this path, it will create unsustainable new burdens on app developers, many of which have very few resources to begin with. Furthermore, if this is the new standard, there is no reason it should be limited to the app environment—analytically, this would lead to a rule of general application.
THE BASIC ALLEGED MISREPRESENTATION
Cisco estimates that 25 billion devices will be connected in the Internet of Things (IoT) by 2015, and 50 billion by 2020. Analyst firm IDC makes an even bolder prediction: 212 billion connected devices by 2020. This massive increase in connectedness will drive a wave of innovation and could generate up to $19 trillion in savings over the next decade, according to Cisco’s estimates.
In the first part of this two-part post, we examined the development of, and practical challenges facing businesses implementing, IoT solutions. In this second part, we will look at the likely legal and regulatory issues associated with the IoT, especially from an EU and U.S. perspective.
In the new world of the IoT, the problem is, in many cases, the old problem squared. Contractually, the explosion of devices and platforms will create the need for a web of inter-dependent providers and alliances, with consequent issues such as liability, intellectual property ownership and compliance with consumer protection regulations. Continue Reading The Internet of Things Part 2: The Old Problem Squared