SLIDE 1
Cloud Computing: Issues and Risks

BC Risk & Insurance Management Association, April 18, 2012
David Spratley & Tamara Hunter

The Plan

  • introduction to cloud computing
  • general issues and risks
  • e-discovery
  • cloud computing contracts
  • privacy law compliance
  • questions
SLIDE 2

WHAT IS CLOUD COMPUTING?

What is cloud computing?

  • technologies that provide computation, software, data access and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services (Wikipedia)
  • delivered over a network (typically, the Internet)
SLIDE 3

Categories

  • Infrastructure as a Service (“IaaS”) and Storage
    • Delivers computer infrastructure, along with storage and networking
  • Software as a Service (“SaaS”)
    • Delivers software without the need to install and run applications
  • Platform as a Service (“PaaS”)
    • Allows the development and deployment of applications without the need to purchase specific hardware or software

Benefits

  • cost
  • scalability
  • user mobility
  • customizability
  • reliability?
  • performance?
  • security?
SLIDE 4

CLOUD COMPUTING: GENERAL ISSUES AND RISKS

General Issues and Risks

  • location and jurisdiction
  • data ownership
  • business interruption (service provider)
  • loss of access (customer)
SLIDE 5

General Issues and Risks

  • source code and escrow
  • migration
  • who can access?
  • backup and archiving

General Issues and Risks

  • security
  • destruction of data
  • IP infringement
SLIDE 6

CLOUD COMPUTING: LITIGATION (E-DISCOVERY)

What is discovery?

  • Process through which parties to a civil dispute learn about each others’ cases

  • Examination and document disclosure
  • Always in litigation; often in mediation/arbitration
SLIDE 7

Key Obligations

  • Disclosure
    • must disclose every relevant document in possession, control or power
    • “document” is broadly defined
  • Preservation
    • must preserve all relevant documents
    • Serious consequences for breach

E-Discovery

  • Electronic documents increase scope, complexity and cost of discovery process

  • Courts aware of importance of electronic documents
SLIDE 8

Cloud Computing and Discovery

  • Disclosure and preservation obligations still apply
  • Court does not care if you store data in your building or in the cloud – only cares whether you have possession or control

Cloud Computing and Discovery

  • Consider risks:
    • lost data
    • non-compliant data preservation practices
    • platform not easily searched
    • sub-outsourcing
SLIDE 9

Cloud Computing and Discovery

  • cloud computing contract is key
  • maintain legal control over data
  • due diligence on cloud provider
  • ability to retrieve data in any circumstance

CLOUD COMPUTING: CONTRACT ISSUES

SLIDE 10

Contract Issues

  • system setup
  • service levels
  • ownership

Contract Issues

  • representations and warranties
  • indemnities
  • insurance
  • disclaimers and limitations of liability
SLIDE 11

Contract Issues

  • confidentiality and security
  • term and termination
  • jurisdiction
  • force majeure

CLOUD COMPUTING: PRIVACY LAW COMPLIANCE

SLIDE 12

  • When you think about Cloud Computing, consider it as “mega-outsourcing”
  • Regular outsourcing is when you store your data on your own servers, but you send certain data to an outside service provider, so they can perform a function with the data and provide a product or a service (e.g. send personalized cheques to your customers or process your payroll and arrange for direct deposits for your employees).

SLIDE 13

  • Cloud computing means you don’t have your own servers anymore – you’ve “out-sourced” that whole infrastructure
  • The key privacy law compliance issue is security of personal information

SLIDE 14

  • Geographic location of personal information is a significant privacy law issue, especially for public bodies in British Columbia (and service providers to public bodies), but the concern with geographical location of data really boils down to a security issue

Public Bodies in B.C.: Section 30.1 of FOIPPA

  • A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, [unless a specific exception applies]
  • breach of s. 30.1 of FOIPPA is an offence
  • some cloud service providers are aware of this requirement and offer cloud services that meet this requirement
SLIDE 15

  • Organizations that provide services to public bodies must also comply with s. 30.1 in relation to those services (see s. 31.1 and definition of "employee" in FOIPPA)
  • The bottom line for public bodies and service providers to public bodies is that they cannot engage in "full-on", standard public cloud computing arrangements with the typical "take it or leave it" contract (public cloud architecture)
  • A specialized cloud-computing solution is required
  • See: “Cloud Computing Guidelines for Public Bodies” on www.oipc.cbc.ca

SLIDE 16

  • What about professionals (e.g., doctors, lawyers, accountants, etc.) and businesses handling highly sensitive personal information (e.g. banks, credit unions, insurance companies)?
  • Ethical and contractual obligations around confidentiality may also require specialized cloud computing solutions
  • Community Cloud or Private Cloud may work (e.g. Law Society Cloud for lawyers is being considered)
  • Private Sector - still have obligation under PIPEDA and PIPA (and, possibly, contractual obligations) to make reasonable security arrangements to protect personal information from risks such as unauthorized access, disclosure, destruction, etc.
  • Standard Cloud Computing contracts may not sufficiently protect customer/employee personal information
  • Requirement for transparency/notification (customers/employees have a right to know)

SLIDE 17

Security issues:

  • what geographic locations could be involved? Rule some out or stipulate acceptable jurisdictions
  • reputation/history of cloud provider
  • what other data will be mingled with your organization's data? Concern re: concentration of high-risk data
  • will your organization be able to access audit logs?
  • how quickly could you be required to produce a copy of your organization’s records? will your organization be able to meet that timeframe?
  • what obligations does the cloud provider have in the event of an information security breach?
    • immediate notification to your organization?
    • indemnity for any damages and professional fees?
SLIDE 18

  • what happens if the cloud provider goes bankrupt? backup/escrow might not be sufficient without access to the application software necessary to decode the stored data
  • does the contract provide for a method for your organization to audit the cloud provider’s compliance with its contractual security obligations?
  • insurance – does your organization’s insurance coverage for information security breaches or data loss apply if your data is “in the clouds”?

SLIDE 19

THANK YOU

David Spratley, dspratley@davis.ca, 604.643.6359
Tamara Hunter, tamara_hunter@davis.ca, 604.643.2952