Cloud Computing: Privacy, Security and Other Issues and ...


14 Jun 2012 (5 years and 11 months ago)


Cloud Computing: Privacy, Security and Other
Issues and Obligations
Alan Charles Raul
May 28, 2010
Storm Clouds?
 Privacy and data security issues
 E-discovery
 Government requests for data
 What law governs when your data is in the clouds?
 Legal uncertainty - not specifically regulated but a host of laws may
 Microsoft Cloud Computing Initiative
– The “Cloud Computing Advancement Act”
– Suggests modernizing ECPA
– Deter hacking via the CFAA
– Promote transparency around cloud security practices
Federal Communications Commission (FCC)
 “Is the FCC positioning itself to become the Federal Cloud
Commission?” - Adam Thierer, PFF
 FCC solicited comments on cloud regulation for National Broadband
Plan – portability of data, transparency & privacy:
– What impact do developments in cloud computing have with
respect to broadband deployment, adoption and use?
– How can parties leverage cloud computing to obtain economic or
social efficiencies? Is it possible to quantify these efficiencies?
– Are consumers sufficiently protected by industry self-regulation &
to what extent might additional protections be needed?
– Is the use of cloud computing a net positive to the environment?
Are there specific studies that quantify the environmental impact
of cloud computing?
FCC Update on National Broadband Plan
 One of the major goals is: “Improving government efficiency
and productivity”
 Recommendations include:
– Explore use of cloud computing to reduce costs
– Encourage greater use of social media
Federal Trade Commission (FTC)
 FTC is investigating the privacy and security implications of cloud
– 2009 FTC filing with the FCC states:
“The ability of cloud computing services to collect and centrally
store increasing amounts of consumer data, combined with the
ease with which such centrally stored data may be shared with
others, create a risk that larger amounts of data may be used by
entities not originally intended or understood by consumers”
 FTC indicated to the FCC that it was pursuing an investigation on
cloud computing services
 scope and purpose of investigation remains unclear
 “Storage of data on remote computers may raise privacy and
security concerns for consumers.”
– David Vladeck, FTC's Consumer Protection Bureau
FTC Privacy Roundtables
 FTC’s January 2010 privacy roundtable focused on evolving
technologies, including cloud computing
 EPIC submitted comments
• User’s privacy and confidentiality risks vary significantly with
the terms of service and privacy policy established by the
cloud provider
• Security requirements for information may create problems
because user is unable:
– to assess the provider’s security
– to audit security for compliance
– to determine whether level of security meets statutory/regulatory
• Transfer of otherwise private information to cloud providers
may allow government access to information without notice to
Complaint to FTC Re: Google’s Cloud Computing
 FTC is considering EPIC petition regarding Google’s provision
of cloud computing services
– In March 2009, EPIC submitted a complaint detailing privacy and
security risks of Google’s cloud computing-based services
– Complaint cited four breaches involving Google cloud computing
services. EPIC alleged:
• Google disclosed user‐generated documents saved on its Google
Docs Cloud Computing Service to users of the service who lacked
permission to view the files
• Security flaws in Google's Gmail service allowed theft of usernames
and passwords for the 'Google Accounts' centralized log‐in service
– EPIC alleged:
• Google misrepresented the security of users’ information
• Google’s inadequate security is an unfair and deceptive business
Health and Human Services (HHS)
– HIPAA Privacy Rule establishes national standards to protect
individuals’ medical records and other personal health
– HITECH “breach notification” regulations require health care
providers and other HIPAA covered entities to promptly notify
affected individuals (and possibly the HHS Secretary and the
media) of a breach
– HITECH now applies certain HIPAA and HITECH security and
privacy requirements to business associates (BA)
 Covered Entities must enter BA agreement with cloud provider to
store records containing PHI
– HIPAA/HITECH security and breach notifications obligations
apply in cloud
BA Agreements for Cloud Providers
 HIPAA's substantive requirements could conflict with cloud
provider's standard terms of service
 Customized BA agreements may be necessary or appropriate
between Covered Entities and cloud providers
Expanded Definition of Business Associate
 HITECH expanded the categories of entities which will be
deemed “business associates” to include:
– Any organization that provides data transmission of individuals’
PHI to a Covered Entity (or its business associate) and requires
access on a routine basis to such PHI, such as a Health
Information Exchange Organization, Regional Health Information
Organization, E-Prescribing Gateway
– Vendors that contract with a Covered Entity to allow the covered
entity to offer a personal health record (PHR) to patients
HIPAA Privacy Rule
 HIPAA’s Privacy Rule requires that individuals’ health information is
properly protected by covered entities. Among other requirements,
the privacy rule prohibits entities from transmitting PHI over open
networks or downloading it to public or remote computers without
 HIPAA’s Privacy Rule regulations include standards regarding the
encryption of all PHI in transmission (“in-flight”) and in storage (“at-
HIPAA Security Rule
 Security Rule requires covered entities to establish detailed
administrative, physical and technical safeguards to protect
electronic PHI
– Implement access controls
– Encrypt data
– Set up audit controls for electronic PHI
• For example, detailed activity logs to see who had access, what
data was accessed, what IP addresses entered the site
– Data back-up procedures
• Must maintain exact copies of electronic PHI
– Disaster recovery mechanisms
• For example, Amazon’s EC2 offers Availability Zones, which are
distinct locations engineered to be insulated from failure in other
HITECH: Breach Notification
for PHR Vendors
 “PHR” is an electronic record of identifiable health information on an
individual that can be drawn from multiple sources and is managed,
shared, and controlled by or primarily for the individual
– “Vendor of Personal Health Records” is a non-HIPAA-covered entity or BA
that offers or maintains a PHR
 “Vendors of personal health records and PHR related entities shall
notify third party service providers of their status as vendors of
personal health records or PHR related entities…”
– Companies or vendors that make use of cloud computing for data
that includes PHRs are required to notify their cloud computing
service providers that the data includes PHRs
 PHR vendors must notify the FTC and each affected individual of a breach of
their identifiable health information
 FTC presumes that unauthorized "acquisition" occurs when there is unauthorized
access to unsecured PHRs, subject to proof that there was not, or could not
reasonably have been, any unauthorized acquisition
Federal Government Use of Cloud Computing
 Unique data privacy and security issues raised by federal
government’s increasingly widespread use of cloud computing
– Will government's cloud computing service vendors be required
by statute or contract to assume quasi-law enforcement roles?
– Will GSA vendors have immunity for liability arising from privacy
or security breaches?
• Risk allocation will be a key negotiating point in government
contracting, as it is in commercial cloud computing
– Will vendors have to process and store U.S. government data
only in the U.S. to enhance security and avoid potential conflicts
with foreign or international law?
– Or will location requirements for storage/processing differ
according to the agency and the sensitivity of data?
Federal Information Security Management Act
 Federal Information Security Management Act of 2002 (FISMA)
– Requires each federal agency to develop, document, and
implement agency-wide program to provide information security
 Can government agencies use commercial providers of cloud
computing, while still maintaining security and FISMA compliance?
– Cloud providers Microsoft and Google are seeking FISMA
compliance accreditation from the National Institute of Standards
and Technology (NIST)
– Agencies must make ongoing assessments of security controls
and report compliance metrics as required by FISMA, including
• remote access management
• data level controls
• real-time security awareness and management
Office of Management and Budget (OMB)
 OMB and the CIO council are working on policies to make
cloud computing easier for agencies
 Centralizing security certifications so vendors don't have to
repeat lengthy and costly security checks
 Internal clouds: Department of Defense's Rapid Access
Computing Environment (RACE) and NASA's Nebula
– NASA is leader in hybrid cloud, connecting public and private
 Microsoft launched a new cloud computing service targeting
government, with higher security standards including
fingerprinting as part of biometric access control
Banking Agencies
 Compliance professionals and senior management must
know and assess the cloud provider, and oversee the
provider’s controls using techniques that maintain
compliance with
– Gramm-Leach-Bliley Act
– Fair Credit Reporting Act (FCRA)
– State Information Security Laws
Gramm-Leach-Bliley Act
 Prior to allowing service provider access to customer PI, GLB
Safeguards Rule requires financial institutions to:
– take reasonable steps to ensure that the service provider is capable of
maintaining appropriate safeguards (the entity must undertake
appropriate due diligence with respect to the service provider's data
security practices)
– require the service provider by contract to implement and maintain such
 GLB allows states to pass stronger consumer privacy protections
– Will states do so for data in the cloud?
State Information Security Laws
 Massachusetts issued regulations (effective March 1, 2010)
requiring any person who holds personal information about
Massachusetts residents to develop and implement a
comprehensive written information security program to protect
the data
 Entities subject to Massachusetts regulation implementing a
cloud-based solution must
– obtain written certification of compliance with these regulations
from third party vendors with access to personal information
– ensure that cloud provider complies with company's own policies
Electronic Communications Privacy Act (“ECPA”)
 Remote Computing Service (RCS) is “provision to the public of
computer storage or processing services by means of an electronic
communication system”
 Electronic Communication Service (ECS) is “any service which
provides users the ability to send or receive wire or electronic
 Protections against government access to ECS and RCS are
explicitly addressed in ECPA. 18 U.S.C. 2702
– Access to ECS generally requires a warrant (unless it is communication
stored at a provider for >180 days, in which case it is treated as RCS)
– More lenient requirements for government access to RCS. An
administrative subpoena or a court order is sufficient for government
access to the contents of these communications
Reforming ECPA
 Cloud computing won’t fit neatly into RCS/ECS dichotomy and
confounds traditional distinction between "private" information
stored on user's hard drive and records tendered to a third
party, subject to diminished protection
 Data in the cloud likely to be held to be RCS for purposes of ECPA
– Some cloud services may combine remote computing service and
electronic communication service
• Consider cloud operator that, like Apple’s Mobile Me, also lets user
send and receive emails
 Reform ECPA to strengthen protections for data in the cloud?
– Why shouldn’t users have same high level of privacy protection
when document created or stored in the cloud as on personal
computers’ physical hard drive?
– Should there be a statute establishing specific standards for
cloud providers?
Government Ability to Access Cloud Data
 Generally, access to ECS requires a warrant for access to content
(unless it is communication stored at a provider for >180 days)
 RCS data requires an administrative subpoena or a court order for
access to the contents of the communications
 Cloud providers may also be able to voluntarily turn over content:
– Rights or Property of Carrier. As may be necessarily incident to the
rendition of the service or to the protection of the rights/property of the
provider of that service. See 18 U.S.C. § 2702(b)(5)
– Exigent Circumstance. If the provider, in good faith, believes that an
emergency involving danger of death or serious physical injury to any
person requires disclosure without delay of communications relating to
the emergency. See 18 U.S.C. § 2702(b)(8)
– Child Pornography. To the quasi-governmental National Center for
Missing and Exploited Children. See 18 U.S.C. §§ 2258A, 2702(b)(6)
– Inadvertently Obtained Criminal Evidence
 Subpoena suffices for non-content information
Microsoft Cloud Computing Initiative
 Microsoft’s “Cloud Computing Advancement Act” suggests:
– Modernizing ECPA to make clear that Fourth Amendment
protections apply to the cloud
– Deter hacking via the CFAA
• CFAA currently provides a cause of action for anyone who suffers
damage/loss as a result of a CFAA violation. Only a person who
actually suffers damages/loss may sue; often this precludes cloud
providers from instituting actions on behalf of their customers
• amend the civil action provision to make clear that cloud providers
have a private right of action against those who illegally access their
– Help users make informed choices by promoting transparency
around cloud providers’ security practices
– Reconcile conflict of law issues by seeking a multilateral
framework on these issues in the form of a treaty or similar
international instrument
Digital Due Process Coalition
 Coalition went public in April, urging update of ECPA, key law
for government access to email/private files stored in “cloud”
– Coalition members include: ACLU, American Library Association, Americans for
Tax Reform, AOL, Association of Research Libraries, AT&T, Center for
Democracy & Technology, Citizens Against Government Waste, Competitive
Enterprise Institute, Computer and Communications Industry Association, eBay,
Electronic Frontier Foundation, Google, Information Technology & Innovation
Foundation, Integra Telecom, Intel, Loopt, Microsoft, NetCoalition
 Contents of Communications: Coalition urges that a governmental entity
may require an entity covered by ECPA to disclose communications
not readily accessible to the public only with a search warrant issued
based on a showing of probable cause, regardless of age of
communications, means or status of storage or provider’s access to
or use of the communications in its normal business operations
 House Judiciary Committee has announced it will hold hearings this
spring to consider ECPA revisions
Google and the National Security Agency
 Google-NSA Relationship
– In February 2010, EPIC filed a Freedom of Information Act
request with the National Security Agency, seeking records
regarding the relationship between Google and NSA
– EPIC FOIA request also seeks NSA communications with
Google regarding Google's encryption of Gmail and cloud
computing services
– EPIC also filed a lawsuit against NSA and NSC, seeking a key
document governing national cybersecurity policy
The Cloud and Cybersecurity
 Cyberattacks against Google were a "wake-up call" about the
vulnerabilities that could cripple the U.S. economy (Dennis Blair,
U.S. Director of National Intelligence)
 President Obama recently appointed Howard Schmidt as the
administration's cybersecurity coordinator
– Schmidt: “Cloud computing makes a lot of sense, but we need to
make sure that the policies…the legal framework is in place”
– “The spotlight will shift to authentication, encryption, service level
agreements and legal requirements”
– Schmidt has been working on requirements for secure cloud
computing architectures
 In February, House of Representatives passed cybersecurity
legislation (H.R. 4061). H.R. 4061 seeks to
– Enhance coordination and prioritization of the federal research
– Promote development of technical standards
– Improve the transfer of cybersecurity technologies to the
Security Remains The Top Concern Re: Cloud
 Mixing of customers' information in the cloud creates new
– Threats include use of cloud computing for misdeeds, malicious
insiders, insecure application programming interfaces and data
loss or leakage
 Jericho Forum, Cloud Security Alliance, and others have data
security checklists for information technology vendors to use
for self-assessment.
– Checklists may also be used by users or potential purchasers of
IT products to assess their effectiveness in protecting data
Contact Information
Alan Charles Raul
Sidley Austin LLP
1501 K Street, NW
Washington, DC 20005
(202) 736-8477
This presentation has been prepared by Sidley Austin LLP as of September 11, 2007, for informational purposes only and does not constitute legal
advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this
without seeking advice from professional advisers.