Cloud Computing: Privacy, Security and Other Issues and Obligations
Alan Charles Raul
May 28, 2010
Storm Clouds?
Privacy and data security issues
E-discovery
Government requests for data
What law governs when your data is in the clouds?
Legal uncertainty - not specifically regulated but a host of laws may apply
Microsoft Cloud Computing Initiative
– The “Cloud Computing Advancement Act”
– Suggests modernizing ECPA
– Deter hacking via the CFAA
Federal Communications Commission (FCC)
“Is the FCC positioning itself to become the Federal Cloud Commission?” - Adam Thierer, PFF
FCC solicited comments on cloud regulation for National Broadband Plan – portability of data, transparency & privacy:
– What impact do developments in cloud computing have with respect to broadband deployment, adoption and use?
– How can parties leverage cloud computing to obtain economic or social efficiencies? Is it possible to quantify these efficiencies?
– Are consumers sufficiently protected by industry self-regulation & to what extent might additional protections be needed?
– Is the use of cloud computing a net positive to the environment? Are there specific studies that quantify the environmental impact of cloud computing?
FCC Update on National Broadband Plan
One of the major goals is: “Improving government efficiency and productivity”
Recommendations include:
– Explore use of cloud computing to reduce costs
– Encourage greater use of social media
Federal Trade Commission (FTC)
FTC is investigating the privacy and security implications of cloud computing
– 2009 FTC filing with the FCC states:
“The ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities not originally intended or understood by consumers”
FTC indicated to the FCC that it was pursuing an investigation on cloud computing services
scope and purpose of investigation remains unclear
“Storage of data on remote computers may raise privacy and security concerns for consumers.”
FTC Privacy Roundtables
FTC’s January 2010 privacy roundtable focused on evolving technologies, including cloud computing
EPIC submitted comments
• User’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider
• Security requirements for information may create problems because user is unable:
– to assess the provider’s security
– to audit security for compliance
– to determine whether level of security meets statutory/regulatory requirements
• Transfer of otherwise private information to cloud providers may allow government access to information without notice to users
Complaint to FTC Re: Google’s Cloud Computing
FTC is considering EPIC petition regarding Google’s provision of cloud computing services
– In March 2009, EPIC submitted a complaint detailing privacy and security risks of Google’s cloud computing-based services
– Complaint cited four breaches involving Google cloud computing services. EPIC alleged:
• Google disclosed user‐generated documents saved on its Google Docs Cloud Computing Service to users of the service who lacked permission to view the files
• Security flaws in Google's Gmail service allowed theft of usernames and passwords for the 'Google Accounts' centralized log‐in service
– EPIC alleged:
• Google misrepresented the security of users’ information
• Google’s inadequate security is an unfair and deceptive business practice
Health and Human Services (HHS)
HIPAA/HITECH
– HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information
– HITECH “breach notification” regulations require health care providers and other HIPAA covered entities to promptly notify affected individuals (and possibly the HHS Secretary and the media) of a breach
– HITECH now applies certain HIPAA and HITECH security and privacy requirements to business associates (BA)
Covered Entities must enter BA agreement with cloud provider to store records containing PHI
– HIPAA/HITECH security and breach notification obligations apply in cloud
BA Agreements for Cloud Providers
HIPAA's substantive requirements could conflict with cloud provider's standard terms of service
Customized BA agreements may be necessary or appropriate between Covered Entities and cloud providers
Expanded Definition of Business Associate
HITECH expanded the categories of entities which will be deemed “business associates” to include:
– Any organization that provides data transmission of individuals’ PHI to a Covered Entity (or its business associate) and requires access on a routine basis to such PHI, such as a Health Information Exchange Organization, Regional Health Information Organization, E-Prescribing Gateway
– Vendors that contract with a Covered Entity to allow the covered entity to offer a personal health record (PHR) to patients
HIPAA Privacy Rule
HIPAA’s Privacy Rule requires that individuals’ health information is properly protected by covered entities. Among other requirements, the privacy rule prohibits entities from transmitting PHI over open networks or downloading it to public or remote computers without encryption
HIPAA’s Privacy Rule regulations include standards regarding the encryption of all PHI in transmission (“in-flight”) and in storage (“at-rest”)
HIPAA Security Rule
Security Rule requires covered entities to establish detailed administrative, physical and technical safeguards to protect electronic PHI
– Implement access controls
– Encrypt data
– Set up audit controls for electronic PHI
• For example, detailed activity logs to see who had access, what data was accessed, what IP addresses entered the site
– Data back-up procedures
• Must maintain exact copies of electronic PHI
– Disaster recovery mechanisms
• For example, Amazon’s EC2 offers Availability Zones, which are distinct locations engineered to be insulated from failure in other zones
HITECH: Breach Notification for PHR Vendors
“PHR” is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual
– “Vendor of personal health records” is a non-HIPAA-covered entity or BA that offers or maintains a PHR
“Vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities…”
– Companies or vendors that make use of cloud computing for data that includes PHRs are required to notify their cloud computing service providers that the data includes PHRs
PHR vendors must notify the FTC and each affected individual of a breach of their identifiable health information
FTC presumes that unauthorized "acquisition" occurs when there is unauthorized access to unsecured PHRs, subject to proof that there was not, or could not reasonably have been, any unauthorized acquisition
Federal Government Use of Cloud Computing
Unique data privacy and security issues raised by federal government’s increasingly widespread use of cloud computing
– Will government's cloud computing service vendors be required by statute or contract to assume quasi-law enforcement roles?
– Will GSA vendors have immunity for liability arising from privacy or security breaches?
• Risk allocation will be a key negotiating point in government contracting, as it is in commercial cloud computing
– Will vendors have to process and store U.S. government data only in the U.S. to enhance security and avoid potential conflicts with foreign or international law?
• Or will location requirements for storage/processing differ according to the agency and the sensitivity of data?
Federal Information Security Management Act
Federal Information Security Management Act of 2002 (FISMA)
– Requires each federal agency to develop, document, and implement agency-wide program to provide information security
Can government agencies use commercial providers of cloud computing, while still maintaining security and FISMA compliance?
– Cloud providers Microsoft and Google are seeking FISMA compliance accreditation from the National Institute of Standards and Technology (NIST)
– Agencies must make ongoing assessments of security controls and report compliance metrics as required by FISMA, including
• remote access management
• data level controls
Office of Management and Budget (OMB)
OMB and the CIO council are working on policies to make cloud computing easier for agencies
Centralizing security certifications so vendors don't have to repeat lengthy and costly security checks
Internal clouds: Department of Defense's Rapid Access Computing Environment (RACE) and NASA's Nebula
– NASA is leader in hybrid cloud, connecting public and private clouds
Microsoft launched a new cloud computing service targeting government, with higher security standards including
Banking Agencies
Compliance professionals and senior management must know and assess the cloud provider, and oversee the provider’s controls using techniques that maintain compliance with
– Gramm-Leach-Bliley Act
– Fair Credit Reporting Act (FCRA)
– State Information Security Laws
Gramm-Leach-Bliley Act
Prior to allowing service provider access to customer PI, GLB Safeguards Rule requires financial institutions to:
– take reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards (the entity must undertake appropriate due diligence with respect to the service provider's data security practices)
– require the service provider by contract to implement and maintain such safeguards
GLB allows states to pass stronger consumer privacy protections
Will states do so for data in the cloud?
State Information Security Laws
Massachusetts issued regulations (effective March 1, 2010) requiring any person who holds personal information about Massachusetts residents to develop and implement a comprehensive written information security program to protect the data
Entities subject to Massachusetts regulation implementing a cloud-based solution must
– obtain written certification of compliance with these regulations from third party vendors with access to personal information
Electronic Communications Privacy Act (“ECPA”)
Remote Computing Service (RCS) is “provision to the public of computer storage or processing services by means of an electronic communication system”
Electronic Communication Service (ECS) is “any service which provides users the ability to send or receive wire or electronic communications”
Protections against government access to ECS and RCS are explicitly addressed in ECPA. 18 U.S.C. 2702
– Access to ECS generally requires a warrant (unless it is communication stored at a provider for >180 days, in which case it is treated as RCS)
– More lenient requirements for government access to RCS. An administrative subpoena or a court order is sufficient for government access to the contents of these communications
Reforming ECPA
Cloud computing won’t fit neatly into RCS/ECS dichotomy and confounds traditional distinction between "private" information stored on user's hard drive and records tendered to a third party, subject to diminished protection
Data in the cloud likely to be held to be RCS for purposes of ECPA
– Some cloud services may combine remote computing service and electronic communication service
• Consider cloud operator that, like Apple’s Mobile Me, also lets user send and receive emails
Reform ECPA to strengthen protections for data in the cloud?
– Why shouldn’t users have same high level of privacy protection when document created or stored in the cloud as on personal computers’ physical hard drive?
Should there be a statute establishing specific standards for cloud providers?
Government Ability to Access Cloud Data
Generally, access to ECS requires a warrant for access to content (unless it is communication stored at a provider for >180 days.)
RCS data requires an administrative subpoena or a court order for access to the contents of the communications
Cloud providers may also be able to voluntarily turn over content:
– Rights or Property of Carrier. As may be necessarily incident to the rendition of the service or to the protection of the rights/property of the provider of that service. See 18 U.S.C. § 2702 (b)(5)
– Exigent Circumstance. If the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency. See 18 U.S.C. § 2702 (b)(8)
– Child Pornography. To the quasi-governmental National Center for Missing and Exploited Children. See 18 U.S.C. §§ 2258A, 2702 (b)(6)
– Inadvertently Obtained Criminal Evidence
Microsoft Cloud Computing Initiative
Microsoft’s “Cloud Computing Advancement Act” suggests:
– Modernizing ECPA to make clear that Fourth Amendment protections apply to the cloud
– Deter hacking via the CFAA
• CFAA currently provides a cause of action for anyone who suffers damage/loss as a result of a CFAA violation. Only a person who actually suffers damages/loss may sue; often this precludes cloud providers from instituting actions on behalf of their customers
• Amend the civil action provision to make clear that cloud providers have a private right of action against those who illegally access their datacenters
– Help users make informed choices by promoting transparency around cloud providers’ security practices
– Reconcile conflict of law issues by seeking a multilateral framework on these issues in the form of a treaty or similar international instrument
Digital Due Process Coalition
Coalition went public in April, urging update of ECPA, key law for government access to email/private files stored in “cloud”
– Coalition members include: ACLU, American Library Association, Americans for Tax Reform, AOL, Association of Research Libraries, AT&T, Center for Democracy & Technology, Citizens Against Government Waste, Competitive Enterprise Institute, Computer and Communications Industry Association, eBay, Electronic Frontier Foundation, Google, Information Technology & Innovation Foundation, Integra Telecom, Intel, Loopt, Microsoft, NetCoalition
Contents of Communications: Coalition urges that a governmental entity may require an entity covered by ECPA to disclose communications not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of age of communications, means or status of storage or provider’s access to or use of the communications in its normal business operations
House Judiciary Committee has announced it will hold hearings this spring to consider ECPA revisions
Google and the National Security Agency
Google-NSA Relationship
– In February 2010, EPIC filed a Freedom of Information Act request with the National Security Agency, seeking records regarding the relationship between Google and NSA
– EPIC FOIA request also seeks NSA communications with Google regarding Google's encryption of Gmail and cloud computing services
– EPIC also filed a lawsuit against NSA and NSC, seeking a key document governing national cybersecurity policy
The Cloud and Cybersecurity
Cyberattacks against Google were a "wake-up call" about the vulnerabilities that could cripple the U.S. economy (Dennis Blair, U.S. Director of National Intelligence)
President Obama recently appointed Howard Schmidt as the administration's cybersecurity coordinator
– Schmidt: “Cloud computing makes a lot of sense, but we need to make sure that the policies…the legal framework is in place”
– “The spotlight will shift to authentication, encryption, service level agreements and legal requirements”
– Schmidt has been working on requirements for secure cloud computing architectures
In February, House of Representatives passed cybersecurity legislation (H.R. 4061). H.R. 4061 seeks to
– Enhance coordination and prioritization of the federal research
– Promote development of technical standards
– Improve the transfer of cybersecurity technologies to the marketplace
Security Remains The Top Concern Re: Cloud
Mixing of customers' information in the cloud creates new risks.
– Threats include use of cloud computing for misdeeds, malicious insiders, insecure application programming interfaces and data loss or leakage
Jericho Forum, Cloud Security Alliance, and others have data security checklists for information technology vendors to use for self-assessment.
– Checklists may also be used by users or potential purchasers of IT products to assess their effectiveness in protecting data
Contact Information
Alan Charles Raul
Sidley Austin LLP
1501 K Street, NW
Washington, DC 20005
(202) 736-8477
www.sidley.com/infolaw
This presentation has been prepared by Sidley Austin LLP as of September 11, 2007, for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.