
Cloud Computing: Trust But Verify

14th Annual Privacy and Security Conference
February 8, 2013, Victoria

Martin P.J. Kratz, QC

Cloud Computing

• Provision of services available on the Internet
• Cloud based services widely used for consumer applications
  – increasingly being adopted for business applications
• Services typically provided on demand and scalable
  – user can expand use of the services dramatically
• Services typically provided on a per usage basis (a pooled resource / utility model) although many consumer based services may be provided without charge and on terms where the user
TODAY’S DISCUSSION

• Which rules apply?
• Cloud Computing in the Private Sector
• Cloud Computing for the Public Sector
• Questions

WHICH RULES APPLY?

• To assess which law is applicable, need to determine:
  – Public or Private?
  – Federally or provincially regulated activity?
  – What information does the organization collect, use and disclose?
    · Is it health information?
    · Is it personal employee information?
    · Is it information collected, used or disclosed on behalf of another party (are they Public or Private?)
    · Is the information collected, used or disclosed by a third party on behalf of the organization?

CLOUD COMPUTING & PRIVATE SECTOR PRIVACY

PRIVATE SECTOR OVERLAP

• Federal: Personal Information Protection and Electronic Documents Act (“PIPEDA”)
• BC: Personal Information Protection Act
• Alberta: Personal Information Protection Act
• Sask: PIPEDA
• Man: PIPEDA

ACTIVITIES MATTER

• Legislation is activity based
• Nature and location of the activity (not the organization) dictates applicable legislation
• Consider all applicable jurisdictions
• Consider scope of obligations

Which Laws are Applicable?

• Businesses doing business in multiple jurisdictions need to be aware of the applicable law in each jurisdiction
• Businesses with operations and customers solely located in a province - likely look to the law of that province
  – Alberta, BC – Personal Information Protection Act
  – Quebec - Loi sur la protection des renseignements personnels dans le secteur privé
  – Other - PIPEDA
• Need to consider inter-provincial transfers of personal information
• Contemplation of blended multi-jurisdictional privacy compliance programs

PRIVATE SECTOR ENTITIES MAY USE CLOUD COMPUTING

PIPEDA Case #145

It is not a “disclosure” if the personal information is in the “control” of the customer

• Railway has agreement providing for provision of personnel files and training records to the managing organization for management purposes
• PIPEDA 4.1.3 – organization is responsible for personal information in its possession or custody, including information transferred to a third party for processing
• Organization to use contractual or other means to provide comparable level of protection
  – Organization only provides information necessary to be processed
  – Service provider limits internal disclosure on a need-to-know basis
  – Agreement includes control by organization, confidentiality and other precautions reinforcing the organization’s control of the data / personal information

PIPEDA Case #394

• Email operation services provided by US service provider
• PIPEDA does not prohibit one from obtaining services across international borders
• Important for the customer to assess risks to security and confidentiality of customer personal information when transferred to a service provider – protection measures must be formalized by contract or other means
• Must be transparent about information handling practices and notify customers that information may be available to governments of the other country under lawful orders
• The sharing of information with the 3rd party service provider seen as a 'use' under PIPEDA that requires consent
• Once consent was obtained - change in service providers would not require a further consent

AB/BC PIPA

• It is not a “disclosure” if the personal information is in the “control” of the organization
• PIPA (BC)
  – Exemption permits collection, use and disclosure of personal information without consent for a service provider to assist the organization to carry out work
  – Organization must have consent
  – Service provider's processing limited to the purposes in consent
• PIPA (AB)
  – Definition 1(h) “organization” includes “any person acting on behalf of a corporation, unincorporated association, trade union or partnership or an individual” acting in a commercial capacity

FOCUS ON CLOUD COMPUTING SERVICE

KEY PRINCIPLE - YOU’RE RESPONSIBLE

An organization is responsible for personal information that is in its custody or under its control. Where an organization engages the services of a person, whether as an agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person’s compliance with this Act.

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

CLEAR ACCOUNTABILITY

5(6) Nothing in subsection (2) is to be construed so as to relieve any person from that person’s responsibilities or obligations under this Act

“… 5(2) affirms that a person or agent retained by an organization, whether under contract or otherwise, is not relieved of its own responsibilities or obligations because it has been retained by another organization. The end result is that there can be accountability on the part of both principal and agent, organization and

CONSENT & NOTICE

• Consider consent / notice requirements:
  – Initial transfer of personal information to service provider
  – Distinction between transfer of information for processing and disclosure? – "use" per PIPEDA Case #394?
  – Future collection, use and/or disclosure by third-party suppliers
  – Is properly obtained consent / notice to collection, use and/or disclosure by a company sufficient consent / notice for performance of those activities by a

CLOUD COMPUTING TERMS

• Appropriate terms in contract with cloud computing service providers are critical

TERMS TO CONSIDER

• Contracts with cloud computing service providers should ideally include some or all of the following:
  – Covenants restricting collection, use and disclosure of information other than for purposes for which third party is expressly retained
    · Typically addressed in the confidentiality provisions, but must assess that the definition of confidential information is broad enough to capture all personal information
  – Covenants requiring the service provider to maintain specific privacy, safety, security and backup standards for the personal information that meet the company’s standards
  – A right to audit the privacy & security practices of the cloud service provider

FURTHER TERMS

  – If a cloud service provider is collecting information directly for which consent / notice has not already been obtained, detailed requirements regarding the form and content of the consent / notice, and the manner in which it must be recorded
  – Obligations to provide access to personal information to the company and its customers/employees
  – A right to require the cloud service provider to modify its privacy practices at the company’s request
  – An indemnity for breach of privacy (may be carved out of limitation of liability)
  – Sensitivity of the personal information will dictate extent of contractual protection required

AB OIPC Investigation P2006-IR-004

• Complaint re Union – International Union maintains personal information about members in system in Las Vegas
• Assessment of safeguards found:
  – Union implemented reasonable administrative and technical safeguards at both local and international levels
  – Union's policies, procedures, technical security and response to a security breach incident were compliant with PIPA
• Report assessed preventive measures used to protect personal information including:
  – Training of all users, special training of system operators
  – Servers and data in locked secured data centre
  – 5 levels of security of data – firewalls, virus, spyware, denial of service & intrusion protection
  – Data encrypted during transmission
  – System subject to audits

AB PIPA

• Mandatory requirements for organizations using foreign service providers include:
  – Notification of individuals if service provider outside of Canada will collect personal information on behalf of organization
  – Notification if organization will be transferring personal information to service provider outside of Canada
  – Including information on the outsourcing

PIPEDA Case #313

• CIBC, amending cardholder agreement, notifies VISA customers on use of a US service provider and possibility that US law enforcement agencies may be able to obtain access to personal information
• No opt out possible
• CPC's findings:
  – PIPEDA does not prohibit use of foreign based 3rd party service providers
  – Canadian organizations must have provisions in place when using 3rd party service providers to ensure a comparable level of protection
  – CIBC contract provided
    · security & confidentiality guarantees
    · Oversight, monitoring and audit of services
  – personal information in the hands of a foreign 3rd party service provider is subject to the laws of that country and no contractual provision can override those laws
  – clear that there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider, be it Canadian or US, can be obtained by government agencies, whether through the provisions of U.S. law or Canadian law
  – at the very least, a company in Canada that outsources information processing to the US should notify its customers that the information may be available to the US agencies under a lawful order made in that country

CLOUD COMPUTING - THE

THE CHANGING LANDSCAPE

• 9/11 Terror Attacks
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act)
• BC Govt Serv. Employ Union vs British Columbia (Minister of Health Services)
  – Issue arises in the context of an effort by the Government to outsource certain processing
• But … access for law enforcement is normal in other jurisdictions including Canada
• Hogan Lovells study of numerous countries


THE BC Response

• Bill 73 provides provincial offences, with fines of up to $500,000, for outsourcing service providers who:
  – Store, access or disclose personal information of a British Columbia public sector body outside of Canada, subject to a few narrowly defined exceptions
  – Fail to provide notice to the Minister of Management Services of any foreign demand for disclosure of personal information held by the service provider; or
  – Discipline, suspend, demote, harass or otherwise disadvantage an employee who, acting in good faith and on the basis of reasonable belief, complies with the notice obligations above or acts to ensure compliance with the British Columbia legislation

BC Govt Serv Empl Union v. BC

• No Charter or statutory breach by outsourcing to US linked service provider
• Outsourcing of implementation and development of technology services confirmed
• Province retained ultimate responsibility for all administration and operation, assessments and final approvals
• "More than reasonable security" in structure of outsource transaction including:
  – Trust provisions – Province to obtain shares of opco if risk of disclosure occurs
  – Restrictions on use and control of electronic equipment by employees
  – $35M penalty for breach of confidentiality
  – Whistle blowing requirements (contractually and legislatively by FOIPPA)
  – Extensive FOIPPA provisions (Bill 73) to ensure records kept in private and in BC
  – All information remains property of Province
  – Prohibition on disclosure of data

Features post Bill 73 in BC contracts

• Requirements for segregated data access
• Requirements to keep individual user logs
• More use of non-disclosure agreements (between individual service provider employees and the public body, between employees of a sub-contractor and the service provider, and between employees of the sub-contractor and the public body)
• Annual oath requirements for service provider and sub-contractor employees
• Restrictions on access of foreign-based employees to personal information, where these employees work on transition and transformation activities
• Limitations on data access generally, including data remote access
• Corporate internal limitations on data access, cutting off extra-provincial access
• Alarm notification facilities to alert the public body to copying or unusual access activity
• Prohibitions on service provider staff outbound web and email access
• Restrictions on data portability hardware to only designated personnel
• Dedicated service provider privacy officers to monitor compliance
• Financial penalties in contract in the event of disclosure or privacy breaches

Mission School District No. 75

• Use of US based online assessment tool
• Unions allege breach of FOIPPA to BC OIPC:
  – Security arrangements reasonable?
  – Adequate consent to storage and access of the personal information?
• Commissioner finds:
  – S. 30 FOIPPA requirement to make reasonable security arrangements does not foreclose contracting out of services
  – Public body cannot contract out of its privacy obligations
  – Must provide reasonable security having regard to the nature of the personal information involved and seriousness of consequences if unauthorized disclosure
  – Found adequate consent through click to agree

Nova Scotia Response

• Personal Information International Disclosure Protection Act 2006 SNS 2006, c 3
• Requires that information under the custody and control of a public or government body be stored only in Canada and accessed only in Canada
  – Unless individual has consented to its storage or disclosure outside of Canada
  – Unless for permitted disclosure
• Permits public body or service provider to disclose personal information out of Canada for many lawful purposes including for law

AB Suggestions

• Alberta's commissioner recommended creation of an Alberta government checklist or model outsourcing contract, which would be applicable to consider in a cloud computing context:
  – A prohibition on the assignment or subcontracting of the outsourcing contract without the written consent of the public body
  – A requirement of notification by the outsourcer in the event of a notice of creditor's remedies or Court applications for bankruptcy or protection from creditors
  – A requirement of notice on any demand for access to or disclosure of personal information received by the outsourcer
  – A requirement of notice of any loss or unauthorized access to personal information by the outsourcer or its employees
  – A right to audit for both compliance with the contract and with any legislation stipulated to be applicable to it (i.e. Alberta FOIPPA, the Health Information Act, etc.)
  – A requirement for the outsourcer to have in place a system to monitor or audit its own use and disclosure of the personal information, with an access provision for the public body to review those logs on certain conditions
  – Stipulated consequences for breach including mandatory return of all copies of personal information and assistance in recovering lost or otherwise disclosed personal information

The Federal Response

• Federal Treasury Board Secretariat released:
  – A policy guidance document “Taking Privacy into Account Before Making Contracting Decisions”
  – A strategy paper entitled “Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows”

Review of Licensing Automation System

• PC 12-39 Ont. Priv. Comm.
• Ministry of Natural Resources uses US licensing automation system to manage hunting & fishing licenses
• Privacy Impact Assessment conducted before proceeding
• OPC: Ontario has no legislative prohibition on storing personal information outside of Ontario or Canada
• Prov. Institution obligated to ensure reasonable measures in place to protect privacy and security of records containing personal information
• Risks of PATRIOT ACT similar to those of law enforcement access in Canada – rely on PIPEDA case #2005-313
• Safeguards found sufficient and include:
  – All data owned by the Ministry
  – Agent cannot use, collect or disclose personal information for unauthorized purposes
  – All personal information is subject to confidentiality obligations
  – Require notice of compelled disclosure
  – No subcontracting without Ministry consent
  – Agent to ensure security and integrity of all personal information in its possession
  – Agent to return all information at end of term, retaining none
  – Provision for audit of privacy and security compliance
  – Governing law Ontario

Existing Practices

• The segregation of personal information being handled under the contract from other records held by the contractor
• Audit trails to closely monitor how information is being handled
• The limiting of right-to-access based upon specific user profiles
• Approval by the government of any subcontracting
• The return or approved destruction of all records at the end of a contract
• The signing of non-disclosure agreements
• The use of encryption technology allowing only government officials to view the decrypted data

New Practices

• The inclusion of a new step in the solicitation checklist for service contracts that asks for the review of direct and indirect risks involving personal and proprietary information
• Use of multi-disciplinary teams to review proposed contracting arrangements
• Monitoring of all contracts where foreign companies have access to personal or other sensitive information
• Adding contractual requirements that part or all of the work be completed within the institution (especially when health information is involved) or within Canada
• Ensuring by contract that personal information or other protected or classified information is shared with third parties only where warranted
• Consultation with legal services for all future contracts where personal or sensitive information will be exchanged or provided to third parties to consider inclusion of provisions that prevent disclosure under any foreign legislation
• Modification of contract forms to allow contract authorities to better assess risk
• Exploration of technological solutions to protect information flows
• Amendment of training plans to increase department-wide assessment of risks
• Development of risk management approaches related to business and personal information to mitigate risks associated with foreign legislation, which will in turn be incorporated in the institution's corporate risk management framework

Final Comments

• Do your Due Diligence
  – know your service provider / customer
  – know your jurisdiction(s)
  – know your transaction
• Understand the obligations
• Design the cloud computing service relationship to address privacy and security safeguards
• Look to public sector guidelines as checklist

QUESTIONS?

Martin P.J. Kratz, QC
