
Copyright © 2011 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

Addressing Data Privacy and Security Compliance in Cloud Computing

Benjamin Hayes,

Director of Legal Services, Data Privacy Compliance – North America Accenture


Welcome & Introductions

Benjamin Hayes, CIPP, CIPP/C, CIPP/G, CIPP/IT, CIPP/E

Director of Legal Services,

Data Privacy Compliance – North America Accenture, LLP

[email protected]

703.947.2292


What does Accenture do?

• $31B company

• 250,000+ employees in 64 countries

• 3 lines of business:


Agenda

• Introductions

• Data Privacy Legal Regulatory Update

- The Data Privacy legal landscape

- Recently enacted data privacy laws

• Cloud Computing – Data Protection Compliance Considerations

- Overview: The Current Landscape

- Compliance Challenges

- Allocation of Responsibility

- Practical Considerations in working with Cloud Suppliers

• Discussion


Data Privacy Legal Landscape


The privacy legal landscape

Data Privacy laws address:

• the way in which companies and government bodies may collect, use, store, disclose, share, transfer and otherwise process personal data about individuals.

Personal Data = any information about an identified or identifiable individual

Duties of Companies when holding, using and sharing personal data of any individual, whether as a data owner or a service provider

Rights of individuals in relation to their personal data—e.g., right to access.

Powers of supervisory government body to oversee and enforce the law,


3 Models for Privacy Laws

• General laws—apply to all collection, use and disclosure of personal data (the “omnibus model”)

- Customers

- Employees

- Business contacts

• Sectoral laws—apply only to specific business sectors like health care, financial services

- Most broadly adopted in US and Asia

• No regulation

- Privacy laws began in US/Europe and have spread to other parts of the world, but not universal


The privacy legal landscape

Privacy Laws Around the World


Major Data Privacy Legal Changes 2010-2012

New laws:

• India (IT security regulations)

• Malaysia

• Mexico

• Peru

• China

• Philippines

Changes / enhancements to existing laws:

• EU (E-Privacy Directive implementation)

• Taiwan

• South Korea

Proposed additional changes:


Recently Enacted Data Privacy Laws

APAC

Taiwan, South Korea, China, India

Comprehensive data privacy laws being adopted by countries which previously had none.

• Taiwan (effective November, 2011)

- Aligns to EU standards, with variations on consent requirement.

• South Korea (effective September 30, 2011)

- Similar to EU, but more restrictions on data exports (addl. guidance expected); restrictions on the use of CCTV.

• China – Jiangsu province (effective January 1, 2012)

- EU-style law – only in the province of Jiangsu – the first comprehensive DP law at any level in China.


Recently Enacted Data Privacy Laws: India

“Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011”

• Effective as of May, 2011

• Issued under the authority of 2001 IT Act, as amended 2008.

• Applies only to “sensitive personal information” – name (and any other data) in conjunction with:

- Financial account data

- Health information

- Passwords / biometric data

- Sexual orientation

• Initially thought to apply to data brought to India for processing; outsourcing was excluded from the regulations’ scope by Government clarification (Aug 2011).


Recently Enacted Data Privacy Laws

South America – Mexico, Peru

• Mexico

- Similar to Canada, the law basically aligns with EU standards, but does not include data export restrictions.

- Data security regulations released Dec., 2011

• Peru

- The law basically aligns to EU standards, including restrictions on trans-border data flows.


Significant changes to EU Data Protection (Privacy) Directive planned

January, 2012 - the European Commission has issued a DRAFT Data Protection Regulation which would replace the existing EU Data Protection Directive

• Most of the current substance of the DP Directive will remain in force, but with several added requirements:

– Data security breach notification – required to clients or to individuals within 24 hours

– Service Providers (“data processors”) would be directly regulated with regard to security and certain other provisions.

– Opt-in consent required (particularly for marketing) in many cases where it is not required currently

– Companies larger than 250 employees required to have data privacy officer with certain responsibilities.


Trends in the new laws

• General trend is to embrace EU-style fair information practices (FIPs), but move away from EU-style data export restrictions (with some exceptions).

• Sometimes called the “Canadian Model”

• More attention to data security, but less technically prescriptive laws. More focus on independent standards regimes like ISO 27001 and PCI Data Security Standard.

• Growing acceptance of the “Accountability Model” which would articulate general principles of privacy laws, but would leave it to companies and third-party standards-setting bodies to create detailed program standards.

• Greater focus on “Privacy by Design”—responsibility to build data privacy functionality into software and other technology.


Cloud Computing –


A Working Definition of Cloud Computing

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The cloud model allows for flexibility and scalability.

There are three service models and four deployment models.


3 Cloud Service Models

Cloud Software as a Service (SaaS)

- Cloud provider hosts software so it doesn’t need to be installed or managed and hardware doesn’t need to be purchased for it

Cloud Platform as a Service (PaaS)

- Black-box services with which developers can build applications on top of the computing infrastructure

Cloud Infrastructure as a Service (IaaS)

- Processing, storage, network capacity, and other fundamental computing resources are “rented”


4 Cloud Deployment Models

Public cloud

- sold to the public; mega-scale infrastructure

Private cloud

- enterprise owned or leased (e.g., co-location services)

Hybrid cloud

- composition of two or more clouds

Community cloud


Compliance Challenges—Data Security, Availability

Compliance with strict technology standards (e.g., HIPAA, PCI, Spain, Italy, Romania)

Data ownership

Allocation of responsibility for security

Exposure of data to government subpoenas (Patriot Act, India)

Data retention and destruction issues

Quality of service guarantees

Attraction to hackers—especially for public clouds

Possibility for massive outages vs. data availability requirements


Compliance Challenges—Who is subject to the law?

Most privacy laws apply to classes of entities, instead of classes of data.

- The effect is that service providers are typically not governed directly by privacy laws, but by service contracts with data owners (clients).

Cloud—particularly public cloud—service contracts are not designed to be highly negotiated. Indeed, for most customers they are not intended to be negotiated, nor will they be, at all.

Where does this leave the data owner who must satisfy privacy and security requirements under X law, to which the cloud supplier is not subject?


Compliance Challenges (cont.)

How the EU Views Cloud Computing

Mere hosting, even without logical access to data, is still considered “processing” under EU privacy laws.

Insistence on standard EU Model Clauses or Safe Harbor to create a lawful basis for non-EU data storage.

Concern and suspicion about access by foreign (e.g. U.S., India, China) governments to data stored in non-EU cloud.

Some EU regulators taking the view that EU businesses should use EU-only clouds. Required already under certain public sector rules.


Cloud Computing – Allocation of Responsibility


How is Cloud different than traditional hosting?

• In traditional hosting, an entire application and its data reside on known physical machines.

- In cloud computing, application and data are on known virtual servers, but physical location is dynamic and always changing.

• In traditional hosting, host plays an active role in configuration and/or maintenance of the application and its data—responsible for backups, network security, etc.

- (IaaS / PaaS) Cloud is more self-service for application owners—many optional functions and components, but nothing works until configured and activated by the application owner.

- Example: backup – no backup will occur unless the data controller chooses and provisions a backup mechanism; then provider is responsible for executing it


The effect of virtualization on the roles of the parties

• Virtualization means that applications and data are split up across many physical servers.

• Applications and data can only be reassembled by the “virtualization layer”; without access to the VL the data is viewable only as unreadable 1s and 0s.

• In IaaS and PaaS cloud models, system administrators may not have access to client-controlled virtualization layers—the effect is no access to data. Important to understand exactly what access—and where it occurs—cloud provider has.

• The implication is that Cloud providers (other than SaaS) have no ability to control application-level security (e.g. access rights, authentication, encryption, logging, data quality, etc.)—these functions must be established and maintained by the manager of the application.


Cloud requires a reallocation of responsibilities:

• “Substantive Data Privacy” requirements (Fair Information Practices) must be met entirely by data controllers in IaaS / PaaS models. Shared responsibility in SaaS—but who is responsible for software design?

• Any security requirement that can be executed at the application or database level (e.g., authentication, access logs, encryption, password complexity, etc.) is the responsibility of the application manager.

• IaaS / PaaS providers are left with a residuary of physical, facilities, network and hardware responsibilities, as well as logging and access controls for helpdesk and admin super-users.

Justice is blind—the law requires that things be done, but is not particular as to who does them


System Component Responsibility and Control by Cloud Type

[Figure: one column per model (On-Premise, Infrastructure as a Service, Platform as a Service, Software as a Service), each showing the same stack of components (Network, Storage, Servers, Physical security, Operating System, Database, System Software, Application Architecture, Application) with brackets labelled “User-Managed” and “Cloud”, and “Encryption” marked under each column.]


Common Fallacies

• Encrypting data absolves the cloud supplier of any responsibility for security

• If the application is stored on the cloud, data typically cannot be encrypted during use by the application

• Cloud host admin personnel or help desk often have some type of access (more common in PaaS than IaaS, very common in SaaS)

• All compliance can occur at the application level


Perspective from a Cloud System Integrator


Accenture’s position as a reseller of third-party cloud services

Cloud Terms of Service

Client requirements


What is the problem?

• Public Cloud 1.0 business model (c. 2009) did not address clients’ legal compliance needs. Standard terms for cloud services are typically insufficient to meet clients’ regulatory requirements for regulated data, and are presented as non-negotiable.

- Result: regulated data could not be placed into the cloud.

• Situation began to change in 2011

• This is now changing as some cloud suppliers see privacy and security compliance as a competitive differentiator


Accenture’s Solution—the Mother of All Security Schedules (MOASS)

• For use only with IaaS and PaaS providers

• Based on 33 privacy and security laws in 29 countries

• Derived from the superset of security requirements

• Does not address PCI Data Security Standard (payment card data)

• Does not include requirements that can be executed as part of application management—these are the responsibility of the application manager (either the client or the system integrator)

• Includes EU Model Clauses, a HIPAA Business Associate Agreement, and terms drawn from laws in most major economies.

• Suppliers who agree to terms can be said to “comply with” their portion of responsibilities under most privacy laws.


A pragmatic approach to compliance in the cloud


Practical considerations—Understand the landscape

• Going into the cloud with eyes open means:

• Understand that the cloud is a more self-service service model than traditional hosting or ASP services.

• Chances are excellent that your company will retain most of the responsibility for application-related compliance requirements.

• Do not expect to devolve a significant number of compliance responsibilities or a significant amount of liability for data breaches to the cloud.

• Do not expect a high degree of visibility into the technical operations of your cloud.


Practical considerations—Understand the data

• Identify:

-- what data will be moved to the cloud?

-- what law(s) is it subject to?

-- which requirements can be performed at the application level, or using a la carte PaaS services?

• Whatever cannot be managed directly by the data controller / application manager must be flowed down to the cloud host by contract:

-- Physical security

-- Hardware requirements

-- Access, authentication, logging, and workstation controls for cloud admin / helpdesk personnel with access to data


Practical Consideration—Understand the proposed cloud

• Where are the data centers?

-- You don’t need a street address—just what countries?

• What supplier personnel can obtain access to production data and under what circumstances?

-- Where (what countries) are these people based?

• What do standard terms and conditions include?

-- EU Model Clauses or Safe Harbor?

-- Attestations concerning specific security measures to be followed?

-- Audit rights?

• If standard terms do not address all compliance requirements, will supplier agree to alter standard terms?

-- If not, STOP. If you have unmet compliance responsibilities and the supplier won’t accommodate them in the contract, change suppliers or explore hybrid cloud options.

• Does the supplier have credible audit reports it is willing to share, or will it allow you to perform a security review?

• What SLAs will the cloud commit to regarding uptime, availability of data, portability, etc?


Practical Consideration

• Recognize that cloud suppliers will not negotiate terms like other subcontractors:

– Willingness to negotiate terms at all may be tied to minimum monthly spend commitments

– Full rights of audit for data security are not likely to be agreed

– Unlimited liability for data breaches is basically impossible

• Important to understand what terms supplier has accepted with other clients and whether there is any opportunity to negotiate if terms do not appear to support your compliance requirements.


Resources

Discussion


Contact Information

Contact:

Ben Hayes

Director of Legal Services, Data Privacy Compliance – North America

[email protected]
