
Internet of Things: Significant Privacy & Security Issues

Posted by fgilbert on January 9th, 2014

The Internet of Things has the potential to transform many fields, including home automation, medicine, and transportation. It will connect more things and more people to the Internet, and ultimately, connect more people with each other. Our devices will know, more than ever, who we are, what we pay, what we sign up for, or with whom we interact. As a result, one of the significant issues raised by the Internet of Things is consumer privacy and data security.

Because interconnected devices and services often collect and share large amounts of personal information, companies offering products as part of the Internet of Things must ensure that they safeguard the privacy and security of users. Policymakers and members of the technology community must also be sensitive to consumer privacy and data security issues.

The recent Federal Trade Commission action against TRENDnet provides a vivid example of the mishaps that can occur when proper privacy and security measures are missing. TRENDnet sold its Internet-connected SecurView cameras for purposes ranging from home security to baby monitoring. Defective software allowed unfettered online viewing, and in some instances listening, by anyone who knew the camera’s IP address: the camera did not require any credentials before serving its feed. As a result, hackers posted live feeds of nearly 700 consumer cameras on the Internet, showing activities such as babies asleep in their cribs and adults going about their daily lives. In addition, TRENDnet transmitted user login credentials in clear, unencrypted text over the Internet, where anyone on the network path could read them.

The Federal Trade Commission charged that TRENDnet’s lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet, and alleged that these practices were deceptive and unfair. Among other things, the settlement requires TRENDnet to establish a comprehensive information security program and to obtain third-party assessments of that program every two years for the next 20 years. TRENDnet must also notify customers about the security issues with the cameras and the availability of the software update that corrects them, and provide free technical support for the next two years to help customers update or uninstall their cameras.

Mobile devices and wearable devices play an important role in the Internet of Things, as well. They collect, analyze, and share information about users and their environment, such as their current location, travel pattern, speed, or the noise levels in their surroundings. They allow users to connect with each other in all sorts of settings, and share – knowingly, or not – a wide variety of information among themselves and with the service provider.

Mobile app providers have an obligation to inform their customers about their data collection and use practices. This is specifically required by the California Online Privacy Protection Act. The Federal Trade Commission has taken the same position. In February 2013, the Federal Trade Commission took action against Path, a social network that allows users to keep journals about moments in their life and share them with up to 150 friends.

In its complaint against Path, the FTC identified circumstances where Path deceived users by collecting personal information, such as information from their address books, without the users’ knowledge or consent. The FTC concluded that the collection of personal information from a mobile phone without disclosure or permission may be a deceptive or unfair practice under the FTC Act. The final consent decree requires Path to establish a comprehensive privacy program and obtain independent privacy assessments every other year for the next 20 years. Path will also have to pay a fine of U.S. $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.

This case has obvious implications for other Internet-connected devices that collect personal information about users. Such technologies should include some way to notify users and obtain their permission. This raises questions of how businesses should convey, on the small phone screen, information about what data, sometimes of a highly sensitive nature, these devices and apps collect, use, and share.

Providing notice to consumers may be complicated in the case of devices with a limited or no user interface. Activity trackers have only very basic user interfaces on the device itself. Smart light bulbs may not have any consumer-facing user interface. Similar issues arise with wearable devices, such as smart watches, wristbands or glasses. Addressing consumers’ privacy concerns over such devices will present business, engineering, and policy challenges that will require constant innovation.

The Internet has evolved to one of the most dynamic forces in the global economy. It is reshaping entire industries and changing the way we interact on a personal level. The Internet of Things promises even greater progress, but raises significant information privacy and security issues.

Use of Cloud Computing in a Law Office

Posted by fgilbert on October 10th, 2013


Attorneys and law firms are increasingly interested in taking advantage of the proliferation of cloud computing services in their law practice. For example, they might wish to use web-based email to interact with their clients, or subscribe to customer relationship management (CRM) services offered as Software as a Service (SaaS) to manage their customer and prospect lists. They may be tempted to store documents in the many storage services that are offered at no charge. New options emerge every day, as more applications are developed and marketed.

However, while cloud services present significant advantages, the use of cloud computing services by attorneys and law firms presents unique challenges due to the ethical rules to which attorneys are subject. In addition to ethical concerns, services provided in a cloud computing environment present a number of technical, physical, and contractual risks. Cloud computing agreements should be reviewed carefully before venturing into this new, complex form of outsourcing.

The Advantages of Cloud Computing

Cloud computing offers so many advantages that it is difficult to resist the temptation. Many services can be obtained at very low cost; in many cases, they are offered free of charge. Thus, it may be less expensive for a law firm to obtain these services from a cloud provider than to run and maintain an application on its own server on its own premises. Maintenance is usually included in the offering, so there may be no need to worry about keeping up with updates, as they are installed automatically. The services are accessible from anywhere, a feature of great interest to attorneys who work long hours and may use the remote access capability to telecommute when needed. Altogether, cloud computing requires less in-house expertise, capability, and infrastructure, which may result in significant savings.

Cloud computing services may provide flexibility. As these services are often sold on demand, a law firm may take advantage of the elasticity to purchase as little as it needs on a regular basis, knowing that it can quickly ramp up and add storage, computing capability, or a few new features if the need arises.

Cloud computing may also provide increased stability and security. Reputable cloud providers usually employ the most up-to-date, sophisticated security measures. Their experienced, adequately trained staff excels at implementing security measures that take into account the current trends. They have access to sophisticated tools to monitor unauthorized access to the systems or manage permissions. These entities also have the ability to put in place sophisticated disaster recovery and business continuity features that are likely to be more powerful and effective than those that a small or lean law practice could implement.

However, entrusting data to cloud providers is not without danger. For instance, a large cloud provider known for serving prestigious customers may itself be a target of cyber attacks aimed at disrupting those customers’ operations or accessing their critical data. The provider’s safeguards also protect only its side of the service: the law firm remains responsible for how it configures access, manages its users’ credentials, and shares documents, and a misconfigured sharing setting or a weak password defeats the provider’s security measures. In addition, attorneys are subject to stringent ethical rules that may hamper their ability to use certain types of cloud services for certain purposes or with certain categories of data.

Ethical Rules

Before starting a search for cloud services that would make your practice so much more efficient, you should first determine whether the Ethical Rules that apply to your profession would allow your law firm to use cloud services. Ethical rules vary from one jurisdiction to another, but they tend to follow some common general principles.

Competence, Confidentiality

Most Ethical Rules that apply to attorneys contain a duty of competence and a duty of confidentiality. Will the professionals who use the new cloud-based program be sufficiently proficient, and able to log in and out of the system and save or annotate documents, in a manner that does not put the confidentiality or the integrity of the data at risk?

Duty to Supervise

The Ethical Rules may also contain a duty to supervise and may require an attorney who assigns work or responsibilities to a non-attorney (e.g., the cloud provider) to make reasonable efforts to ensure that the third party’s conduct is compatible with the attorney’s professional obligations.

Duty to Safeguard Client Data

Attorneys are also generally required to keep client property, such as files, information, and documents, appropriately safeguarded. Would a law firm be able to ensure proper safekeeping of client files if those files were stored in a cloud? Certain cloud services host the data of several customers on the same server. Would this co-location be deemed an “appropriate safeguard”?

Further, the cloud provider may have structured its network so that the servers are spread throughout the world. Keep in mind that a foreign country would be likely to assert jurisdiction over any server located within its territory. These countries are also likely to have adopted different laws or standards with respect to third party or government access to data, confidentiality, or data ownership.

Duty to Communicate with Client

Finally, Ethical Rules for attorneys may contain a duty to communicate with clients. Would this duty require an attorney or law firm to promptly inform clients of any decision to store the client’s data in a third party’s cloud and to seek their consent?

Given the potential application of these and other ethical rules it would be prudent for attorneys and law firms that contemplate the use of cloud computing services to review carefully the ethical rules that apply to their profession, in their region, and review, as applicable, any opinion or guidance that may have been published by the applicable authority that regulates their profession.

How to Manage Cloud Computing Risk

Numerous precautions and measures can be taken by attorneys to reduce their exposure to legal, commercial, and reputational risk in connection with the use of cloud services.

Internal Due Diligence

Before stepping into the cloud, you should conduct internal due diligence to determine the potential obstacles or constraints that might prohibit or restrict the use of cloud services by your law firm. For example, you should review the ethical rules that might apply to your organization, as discussed above. You should also determine whether the law firm or any of its professionals has entered into a confidentiality agreement or data use agreement that might restrict the transfer of data to third parties, even if those third parties are service providers. You should also determine whether the proposed use of a cloud service or host would require the prior consent of your clients.

Keep in mind, as well, that some data might be so sensitive or confidential that they should not be transferred to the cloud at all, or that the transfer might require significant precautions. This might be the case, for example, for files that pertain to high-stakes mergers or acquisitions.

External Due Diligence; Contracts

Make sure that you understand the particular application or service you are contemplating purchasing. How will the servers be used to process your data? While it is important to involve your information technology team, you should understand how the service will operate, where the servers will be located, whether your data will be co-located with other customers’ data, and how your data will be protected from intrusion or disasters. Ensure that the service will be reliable and easy to use by everyone at the law firm. Conduct appropriate due diligence of the proposed vendor and the proposed applications. Check references. Conduct online searches and/or call current clients to evaluate the vendor’s reputation.

You should also review the proposed contract carefully, even if you are told that it is not negotiable. First, it might actually be possible to negotiate changes. And even if it is not, you should understand the consequences and implications of the engagement you are making. Pay special attention to the disclaimers of liability, confidentiality, intellectual property, and security provisions.

Continuous Access to Data

Service outages happen regularly. It is important to ensure that the cloud service will provide alternative access to data, such as by switching to a server located in a different region if an outage affects a specific data center. The service provider should have in place a robust disaster recovery plan that alleviates the effect of outages.

Consider backing-up your data to an alternative system or a second cloud provider, to ensure that you will be able to access the data in the event of an outage in the vendor’s facility or network, or in the event of a natural or other disaster.

Ensure that you have the ability to change providers when it becomes necessary or desirable to do so. Keep in mind, however, that while it may be feasible to move from one hosting service to another, changing applications, such as a customer relationship management system, is likely to be very costly or impractical.

Many cloud contracts provide that in the event of an outage the customer will be refunded that portion of their monthly fee that corresponds to the duration of the outage. Be realistic about the actual effect of such provision. The refund might be insignificant compared to the huge inconvenience and loss of business and loss of data availability. For example, what would you do if you are in the middle of a trial or closing an acquisition, and suddenly the needed data are not available due to an outage or other force majeure event?

Security, Security Breaches

Ensure that the data will be appropriately protected from unauthorized access or modification. Specific measures may be required, such as firewalls, access restrictions, encryption, strong passwords or other authentication measures (such as multi-factor authentication where the provider offers it), and an electronic audit trail that records who accessed the data and when. If encryption is offered, ask who holds the keys: if the provider can decrypt the data, encryption at rest protects against a lost or discarded disk, not against the provider’s own staff or an attacker who compromises the provider. Ensure that the contract obliges the provider to notify you promptly of security breaches that affect the data your law firm uploads to the cloud. You may have a legal and/or ethical obligation to inform your clients and regulators about an incident affecting these data. Negotiate compensation or indemnification by the service provider if the breach is caused by the cloud provider, either affirmatively or through its own negligence or failure to maintain agreed-upon safeguards or reasonable security measures.

Data Ownership

Beware of obscure or confusing clauses that might give the cloud provider ownership of data stored in its services, or the metadata associated with the access to or processing of your law firm’s or clients’ data. Ensure that the contracts with the service provider(s) acknowledge that the data are owned by the law firm and/or its client, and not by the cloud provider.

Termination

Anticipate the need to terminate the service. Have an exit strategy in place so that the law firm may change its provider when it becomes necessary or desirable to do so.

Implementation

Train your own staff and professionals who will use the cloud service or products, and obtain their written agreement to comply with your security measures and those recommended by the cloud provider, such as the use of strong, unique passwords and the prohibition on sharing passwords.

Conclusion

There is no doubt that cloud computing is here to stay and that companies will gradually move most of their data to the cloud. However, transferring the physical custody of one’s data to a third party does not relieve an organization from its legal obligations to protect these data, ensure adequate security and integrity, limit their use to specific purposes, or ensure their availability. Thus, any company should carefully consider the pros and cons, as well as the consequences, of the use of cloud services. For lawyers and law firms, these concerns are compounded by the specific ethical rules that govern the profession. Before venturing into the cloud, lawyers and law firms must evaluate the effect of the relevant rules of ethics to which they are subject, identify the categories of data that may be processed or stored in the cloud, and take the other measures necessary to ensure that they will be able to fulfill all of their legal and ethical duties to their clients.

How to address cybersecurity threats in medical devices

Posted by fgilbert on June 24th, 2013

The FDA has published for comment a draft guidance intended to assist the health industry in identifying and addressing cybersecurity threats in medical devices. Medical devices are frequently used to collect patients’ vital signs. The information is then transferred to a database within the medical office or in the cloud for further processing. For instance, a diabetic patient may be equipped with a device that collects blood samples and sends the readings to a cloud-based service that makes a diagnosis, determines the right dosage of a drug, and sets the time at which the dosage should be administered to the patient.

To accomplish this, the medical device takes advantage of wireless, network, and Internet connections to exchange device-related health information collected from patients with a remote service or practitioner. The transmission of patient information to remote computing facilities and its storage in a cloud raise significant cybersecurity concerns. The interception and unauthorized use, modification, or deletion of critical patient information could have deadly consequences: in the example above, a tampered dosage recommendation is delivered straight to the patient.

The draft guidance provides recommendations to consider and identifies documentation to be provided in FDA medical device premarket submissions in order to assure effective cybersecurity management and reduce the risk of compromise. Not surprisingly, the guidance recommends that engineers and manufacturers develop security controls to maintain the confidentiality, integrity, and availability of the information collected from the patient and transmitted to the cloud service that stores and processes it.

The draft guidance suggests the use of “cybersecurity by design”, a concept similar to that of “privacy by design,” to bake into the design of the medical devices and the equipment connected to these devices, the much-needed security features that could ensure more robust and efficient mitigation of cybersecurity risks.

The proposed guidance outlines the steps to be used for this purpose and stresses the importance of documenting each step taken:

  • Conduct a risk analysis and develop a risk management plan;
  • Identify the assets at risk, the potential threats to these assets, and the related vulnerabilities;
  • Assess the impact of the threats and vulnerabilities on the device functionality;
  • Assess the likelihood that a vulnerability might be exploited;
  • Determine the risk levels and suitable mitigation strategies;
  • Assess residual risk, and define risk acceptance criteria.

As always, the issue is one of balance: weighing the universe of threats against the probability and consequences of a security breach. Factors to be taken into account include the type of medical device, the environment in which it is used, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach. In addition, the guidance recommends that manufacturers carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use (e.g., home use vs. healthcare facility use), to ensure that the security capabilities are appropriate for the intended users.

The FDA draft guidance recommends that medical device manufacturers should be prepared to provide justification for the security features chosen and consider appropriate security controls for their medical devices including, but not limited to:

  • Limit access to trusted users only;
  • Ensure trusted content;
  • Use fail-safe and recovery features.

The proposed guidance also identifies the type of documentation that should be developed in preparation for premarket submission filed with the FDA. This information includes:

  • Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device;
  • Traceability matrix that links the cybersecurity controls to the cybersecurity risks that were considered;
  • Systematic plan for providing validated updates and patches to operating systems or medical device software;
  • Documentation to demonstrate that the device will be provided to purchasers and users free of malware; and instructions for use and product specifications related to recommended antivirus software and/or firewall use appropriate for the environment of use.
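The steps above carried through on the glucose-monitoring scenario, as an added example (not FDA text or code, and not any manufacturer’s actual analysis): a small risk register in Python that rates likelihood and impact, derives inherent and residual risk, checks residual risk against an acceptance criterion, and produces the traceability matrix that the premarket documentation list calls for. The three-level risk matrix, the acceptance criterion, and every asset, threat, vulnerability and control named in it are assumptions chosen for illustration; the controls are tagged with the three control categories the guidance names.

```python
"""Worked risk analysis in the shape of the FDA draft guidance steps.

Added illustrative example, not FDA code. The 3x3 risk matrix, the acceptance
criterion, and every asset/threat/control below are assumptions chosen to mirror
the glucose-monitoring scenario discussed in the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ("low", "medium", "high")  # ordinal scale for likelihood and impact

# Assumed risk matrix: (likelihood, impact) -> risk level.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}

# Assumed acceptance criterion: only "low" residual risk is accepted without
# further mitigation or justification in the premarket submission.
ACCEPTED_RESIDUAL = {"low"}


@dataclass
class Control:
    """A security control, tagged with the guidance category it addresses."""
    id: str
    category: str      # "trusted users", "trusted content" or "fail-safe/recovery"
    description: str
    reduces: str       # which factor it lowers: "likelihood" or "impact"
    by: int = 1        # number of levels it lowers that factor


@dataclass
class Risk:
    """One row of the register: asset, threat, vulnerability, ratings, controls."""
    id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)


def step_down(level: str, n: int) -> str:
    """Lower an ordinal level by n steps, never below 'low'."""
    return LEVELS[max(0, LEVELS.index(level) - n)]


def inherent_risk(r: Risk) -> str:
    """Risk level from the raw ratings (the 'determine the risk levels' step)."""
    return RISK_MATRIX[(r.likelihood, r.impact)]


def residual_risk(r: Risk) -> str:
    """Risk level after the listed controls (the 'assess residual risk' step)."""
    likelihood, impact = r.likelihood, r.impact
    for c in r.controls:
        if c.reduces == "likelihood":
            likelihood = step_down(likelihood, c.by)
        elif c.reduces == "impact":
            impact = step_down(impact, c.by)
        else:
            raise ValueError(f"control {c.id}: unknown factor {c.reduces!r}")
    return RISK_MATRIX[(likelihood, impact)]


def unaccepted_risks(register: List[Risk]) -> List[str]:
    """IDs of risks whose residual level fails the acceptance criterion."""
    return [r.id for r in register if residual_risk(r) not in ACCEPTED_RESIDUAL]


def traceability_matrix(register: List[Risk]) -> Dict[str, List[str]]:
    """Risk id -> control ids: the matrix the premarket documentation asks for."""
    return {r.id: [c.id for c in r.controls] for r in register}


# Constructed sample register for the glucose-monitoring scenario (all assumed).
C1 = Control("C1", "trusted users", "mutually authenticated TLS to the dosing service", "likelihood")
C2 = Control("C2", "trusted content", "dosing messages signed and verified on the device", "likelihood")
C3 = Control("C3", "fail-safe/recovery", "device refuses doses outside a clinician-set range", "impact")
C4 = Control("C4", "trusted content", "validated, signed firmware update process", "likelihood")

REGISTER = [
    Risk("R1", "dosage recommendation in transit", "tampering by a network attacker",
         "unauthenticated link to the cloud service", "medium", "high", [C1, C2, C3]),
    Risk("R2", "device operating system", "malware infection",
         "unpatched OS components", "high", "medium", [C4]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.id, "inherent:", inherent_risk(r), "residual:", residual_risk(r))
    print("traceability:", traceability_matrix(REGISTER))
    print("needs further mitigation or justification:", unaccepted_risks(REGISTER))
```

Run stand-alone, the register shows R1 dropping from high to low once its three controls are applied, while R2 only falls to medium, so R2 is the row that must either receive an additional control or be justified in the submission. The traceability matrix is the dictionary the script prints, which is the artifact a reviewer uses to confirm every identified risk is linked to at least one control.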

The Draft Guidance is available at http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf


Laws Regulating Government Access to Cloud Data

Posted by fgilbert on March 13th, 2013


A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security, and members of the Lexing Network, in a discussion of the laws that regulate government access to cloud data.

The topic is of great importance to cloud services providers and users, which are increasingly becoming aware that data or communications held in the cloud may be subject to requests for access by third parties such as a government conducting an investigation, or a party in a lawsuit. Requests for access by law enforcement, intelligence and secret services, are governed by very complex rules, and predictably, these rules differ from country to country.

As Peter McGoff, the General Counsel of Box, a major provider of cloud services, explained in his introductory remarks, cloud service providers (CSP) receive frequent requests for access to data or communications stored on their servers. They will respond to these requests in a manner that addresses the CSP’s obligations to comply with the applicable laws and its obligations to the customers affected by the access request, while ensuring that the CSP’s resources are used efficiently and reasonably.

The program continued with an overview of the applicable laws in the United States by Francoise Gilbert, Managing Director of the IT Law Group. The Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) are the primary laws governing these issues, and they are supplemented by other federal laws and a plethora of state laws. ECPA and FISA were enacted in the 1970s and 1980s and have been amended numerous times, including through the USA PATRIOT Act of 2001 and, most recently, through the reauthorization of the FISA Amendments Act.

A discussion with attorneys practicing in Canada, the United Kingdom, Switzerland, Italy, France, and Belgium followed. For example, Canada’s Security Intelligence Service Act (Part II) allows designated judges of the Federal Court to issue warrants authorizing the interception of communications and the obtaining of any “information, record, document or thing.” In the United Kingdom, government agencies find their authority in the Regulation of Investigatory Powers Act 2000 (RIPA). Among other things, RIPA allows the interception of communications, the use of communications data, directed surveillance of individuals, and the use of covert human intelligence sources.

The program concluded with tips from Peter McGoff. CSPs and other companies that anticipate receiving third party requests for access to data or communications should have in place a plan for responding to these requests in a manner that is consistent with the terms and conditions of their service, and that takes into account their obligations under the laws of the countries that have jurisdiction over their operations.

A video recording of the program was also made available.

USA Patriot Act Effect on Cloud Computing Services

Posted by fgilbert on December 11th, 2012

Recent reports and press articles, with attention grabbing headlines, have expressed concern, and at times asserted, that the U.S. government has the unfettered ability to obtain access to data stored outside the United States by U.S. cloud service providers or their foreign subsidiaries. They point to the USA PATRIOT Act (“Patriot Act”) as the magic wand that allows U.S. law enforcement and national security agencies unrestricted access to any data, anywhere, any time. In fact, the actual impact of the Patriot Act in this cloud context is negligible.

To the extent that the U.S. law enforcement or national security agencies can access data held in the cloud or elsewhere, it is not through the Patriot Act but through decades-old laws and judicial decisions. For more than 40 years, government access to personal data and communications in the context of national security and law enforcement matters has been regulated by a wide range of federal and state laws. These laws were enacted long before the passage of the Patriot Act, and have been amended further since then. These laws are not so different from those that are in effect elsewhere. Most other nations have in place comparable provisions for access to data in the context of national security or law enforcement. Others do not, and in this case, their governments have unrestricted powers to access any data anywhere from anyone.

This article will examine the actual role and effect of the Patriot Act, and briefly describe some of the U.S. laws that govern access to data by the U.S. law enforcement, national security, and intelligence services. A subsequent article will address how other countries, in Europe and elsewhere, regulate access to data by their respective governmental entities in similar circumstances.


Only a Series of Amendments

Contrary to press reports, the Patriot Act is not “the” U.S. law that governs access to data or communications by law enforcement and national security agencies. Signed into law in 2001 after the September 11 attacks, the USA PATRIOT Act (an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) is primarily a collection of amendments to existing laws that were enacted in the 1970s and 1980s.

The amendments brought in by the Patriot Act were designed to make it easier for the U.S. law enforcement and national security agencies, in the context of criminal investigations, to conduct surveillance and access data for the purpose of preventing, detecting, and investigating crimes and terrorist acts. For example, previously, if law enforcement needed to have access to data held by communication providers in multiple states, it had to seek separate search warrants from separate judges. The Patriot Act amendments allowed for this type of investigation to require only one search warrant to be obtained from one federal judge. This change streamlined the process for U.S. government searches in certain cases, but did not affect the underlying laws, regulations, and prior court decisions pertaining to government requests for access to data.


Rules for Government Access to Data

It is not as easy as the press depicts it for U.S. prosecutors, law enforcement or national security agencies to have access to data, information, document or premises owned or controlled by private entities, enterprises, financial institutions, and the like. Numerous rules govern the circumstances and manner in which state or federal government agents may act and collect the evidence that they are seeking. In addition, other rules govern the use of this evidence. Evidence may be admitted in court only if it has been legally collected in accordance with applicable laws.

At the federal level, the basic rule, written in the Fourth Amendment to the U.S. Constitution, grants individuals the right to be secure from unreasonable searches and seizures. In addition, several federal laws, such as the Wiretap Act, the Stored Communications Act, the Pen Register Act, the Foreign Intelligence Surveillance Act, the Communications Assistance for Law Enforcement Act, and the Economic Espionage Act, define specific rules. A similar regime exists under state law. Most U.S. states have general surveillance laws as well as specific laws, such as laws that govern the use of RFID technologies for surveillance purposes.

These laws may depend on the nature of the information to be retrieved and the purpose for which it is retrieved. For example, the Wiretap Act pertains to access to data in transit, whereas the Stored Communications Act pertains to access to data in storage. There are different provisions for access to content (e.g., the actual message or communication) as opposed to access to non-content (e.g., the identity of the sender or recipient, or time of the call or communication). The law may distinguish whether the person being investigated is a U.S. citizen or resident, or, instead an “agent of a foreign power,” as is the case under the Foreign Intelligence Surveillance Act.

The laws described above define the specific rules and requirements that must be met for a federal or state investigator to have access to specific data, premises, or equipment where the data is located, and for specific purposes. In most cases, the investigator is required to obtain a subpoena, a court order, or a warrant. In rare cases, it may be possible to have access to data without a subpoena, court order, or warrant; these cases are specifically identified in the applicable law, and are generally associated with extraordinary circumstances and grave hostile acts. There, other types of control and oversight apply.


Stored Communications Act

The rules of the Stored Communications Act are frequently used in the context of access to data stored by cloud service providers. Enacted in 1986, the Stored Communications Act governs access to wire, oral, and electronic communications in storage (as opposed to communications in transit). The law contains general prohibitions against access to these communications, and exceptions, such as rules that allow disclosure of these communications by providers of electronic communications services (e.g., Verizon, AT&T). It also contains an exception for allowing a governmental entity to obtain access to data stored by communication and computing service providers. These rules are very complex and detailed.

When the data are held by an electronic communications service provider, the rules for obtaining access to the content differ according to the length of the period during which the service provider has held the data. The threshold is 180 days. The requirements are more stringent for access to data held for less than 180 days than for data held for longer than 180 days. This dichotomy was developed in the late 1980s, at a time when the Internet, as we know it now, did not exist, and before we started using servers for storage purposes. At that time, it was deemed that a communication that had been stored for 180 days was abandoned and thus deserved less protection.

When a governmental entity seeks to obtain access to content that an electronic communications service has held in storage for less than 180 days, it must first obtain a search warrant. The standard for obtaining a warrant is very high: the government agent must show, based on his or her personal observation or hearsay information, that “probable cause” exists to believe that evidence of a crime would be found in the requested search.

On the other hand, to obtain access to the same content held by the same electronic communications service provider for more than 180 days, a subpoena or court order would suffice. The requirement for a subpoena or a court order is much less stringent than that for a search warrant. However, if the government elects to use a subpoena or a court order, it must give prior notice to the subscriber or customer of that service. If the government wants to avoid providing notification, then a warrant is required.

This is just an example of the complexity of these rules; they are detailed in lengthy provisions, with numerous exceptions and nuances. For example, the rules described above apply only to “electronic communication services” (“ECS”) (i.e., services that send or receive wire or electronic communications). Different requirements apply to access to data held by “remote computing services” (“RCS”) (i.e., services that provide computer storage or processing services). In this case, the 180-day dichotomy does not apply and the requirements are different. Further, while the rules above would apply for access to “content” (i.e., what was said, what the message was), there are different rules for access to “non-content” (i.e., when the message was sent, from whom, to whom).


Foreign Intelligence Surveillance Act and Amendment

Enacted in 1978, the Foreign Intelligence Surveillance Act (FISA) prescribes procedures for physical searches and electronic surveillance of activities of foreign entities and individuals where a significant purpose of the search or surveillance and the collection of information is to obtain “foreign intelligence information.”

The term “foreign intelligence information” is defined to include information that relates to actual or potential attacks or grave hostile acts of a foreign power or an agent of a foreign power, sabotage, international terrorism, weapons of mass destruction, clandestine intelligence activity by or on behalf of a foreign power, or similar issues.

As with the other laws described in this article, the Patriot Act did not create the FISA; it only amended it. For example, the Patriot Act enlarged the scope of the existing law to apply when “a significant purpose” of the search or surveillance is the collection of foreign intelligence, whereas the scope of FISA was initially limited to searches where “the primary purpose” was the collection of foreign intelligence.

The FISA allows the President of the United States, through the U.S. Attorney General, to authorize electronic surveillance without a court order in order to acquire foreign intelligence for a period of up to one year. Otherwise, the government must seek an order from the FISA Court (or “FISC”), a special court that oversees surveillance activities under the FISA. The application to conduct the surveillance must set out the facts to support a finding by the FISC judge reviewing the application that there is probable cause to believe that the proposed target is a foreign power, and must describe the premises or property that is the proposed subject of the search or surveillance. The U.S. Attorney General representative must certify, in writing and under oath, that the electronic surveillance is solely directed at the acquisition of communications between or among foreign powers and that the proposed procedures meet the “minimization procedures” requirement. The U.S. Attorney General representative must immediately transmit, under seal, a copy of this certification to the FISC.

The FISA was amended in 2008 through the FISA Amendment Act (FAA) to permit the U.S. Attorney General and the Director of National Intelligence to jointly authorize the targeting of non-U.S. persons reasonably believed to be located outside the United States, in order to acquire foreign intelligence information. Targeting under the FAA requires a determination by the U.S. Attorney General and the Director of National Intelligence that exigent circumstances exist because intelligence important to the national security of the United States may be lost.

There are numerous limits to the way in which the targeting may be conducted, and minimization procedures must be used. In addition, the targeting must be conducted in a manner consistent with the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable searches and seizures.

The U.S. government does not have jurisdiction over non-U.S. entities located outside the U.S. territory. The FAA does not grant U.S. governmental entities the right to access servers held outside the United States. It only defines the rules that federal agents must follow to target communications made by non-U.S. persons believed to be located abroad.


Annual Reports

The issuance of search warrants or orders allowing access to or interception of communications is highly controlled. Not only must each investigator provide substantial information to show why the search is needed, and provide the grounds for why the content is relevant or material; in addition, any judge who has issued an order for an interception or has denied a request for access to data must provide detailed reports on the approvals or denials annually to the Administrative Office of the United States Courts.

Concurrently, the U.S. Attorney General who made a request for access must also file a report with the courts’ administrative office. This report must contain detailed information about each investigation, including, for example, the number of persons whose communications were intercepted, the number of arrests resulting from the interception, or the number of convictions. Compilations of the judges’ reports and U.S. Attorney General reports are prepared annually, and a summary report is provided to Congress. These reports are publicly available for anyone to review and are posted on the Internet.

Consequently, investigations are not initiated lightly; having to prepare so many applications, sworn statements and reports is already a deterrent. In addition, each such investigation is very costly. According to the report on these investigations filed in 2010, the average cost of an “interception” ranges from $20,000 to over $100,000, with a median around $50,000.


U.S. Government Access to Data Outside the U.S.

What happens when an investigation would require access to data held in a foreign country? Generally, a U.S. prosecutor or investigator will not be permitted to conduct an investigation or to interview witnesses abroad. In most cases, the help of the local government will be necessary. To this end, over the years, nations have agreed on a variety of bilateral or multilateral treaties that define how they will cooperate in certain matters.

For example, the U.S. is party to several Mutual Legal Assistance Treaties (MLAT) for the purpose of gathering and exchanging information in an effort to enforce civil or criminal laws. There are numerous MLATs related to police and law enforcement cooperation and MLATs with respect to tax evasion, for example.

In addition, the U.S. is a party to the Council of Europe Convention on Cybercrime, which it ratified in 2007. The Convention governs electronic surveillance, sharing of evidence and computer crime. It allows governments to request and provide mutual assistance in the investigation and prosecution of a number of crimes, such as hacking, unauthorized access to computer systems, child pornography, or copyright infringement.

In some cases, law enforcement may attempt to obtain access to information held abroad by making the request from the U.S. affiliate of a company located abroad that may have custody or control over the documents or information at stake. In the U.S., courts have held that a company with a presence in the U.S. is obligated to respond to a valid demand for information by the U.S. government (made under one of the applicable U.S. laws) so long as the company retains custody or control over the data. The key question is whether the U.S. company does have the required level of “custody or control” to be forced to respond to the government request.

The question whether a U.S.-based company has custody or control over data held outside the United States has been the subject of many cases and controversies. The seminal case in this area involves the Bank of Nova Scotia, where a U.S. court required the U.S. branch of the Canadian bank to produce documents that were held in the Cayman Islands for criminal proceedings in the U.S. This principle of extraterritorial reach has been followed elsewhere, for example in Australia. In the 1999 case of Bank of Valletta PLC vs. National Crime Authority, the Australian branch of a Maltese bank was required to produce documents held in Malta for use in an Australian criminal proceeding.


Government Investigations and Privacy

There is an inherent opposition between governments’ requests for access to data in the context of criminal investigations or the fight against drugs or terrorism, and the basic rights of individuals to privacy in their homes or their papers. The laws that govern government access to data and communications have attempted to provide a balance between the individual interest of a person and the community’s interest in fighting crime and terrorism, but have also recognized that national security may trump personal privacy. The laws discussed above are intended to curb the enthusiasm and limit the powers of law enforcement and national security personnel in their quest for evidence.

In the European Union, there is a similar analysis. Directive 95/46/EC, the foundation document that defines the principles of privacy protection for all individuals and that is implemented in the national laws of each E.U. and E.E.A. Member State, recognizes that there are cases where privacy rights have to defer to other rights. The Directive carves out from the blanket protection of individuals with respect to the processing of personal data the ability for governments to have access to, or use of, personal information in connection with investigations that pertain to national security, defense and related areas. Some of the issues of privacy in the context of police and judicial investigation are addressed in a separate document, the Council Framework Decision 2008/977/JHA of November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

A similar carve-out is provided in the E.U.-U.S. Safe Harbor Principles, which state, “adherence to [the Safe Harbor] principles may be limited to the extent necessary to meet national security, public interest, or the requirements of law enforcement.”


What Rules Apply Abroad?

While rules that pertain to government access to data and communications in the United States have received a lot of attention, most countries also have laws authorizing government investigations for national security and other purposes. We will examine these foreign laws in an upcoming article.

NOTE: A prior version of this article was published in May 2012 by TechTarget under the title: Demystifying the Patriot Act; Cloud Computing Impact.


Article 29 Working Party’s Opinion on Cloud Computing: A Threat for the Industry?

Posted by fgilbert on July 16th, 2012

In its Opinion 05/2012 on Cloud Computing published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and lack of information about how, where and by whom the data are being processed or sub-processed in the cloud. It expressly deems the Safe Harbor regime insufficient to meet the requirements of the national data protection laws.

Even though opinions of the Article 29 Working Party do not have the force of law, they have a very significant influence over the ways companies operate, and the privacy choices they make. US businesses operating in the European Economic Area should keep in mind that the data protection authorities of the country or countries in which they operate are highly likely to follow the guidance set forth in a Working Party opinion. Thus, it is important that they operate within the guidelines and guidance provided in the opinions and other writings of the Article 29 Working Party.

Overview

One of the most significant concerns expressed in the Article 29 Opinion on Cloud Computing is the extent to which the Safe Harbor Principles fail to address the unique ways in which cloud computing services hold and process data. The Article 29 Working Party believes that the Safe Harbor Principles, which were conceived in a different technological environment, fail to address the unique environment in which cloud services are provided. In its view, self-certification with Safe Harbor alone may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.

The Opinion points to the lack of control over the whereabouts of the data held in the cloud, the lack of transparency on the security measures being adopted or the identity of the subprocessors, as threats to the protection of personal data. It also stresses the importance of informing the data subjects about who processes their data, for what purposes, and in which locations, and how they can exercise the rights afforded to them in this respect when their data are hosted or processed in the cloud.

Due Diligence & Contract Terms

The document recommends that the cloud client select a cloud provider that guarantees compliance with EU data protection legislation derived from Directives 95/46/EC and 2002/58/EC. It stresses that the cloud client should verify whether the cloud provider can guarantee the lawfulness of any cross-border data transfers.

Once the cloud service provider is identified, the relationship should be recorded in a contract that affords sufficient guarantees in terms of technical and organizational measures for the cloud service. The Opinion identifies a number of contractual safeguards to be included in the contract for cloud services.

Cross-border Transfers & Safe Harbor

One of the most important components of the Opinion is its negative analysis of the ability of most cloud providers to meet the restrictions on cross-border data transfers that are part of the EEA Member States’ national data protection laws. The Opinion expresses significant concerns about the Safe Harbor’s ability to meet the requirement that the recipient of the data provide “adequate protection” consistent with that which is provided in the EU and EEA.

Among other things, the Opinion warns that the Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that it has a Safe Harbor certification. The company exporting data should request evidence demonstrating that the Safe Harbor principles are complied with. The Opinion also states that it might be advisable to complement the commitment of the data importer to the Safe Harbor with additional safeguards taking into account the specific nature of the cloud.

It is not clear what effect the Working Party’s Opinion in WP 196 will have on US cloud providers. If US cloud providers want to continue to attract EU-based clients, they will have to address the recommendations of WP 196, at least in connection with their sales in the European Union. Will US customers request the same level of transparency and control?

Further analysis of WP 196 is available in Francoise Gilbert’s article published by the BNA Privacy & Security Law Report, available here.

CNIL on Cloud Computing

Posted by fgilbert on June 28th, 2012

On June 25, CNIL – the French Data Protection Authority – published its recommendation on the use of cloud computing services. This recommendation is the result of a research project on cloud issues, which started in the Fall of 2011 with a consultation with industry. The documents released by CNIL include a summary of the research and documents, a compilation of the responses received to the consultation, and a set of recommendations.

The recommendations include:

  • Clearly identify the type of data and type of processing that will be in the cloud
  • Identify the security and legal requirements
  • Conduct a risk analysis to identify the needed security measures
  • Identify the type of cloud service that is adapted for the contemplated type of processing
  • Choose a provider that provides sufficient guarantees

The CNIL document also provides an outline of the contractual clauses that should be included in a cloud contract and contains “Model Clauses” that may be added to contracts for cloud services. These model clauses are provided as a sample, are not mandatory, and can be changed or adapted to each specific contract.

Except for a high-level summary in English, the documents described above are currently available only in French on the CNIL website. According to CNIL representatives, English translations of these documents should be available shortly.

  • Overview of CNIL Recommendation – Summary in English: http://www.cnil.fr/english/news-and-events/news/article/cloud-computing-cnils-recommandations-for-companies-using-these-new-services/
  • Overview of CNIL Recommendation – Summary in French: http://www.cnil.fr/la-cnil/actualite/article/article/cloud-computing-les-conseils-de-la-cnil-pour-les-entreprises-qui-utilisent-ces-nouveaux-services/
  • Compilation of the responses to the CNIL consultation on cloud computing (in French): http://www.cnil.fr/fileadmin/images/la_cnil/actualite/Synthese_des_reponses_a_la_consultation_publique_sur_le_Cloud_et_analyse_de_la_CNIL.pdf
  • Recommendation for companies wishing to use cloud services (in French): http://www.cnil.fr/fileadmin/images/la_cnil/actualite/Recommandations_pour_les_entreprises_qui_envisagent_de_souscrire_a_des_services_de_Cloud.pdf


Outline of BCR for Processors Published by Article 29 Working Party

Posted by fgilbert on June 20th, 2012

On June 19, 2012, the Article 29 Working Party adopted a Working Paper (WP 195) on Binding Corporate Rules (BCR) for processors, to allow companies acting as data processors to use BCR in the context of transborder transfers of personal data, such as in the case of cloud computing and outsourcing.

WP 195 includes a full checklist of the requirements for BCR for Processors and is designed both for companies and for data protection authorities. The document outlines the conditions to be met in order to facilitate the use of BCR for processors, and the information to be included in the application for approval of BCR filed with the Data Protection Authorities.


How to Conquer Cloud Computing Contracts – Part 2

Posted by fgilbert on April 21st, 2011

Cloud service relationships are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing into the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.

In part 1 of this article we discussed the preliminary planning and due diligence involved with choosing a cloud service provider.

In this part 2, we review critical steps for developing, maintaining and terminating cloud computing contracts.

Read and negotiate the contract

Once you have chosen one or several cloud vendors or cloud offerings, the next step is to enter into a written contract for these services. The contract is intended to accurately describe the agreement and understanding of the parties. It should address the major issues that are critical for the survival of your business.

Depending on the nature of the services, the volume of data, and the leverage of the company, the contract may be in the form of a click-wrap agreement, which is not negotiated, or the parties may negotiate a more complex written document that is tailored to the specific situation.

If only a click-wrap agreement is available, the contract is likely to be one-sided in the favor of the service provider and to lack most of the warranties and protections that a purchaser of the service would wish to receive. In this case, you should balance the risks from foregoing negotiations and protections against the actual benefits, financial savings and ease of use promised by the cloud service provider.

If you have the ability to negotiate the cloud computing contracts, you may be able to add or modify provisions that address your company’s needs while defining the obligations of the parties both during the term of the contract and upon termination. Detailed, comprehensive provisions tailored to the unique risks of operating in a cloud environment should be negotiated.

For example, it is important to know where the data will be stored or processed, because the fact that the data are held on a server in a particular state or country is likely to subject the data to the jurisdiction of the country where the server is located. You may want to look for guarantees with respect to the scope of the services, the prices, the support offered and the downtime. You should also seek commitment from the cloud vendor that it will protect your data with adequate security measures. You may also need to ensure that the vendor will inform you promptly if a security incident has affected the data that you placed in its custody. As the custodian of your employees’ or customers’ personal information, you may have an obligation under U.S. state law or foreign laws to inform them of loss or compromise of their data.

Cloud computing contracts termination

Numerous events may lead to the termination of cloud computing contracts and relationships. The contract may expire at the end of its term and not be renewed. It may be terminated for default or material breach, financial difficulties or bankruptcy. Each such event raises the issue of access to, and ownership of, assets; organizations must plan to ensure they will be able to retrieve their data.

Keep in mind that your data will be the most at risk upon termination of the contract. The cloud vendor has no incentive to be nice to a customer that is leaving. Worse, the cloud vendor may be experiencing financial difficulty, which significantly increases the risk of loss and vulnerability of the data. Provide for the proper — and secure — winding down of the relationship in order to ensure business continuity and to limit the risk of loss or alteration of the data.

Plan for termination of the contract before signing it. Ensure that the service agreement lays out whether and how the data will be returned to your company or destroyed, the cost associated with this return, and the procedures to be used in the event of termination.

The volume of data to be returned might require planning and proper logistics. The data might have been commingled with other customers’ data to save space or for technical reasons. This entanglement might make it difficult, time consuming, expensive or perhaps impossible to disentangle the data.

The cloud environment may create unique risks or enhanced exposure. The technology used — i.e., a distributed computing environment — may make it difficult to locate the data. The amount of data may be so large that practical difficulties in collecting the data are very likely. Further, the parties are likely to be located in different jurisdictions, each with a different legal regime, which will increase the uncertainty and complexity.

Continuous monitoring

Throughout the life of the relationship, keep monitoring the activities of the vendor to ensure the performance of the contract according to its terms. To the extent possible, monitor, test and evaluate the services provided in order to verify that the required service levels are reached, the promised privacy and security measures are being used, and the agreed upon processes and policies are being followed.

Keep in mind also that further revisions to the contract might be necessary from time to time. They may be required by external or internal changes. For example, the cloud service provider may have to change its security practices and procedures in order to address new security threats. It may have developed new products or applications that are better suited to your company’s needs. Both the cloud service provider and the customer may need to adapt to new compliance requirements if new laws are passed or regulations are enacted during the term of the contract.

Talk to your lawyer early

In most cases, entrusting your company’s data to a third party will be an important decision. Get help from experienced professionals. Do not wait until the last minute to speak with your lawyer. The more you procrastinate, the more you expose your company to errors and failure. It’s like starting a game with part of the team missing, and waiting until the last 10 minutes to bring in the remainder of the players. It may work occasionally, if you are lucky, but most of the time, playing with an incomplete team will cause you to fail or take unnecessary risks. Your attorney will help you navigate the maze of multilayered cloud computing contracts, decipher obscure, complex, cloud agreements, identify what is missing, and see through puffing and other empty promises.

This article was first published by TechTarget (registration required) in February 2011.

How to Conquer Cloud Computing Contracts – Part 1

Posted by fgilbert on April 14th, 2011

The characteristics of cloud computing — on-demand self-service, elasticity, metered service or ubiquitous access — make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink; just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.

Consistent with this model, which benefits from uniformity and standardization, many cloud services agreements are presented in the form of a click-wrap agreement, where no negotiation is possible, and the customer clicks on an “I agree” button to express consent to the terms. The apparent ease of entry into these contracts makes the process seem as easy or inconsequential as purchasing a song from iTunes.

However, the fact that in most cases the purchaser of cloud services is pushed to interact with vendors through websites and generic form agreements does not adequately reflect the unique complexity and importance of cloud service contracts. Cloud computing relationships are extremely complex and fragile. They involve relinquishing control over, and custody of, a company’s vital data, documents and applications to one or more service providers whom company executives may never have met, and which may be hidden or difficult to identify in the fog created by the so-called cloud. Cloud contracts raise numerous complex technical, business and other issues that could create significant exposure to financial disasters, embarrassment and other problems if not attended to with sufficient precautions.

Cloud computing legal issues, in particular, abound. These issues include: ensuring access, availability and performance; customization and integration with existing technologies; cost and pricing; compliance with regulatory requirements; ability to terminate and move to another service provider or take data in-house; and much more. The security measures used to protect the data entrusted to the vendor are crucial. It is also important to define how liability for the loss of data will be allocated; or to address the extent to which the customer will be able to have access to the data or retrieve the data in case of termination.

Do not be fooled by the appearances; be careful when stepping in the cloud. In part one of this two-part article, we’ll review cloud computing preliminary legal considerations and the due diligence required before choosing a cloud service provider. Part two covers critical steps for developing, maintaining and terminating a cloud service provider contract.

Think before you click

First, do not rush into a cloud service agreement. Cloud providers have made it very easy to purchase their services on the Internet. It is almost as easy to purchase a book from Amazon as it is to purchase a subscription to Amazon’s EC2 services. Wait! Do not click on the “I agree” button until you understand what you are getting, and more importantly, what you are not getting. Just because the service appears so easily available from the vendor’s website does not mean it is the right service for you, or that the terms of the offering are fair and balanced.

Ensure there are no cloud computing legal obstacles

Are you sure that using the cloud for the type of data and the types of services that you envision is legal? Companies are the custodians of the personal and other data entrusted to them. These data are frequently protected by laws, regulations or contracts that prohibit, restrict or limit the disclosure or transfer of the data to a third party. For example, health information protected under HIPAA cannot be transferred to a third party or “business associate” without imposing specific obligations on that business associate. Some U.S. state laws require that Social Security numbers, drivers’ license numbers, financial information, and other similar information be encrypted before being transferred to a third party. Other laws require entering into a written agreement with the service provider, with specific terms.

If your data originate in one of the 40-plus countries that have adopted comprehensive data protection laws, it is likely that the data may not be taken out of their country of origin and transferred abroad, because the recipient country is probably not going to provide adequate protection for the privacy rights of the individuals to whom the data pertain, unless specific contracts are signed or other specified arrangements are made.

Perhaps your company has signed a confidentiality agreement or a data-transfer agreement with a third party from which it received sensitive data, such as personal information or trade secrets. In this case, this agreement probably prohibits you from transferring the data to a third party without the prior permission of the data owner. Thus, moving the data to a cloud without the prior permission of the data owner would breach this agreement.

Remember: before exploring cloud service offerings, determine whether your business model and the contracts that bind your company allow the use of these services, and under which conditions.

Due diligence questions

Once you are confident that a particular application or database may be moved to the cloud without breaching any law or existing contract, you must investigate the vendor. Just because a service is attractive, or works well for the company next door, does not mean that it is right for you.

Organizations should conduct thorough due diligence on a proposed cloud service provider to determine whether the services offered correspond to their needs. Myriad questions need to be asked, and their answers carefully analyzed; for example:

  • What services will be provided?
  • Will the service allow the company to fulfill its computing and access needs?
  • What are the vendor’s technical capabilities?
  • What are its financial capabilities? What is the likelihood that it will remain in business for the next few years?
  • What service levels will be offered? What uptime is committed to, how is it measured, and what remedies apply if it is not met?
  • How secure are its operations? What security measures are used, and can the vendor document them?
  • Is the cloud vendor equipped to handle business interruption and disaster?
  • What support will be provided?
  • What will happen if there is a security incident? Who will be notified, how quickly, and with what information?

Different methods may be used to conduct due diligence. For example, you could speak with existing clients, send questionnaires and review the answers, review independent audit reports, and survey comments from current customers on listservs and other forums on the Internet.

Remember that this due diligence is necessary to understand and evaluate the entity to which you will entrust important company information. It is a well-known best practice and is required by several laws. Skipping this step would expose the company and its management to potential claims of negligence and breach of the duty of care.

This article continues in part 2.

This article was first published by TechTarget (registration required) in February 2011.