SECURITY AND THE CLOUD: KEY TIPS TO MANAGING YOUR RISKS IN CLOUD COMPUTING AGREEMENTS

Presented by the American Bar Association Business Law Section and Center for Professional Development


  • American Bar Association Center for Professional Development 321 North Clark Street, Suite 1900 Chicago, IL 60654-7598 www.americanbar.org 800.285.2221


    The materials contained herein represent the opinions of the authors and editors and should not be construed to be the action of the American Bar Association Business Law Section or Center for Professional Development unless adopted pursuant to the bylaws of the Association.

    Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This book and any forms and agreements herein are intended for educational and informational purposes only. © 2013 American Bar Association. All rights reserved. This publication accompanies the audio program entitled “Security and the Cloud: Key Tips to Managing Your Risks in Cloud Computing Agreements” broadcast on November 15, 2013 (event code: CEB3SAC).

    Discuss This Course Online: visit http://www.americanbar.org/groups/cle/course_content/cle_discussion_boards.html to access the discussion board for this program. Discussion boards are organized by the date of the original program, which you can locate on the preceding page of these materials.


  • TABLE OF CONTENTS

    1. Presentation Slides

    2. 26.15 Class Action Litigation—E-Commerce and Internet Law: Treatise with Forms (2nd Edition, Vol. 3)

    3. 27.07 Class Actions and Other Security Breach Litigation—E-Commerce and Internet Law: Treatise with Forms (2nd Edition, Vol. 3)

    4. EU Cloud Opinions: Nebulous or Ominous? (Robert Bond)

    5. Summary of Cloud Computing Standards (Presentation Slides)

    6. Privacy and Data Security in the Global Cloud (Lisa R. Lifshitz and Danielle Waldman)

    7. Overview of Cloud Computing [1] (Jae B. Pak)

    [1] “Overview of Cloud Computing” was originally published by the American Bar Association Section of Business Law 2013 Annual Meeting. Copyright 2013 © by the American Bar Association. Reprinted with permission. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.

  • 1


    Security and the Cloud: Key Tips to Managing Your Risks in Cloud Computing Agreements | Friday, November 15, 2013 | 1:00 PM Eastern | Sponsored by the ABA Center for Professional Development

    What is Cloud Computing?

  • 2–9

    [Diagram slides; only their labels survive. They show the cloud stack (Application(s), Platform, Infrastructure) reached over the internet and running on vendor servers (“> deploy.exe > configure.exe”); a hypervisor hosting several Guest OS / Apps and Guest Account / Apps instances, with the note “Each Guest OS runs in a separate virtual machine (VM)”; and a CONTROL slide contrasting the hypervisor, OS and Apps layers.]

  • 1

    Privacy and Data Security issues in the Cloud – The view from the EU

    15 November 2013 | Robert Bond, CCEP, Partner and Notary Public, Speechly Bircham LLP, [email protected]

    Robert Bond

    A Solicitor, Notary and Certified Compliance & Ethics Professional, Robert has specialised in data protection since 1983 and is listed in the top 20 Best Privacy Advisers in a survey published in Computer World. In 2012 Robert was appointed an Ambassador for Privacy by Design by Commissioner Ann Cavoukian of Ontario. He has advised many multinationals on transborder data flows and global data protection compliance since 1997, co-authored the ICC BCR Report in 2006, the ICC Guidelines on Basel II and Data Protection in 2007 and the ICC UK Cookies Guide in 2011. Robert is the author of many books, including Negotiating International Software Licenses and Data Transfer Agreements (Sweet & Maxwell) and Negotiating Software Contracts (Bloomsbury). Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Study, an Honorary Member of the Institute of Export and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. Robert is listed in Legal Experts 2013 and The Who’s Who of International Internet & E-Commerce Lawyers.

    Robert is listed as Notable Practitioner for Data Protection in Chambers UK 2014 to 2010 describing him as “an esteemed figure in the field. He has an impressive reputation for his work on cross-border data compliance and cutting-edge IT data privacy issues within the digital, online and social media spheres.” Sources say: “He continues to impress year on year. His spark of imagination and ability to grasp the technology are amazing.” "He is up for anything and incredibly knowledgeable," report clients. "Everyone gravitates towards him. A very good communicator and very generous with his time.”

  • 2

    What is cloud computing?

    A nebulous concept - different definitions

    “Hamlet: Do you see yonder cloud that’s almost in shape of a camel?

    Polonius: By the mass, and ‘tis like a camel, indeed.

    Hamlet: Methinks it is like a weasel.

    Polonius: It is backed like a weasel.

    Hamlet: Or like a whale?

    Polonius: Very like a whale.”

    William Shakespeare, “Hamlet”, Act 3 scene 2

    EU is walking a tightrope between support and rejection

    “Because of its inherent freedom from locational constraints, cloud computing could raise the digital single market to a new level. But this will only be the case if we achieve effective implementation of single market rules. The gains are potentially huge. The preparatory study undertaken for the Commission estimates that the public cloud would generate €250 billion in GDP in 2020 with cloud-friendly policies in place against €88 billion in the “no intervention” scenario, leading to extra cumulative impacts from 2015 to 2020 of €600 billion.” (Brussels, 27.9.2012, COM(2012) 529 final)

    On 19 September 2013 the Committee on Civil Liberties, Justice and Home Affairs published its Opinion on "unleashing the potential on cloud computing in Europe". Whilst the Opinion recognizes the potential benefits of cloud computing for businesses, citizens, the public sector and the environment, it focuses almost entirely on the need for current and future EU laws to adequately protect individuals whose data is processed in the cloud, particularly laws such as data protection.

    “… businesses and administrations wishing to use cloud computing should conduct, as a first step, a comprehensive and thorough risk analysis. All cloud providers offering services in the EEA should provide the cloud client with all the information necessary to rightly assess the pros and cons of adopting such a service. Security, transparency and legal certainty for the clients should be key drivers behind the offer of cloud computing services.” (Art 29 Opinion 05/2012 on Cloud Computing)

  • 3

    What are the Key Data Protection Concerns?

    Typically mix security and privacy. Some considerations to be aware of:

    – Who is responsible for protecting personal data?
    – Applicable law and jurisdiction;
    – Contractual issues;
    – Legal basis for data processing;
    – International data transfers;
    – Data security;
    – Storage;
    – Retention;
    – Destruction;
    – Auditing, monitoring and risk management;
    – Data protection breaches.

    The impact of the proposed EU data protection regulation on cloud computing

    Draft EU data protection Regulation of January 2012 to replace Directive 95/46/EC

    Provisions impacting cloud computing:

    • Single rule throughout the EEA;
    • Jurisdiction: when are Cloud Users and Providers subject to EU Data Protection Law?
    • Security requirements when engaging a cloud provider;
    • Data security and risk assessment requirements;
    • Breach notification requirements.

  • 4

    Art. 29 Data Protection Working Party Opinion on the application of data protection to cloud computing and similar services

    Opinion WP196 of 1st July 2012

    Two main risks associated with cloud computing services:
    • lack of control over the data and
    • lack of information on data processing

    Cloud Computing Duties and Responsibilities:
    • Cloud clients (as data controllers)
    • Cloud providers (as data processors)
    • Subcontractors

    Cloud Services Contracts; General Data Protection Principles; International Data Transfers; Risk Analysis and Checklist; Future developments

    UK and EU Guidance on Cloud Computing

    “Guidance on Cloud Computing” of the ICO of 27 September 2012

    • Assess the risk of processing highly sensitive data in the cloud;
    • Consider that moving data to the cloud may create additional types of data;
    • Privacy impact assessments should be considered before engaging in large or complex cloud services;
    • Assessment of the administrative, technical and physical controls of the cloud service provider is not a “one-time” event;
    • Use third-party audits and certifications;
    • Technical security measures of a cloud computing program should include:
      – Access control
      – Encryption of data
      – Data retention and destruction procedures
      – Limits on the cloud service provider’s access

    “Unleashing the potential of cloud computing in Europe” of 27 September 2012

    The EU Commission Communication outlines three main areas of action:
    • Setting up the necessary standards;
    • Contract Terms and Conditions;
    • Open Cloud Partnership.

  • 5


    For more information on our services, please contact: Robert Bond +44 (0)20 7427 6660 [email protected]

  • 1

    PRIVACY AND DATA SECURITY ISSUES IN THE CLOUD – THE VIEW FROM CANADA

    Lisa R. Lifshitz, Partner, Torkin Manes LLP | 416-775-8821 | [email protected]

    Prepared for the “Security and the Cloud: Key Tips to Managing Your Risks in Cloud Computing Agreements” Panel, American Bar Association “In the Know” Webinar, November 15, 2013

    AGENDA

    1. What makes Canada Different? Canada’s Privacy and Data Protection Regulatory Framework
       • Private Sector Organizations
       • Industry Specific Laws and Standards

    2. Key PIPEDA Obligations
       • Data Protection and Data Transfer
       • Cloud Guidelines From Canada’s Regulators
       • Transferring Data Internationally
       • Data Breach Notification

    3. Security
       • Becoming Compliant in Canada

    4. Best Practices

  • 2

    1. What makes Canada “different” for US vendors of Cloud services?

    • We have a patchwork of private sector and public sector privacy laws that companies & governments have to comply with.
    • We also have sector-specific laws that apply.
    • Any Canadian organization that wants to move to the Cloud, including US-based Clouds, has to comply with its obligations under Canada’s private sector privacy legislation.
    • Our regulators have offered detailed guidelines (June 2012) regarding privacy responsibilities and considerations.
    • What can U.S. vendors do to manage and mitigate these requirements?
    • In a nutshell: U.S. vendors must offer and execute adequate contracts (with exceptions).

    Regulatory Framework (Private Sector-Federal)

    • In Canada the use of personal information is governed by a number of federal and provincial laws - which law applies to an organization will depend upon where it is located and the industry that the organization is engaged in.

    • The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) regulates the collection, use and disclosure of personal information in much of the private sector.
    • PIPEDA applies to “FWUBs” - federal works, undertakings and businesses - and to all private sector organizations regulated by provinces that do not have substantially similar private sector privacy legislation that collect, use or disclose personal information in the course of their commercial activities.

    • Examples of FWUBs in Canada include airlines, banks, ferries, broadcasting, inter-provincial railways, interprovincial or international trucking, shipping or other transportation, aviation, banking, nuclear energy, activities related to maritime navigation, and radio stations.

    • “Personal information” is broadly defined in PIPEDA - includes any “information about an identifiable individual”, whether public or private, with limited exceptions.

  • 3

    Regulatory Sector (Private Sector-Federal)

    • PIPEDA also applies to all personal information that flows across provincial or national borders in the course of commercial transactions.

    • PIPEDA will not apply in provinces with privacy legislation that is substantially similar to it.
    • Currently, only Alberta, British Columbia and Québec.
    • Manitoba has a new privacy act, the Manitoba Personal Information Protection and Identity Theft Prevention Act, that received Royal Assent on September 13 but is not yet in force.
    • PIPEDA does apply to federal works, undertakings or businesses that operate in those provinces.

    • Organizations that operate inter-provincially are required to deal with both provincial and federal privacy legislation.

    • All Canadian privacy legislation, including PIPEDA, reflects the following ten principles, derived from the Organization for Economic Cooperation and Development Guidelines created in the early 1980’s: (1) accountability, (2) identifying purposes, (3) consent, (4) limiting collection, (5) limiting use, disclosure, and retention, (6) accuracy, (7) safeguards, (8) openness, (9) individual access, and (10) challenging compliance.

    • All four principal private-sector statutes apply similar principles to comply with these legal obligations. The principles (i) mandate that personal information may only be collected, used or disclosed with the knowledge and consent of the individual; (ii) limit the collection of personal information to what is necessary for identified purposes; and (iii) require that personal information be collected by fair and lawful means.

    Just a word about the public sector…

    • Canadian provinces, territories and municipalities also have their own public sector privacy legislation.
    • Lots of statutes!

    • See: the Freedom of Information and Privacy Protection Act, R.S.A. 2000, c F-25 (Alberta), Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c 165 (BC), Freedom of Information and Protection of Privacy Act, C.C.S.M. c F175 (Manitoba), Personal Health Information Privacy and Access Act, S.N.B. 2009, c P-7.05, replacing the Protection of Personal Information Act, S.N.B. 1998, c P-19.1 (New Brunswick), Access to Information and Protection of Privacy Act, S.N.L. 2002, c A-1.1 (Newfoundland), Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c 5 (Nova Scotia), Freedom of Information and Protection of Privacy Act, RSO 1990, c F-31 (Ontario), Freedom of Information and Protection of Privacy Act, RSPEI 1988, c F-15.01 (Prince Edward Island), An Act respecting Access to documents held by public bodies and the Protection of personal information, RSQ, c A-2.1 (Quebec), Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c F-22.01 (Saskatchewan), Access to Information and Protection of Privacy Act, R.S.Y. 2002, c 1 (Yukon), Access To Information And Protection Of Privacy Act, S.N.W.T. 1994, c 20 (Northwest Territories) and Access To Information And Protection Of Privacy Act, S.N.W.T. (Nu) 1994, c 20 (Nunavut).

    • Note that the so-called “MUSH sector”- municipalities, universities, schools and hospitals - may be covered by the above legislation so please verify which acts apply!

  • 4

    What does this all mean for the Cloud?

    • All five private-sector statutes apply similar principles to comply with these legal obligations.
    • Several key differences between PIPEDA and the provincial privacy statutes, particularly in relation to data transfers and data breach notification.
    • The legislative situation is more complicated for organizations that conduct business across provincial boundaries.
    • Within an exempt province, an organization’s use of personal information will be governed by applicable provincial legislation.
    • However, PIPEDA will apply to organizations located in exempt provinces when they collect, use or disclose personal information across provincial boundaries or internationally.
    • Manitoba not yet exempt so PIPEDA still applies.
    • Therefore PIPEDA will apply when transferring data to US-Cloud vendors.
    • Depending upon the facts, where a Canadian organization transfers personal information into a Cloud computing environment, it may also be potentially required to consider its obligations under four (eventually five) distinct privacy laws.

    There are also industry specific laws and standards

    In addition to the obligations created by PIPEDA and substantially similar provincial privacy legislation, certain industry sectors have additional obligations that apply specifically to their sector.

    • The Payment Card Industry Data Security Standard (PCI/DSS).
    • The Office of the Superintendent of Financial Institutions Guidelines:
      • Guideline B-10 (for outsourcing)
      • OSFI Guidelines E-4A and E-4B concerning Record Keeping Requirements.
      • OSFI Guideline E-5 concerning Retention/Destruction of Records.
    • Additional laws that apply to holders of health information in various provinces.

  • 5

    The Office of the Superintendent of Financial Institutions

    • The Office of the Superintendent of Financial Institutions (OSFI) is a federal regulatory body with jurisdiction over federally regulated deposit taking entities, such as banks, insurance institutions, and pension plans.

    • The OSFI “Outsourcing of Business Activities, Functions and Processes” (Guideline B-10) will apply to outsourcing agreements entered by subject organizations and Cloud Providers.

    • OSFI requires organizations to undertake a due diligence process to determine how to manage the risk associated with the outsourcing process.

    • This process must include an assessment of the service provider itself, including its operational practices, financial stability, and for foreign service providers, the legal requirements of the jurisdiction in which they are located, and any political, social or economic conditions affecting it.

    The Office of the Superintendent of Financial Institutions

    Outsourcing Risk Management:
    • When the decision is made to proceed with outsourcing, this must be documented in a written contract.
    • Ultimately, OSFI requires organizations to maintain their own accountability for outsourced services. To ensure this, the contract must address:
      • The scope of the service being provided,
      • How frequently and in what form the service provider (here, the Cloud Provider) will report to the organization,
      • The contingency procedures in place in case the system breaks down,
      • The audit rights of the organization,
      • Rules and any limitations on subcontracting, and
      • The confidentiality and security requirements specified by the organization.

  • 6

    Guideline B-10 still applies to Cloud Computing Services

    • On February 29, 2012 OSFI issued a “Memorandum re New technology-based outsourcing arrangements” that confirmed that the expectations contained in Guideline B-10 remain current and continue to apply in respect of technology-based outsourcing services, including Cloud computing.

    • In particular, federally regulated financial institutions must consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on i) confidentiality, security and separation of property; ii) contingency planning; iii) location of records, iv) access and audit rights, v) subcontracting, and vi) monitoring the material outsourcing arrangements.

    Like in the US, Personal Health Information Is Treated Differently…

    • Be aware that some Canadian provinces have enacted sector specific healthcare privacy legislation. These provinces are:
      • Alberta (the Health Information Act);
      • Manitoba (the Personal Health Information Act);
      • New Brunswick (the Personal Health Information Privacy and Access Act);
      • Newfoundland and Labrador (the Personal Health Information Act);
      • Ontario (the Personal Health Information Protection Act, 2004); and
      • Saskatchewan (the Health Information Protection Act).

  • 7

    A word about PHIPA (Ontario)

    • Under PHIPA, “Personal health information” is broadly defined as: “identifying information about an individual in oral or recorded form”, and includes information that

    (a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family, (b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, (c) is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual, (d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual, (e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance, (f) is the individual’s health number, or (g) identifies an individual’s substitute decision-maker. “Identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

    • PHIPA requires health information custodians to take reasonable steps to ensure that the personal health information in their custody or control is protected against “theft, loss, and unauthorized use or disclosure”.

    • Further, the custodian must protect against unauthorised copying, modification, and disposal.
    • U.S. Cloud vendors that wish to play in the healthcare space in Ontario must have knowledge and understanding of the legislative requirements applicable to the industry.

    2. Key PIPEDA Obligations re Data Protection and the Cloud

    • Canadian organizations are responsible for personal information in their possession or custody, including information that has been transferred to a third party for processing. (Principle 4.1.3).

    • The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by third parties. (Principle 4.1.3).

    • Organizations that collect, use or disclose personal information are required to provide security for that information that is appropriate when considering its sensitivity. (Principle 4.7)

    • In creating safeguards for personal information, PIPEDA obligates organizations to implement physical measures, organizational measures and technological measures to ensure adequate safety.

    • Physical data protection mechanisms may include restricting access to secure locations.
    • Organizational data protection measures will include ensuring that only certain personnel have access, or the access keys, to personal information.
    • Most important in Cloud computing, technological measures will include data encryption, passwords and access keys.
    • The extent to which each of these protection methods is required will vary with the sensitivity of the information in question; more sensitive information will require greater protection and vice versa.

  • 8

    Key PIPEDA Principles – Canadian obligations

    • In addition to protecting personal information in their control, organizations are required to limit their use, disclosure and retention of personal information to those purposes disclosed when the information was first collected, unless additional consent is established. (Principle 4.2)

    • After the initial purpose has been achieved, the personal information must be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information (Principle 4.5.3).

    • Under a separate provision, Principle 4.8, PIPEDA requires organizations to be open about their policies and practices relating to the management of personal information.

    • Taken together, Principle 4.1.3 and Principle 4.8 require that Canadian organizations at a minimum (1) have in place contractual or other means to provide a comparable level of protection, (2) inform their customers about their policies and practices related to the management of personal information, and (3) notify customers that their personal information may be available to a foreign government or its agencies under a lawful order made in that country.

    • These obligations will continue to apply to organizations that outsource the processing of personal information to third party Cloud Providers.

    And if you live in Alberta…

    • Alberta’s PIPA recently amended to require that organizations must notify individuals before transferring personal information to a foreign service provider (includes Cloud Providers).

    • Organizations that use foreign service providers and that directly or indirectly transfer personal information outside Canada about an individual that was collected with the individual’s consent are now required to:

    • Notify individuals before or at the time of collecting or transferring the information in writing or orally if the service provider outside of Canada will collect personal information on behalf of the primary organization;

    • Notify individuals of the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada; and

    • Provide the name or position or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization. [Section 13.1(1)]

    • Note that definition of “service provider” means any organization, including, without limitation, a parent corporation, subsidiary, affiliate, contractor or subcontractor, that, directly or indirectly, provides a service for or on behalf of another organization.

  • 9

    Cloud Guidelines from Canada’s Regulators

    • In June, 2012 the OPC, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information & Privacy Commissioner for British Columbia issued a joint Guidance Document called “Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations”.

    • The focus of the OPC Guidance Document was to remind SMEs that under Canada’s private sector privacy legislation, an organization that collects personal information from an individual is accountable for the personal information even when it is outsourced for processing to third-party providers.

    • Thus, all businesses in Canada, regardless of their size, are ultimately accountable for the personal information they collect, use and disclose even if they outsource personal information to a service provider that operates in the Cloud.

    • The privacy regulators confirmed that (i) many standard Cloud computing agreements contain legal terms that are not sufficient to allow SMEs to meet their Canadian privacy obligations; (ii) standard Cloud computing agreements often allow a Provider to unilaterally change the agreement, limit its liability for the information, and/or subcontract to various other Providers.

    • However, as confirmed by the OPC, SMEs must use contractual or other means to ensure that personal information is appropriately handled and protected by the Cloud Provider.

    Canadian Cloud Guidelines

    • SMEs using Cloud computing services must:
      • Limit access to the information and restrict further uses by the Provider;
      • Ensure that the Provider has in place appropriate authentication/access controls;
      • Manage encryption;
      • Ensure that there are procedures in place in the event of a personal information breach or security incident;
      • Ensure that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss;
      • Ensure periodic audits are performed; and
      • Have an exit strategy.

    • SMEs must pro-actively maintain control over personal information that is sent to a Cloud Provider, and take steps to prevent and limit secondary uses of personal information.

    • No new consent required when outsourcing to a Cloud Provider to process information for the same purpose outlined at the time of collection.

    • Therefore: SMEs must (i) clarify what, if anything, the prospective Cloud Provider will do with the personal information provided; (ii) seek customers’ consent for new uses of their personal information; and (iii) always keep in mind the reasonable expectations of the individual.

  • 10

    What does all this mean for the Cloud?

    • Canadian organizations must ensure that any personal information transferred to a Cloud Provider is dealt with in a manner that meets the organization’s own legal obligations.

    • This will require the US Cloud Provider to be contractually bound to secure the information in an adequate manner, considering the sensitivity of the information. The specification of data protection mechanisms and any data breach notification requirements will be discussed.

    • Cloud Provider must be required to use the information solely for the purpose for which it was collected by the organization and disclosed to the Cloud Provider (and for no other purpose).

    • The Cloud Provider must not be allowed to retain or use the information after the use disclosed to the individual has been achieved, or after the Cloud agreement is terminated.

    • Standard form contracts are often not adequate to allow organizations to meet their privacy obligations under Canadian law.

    • The legal onus is on the outsourcing organization to ensure that any Cloud Provider to whom personal information is transferred complies with Canadian privacy laws.

    • Regulators also provided two pages of “Cloud Computing Key Questions” re accountability, security, secondary uses, knowledge, consent and transparency, control, accessibility and jurisdiction/access.

    Transferring Data Internationally/Patriot Act Concerns

    • Currently, PIPEDA, the B.C. PIPA, the Quebec PIPA and the Manitoba PIPITPA do not address the international transfer of personal information.

    • As previously discussed, Alberta’s PIPA contains a positive obligation for organizations to notify individuals before transferring personal information to a Cloud Provider outside of Canada.

    • However, the Office of the Privacy Commissioner of Canada (“OPC”) encourages organizations to make it clear to individuals when their personal information may be processed in foreign jurisdictions and may be accessible to law enforcement and national security authorities in those jurisdictions.

    • In its 2009 Guidelines for Processing Personal Data Across Borders, the OPC states that organizations must be transparent with relation to trans-border data flows (including advising customers that their personal information may be sent to another jurisdiction for processing).

    • Much concern over possible Patriot Act intrusion.

    • Trio of cases established that PIPEDA cannot prevent U.S. authorities from lawfully accessing personal information of Canadians held in Canada or U.S.

    • PIPEDA cannot force Canadian companies not to outsource to foreign-based service Providers.

    • Organizations must be transparent about personal information handling practices and protect personal information in the hands of third party processor (foreign or local).

  • 11

    International Transfer of Personal Information - Is the Tide Shifting?

    IPC: Ministry of Natural Resources Licensing Automation System Privacy Investigation by the Ontario Privacy Commissioner (June 2012 – PC 12-39)

    • Ministry awarded a US-based public company, Active Outdoors, a contract to host and maintain a Licensing Automation System (LAS) database relating to hunting and fishing licenses.

    • Individuals in Ontario wishing to apply for a hunting and fishing license must submit personal information in the LAS database.

    • IPC received a complaint about the privacy and security of the personal information stored in the LAS, particularly regarding the fact that the personal information of Ontarians would be subject to American laws, including the Patriot Act.

    • IPC investigated and confirmed:

    • No legislative prohibition against the storing of personal information outside the province of Ontario or Canada.

    • FIPPA does require provincial institutions to ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information.

    • The risk that law enforcement agencies may access personal information is not restricted to information held in the US – Canadian law enforcement agencies have similar ‘robust powers’.

    International Transfer of Personal Information

    • Law enforcement agencies in Canada, the US and other countries have the ability to reach across borders to access personal information under various laws and agreements.

    • IPC confirmed stance of the OPC that privacy risks posed by the Patriot Act are similar to those found in Canada; the privacy protection afforded a US Provider is comparable to that of a Canadian Provider.

    • FIPPA does not prohibit provincial institutions from outsourcing services on the basis that foreign law, i.e. the Patriot Act, may apply.

    • No prohibition by the province on the storage of personal information by government institutions.

    • KEY QUESTION: Has the MNR taken reasonable steps to protect the privacy and security of the records in its custody and control via contract?

    • IPC reviewed key contractual provisions relating to data ownership, collection, use and disclosure, confidential information, notice of compelled disclosure, subcontracting, security, retention and destruction, audits and governing law.

    • MNR still needed to finalize its retention and destruction schedule; otherwise MNR found to have put in place reasonable measures to protect personal information.

  • 12

    Mandatory Data Breach Notification - Alberta

    • Currently, only Alberta has a mandatory security breach reporting requirement that applies to all private sector organizations within the province. [Section 34.1]

    • The Alberta PIPA now requires organizations to notify the Alberta Privacy Commissioner (“APC”) in instances where personal information is lost, accessed, or disclosed without proper authorization.

    • This reporting obligation will arise only where the breach results in a “real risk of significant harm” to the individuals affected.

    • APC has interpreted the significant harm threshold to be met where the breach presents “a material harm; it has non-trivial consequences or effects”.

    • Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.

    • Any such risk must be real, not “merely speculative” or “hypothetical or theoretical”.

    Mandatory Data Breach Notification - Manitoba

    • Under new PIPITPA, an organization is obligated to notify the individual directly if personal information is stolen, lost, or accessed in an unauthorized manner.

    • This obligation does not apply where (i) a law enforcement agency is investigating the theft, loss or unauthorized access; or (ii) the organization is satisfied that it is not reasonably possible for the personal information to be used unlawfully.

    • PIPITPA does not have a harm threshold - this seems to suggest that all breaches can trigger notification, subject to the above.

    • PIPITPA also creates a right of action for an individual against an organization for damages arising from its failure to: a) protect personal information that is in its custody or control; or b) provide reasonable notice if the organization was not satisfied that the lost, stolen or accessed information would not be used unlawfully.

    • Organizations found guilty of failing to protect PI, failing to notify a significant security breach, willfully collecting, using or disclosing PI in contravention of the Act, willfully attempting to gain or gains access to PI in contravention of the Act or disposing of or altering, falsifying, concealing or destroying PI or any record relating to PI, or directing another person to do so, with an intent to evade a request for access to the information or the record are subject to a summary conviction and fines of up to $10,000 for an individual and $100,000 for a person other than an individual (due diligence defense).

  • 13

    Data Breach Notification - PIPEDA

    • Currently, PIPEDA does not create an explicit obligation to notify either the OPC or the individuals involved of breaches of security that affect personal information.

    • In August 2007, the OPC published voluntary guidelines entitled “Key Steps for Organizations in Responding to Privacy Breaches” to assist organizations in responding to such situations. The OPC indicates that there are four key steps to consider when responding to a breach or suspected breach:

    1. contain the breach by taking immediate steps to stop any further information from being disclosed and undertake a preliminary assessment of the situation;

    2. evaluate the risk associated with the breach by considering the sensitivity of the information involved, whether it was encrypted, how it may be used, and the risks to the individual resulting from that use;

    3. notify the individuals if the privacy breach creates a risk of harm to the individual; and

    4. develop a plan for the prevention of future breaches.

    • As these guidelines are voluntary, there is, strictly speaking, no penalty for organizations that do not follow them.

    • As providing adequate security for personal information is an obligation under PIPEDA, the OPC is able to investigate security breaches, either in response to a complaint or on its own initiative and may issue a report setting out the Commissioner’s findings, recommendations, and request the organization provide the OPC with notice of any actions that have been taken to implement the Commissioner’s recommendations.

    Proposed Amendments to PIPEDA – Bill C-475

    • Previous attempts to amend PIPEDA have repeatedly been made to include a mandatory breach notification requirement. Past Bill C-29 died on paper when a federal election was called in the spring of 2011.

    • Bill C-475 - most recent effort to amend PIPEDA re mandatory data breach notification.

    • If passed, organizations will have to notify the OPC of any incident involving the loss or disclosure of, or unauthorized access to, personal information where a “reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access”.

    • Factors that are relevant in determining whether there is a real risk of harm include (a) the sensitivity of the personal information; and (b) the number of individuals whose personal information was involved.

    • “Harm” includes bodily harm, humiliation, embarrassment, injury to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, identity fraud, negative effects on credit rating and damage to or loss of property.

    • Notification must be made without “unreasonable delay after the discovery of the loss or disclosure of, or unauthorized access to, personal information”.

  • 14

    Bill C-475, continued

    • It will be up to the OPC to decide whether the reporting organization must notify affected individuals to whom there is an appreciable risk of harm and if the OPC makes that determination, the reporting organization must notify the affected individuals “without unreasonable delay”.

    • Organizations can always notify individuals on their own initiative and inform the OPC if they do so.

    • The OPC can also order organizations to comply with the Act (on a time-limited basis) and force them to take certain actions, including ceasing to collect, use or disclose PI and publishing a public notice describing their corrective actions.

    • If the organization fails to comply with the OPC’s orders or misses the OPC’s timelines, the OPC has a right of action against the organization.

    • Bill went through a second reading on October 22, 2013.

    Data Breach Notification – Health Care

    Some Provinces Do Not Expressly Require Notification

    • In Alberta, Manitoba and Saskatchewan, there are no express requirements contained in the relevant legislation to notify the person to whom the information relates (or the relevant Privacy Commissioner) where a privacy breach is detected.

    • This situation is somewhat odd, as in Alberta there does exist an express requirement in the non-sector-specific Alberta PIPA for notification to the APC of a breach as discussed above.

    • In Alberta, while there exists no regulatory requirement to provide notice to the APC or any other person of a privacy breach, should the APC become aware of a breach he or she may order that notice be provided, either to specifically affected individuals or to the general public.

    Ontario Requires Notification of Affected Individuals Only

    • Of the provinces surveyed, Ontario is unique in requiring that personal health information custodians notify individuals only (and not the OIPC) of a privacy breach.

  • 15

    Data Breach Notification – Health Care

    Some Provinces Require Notification of Affected Individuals and the Privacy Commissioner

    • Both New Brunswick and Newfoundland and Labrador have comprehensive systems dealing with breach notification, which include informing in appropriate cases both the affected individuals and the Privacy Commissioner.

    • In New Brunswick, the duty to notify is conditional on a threat assessment made by the custodian.

    • Newfoundland and Labrador has a similar set of legislation, with a unique twist: the custodian may, as in New Brunswick, perform a threat assessment and determine that the individuals need not be informed; however, the custodian must make an entirely different assessment as to whether there has been a “material breach” in order to determine whether or not to inform the Privacy Commissioner. If there has been a “material breach”, the Commissioner may override the custodian’s threat assessment and order notification of individuals.

    • Takeaway: The legislative situation in Canada with respect to mandatory breach notification for health information is extremely varied.

    • U.S. vendors should include mandatory breach notification in their health Cloud agreements.

    3. Security Concerns

    The OPC is quite concerned about security issues in Cloud Computing (Fact Sheet, 2011, Guidelines 2012).

    • The OPC has noted the (i) need to segregate data when dealing with Cloud Providers that serve multiple customers; and (ii) potential secondary uses of the data as being two main areas of concern with respect to the security of data in the Cloud.

    • OPC recognizes that Canadian organizations may need to inform a non-Canadian Cloud Provider of the obligations that it is required to comply with under PIPEDA on behalf of the organization.

    • Further, if the Cloud Provider has a real and substantial connection to Canada, and collects, uses or discloses personal information of Canadians in the course of a commercial activity, the OPC expects that the Cloud Provider will protect personal information in accordance with PIPEDA, irrespective of where it is domiciled.

    • If the Cloud Provider collects, uses or discloses personal information of Canadians in the course of commercial activity and does not comply with PIPEDA, the Federal Court of Canada has held that the OPC has jurisdiction to investigate complaints in respect of such activities.

  • 16

    4. Best Practices

    There are many things that U.S. vendors can do to make their Cloud agreements “Canadian compliant” as listed below.

    Security Safeguards

    • Specify in the Cloud agreement those technical, physical and organizational safeguards to be established and maintained by the Cloud Provider.

    • The Cloud Provider should adhere to these requirements and any applicable (industry specific) policies and procedures that customers require in order to protect against and mitigate security risks as well as demonstrate compliance with any statutory/regulatory requirements, such as those under PIPEDA and the provincial PIPAs.

    • The Cloud Provider (and its subcontractors, as necessary) should fully cooperate and provide assistance in respect of remedying any security breach experienced by the Cloud Provider (or its subcontractors) that affects the organization or its data accordingly.

    • Ensure the Cloud Provider (and the Cloud Agreement) requires security incidents to be promptly reported to the customer.

    Best Practices

    Technology and Encryption Standards

    • If technology and encryption standards are not addressed as part of the general security safeguards to be employed by the Cloud Provider, the Cloud Provider should be required to comply with one or more appropriate technical security standards, or to adhere to certain technological and encryption standards, to ensure the protection and authenticity of the data and assets entrusted to the Cloud.

    Location

    • Customer should verify where data will be held and obligate the Cloud Provider to either provide certain representations and warranties as to the location of the Cloud infrastructure or covenant not to remove the Cloud infrastructure from its current jurisdiction.

    • If the location of the infrastructure is to be moved by the Cloud Provider, include an obligation for the Cloud Provider to provide prior written notice of such move so that the customer can comply with its legal requirements accordingly.

  • 17

    Best Practices

    Privacy/Data Protection

    • Cloud Provider should comply with all applicable privacy laws, including, but not limited to, those applicable pursuant to the governing law of the contract, the jurisdiction in which the Cloud infrastructure is located, as well as the local privacy laws applicable to customer’s organization.

    • Require the Cloud Provider to enable customer to conduct sufficient due diligence and audits to ensure that these obligations will be met and to fix any deficiencies noted.

    Disposal and Retention of Data/Assets

    • Cloud agreement should reflect an understanding of what data or assets will be destroyed and how, where and when such data will be destroyed after termination/expiration of the Cloud agreement.

    • How long customer’s data and assets will be retained by the Cloud Provider.

    • Ensure that the Cloud Provider’s disposal and retention policies and procedures conform to customer’s policies and procedures, both internally and from a regulatory perspective.

    Best Practices

    Subcontractors

    • Verify whether the Cloud Provider intends to subcontract any of the Cloud services and if so, ensure that the Cloud Provider maintains full and complete responsibility for the actions and omissions of such subcontractors in the Cloud contract.

    • Ensure that the Cloud Provider conducts sufficient due diligence on the subcontractors that it uses and that only those persons of a certain skill and expertise are granted access to customer’s data or assets.

    • Only those individuals with a “need to know” or “need to access” should be granted such access.

    Employee Access/Use

    • As with subcontractors, the legal agreement should provide that the Cloud Provider maintains responsibility for the actions of its employees.

    • Ensure that the Cloud Provider only allows those persons of a certain skill and expertise access to the organization’s data or assets.

    • Only those individuals with a “need to know” or “need to access” should be granted such access.

  • 18

    Best Practices

    Business Continuity and Disaster Recovery Plans

    • Cloud Provider’s business continuity and disaster recovery plans should be reviewed and analyzed by customer prior to execution of the Cloud contract.

    • Ensure that these plans coincide with customer’s objectives and requirements, both from an internal policy and procedure perspective as well as from a regulatory perspective.

    • These plans should also dovetail with any service level agreement agreed upon by the parties.

    • Ensure that any back-up Cloud Provider is subject to the same obligations as the Cloud Provider.

    Disposal and Retention of Data/Assets

    • Customer must have (and the Cloud agreement should reflect) an understanding of what data or assets will be destroyed and how, where and when such data will be destroyed after termination/expiration of the Cloud agreement. The Customer also needs to know how long its data and assets will be retained by the Cloud Provider.

    • Ensure that the Cloud Provider’s disposal and retention policies and procedures conform to customer’s policies and procedures, both internally and from a regulatory perspective.

    Best Practices

    Data Breaches

    • Ensure that the Cloud Provider is obligated to provide customer with prompt notice and detailed particulars of any data breach affecting the Cloud infrastructure where customer’s data or assets are stored, the physical location where the Cloud infrastructure is stored and any data breach of the customer’s assets or data.

    • This will be more critical in certain jurisdictions than others (for example, Alberta, Manitoba and federally if Bill C-475 is passed) or in relation to certain kinds of data (for example, personal health information).

    • Consideration is also relevant if customer holds data that may be additionally subject to data breach notification laws, i.e. under U.S. state or federal laws.

    • Obligate the Cloud Provider to provide assistance and cooperation with appropriate federal or provincial privacy regulators in respect of any data breach investigation or complaint that arises.

    • Consider whether the customer wants its own security personnel to investigate Cloud Provider breaches and to assess whether the Cloud Provider has met the required security standards (expect push-back; most will not agree to joint analysis with customers).

  • 19

    Best Practices

    Audits

    • Customer must ensure that customer organization has a right to audit the Cloud Provider.

    • This right may be limited, for example, to once or twice per calendar year or as otherwise required by your own regulator.

    • Ensure that customer’s organization has a mechanism in place to audit the Cloud Provider’s compliance with security safeguards generally, in addition to any fee audits, if applicable.

    • Significant area of contention: Cloud Providers will not agree to unfettered audits often required by financial institutions; will only agree to ‘commercially reasonable’ audits.

    • Negotiate specific audit rights (i.e. rights to access logs? monitoring tools? Include those of subcontractors?)

    • May be acceptable for the Cloud Provider to share the results of their own audit reports (limited rights).

    Certificate of Compliance

    • If an audit is not practical, for example, in a public Cloud, a certificate of compliance from an officer of the Cloud Provider may be a reasonable alternative.

    • Determine the frequency and create the form of the certificate to be provided by the Cloud Provider as part of the Cloud contract.

    Conclusion

    • As discussed, Canadian organizations have clear and definite legal obligations to protect personal information and data.

    • Considerable opportunity for U.S. vendors to successfully do business in Canada.

    • U.S. vendors should ideally create “Canadian compliant” forms of agreements (Salesforce, IBM, Microsoft already have them, just to name a few).

    • Canadian privacy/security requirements should not be a barrier to entry if managed correctly.

  • 20

    Questions? Comments? Thank you!

    LISA R. LIFSHITZ 416-775-8821 [email protected]

  • Managing Your Risks in Cloud Computing

    Ian C. Ballon Greenberg Traurig LLP

    (650) 289-7881 (310) 586-6575

    [email protected] Facebook, Twitter, LinkedIn, Google+: Ian Ballon

    www.IanBallon.net

  • Managing Your Risks in the Cloud

    What rules apply to the cloud?

    – Contract (rules that limit use, potential loss of control, indemnification/contractual remedies)

    – IP Liability and safe harbors
      Copyright and the DMCA
      Trademark/ Lanham Act issues
      CDA preemption

    “The Cloud” is more a marketing concept than a term of legal significance – we are talking about remote storage

    The Cloud is a series of private spaces where rules in the first instance are determined by contract

    Early litigation (mostly IP related)

    – Television and music in the cloud
    – Storage lockers (vs. file sharing sites)
    – Cloud provider liability for user conduct and content
    – Privacy and security litigation

    IP Issues relevant to cloud security

    – Infringement vs. no liability (especially in the storage locker context)
    – Relevant to customer due diligence (MegaUpload example)

    Privacy and security: We can extrapolate from current privacy and security class action suits what the risks are

    How are the rules different in the cloud?

    – If you are a cloud provider, you are taking on liability for third party content
    – If you are a customer, your remedies may be limited because of standing, privity of contract and contractual liability limitations

  • CLOUD STORAGE AND LIABILITY FOR USER CONDUCT AND CONTENT

  • Liability for User Content & Conduct in the Cloud

    Copyright - Notice and Take Down (DMCA)

    – Direct, contributory, vicarious and inducing infringement
    – DMCA – applies to service providers; not off-Internet conduct or content
    – Sony safe harbor

    Trademark – De Facto Notice and Take Down

    – Direct, contributory and inducing infringement and vicarious in some circuits
    – No DMCA or Sony safe harbor but increasing de facto recognition for notice and takedown
      Tiffany (NJ) Inc. v. eBay, Inc., 600 F.3d 93 (2d Cir.), cert. denied, 131 S. Ct. 647 (2010)
      1-800-Contacts, Inc. v. Lens.com, Inc., _ F.3d _, 2013 WL 3665627 (10th Cir. 2013)
    – Publishers exemption - 15 U.S.C. § 1114(2)(B)-(C)

    Patent law

    – Direct, contributory and inducing patent infringement
    – U.S. Supreme Court decision in Global-Tech Appliances, Inc. v. SEB S.A., 131 S. Ct. 2060 (2011): willful blindness is inducement

    Potential Preemption of State IP claims under 47 U.S.C. § 230 (the Communications Decency Act)

    – 230(c)(1): No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider
    – Preempts inconsistent state laws (including defamation, privacy)
    – Excludes: federal criminal claims, claims under the ECPA or “any similar state law” and “any law pertaining to intellectual property.”
    – State IP claims: Ninth Circuit law vs. district courts in other circuits
    – Applies to interactive computer services

    “interactive computer service” means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.

    Questions:

    – What level of knowledge is required?
      Generalized knowledge vs. knowledge of specific files vs. red flag awareness
    – Are the rules the same for the cloud?

    17 U.S.C. § 512(k)(1) Service provider — (A) As used in subsection (a), the term “service provider” means an entity offering the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user’s choosing, without modification to the content of the material as sent or received.

    (B) As used in this section, other than subsection (a), the term “service provider” means a provider of online services or network access, or the operator of facilities therefor, and includes an entity described in subparagraph (A).

  • Cloud Security and the Risk of Litigation

  • Data Security and the Cloud

    Security risks - sources

    – Internal (human error, disgruntled or departing employees, corporate espionage)
    – External (hackers, data thieves, corporate espionage)
    – Consumer risks that impact companies and their reputation: phishing, spamming

    Security risks – most common losses

    – Malware
    – Laptop/mobile device theft/loss
    – Insider abuse of network access or email
    – Denial of service attacks (DDoS)
    – Financial fraud
    – Password sniffing
    – Exploitation of wireless access

    Security law – Affirmative mandates under federal and state law

      Patchwork of laws (no one cybersecurity statute)
      Most laws do not mandate specific practices or technologies (e.g., firewall, encryption) but focus on what is reasonable or appropriate (which recognizes that technologies and security risks are constantly evolving) but without safe harbors

    – FTC enforcement actions (and to a lesser extent State AG enforcement)
      Shapes the law and best practices
      Investigations can cause PR issues and usually lead to litigation

    – Security breach notification laws
      Invites regulatory enforcement actions and litigation

    – Litigation, including class action litigation
      Suits against companies
      Suits by companies against those responsible

    – Industry best practices

    – Insurance requirements

  • Data Security Law and the Cloud

    Affirmative mandates under federal law

    – Financial (GLB)
    – Health care (HIPAA)
    – Children (COPPA)

    Patchwork of affirmative mandates and remedies under state law

    – Security breach notification laws
    – MA information security law
    – CA and other laws requiring reasonable security precautions (and similar restrictions imposed on third parties by contract)
    – Data destruction laws

    FTC enforcement actions

    – Specific statutes (GLB, HIPAA, COPPA, CAN-SPAM)
    – FTC Act § 5 – unfair or deceptive acts or practices
      Deceptive: variation from a stated Privacy Policy or other representation
      Increasingly focused on unfairness (i.e., inadequate security precautions, even if no deceptive representation)
      In re Twitter (2011)

    Dept. of Commerce Cybersecurity Report (2011)

    – Voluntary codes of conduct (enforced by the FTC)

    Security breach notification laws

    – 46 states, DC, Puerto Rico, Guam, U.S. Virgin Islands
      None: Alabama, Kentucky, New Mexico, South Dakota
    – Laws impose conflicting obligations
    – Invitations to litigation and State AG investigations

    Litigation, including class action litigation

    – Suits against companies
      Negligence, Contract, Implied Contract
    – Suits by companies against those responsible
      Criminal and civil remedies (consider tradeoffs)
      Federal anti-hacking statutes (ECPA, CFAA)
      Trade secret law

  • Security Breach Litigation

    State security breach notification statutes

    – Some authorize private claims
    – Some prohibit civil claims

    Securities fraud and class action suits brought against companies

    Suits against perpetrators:

    – Satellite litigation to compel the disclosure of the identity of anonymous or pseudonymous perpetrators

    – The Electronic Communications Privacy Act
      Title I (intentional interception of wire, oral or electronic communications)
      Title II (intentional, unauthorized access (or access beyond what was authorized) to stored communications)

    – The Computer Fraud and Abuse Act
      Unauthorized access to financial records
      Intentional unauthorized access to a computer - knowingly and with intent to defraud ($5,000 threshold)
      Dissemination of computer viruses
      Trafficking in passwords
      Attempt

    – The Copyright Act (if information stolen)
    – Trade secret laws (state and federal)
    – State law trespass claims
      eBay v. Bidder’s Edge
      Intel v Hamidi
    – Unfair competition
    – Breach of contract

  • Phishing and Pharming Litigation

    California and other security notification statutes (and proposed federal legislation)

    Criminal violations

    – The Wire Fraud statute
    – The Computer Fraud and Abuse Act
    – The CAN-SPAM Act
    – Credit card or access device fraud
    – Bank fraud
    – Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028

    Civil claims:

    – California and other states have adopted anti-phishing statutes that provide for statutory damages.
    – Other civil claims
      MySpace, Inc. v. TheGlobe.com, Inc., 2007 WL 1686966 (C.D. Cal. Feb. 27, 2007)
      MySpace, Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007)

  • DATA PRIVACY, SECURITY BREACH AND BEHAVIORAL ADVERTISING CLASS ACTION LITIGATION

  • Privacy Class Action Litigation

    Spring 2010: Facebook settles Beacon case for $9M

    August 2010: Flash cookie suits against Quantcast and Clearspring

    – June 2011: Final court approval of settlement class action $2.4M

    August 2011: Bose v. Interclick, Inc., No. 10 Civ. 9183, 2011 WL 4343517 (S.D.N.Y. Aug. 17, 2011): Advertisers (including CBS, Mazda and McDonald’s) dismissed w/prejudice

    Apps on social networks (social network IDs)

    Unique phone IDs

    Common weakness: Standing? Injury?

    – Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1147 (2013)
    – In re Google Privacy Policy Litig., 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012)
    – Pirozzi v Apple Inc., 2012 WL 6652453 (N.D. Cal. Dec. 20, 2012)
    – In re iPhone Application Litig., Case No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) (dismissing for lack of Article III standing, with leave to amend, a putative class action suit against Apple and various application providers alleging misuse of personal information without consent)
    – Edwards v. First American Corp., 610 F.3d 514 (9th Cir. 2010), cert. dismissed, 132 S. Ct. 2536 (2012)

    ECPA – 18 U.S.C. §§ 2500, 2700 et seq.

    – Only protects the contents of communications
      In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (dismissing plaintiff’s claim because geolocation data was not the contents of a communication)
    – Also: no interception (Wiretap Act) and for advertisers no access (Stored Communications) (alleged communication is between widget provider and user’s hard drive); for many websites and advertisers, consent (including from TOU or Privacy Policy)
    – Lazette v. Kulmatycki, _ F. Supp. 2d _, 2013 WL 2455937 (N.D. Ohio 2013)
    – Low v. LinkedIn Corp., No. 11–cv–01468–LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012)
    – Joffe v. Google, Inc., _ F.3d _, 2013 WL 4793247 (9th Cir. 2013)
    – In re Google Inc. Gmail Litig., Case No. 13–MD–02430–LHK, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013)

  • Privacy Class Action Litigation

    CFAA - 18 U.S.C. § 1030
    – $5,000 minimum injury
    – Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013)

    Video Privacy Protection Act – 18 U.S.C. § 2710
    – In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012)

    State claims (CAFA)
    – Unfair competition, contract claims: Need injury and damage. In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011)
    – Breach of contract – must be more than nominal damages. Rudgayer v. Yahoo! Inc., 2012 WL 5471149 (N.D. Cal. Nov. 9, 2012)
    – Common law invasion of privacy: no claim if disclosed in Privacy Policy

    Class certification: Harris v. Comscore, Inc., _ F.R.D. _, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013) (certified a class of users who downloaded Comscore software since 2005; SCA, ECPA I, CFAA)

    Targets to date? App and mobile providers, social networks (UUID), any advertiser

  • Security Breach Litigation Against Companies

    Suits for breach of contract, negligence and potentially implied contract
    – Patco Construction Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012) (holding defendant’s security procedures to not be commercially reasonable)
    – Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011)
      Allowing negligence, breach of contract and breach of implied contract claims to go forward
      Implied contract by grocery store to undertake some obligation to protect customers’ data
      Class certified: In re Hannaford Bros. Co. Customer Data Sec. Breach Litigation, 2013 WL 1182733 (D. Me. Mar 20, 2013)
    – Lone Star National Bank v. Heartland Payment Systems, Inc., _ F.3d _, 2013 WL 4728445 (5th Cir. Sept. 3, 2013)

    Standing in Putative Class Action Cases
    – Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (finding standing where plaintiff’s information was posted on a municipal website and then taken by an identity thief, causing actual financial loss fairly traceable to defendant’s conduct)
    – Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (standing where plaintiffs had both been identity theft victims)
    – Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007) (finding standing in a security breach class action suit against a bank based on the threat of future harm)
    – Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding standing in a suit where plaintiffs’ unencrypted information (names, addresses and social security numbers) was stored on a stolen laptop)
    – Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding no standing in a suit by law firm employees against a payroll processing firm alleging negligence and breach of contract relating to the risk of identity theft and costs to monitor credit activity), cert. denied, 132 S. Ct. 2395 (2012)
      Distinguished environmental and toxic tort cases

  • Subpoenas and Discovery in the Cloud

    Third parties seeking your information stored on a third party’s servers in the cloud

    Evidence in Litigation (ECPA)
    – Suzlon Energy Ltd. v. Microsoft Corp., 671 F.3d 726 (9th Cir. 2011)
    – Bower v. Bower, 808 F. Supp. 2d 348, 349-50 (D. Mass. 2011) (“Faced with this statutory language, courts have repeatedly held that providers such as Yahoo! and Google may not produce emails in response to civil discovery subpoenas.”)
    – Juror No. One v. Superior Court, 206 Cal. App. 4th 854 (2012)
    – The oxymoron of compelled consent in California

  • Contract Formation and Class Actions

    Trend: Characterizing click-through + a link as browserwrap
    – Dawes v. Facebook, Inc., 885 F. Supp. 2d 894 (S.D. Ill. 2012)
    – Fteja v. Facebook, Inc., 841 F. Supp. 2d 829 (S.D.N.Y. 2012) (hybrid)

    Continued hostility to implied contracts
    – In re Zappos.com, Inc. Customer Data Securities Breach Litig., 893 F. Supp. 2d 1058 (D. Nev. 2012) (links to TOU on every page)
    – Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010)

    Arbitration and Class Action Waivers
    – AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011)
    – American Express Co. v. Italian Colors Restaurant, 133 S. Ct. 2304 (2013)
    – Kilgore v. KeyBank, Nat’l Ass'n, 718 F.3d 1052 (9th Cir. 2013) (en banc)
    – Mortensen v. Bresnan Communications, LLC, 722 F.3d 1151, 1157-61 (9th Cir. 2013)
    – Coneff v. AT & T, Corp., 673 F.3d 1155, 1160-62 (9th Cir. 2012)
    – Schnabel v. Trilegiant Corp., 697 F.3d 110 (2d Cir. 2012) (email after agreement “failure to cancel = consent to arbitration” not a binding agreement to arbitrate disputes)
      But see Hancock v. AT&T, 701 F.3d 1248 (10th Cir. 2012) (enforcing click-through contract and arbitration provision contained in subsequent email that afforded the plaintiff the opportunity to cancel service within 30 days and obtain a partial refund if it did not agree with the provision)

    Reservation of Unilateral Rights
    – Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) (“[b]ecause Qwest retained an unfettered ability to modify the existence, terms and scope of the arbitration clause, it is illusory and unenforceable.”), appeal dismissed, _ F.3d _, 2013 WL 4083273 (10th Cir. 2013)
    – In re Zappos.com, Inc. Customer Data Securities Breach Litig., 893 F. Supp. 2d 1058 (D. Nev. 2012) (unilateral right to amend the TOU at any time rendered the agreement illusory)

    Drafting tips
    – Rent-A-Center, West, Inc. v. Jackson, 130 S. Ct. 2772 (2010)
      Challenge to the enforceability of an agreement (arbitrable) vs. challenge to the agreement to arbitrate
      Clause: arbitrator, not a court, must resolve disputes over interpretation, applicability, enforceability or formation, including any claim that the agreement or any part of it is void or voidable

  • Children and the Cloud

    Children, the Cloud and the use of mobile devices
    – COPPA regulations
      Sites and services targeted to children
      General audience sites
    – I.B. v. Facebook, 905 F. Supp. 2d 989 (N.D. Cal. 2012) (allowing claims by minors for reimbursement of credit card charges for Facebook credits based on the California law that provides that certain contracts with minors are void)
    – But see Dawes v. Facebook, Inc., 885 F. Supp. 2d 894 (S.D. Ill. 2012) (enforcing choice of forum clause; infancy cannot be used as a sword rather than a shield)
      A.V. v. iParadigms, LLC, 544 F. Supp. 2d 473, 481 (E.D. Va. 2008), aff'd in part and rev'd in part on other grounds, 562 F.3d 630, 639 (4th Cir. 2009) (minors equitably estopped from denying agreement to the terms of use of a plagiarism verification site)
    – Age of majority is higher in Alabama, Nebraska and Mississippi

  • Managing Your Risks in Cloud Computing

    Ian C. Ballon
    Greenberg Traurig LLP
    (650) 289-7881
    (310) 586-6575
    [email protected]
    Facebook, Twitter, LinkedIn, Google+: Ian Ballon
    www.IanBallon.net


  • Table of Contents

    Presentation Slides
    26.15 Class Action Litigation -- E-Commerce and Internet Law: Treatise with Forms (nd Edition, Vol. 3)
    27.07 Class Actions and Other Security Breach Litigation -- E-Commerce and Internet Law: Treatise with Forms (nd Edition, Vol. 3)
    EU Cloud Opinions: Nebulous or Ominous?
    Summary of Cloud Computing Standards (Presentation Slides)
    Privacy and Data Security in the Global Cloud
    Overview of Cloud Computing