BCBSA Summit - Cloud Computing Issues (Dec 2012)

December 4-7, 2011, Sheraton Chicago Hotel and Towers, Chicago, Illinois
Cloud Computing: Key Issues for Blue Plans to address before moving to the Cloud
Joseph E. Kendall, Partner, Pillsbury Winthrop Shaw Pittman
John L. Nicholson, Counsel, Pillsbury Winthrop Shaw Pittman


DESCRIPTION

Presentation on basics of cloud computing models, current status and future use in healthcare environments, differences between traditional outsourcing contracting and cloud contracting, and discussion of e-discovery issues created by cloud environments.

TRANSCRIPT

Page 1: BCBSA Summit - Cloud Computing Issues (Dec 2012)

December 4-7, 2011
Sheraton Chicago Hotel and Towers
Chicago, Illinois

Cloud Computing: Key Issues for Blue Plans to address before moving to the Cloud

Joseph E. Kendall, Partner, Pillsbury Winthrop Shaw Pittman

John L. Nicholson, Counsel, Pillsbury Winthrop Shaw Pittman

Page 2: BCBSA Summit - Cloud Computing Issues (Dec 2012)

CLOUD COMPUTING

Agenda

• What is the Cloud?
• Blue Plans and Cloud Computing – Today and the Future
• How secure is data in the Cloud?
• Contracting for Cloud services
• Specific contract issues - Cloud vs Outsourcing Contracts
• e-Discovery and Subpoenas in the Cloud
• Best practices for data in the Cloud

Page 3: BCBSA Summit - Cloud Computing Issues (Dec 2012)

What is the Cloud?

Page 4: BCBSA Summit - Cloud Computing Issues (Dec 2012)

What is the “Cloud”?

• Cloud Computing is:

“a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

- National Institute of Standards and Technology

Page 5: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Essential Characteristics

Rapid Elasticity

Elasticity is defined as the ability to scale resources both up and down as needed. To the consumer, the cloud appears to be infinite, and the consumer can purchase as much or as little computing power as they need.

Measured Service

In a measured service, aspects of the cloud service are controlled and monitored by the Cloud Provider. This is crucial for billing, access control, resource optimization, capacity planning and other tasks.

On-demand, Self-service

The on-demand and self-service aspects of cloud computing mean that a consumer can use cloud services as needed without any human interaction with the Cloud Provider.

Resource Pooling

Resource pooling allows a Cloud Provider to serve its consumers via a multi-tenant model. Physical and virtual resources are assigned and reassigned according to demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).

Ubiquitous Network Access

Ubiquitous network access means that the Cloud Provider’s capabilities are available over the network and can be accessed through standard mechanisms by both thick and thin clients.

Page 6: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Service Models

Infrastructure as a Service (IaaS)

The consumer uses “fundamental computing resources” such as processing power, storage, networking components or middleware. The consumer can control the operating system, storage, deployed applications and possibly networking components such as firewalls and load balancers, but not the cloud infrastructure beneath them.

Uses: Ad hoc development / testing; cover volume fluctuations

Examples: Amazon EC2, Sun, Microsoft’s Network.com, HP Flex. Computing Svcs., IBM Blue Cloud, OpSource, Jamcracker

Platform as a Service (PaaS)

The consumer uses a hosting environment for their applications. The consumer controls the applications that run in the environment (and possibly has some control over the hosting environment), but does not control the operating system, hardware or network infrastructure on which they are running. The platform is typically an application framework.

Uses: Taking custom applications to the cloud; developing new, cloud-based apps

Examples: Bungee Connect, Etelos, Coghead, Google App Engine, HP Adaptive IaaS, Force.com, LongJump

Software as a Service (SaaS)

The consumer uses an application but does not control the operating system, hardware or network infrastructure on which it's running.

Uses: Commodity applications (email); non-proprietary business processes

Examples: Microsoft Office 365, Oracle SaaS platform, Salesforce SFA, NetSuite, Google Apps, Workday Human Capital Mgmt.

* Note: Business Process as a Service is the furthest evolution of SaaS Cloud Services, but is nascent in the marketplace.

Page 7: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Deployment Models

Public Cloud

In simple terms, public cloud services are characterized as being available to clients from a third party service provider via the Internet. The term “public” does not always mean free, even though it can be free or fairly inexpensive to use. A public cloud does not mean that a user’s data is publicly visible; public cloud vendors typically provide an access control mechanism for their users. Public clouds provide an elastic, cost effective means to deploy solutions.

Private Cloud

In a private cloud-based service, data and processes are managed within the organization without the restrictions of network bandwidth, security exposures and legal requirements that using public cloud services might entail. In addition, private cloud services offer the provider and the user greater control of the cloud infrastructure, improving security and resiliency because user access and the networks used are restricted and designated.

Private clouds can be built on a company's own infrastructure (“internal clouds”) or on the backbone of public clouds.

Hybrid Cloud

A hybrid cloud is a combination of a public and private cloud that interoperates. In this model users typically outsource non-business-critical information and processing to the public cloud, while keeping business-critical services and data in their control.

Page 8: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Realistic Cloud Deployment

[Slide graphic; not reproduced in the transcript.]

Source - http://www.saasblogs.com/saas/which-part-of-the-public-vs-private-cloud-elephant-are-you-touching/

Page 9: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Blue Plans and the Cloud

Page 10: BCBSA Summit - Cloud Computing Issues (Dec 2012)

What can the Cloud mean to Blue Plans?

Microsoft’s Office 365 Cloud Service provides the following:
• Word (Word Processing)
• Excel
• Calendar
• Mail (25GB)
• PowerPoint
• SharePoint intranet for co-authoring documents
• Premium antivirus / anti-spam filtering
• Instant Messaging
• Voice Chat (VoIP)
• Online customer support
• Build/host web site

Page 11: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Where do Blue Plans stand today with respect to Cloud Computing?

• Blue CIOs are motivated to look for ways to use the Cloud because:
  – Opportunities to reduce cost
  – Speed to deployment
• Blue Plans exploring how to benefit from the Cloud
  – Blue Plans exchange info / ideas on Cloud usage
  – Use of IaaS to address resource spikes (Proof of Concept)
• Some production use
  – Blue Plan running proprietary app on SalesForce (PaaS)
  – Blue Plan using Microsoft Office 365
  – Blue Plan using cloud based solution to access CMS database
• Conclusions:
  – Blue Plans are actively looking at how they can benefit from the Cloud
  – Preliminary and limited adoption of Cloud services to date

Page 12: BCBSA Summit - Cloud Computing Issues (Dec 2012)

How secure is data in the Cloud?

Cloud Data Centers are easier to secure:
• Software / patches are up to date
• Limit devices on the network
• Use of repeatable processes and best practices

Perceived risks of Cloud Computing:
• Multi-tenant use of Cloud resources
  – Answer: Data encrypted - only Blue Plan has encryption keys
• Network – data flows over same physical cable
  – Answer: Hybrid approach - combine Cloud computing and VPN to make it more secure
• People - Cloud staff can access data from multiple companies
  – Answer: Run “dark” data centers
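The multi-tenancy answer on this slide (data encrypted, only the Blue Plan holds the keys) in working code, as an added example that is not part of the presentation: the Plan seals each record with its own AES-256-GCM key before upload, the provider's store only ever holds ciphertext, and the record ID is bound in as associated data so a blob cannot be moved to another record's slot. The names (PlanKey, ProviderStore, Seal, Open) and the sample member record are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// PlanKey is the Blue Plan's customer-managed AES-256 key; the provider never sees it.
type PlanKey [32]byte

// NewPlanKey draws a fresh random key on the Plan's side.
func NewPlanKey() (PlanKey, error) {
	var k PlanKey
	_, err := rand.Read(k[:])
	return k, err
}

// ProviderStore stands in for the provider's multi-tenant storage:
// it holds whatever bytes it is given and has no access to any key.
type ProviderStore struct{ blobs map[string][]byte }

func NewProviderStore() *ProviderStore {
	return &ProviderStore{blobs: make(map[string][]byte)}
}

// Put stores a copy of blob under recordID.
func (s *ProviderStore) Put(recordID string, blob []byte) {
	s.blobs[recordID] = append([]byte(nil), blob...)
}

// Get returns the blob stored under recordID.
func (s *ProviderStore) Get(recordID string) ([]byte, bool) {
	b, ok := s.blobs[recordID]
	return b, ok
}

// ContainsPlaintext is the check an operator or auditor on the provider side
// could run: scan everything stored for a known value. It must come back false.
func (s *ProviderStore) ContainsPlaintext(needle []byte) bool {
	for _, b := range s.blobs {
		if bytes.Contains(b, needle) {
			return true
		}
	}
	return false
}

func newGCM(key PlanKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record on the Plan's side with AES-256-GCM. The record ID
// goes in as additional authenticated data, so a blob moved to another record's
// slot by whoever operates the store will not open. Layout: nonce || ct || tag.
func Seal(key PlanKey, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. A wrong key, a wrong record ID or any change to the
// stored bytes fails authentication, so tampering at the provider is detected.
func Open(key PlanKey, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed record")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, _ := NewPlanKey()
	store := NewProviderStore()
	// Constructed sample record; not real member data.
	blob, _ := Seal(key, "member/12345", []byte("member=Jane Doe;ssn=000-00-0000"))
	store.Put("member/12345", blob)
	fmt.Println("provider sees member name:", store.ContainsPlaintext([]byte("Jane Doe")))
	stored, _ := store.Get("member/12345")
	back, err := Open(key, "member/12345", stored)
	fmt.Printf("plan decrypts: %q err=%v\n", back, err)
}
```

Key custody, rotation and backup stay with the Plan in this model, so losing the key means losing the data; that is the trade the slide's answer implies.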

Page 13: BCBSA Summit - Cloud Computing Issues (Dec 2012)

How secure is data in the Cloud?

Survey of 127 Cloud Providers by Ponemon Institute, April 2011
• Most Cloud Providers believe customers buy Cloud services because of lower cost and faster access to Cloud resources, and not security
• Majority of Cloud Providers believe it is their customer’s responsibility to secure the Cloud and not their responsibility
• Most Cloud Providers do not believe their services substantially protect and secure confidential information of their customers
• Most Cloud Providers do not have dedicated security personnel
• But, 1/3 of Cloud Providers are considering security solutions in the next 2 years

Page 14: BCBSA Summit - Cloud Computing Issues (Dec 2012)

How secure is data in the Cloud?

• Summary and Predictions:
  – Cloud data centers do not have many of the security issues that are inherent to non-cloud data centers
  – Cloud Providers focus on the cost and speed aspects of their services, not security
  – But security issues are being addressed
  – As Cloud solutions mature, Cloud Providers will begin to invest more in security as a way to differentiate themselves from their competitors
  – In 2-3 years, Cloud data centers will be as secure as any non-cloud or Blue Plan data center

Page 15: BCBSA Summit - Cloud Computing Issues (Dec 2012)

How can you measure/require security in the Cloud?

• ISO 27001 Certification
  – Be sure to review the Statement of Applicability
• Check against Cloud Security Alliance Cloud Controls Matrix
  – Contract should include rep & warranty that certification will be maintained
• Service Organization Controls (“SOC”) 2 Audit
  – Customers used to require SAS 70 Type 2, which has been replaced by SSAE 16 Type 2 (also known as SOC 1)
  – SOC 1 tests controls at a service organization relevant to user entities’ internal control over financial reporting, but it used to be the only option
  – SOC 2 tests controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy

Page 16: BCBSA Summit - Cloud Computing Issues (Dec 2012)

The Future of Blue Plans in the Cloud

• Blue Plans will take advantage of Cloud benefits where security is not a priority and where PHI is not implicated
• If Cloud Providers offer the same security as Blue Plans can achieve, will Blue Plans place PHI / PII in the Cloud?
  – Limited amounts of PHI / PII – Possibly yes
    • For example, in the Sales area, the sale of a policy might require placing some health insurance information in the Cloud regarding the purchaser (name, SS#, address)
    • Benefits of a Cloud based solution may outweigh some breach risk
  – Substantial amounts of PHI – No
    • Blue Plan systems with large amounts of PHI (e.g., Claims and Membership) will not be placed in the Cloud, even if security at the Cloud Provider is the same as the Blue Plan provides

Page 17: BCBSA Summit - Cloud Computing Issues (Dec 2012)

The Future of Blue Plans in the Cloud

• The potential financial liability from a data breach will prevent Blue Plans from trusting PHI to most Cloud Providers
  – In order for a Blue Plan to trust the Cloud Provider with PHI, the Cloud Provider must assume financial responsibility for data breaches
  – But Cloud Providers will not agree to substantial liability for data breaches because they are not getting paid enough to assume that risk
    • Breach could wipe out profits, revenue or the Cloud Provider
    • Many Cloud Providers are “start-ups” without the ability to make the Blue Plan whole
  – Contrast with Outsourcing Providers, which will agree to substantial liability provisions because the profit / revenue is sufficient to justify the risk

Page 18: BCBSA Summit - Cloud Computing Issues (Dec 2012)

The Future of Blue Plans in the Cloud

• Cyber Liability Insurance
  – Same party should control both data security and data breach liability
    • Alignment of interests will reduce breaches
  – Recovery under policies is not guaranteed
    • Policies not uniform – wide variance
    • Policies very complex / negotiable
    • Gaps
  – Coverage for “Blue Plan’s breach of duty to maintain privacy of PHI”
  – Breach = “unauthorized acquisition, access, use or disclosure of PHI”
    • Strongly recommend legal review of policy
    • Do not rely on obligation in contract that Cloud Provider will obtain policy

Page 19: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Contracting for Cloud Services

Page 20: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Cloud Provider’s Typical Contract Template

[Slide graphic: a page of fine print that repeats the sentence “This AGREEMENT contains lots of really fine print and we really do not feel like negotiating any of it.”]

* * *

Page 21: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Guiding Principles for Contracting with Cloud Providers

• Must understand the Cloud Provider’s business model
  – Standard service to all customers
  – Consistent, repeatable processes
• Customers must accept a standard delivery model to take advantage of the cost savings
• Cloud Providers insist on their own contract template
  – They want standardized contracts to match their standardized delivery model
• But there ARE terms to negotiate!

Page 22: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Outsourcing vs. Cloud contracting

Contract Template
  Outsourcing: Use Customer’s template. Each deal customized.
  Cloud Services: Cloud Providers insist on their contract documents.

Contract Negotiation
  Outsourcing: Almost everything negotiable. Service delivery solution customized.
  Cloud Services: Provisions impacting uniformity and scalability of the cloud service are not negotiable. Service delivery solution standardized.

Contract Leverage
  Outsourcing: Size of deal matters. Competition matters.
  Cloud Services: Size and competition matter much less.

Contract Negotiation Timing
  Outsourcing: 4-8 months, but can be 12 months or more.
  Cloud Services: Generally < 3 months and frequently faster.

Term
  Outsourcing: 5-7 years, with renewal options.
  Cloud Services: 1-3 years, with evergreen extension unless either party terminates 30 days before anniversary.

Page 23: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Outsourcing vs. Cloud contracting

Contract Modification
  Outsourcing: Modified only via written contract amendment.
  Cloud Services: Governed by online terms (service descriptions) or “then current” policies found on web pages (security and privacy).

Control Over Supplier Personnel
  Outsourcing: Key Supplier Positions, background checks, and ability to remove personnel.
  Cloud Services: Largest contracts may include one Key Supplier Position, but little else.

Subcontractors
  Outsourcing: Significant restrictions on use of subcontractors.
  Cloud Services: No restrictions - subcontractors may be essential to the provider’s ability to deliver the services.

Security
  Outsourcing: Fully negotiable (for a price).
  Cloud Services: Non-negotiable.

Governance
  Outsourcing: Detailed, multi-committee governance structure.
  Cloud Services: None.

Page 24: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Outsourcing vs. Cloud contracting

Service Levels
  Outsourcing: Customized and numerous.
  Cloud Services: Standardized and very few.

Service Level Credits
  Outsourcing: Customized. Based on percentage of monthly revenue – generally 5-15%.
  Cloud Services: Can be significant – even up to 100% of monthly charges (but dollars are smaller and credits tied to the charges for the failed service).

Data Location
  Outsourcing: Customer knows where its data is. Limits on moving data center.
  Cloud Services: Customer does not know where data is. Fewer restrictions on data center location.

Charges
  Outsourcing: Complex combination of transition charges, plus ongoing fixed and variable charges.
  Cloud Services: Minimal transition cost (if any). Charges based on a simple metric such as “per user” or “per seat” or similar units.

Audits
  Outsourcing: Extensive audit rights, particularly in dedicated environments.
  Cloud Services: None (although Supplier may agree to provide SSAE 16).

Page 25: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Outsourcing vs. Cloud contracting

Limit of Liability
  Outsourcing: Generally 12 months of charges. Numerous exceptions to direct and consequential damage limits – indemnities, breach of confidentiality, wrongful abandonment, failure to provide disengagement assistance, gross negligence, intentional misconduct. Stipulated direct damages – error correction, cost of work-around, overtime, government fines and penalties, cost to recreate data. Need to negotiate to make it mutual.
  Cloud Services: 12 months of charges also, but tied to the particular service causing the damages. More limited carve-outs, especially for consequential damages.

Data Breach Liability
  Outsourcing: Separate liability bucket, ranging from 1 – 12 additional months of charges (may depend on whether data encrypted). Stipulated direct damages - cost of data breach notices, credit monitoring, call center, identity restoration services, consulting and attorney fees.
  Cloud Services: Generally none, but if pressed, they will agree to a separate liability bucket, and acknowledge notice and credit monitoring costs are recoverable. Be wary of commitment to perform “as required by law”.

Page 26: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Outsourcing vs. Cloud contracting

Customer’s Termination Rights (cause and other)
  Outsourcing: Cause, Service Level Failures, Change of Control of Customer, Change of Control of Supplier, Force Majeure Events, Change in Laws, Increase in Taxes, Supplier’s Liability Cap, Regulatory Approval, Business Associate Addendum, Insolvency.
  Cloud Services: For Supplier’s material breach.

Supplier’s Termination Rights and Right to Suspend
  Outsourcing: Limited to failure to pay 2 months’ charges and breach of confidentiality. No right to suspend.
  Cloud Services: Starting position is Supplier may terminate or suspend “for any reason” or for “breach of Acceptable Use Policy” or if Provider believes Customer’s use threatens the provider’s network or ability to provide services. Can limit termination right to “Customer’s material breach”, and add cure rights. Can limit right to suspend only “to the extent” necessary to address the breach of the AUP, or to address the breach.

Page 27: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Outsourcing vs. Cloud contracting

Termination for Convenience
  Outsourcing: Yes, but must make Supplier whole.
  Cloud Services: Yes, after initial commitment, on 30 days’ notice without cost. Also, if Supplier changes terms that adversely affect Customer, without cost.

Termination Assistance
  Outsourcing: Requires fairly extensive cooperation between customer, existing service provider and replacement service provider. 12-18 months of assistance, with right to acquire hardware, software, contracts and people.
  Cloud Services: Need to negotiate. Very limited cooperation required. Existing Cloud Provider provides a copy of all data resident in the cloud environment for transfer to the replacement service provider. No right to acquire assets.

Page 28: BCBSA Summit - Cloud Computing Issues (Dec 2012)

In sum . . .

By understanding (1) where a Cloud Provider can negotiate, and (2) where the cloud model precludes negotiation, you can balance your risk reduction efforts against the Cloud Service benefits, to achieve the best results for the Blue Plan.

Page 29: BCBSA Summit - Cloud Computing Issues (Dec 2012)

e-Discovery and Subpoenas in the Cloud

Page 30: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Access to Cloud Data

• Subpoenas for data in the US
  – Not a lot of case law directly addressing discovery of corporate email held by Cloud Providers
  – Instructive analogs found in:
    • Cases involving 3rd-party email providers under the Stored Communications Act ("SCA") and
    • Cases addressing the concept of "control" under US Federal regulations
• US Civil Subpoenas
  – Basic test under FRCP: “possession, custody, or control”
  – U.S. courts construe “control” broadly
    • Party often deemed to have control if it has the legal right, authority or practical ability to obtain the materials sought upon demand
  – However, courts generally presume 3rd parties cannot be compelled to disclose electronic communications pursuant to a civil subpoena
  – Courts tend to focus on whether email account holders who are parties in the underlying litigation can be ordered to authorize access to their email accounts, despite the SCA

Page 31: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Stored Communications Act Cases

Thayer v. Chiczewski (N.D. Ill. Sept. 11, 2009)
• Civil rights suit against Chicago
• City served a subpoena on AOL seeking production of several of plaintiff's emails
• Contrary to general practice, the court granted the motion over the objections of both the plaintiff and AOL.
• Court first acknowledged SCA usually prevents enforcement of civil subpoenas against 3rd parties:
  – "The Court agrees that, although decisions analyzing the SCA have defined its parameters in sometimes competing ways, most courts have concluded that third parties cannot be compelled to disclose electronic communications pursuant to a civil-as opposed to criminal-discovery subpoena."

Page 32: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Stored Communications Act Cases (cont.)

Thayer v. Chiczewski (N.D. Ill. Sept. 11, 2009) - continued
• Court stated that because plaintiff would be required to produce relevant emails if he were in possession of them, and AOL would be obliged to produce the emails at plaintiff's request, the emails were under the plaintiff's "control" for discovery purposes
• Court noted that plaintiff authorized production of at least one email and had put his mental state at the time of the relevant events at issue (which arguably would be shown by contemporaneous emails); thus, the court assumed that plaintiff had authorized disclosure

Page 33: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Stored Communications Act Cases (cont.)

Chasten v. Franklin (No. C10-80205 MISC JW (HRL), 2010 WL 4065606 (N.D. Cal. Oct. 14, 2010))
• Defendant in civil rights case served subpoena on Yahoo seeking plaintiff's emails
• Plaintiff argued SCA prohibited Yahoo from disclosing his emails
• Court agreed and quashed subpoena stating:
  – "Because no exception applies, compliance with the [third-party] subpoena would be an invasion of the specific interests that the SCA seeks to protect."
• Unlike Thayer, the Chasten court did not examine whether plaintiff could/should be ordered to consent to Yahoo producing emails
• Court's failure to discuss whether the account holder could be forced to consent to disclosure was unique

Page 34: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Discovery Obligation Comes Back to You

• The fact that a court does not force a Cloud Provider to turn over your information simply brings the issue to your doorstep
• U.S. discovery system encourages extensive production of information
• Having data held by a Cloud Provider can make compliance with discovery obligations more challenging

Page 35: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Inadvertent Loss/Destruction

• What happens if a Cloud Provider loses / inadvertently deletes your information?
• Currently uncommon for a cloud agreement to reference e-discovery type requirements
  – Difficult to claim Cloud Provider is responsible if there’s nothing in the contract on point
• Legal analysis for a “spoliation claim” normally focuses on “possession, custody or control” over the data, which would generally point back to you – even for hosted services
  – Cloud Provider is not (normally) party to the litigation; court will typically focus its efforts on the parties appearing in court
• If court finds you responsible (i.e., you did not produce information in your possession, custody or control) then court can order sanctions
  – Sanctions can range from fines to a terminating order that ends the case in the other party’s favor

Page 36: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Inadvertent Loss/Destruction

• If the data was lost due to the Cloud Provider’s actions (or inactions), you will need to argue that you were not at fault
  – Trying to establish this fact would likely require going far beyond merely establishing who deleted the data
  – You need to show you acted diligently in selecting the Cloud Provider, negotiating terms, putting controls in place and notifying the provider in a timely manner — and that despite all of those efforts, data was lost through no fault of yours
  – Even so, minimal (if any) case law guidance on whether this argument would be adequate
  – More likely, if the other party has been prejudiced by the loss of data, a sanction of some type is likely to balance the playing field
• Recovery of fines from Cloud Provider unlikely
  – Based on standard limitation of liability approaches in most cloud contracts, you may not be able to recover damages from the Cloud Provider

Page 37: BCBSA Summit - Cloud Computing Issues (Dec 2012)

The “Democratization” Wrinkle

• Employees may be using cloud services without the knowledge of the company (e.g., Google Docs, Dropbox) or social media (e.g., Facebook)
• When employees leave, Plans may lose access to those password protected accounts
• BUT, if you end up in litigation you may have had a duty to preserve that information and/or produce it
  – Cloud Providers may not store information in an easily accessible, legally compliant (i.e., “reasonably usable”) format
  – Facebook and other social media services are not e-discovery friendly
  – Obtaining information without the employee’s password/cooperation may require litigation against that Cloud Provider

Page 38: BCBSA Summit - Cloud Computing Issues (Dec 2012)

The International Wrinkle

• What happens if a lawsuit is in the US but the other party’s headquarters is in another country? Or what if the data is in a country where the rules are different?
• U.S. Supreme Court has held that U.S. courts may order production of documents governed by foreign blocking laws
• Violation of the French blocking statute to deliver documents in the U.S. has resulted in criminal sanctions in France
• AccessData Corp. v. ALSTE Technologies GMBH, 2010 WL 318477 (D. Utah Jan. 21, 2010)
  – ALSTE argued German privacy laws prevented collection of company emails located in Germany
  – U.S. court held German law did not bar disclosure of information relevant to the litigation
  – U.S. court required ALSTE to proceed with e-discovery
  – Failure to produce the data after the court’s ruling would likely result in severe sanctions
  – However, German Data Protection authorities have sanctioning powers, as well
• Companies with data spread across different jurisdictions may have to make difficult choices if cloud-based data is implicated in litigation

Page 39: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Best Practices for Data in the Cloud

Page 40: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Best Practices for Data in the Cloud

When drafting your RFP / evaluating potential Cloud Providers / negotiating with the selected Cloud Provider:

1. Know where Blue Plan data is/will be stored
  - Request data center locations and consider including them in the contract
  - Request geographic limits (e.g., “stored in the US”)

2. Protect Blue Plan data
  - ISO 27001 certification, SOC 2, Cloud Security Alliance Cloud Controls Matrix

3. Ensure Blue Plan can use its data
  - Make sure Blue Plan has the right to access its data at all times (and the Cloud Provider cannot hold your data “hostage” in a dispute)
  - Make sure that Blue Plan can export it in a usable format
  - Cloud Provider should be obligated to provide Disengagement Assistance

Page 41: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Best Practices for Data in the Cloud

4. Determine if Cloud Provider can comply with Blue Plan data retention/destruction policies
  - Including litigation holds

5. Subpoena / e-Discovery requirements
  - Require notice of subpoenas received by Cloud Provider that could impact your data
  - Ensure that Cloud Provider will assist with e-Discovery efforts and specify costs

6. Ensure there is financial responsibility for data breaches
  - Separate liability bucket
  - Do not accept “as required by law” language
  - Costs of notice, credit monitoring, call center should be recoverable (not consequential)
  - Cyber Liability Insurance - legal review is important!

Page 42: BCBSA Summit - Cloud Computing Issues (Dec 2012)

Questions & Answers / Thank you!

Joseph Kendall, Partner, Pillsbury Winthrop Shaw Pittman LLP, +1 [email protected]

John Nicholson, Counsel, Pillsbury Winthrop Shaw Pittman LLP, +1 [email protected]