Big Data and the Cloud - MFOA
Big Data and the Cloud: Legal Compliance Through Due Diligence
Lou Milrad BA, LLB.
Municipal Technology Lawyer
Milrad Law
647.982.7890
IPC "Access by Design" Ambassador
Presentation Outline
1. Big Data Definitions and Challenges
2. Data Availability and Ownership
3. Data & Data Governance
4. Contracting for Cloud Services
5. Legal and Policy Considerations and Challenges
6. Summary of BYOD & Social Media Risk
Defining Big Data
Historical, varying, and continually evolving!
• Interpretations are generally dependent on industry segment:
• Examples include:
Gartner: Big data is high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation (cf: http://www.gartner.com/it-glossary/big-data/).
Forbes: Big data is high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation (cf: 12 Big Data Definitions: What's Yours?).
Wikipedia: Big data is a term for data sets that are so large or complex that traditional data processing applications are inadequate. Challenges include analysis, capture, data curation, search, sharing, storage, transfer, visualization, querying, updating and information privacy. The term often refers simply to the use of predictive analytics or certain other advanced methods to extract value from data, and seldom to a particular size of data set. Accuracy in big data may lead to more confident decision making, and better decisions can result in greater operational efficiency, cost reduction and reduced risk.
(cf: https://en.wikipedia.org/wiki/Big_data).
Municipal Examples of Big Data Usage
• Municipalities use Big Data for a variety of public services, for example:
• Water management and smart metering
• Welfare rolls: queries in search of flags that indicate fraud
• Transportation efficiency - routing and scheduling
• Police departments: criminal identification and investigation and predictive analysis by utilizing crime related data to forecast where incidents are most likely to occur
Big Data Challenges for Municipalities include
• Data governance
• Data protection challenges
• Privacy
• IPC: Bridging Big Data and the Personal Data Ecosystem through Privacy by Design
• Legal Side of Managing & Combining Big Data
• Trending towards embracing cloud, big data and mobility
• But there is an opportunity to bring municipalities big benefits - U.S. cities like Chicago, New York, Philadelphia and San Francisco
Data Availability and Ownership
Prerequisite for consideration:
• Understanding of the system architecture
– e.g., how and in what format it keeps your data
• Tools that are available to you to access your data
• Covering off on e-discovery needs that may arise
• Remain mindful of compliance with enterprise-wide policies (existing & under consideration/development) - AUP, MDM, BYOD, etc.
Data Availability and Ownership (Cont’d)
Additional Requirements
• Redundancy and backup
• Disaster recovery
• No vendor lock-in
• Exit strategies as required
• Protection of all designated confidential information and other intellectual property rights
• Confirmation that the vendor does not acquire and may not claim any security interest in your data.
• Where does Open Data fit in?
It’s all about the Data & Data Governance
• Today’s Data Storage and Retrieval Sources
– Workplace & Personal
– Extends beyond traditional hard drives
• Personal – used at home and in cars, cloud storage and app access, and on the move
• Business and Organizational use – desktop, mobile, local, remote and cloud servers
• Mobile devices have empowered and evolved into a way of life – texting, emails, cell & Skype, virtual meetings, apps, etc.
• Consider Mobile Device Access, Security And Privacy as part of Your Cloud Strategy!
Contracting for Cloud Services
In shifting away from the traditional infrastructure approach of separately (or in combination) purchasing hardware, software and services to a complete services solution (SaaS, IaaS, PaaS, MaaS, etc.), there is a critical need to focus on:
– IT contracting strategy, and
– contract terms & conditions
Associated legal issues have become somewhat more complex
– Many are traditional (e.g. IT outsourcing and similar managed services arrangements), but many are new and unique to or exacerbated by migration to the cloud.
– Dilemma - data and data server(s) location(s)
Primary Service Models:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
Primary Deployment Models:
• Private
• Public
• Hybrid
• Community
Cloud Models – Revisited
Contracting for Cloud Services: Some Key Challenges in Cloud Adoption
Contracting for Cloud Services
• Key Departmental Players
– Defining, Evaluating, Selecting, Negotiating & Concluding
• Information Technology (IT)
• Information Management (IM)
• Legal Department (Legal)
– Oversight - Offices of
• City Manager
• CAO
• CFO
Contracting for Cloud Services
• Typically arise as a result of RFP/RFQ
• Level of complexity
• Provided with one or more Supplier's Standard forms
– Key issues include:
• Desired Functionality
• Responsiveness
• Guaranteed Uptime
• Security
• Privacy
• Server(s) Location
• Etc.
– Subcontracts for ancillary services e.g. backup
Assorted Contractual Issues Requiring Resolution & Service Level Agreements
• Click-through Agreement as Opposed to a Negotiated Contract.
• Implementation Challenges
• Supplier Transfer
• Cloud Compliance Reporting
• Data Protection
– Categories
• Consumer data (e.g. registrants from an organizational sponsored function)?
• Business data – e.g. of cloud provider where there are contractual or submitted confidentiality obligations?
• Personal Information
– (PIPEDA) - The Personal Information Protection and Electronic Documents Act (Canada)
– Personal Health Information Protection Act (Ontario)
• End of Term: Renewal vs. Transition
Contracting for Cloud Services
Service-level Agreements
• A service-level agreement (SLA) is a contract between a service provider and its internal or external customers that documents what services the provider will furnish.
– SLAs measure the service provider’s performance and quality in a number of ways.
– Some metrics that SLAs may specify include
• Uptime
• Performance and response time
• Error correction time
• Infrastructure/security[1]
[1] What is service-level agreement (SLA)? - Definition from .., http://searchitchannel.techtarget.com/definition/service-level-agreement (accessed October 11, 2015).
Assorted Contractual Issues Requiring Resolution & Service Level Agreements (Continued)
• Data Ownership, Location & Protection, Use & Liability For Loss
• Contract Termination Challenges
• Guarantee of 99.99% Uptime vs. "Commercially Reasonable Efforts"
• Cloud Provider’s or Sub-contractor’s Insolvency
• Security Breach at Cloud Provider’s or Sub-contractor’s Cloud Data Centre
• Failure(s) in Delivering Quality of Service
• Availability and Performance
Assorted Contractual Issues Requiring Resolution & Service Level Agreements (Continued)
• Termination Rights and Associated Cost of Transition or Migration
• Licenses and IP ownership
• Dispute Resolution
• Jurisdictional Risk – Contract Stipulation(s) re Governing Laws
Contracting for Cloud Services
• Challenges presented through Mobile Devices
– Particularly through permitting access to Organizational Information (Data)
– Typically through BYOD, COPE, or similar permitted access program
• Access to
– Organizational (secured) Servers
– Cloud applications
– Personal apps
– Peers, Friends, Family and others
Legal and Policy Considerations and Challenges
“We've now gone from mainframe computers to desktops and on to the coffee shop.”
Legal Perspective: As BYOD affords employees access to Enterprise Resources, there is a need to safeguard against potential downstream liability to
1. the municipality itself,
2. its employees & external advisors, and to
3. third parties.
BYOD Key Legal Challenges
It’s all about the Data & Data Governance
Data Security and Protecting Data Integrity
Prohibition against "jail breaking" or “rooting”
Confidential Information
Electronic communications, document preservation and evidentiary obligations
Insurance and Liability Considerations
General Duty of Care
Privacy (Personal Information)
Employee – Employer relationship
Training & education
Licensing & Intellectual Property Rights
Access & Storage & Control of the Device
• Access, Storage & Control of Mobile Devices
– Tablets, smartphones, GPS devices, flash drives, solid state hard drives, and other devices
• The Cloud
– Dropbox, Box, Google Drive, One Drive, etc.
• Data Storage
– Devices store data differently than traditional computer hard drives.
– “Jailbreaking” and “Rooting” further complicate matters
– These present real forensic collection challenges, and in terms of analysis there are significant issues in not being able to verify whether all data has effectively been gathered.
• Biggest Issue in data collection - who has control of the device?
Key Takeaway
In the end, it’s all about developing, implementing, and managing an effective data governance strategy and user agreed-to policy to secure and to maintain all of your municipality’s proprietary and open data, both onsite and in the cloud.
And remember...it's all most accessible via smartphones and tablets.
What controls need to be implemented so as to ensure only authorized access?
Thank-you
Lou Milrad
Municipal Technology
Connecting People and Technology
647.982.7890
Time for Questions