big data and the cloud - mfoa · it’s all about the data & data governance • today’s data...


Post on 22-Jun-2020


Page 1: Big Data and the Cloud - MFOA · It’s all about the Data & Data Governance • Today’s Data Storage and Retrieval Sources – Workplace & Personal – Extends beyond traditional

Big Data and the Cloud

Legal Compliance Through Due Diligence

Lou Milrad BA, LLB.

Municipal Technology Lawyer

Milrad Law

[email protected]

647.982.7890

IPC "Access by Design" Ambassador


Presentation Outline

1. Big Data Definitions and Challenges

2. Data Availability and Ownership

3. Data & Data Governance

4. Contracting for Cloud Services

5. Legal and Policy Considerations and Challenges

6. Summary of BYOD & Social Media Risk


Defining Big Data

Historical, varying, and continually evolving!

• Interpretations are generally dependent on industry segment:

• Examples include:

Gartner: Big data is high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation (cf: http://www.gartner.com/it-glossary/big-data/).

Forbes: Big data is high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation (cf: 12 Big Data Definitions: What's Yours?).

Wikipedia: Big data is a term for data sets that are so large or complex that traditional data processing applications are inadequate. Challenges include analysis, capture, data curation, search, sharing, storage, transfer, visualization, querying, updating and information privacy. The term often refers simply to the use of predictive analytics or certain other advanced methods to extract value from data, and seldom to a particular size of data set. Accuracy in big data may lead to more confident decision making, and better decisions can result in greater operational efficiency, cost reduction and reduced risk (cf: https://en.wikipedia.org/wiki/Big_data).


Municipal Examples of Big Data Usage

• Big Data is used for a variety of public services, for example:

• Water management and smart metering

• Welfare rolls: queries in search of flags that indicate fraud

• Transportation efficiency - routing and scheduling

• Police departments: criminal identification and investigation, and predictive analysis that uses crime-related data to forecast where incidents are most likely to occur


Big Data Challenges for Municipalities include

• Data governance

• Data protection challenges

• Privacy

• IPC: Bridging Big Data and the Personal Data Ecosystem through Privacy by Design

• Legal Side of Managing & Combining Big Data

• Trending towards embracing cloud, big data and mobility

• But opportunity to bring municipalities big benefits - U.S. cities like Chicago, New York, Philadelphia and San Francisco



Data Availability and Ownership

Prerequisite for consideration:

• Understanding of the system architecture

– e.g., how and in what format it keeps your data

• Tools that are available to you to access your data

• Covering off on e-discovery needs that may arise

• Remain mindful of compliance with enterprise-wide policies (existing & under consideration/development) - AUP, MDM, BYOD, etc.


Data Availability and Ownership (Cont’d)

Additional Requirements

• Redundancy and backup

• Disaster recovery

• No vendor lock-in

• Exit strategies as required

• Protection of all designated confidential information and other intellectual property rights

• Confirmation that the vendor does not acquire and may not claim any security interest in your data.

• Where does Open Data fit in?


It’s all about the Data & Data Governance

• Today’s Data Storage and Retrieval Sources

– Workplace & Personal

– Extends beyond traditional hard drives

• Personal – used at home and in cars, cloud storage and app access, and on the move

• Business and Organizational use – desktop, mobile, local, remote and cloud servers

• Mobile devices have empowered and evolved into a way of life – texting, emails, cell & Skype, virtual meetings, apps, etc.

• Consider Mobile Device Access, Security And Privacy as part of Your Cloud Strategy!


Contracting for Cloud Services

In shifting away from the traditional infrastructure approach of separately (or in combination) purchasing hardware, software and services to a complete services solution (SaaS, IaaS, PaaS, MaaS, etc.),

Critical need to focus on

– IT contracting strategy, and

– contract terms & conditions

Associated legal issues have become somewhat more complex

– Many are traditional (e.g. IT outsourcing and similar managed services arrangements), but many are new and unique to or exacerbated by migration to the cloud.

– Dilemma - DATA and data server(s) location(s)


Cloud Models – Revisited

Primary Service Models:

• Infrastructure as a Service (IaaS)

• Platform as a Service (PaaS)

• Software as a Service (SaaS)

Primary Deployment Models:

• Private

• Public

• Hybrid

• Community


Contracting for Cloud Services

Some Key Challenges in Cloud Adoption


Contracting for Cloud Services

• Key Departmental Players

– Defining, Evaluating, Selecting, Negotiating & Concluding

• Information Technology (IT)

• Information Management (IM)

• Legal Department (Legal)

– Oversight - Offices of

• City Manager

• CAO

• CFO


Contracting for Cloud Services

• Typically arise as a result of RFP/RFQ

• Level of complexity

• Provided with one or more Supplier's Standard forms

– Key issues include:

• Desired Functionality

• Responsiveness

• Guaranteed Uptime

• Security

• Privacy

• Server(s) Location

• Etc.

– Subcontracts for ancillary services e.g. backup


Assorted Contractual Issues Requiring Resolution & Service Level Agreements

• Click-through Agreement as Opposed to a Negotiated Contract.

• Implementation Challenges

• Supplier Transfer

• Cloud Compliance Reporting

• Data Protection

– Categories

• Consumer data (e.g. Registrants from an organizational sponsored function)?

• Business data – e.g. of cloud provider where there are contractual or submitted confidentiality obligations?

• Personal Information

– (PIPEDA) - The Personal Information Protection and Electronic Documents Act (Canada)?

– Personal Health Information Protection Act (Ontario)

• End of Term: Renewal vs. Transition


Contracting for Cloud Services

Service-level Agreements

• A service-level agreement (SLA) is a contract between a service provider and its internal or external customers that documents what services the provider will furnish.

– SLAs measure the service provider’s performance and quality in a number of ways.

– Some metrics that SLAs may specify include

• Uptime

• Performance and response time

• Error correction time

• Infrastructure/security[1]

[1] What is service-level agreement (SLA)? - Definition from .., http://searchitchannel.techtarget.com/definition/service-level-agreement (accessed October 11, 2015).


Assorted Contractual Issues Requiring Resolution & Service Level Agreements (Continued)

• Data Ownership, Location & Protection, Use & Liability For Loss

• Contract Termination Challenges

• Guarantee of 99.99% Uptime vs. "Commercially Reasonable Efforts"

• Cloud Provider’s or Sub-contractor’s Insolvency

• Security Breach at Cloud Provider’s or Sub-contractor’s Cloud Data Centre

• Failure(s) in Delivering Quality of Service

• Availability and Performance


Assorted Contractual Issues Requiring Resolution & Service Level Agreements (Continued)

• Termination Rights and Associated Cost of Transition or Migration

• Licenses and IP ownership

• Dispute Resolution

• Jurisdictional Risk – Contract Stipulation(s) re Governing Laws


Contracting for Cloud Services

• Challenges presented through Mobile Devices

– Particularly through permitting access to Organizational Information (Data)

– Typically through BYOD, COPE, or similar permitted access program

• Access to

– Organizational (secured) Servers

– Cloud applications

– Personal apps

– Peers, Friends, Family and others


Legal and Policy Considerations and Challenges

“We've now gone from mainframe computers to desktops and on to the coffee shop.”

Legal Perspective: As BYOD affords employees access to Enterprise Resources, there is a need to safeguard against potential downstream liability to

1. the municipality itself,

2. its employees & external advisors, and to

3. third parties.


BYOD Key Legal Challenges

It’s all about the Data & Data Governance

Data Security and Protecting Data Integrity

Prohibition against "jail breaking" or “rooting”

Confidential Information

Electronic communications, document preservation and evidentiary obligations

Insurance and Liability Considerations

General Duty of Care

Privacy (Personal Information)

Employee – Employer relationship

Training & education

Licensing & Intellectual Property Rights


Access & Storage & Control of the Device

• Access, Storage & Control of Mobile Devices

– Tablets, smartphones, GPS devices, flash drives, solid state hard drives, and other devices

• The Cloud

– Dropbox, Box, Google Drive, OneDrive, etc.

• Data Storage

– Devices store data differently than traditional computer hard drives.

– “Jailbreaking” and “Rooting” further complicate matters

– Present real forensic collection challenges, and in terms of analysis, there are significant issues in not being able to verify whether all data has effectively been gathered.

• Biggest Issue in data collection - who has control of the device?


Key Takeaway

In the end - It’s all about developing, implementing, and managing an effective data governance strategy and user agreed-to policy to secure and to maintain all of your municipality’s proprietary and open data, both onsite and in the cloud.

And remember...it's all most accessible via smartphones and tablets.

What controls need to be implemented so as to ensure only authorized access?


Thank-you

Lou Milrad

Municipal Technology

Connecting People and Technology

[email protected]

647.982.7890

Time for Questions