Privacy and Data Security Issues in Cloud Computing
TRANSCRIPT
©2013 Vinson & Elkins LLP Confidential & Proprietary
November 11, 2013

Roadmap
• What is Cloud Computing
• Privacy and Data Security Laws and Regulations
• Data Breaches
• How Can Cloud Consumers Manage Risks

What is Cloud Computing
• “complete gibberish”?
• In a nutshell, using a network of remote servers hosted on the Internet (i.e., the “cloud”) to store, manage, and process data.
• NIST definition: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Essential Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

Actors in Cloud Computing
• Cloud Provider
– Makes a service available to Cloud Consumers
• Cloud Consumer
– Uses services from Cloud Providers
• Cloud Auditor
– Conducts independent assessment of cloud services, including security audit and privacy impact audit
• Cloud Carrier
– Provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers

Service Models
• Software as a Service (SaaS)
– e.g., Google Gmail, Google Docs, Facebook
• Platform as a Service (PaaS)
– e.g., Salesforce, Google App Engine
• Infrastructure as a Service (IaaS)
– e.g., Amazon Web Services, Rackspace, IBM Computing on Demand

Level of Control and Responsibility Across Different Service Models
[Figure: a layered stack, top to bottom: Application; Platform Architecture; Virtualized Infrastructure; Hardware; Facility. Two columns, Cloud Provider and Cloud Consumer, each split into SaaS, PaaS and IaaS, show how control over and responsibility for each layer shifts between provider and consumer under the three service models.]

Deployment Models
[Figure: Public (off premises), Private (on or off premises) and Hybrid deployment models.]

Privacy and Data Security Laws
• The Fourth Amendment
• Electronic Communications Privacy Act (ECPA)
• Compliance with sector-specific laws
• Federal Trade Commission as the enforcer
• Borders within the cloud: transferring data outside the EU
• Understanding the NSA programs

The Fourth Amendment
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
• The two-prong Katz test
– Governmental action must contravene an individual’s actual, subjective expectation of privacy
– Expectation of privacy must be reasonable, in the sense that society in general would recognize it as such.
Katz v. United States, 389 U.S. 347 (1967)

ECPA
• Enacted in 1986
– Before the WWW (1990) and the first web browser (1994)
• Amended the Wiretap Statute of 1968 and expanded its protections to electronic data disclosure
• Regulates conduct between
– provider and customer
– government and provider
– different users

Three Standards
• Warrant
– “probable cause”
• Court orders under Section 2703(d)
– “specific and articulable facts”
• Subpoena
– reasonable relevance
– No judicial review required
• Higher-order process is always valid

The Contents of an Email Can Be Treated Differently at Various Times

Type of Communication                                          | Required for Law Enforcement Access | Statute
Email in transit                                               | Warrant                             | 18 U.S.C. § 2516
Email in storage on home computer                              | Warrant                             | 4th Amendment, U.S. Constitution
Email in remote storage, opened                                | Subpoena                            | 18 U.S.C. § 2703
Email in remote storage, unopened, stored for 180 days or less | Warrant                             | 18 U.S.C. § 2703
Email in remote storage, unopened, stored more than 180 days   | Subpoena                            | 18 U.S.C. § 2703

Cloud Computing Makes the Need for ECPA Reform More Urgent
• The 180-day rule and the distinction between opened/unopened emails are outdated
– Based on the traditional email server
– No longer as relevant today when customers have access to nearly unlimited cloud storage
• Constitutional challenges
– 6th Circuit: Portions of the SCA (Stored Communications Act) are unconstitutional to the extent that the SCA enabled the government to obtain email content without a warrant. See United States v. Steven Warshak et al., 631 F.3d 266 (6th Cir. 2010).
– Google Transparency Report: “requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the U.S. Constitution”

Current ECPA Reform Proposals
• Electronic Communications Privacy Act Amendments Act of 2013
– Introduced by Senators Patrick Leahy and Mike Lee
– “only if the governmental entity obtains a warrant ... that is issued by a court of competent jurisdiction directing the disclosure”
– Eliminates the “180-day rule” and the distinction between opened/unopened e-mails
– Stricter notice requirements

ECPA Claims: In re: Google Inc. Gmail Litigation
• Plaintiffs’ ECPA claim
– The Gmail system intentionally intercepted the content of emails that were in transit to create user profiles and provide targeted advertising
• Google moves to dismiss
– “Ordinary course of business” exception
– Consent
• Explicit consent from Gmail users under its terms of service
• Implied consent from non-Gmail users for communicating with Gmail users
In re: Google Inc. Gmail Litigation, 13-MD-02430-LHK (N.D. Cal. Sept. 26, 2013)

Court: “Ordinary Course of Business” Argument Rejected
• Plaintiffs have plausibly alleged that the interceptions fall outside Google's ordinary course of business
– “the ordinary course of business exception is narrow”
– “Google’s alleged interception of email content is primarily used to create user profiles and to provide targeted advertising — neither of which is related to the transmission of emails”
– “The court further finds that plaintiffs’ allegations that Google violated Google’s own agreements and internal policies with regard to privacy also preclude application of the ordinary course of business exception.”

Court: Consent Argument Rejected
• No explicit consent from Gmail users
– “those policies did not explicitly notify the plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising.”
– Google’s Terms of Service
• “advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information”
• collects “user communications . . . to Google” for purposes of “the display of customized content and advertising” and “improve our services (including advertising services)” (emphasis added by Court)
• “give Google . . . a world wide license to use . . . , create derivative works (such as those resulting from translations, adaptions or other changes we make so that your content works better with our Services)”
• No implied consent from non-Gmail users

Compliance with Sector-Specific Laws
• Financial Institutions
– Gramm-Leach-Bliley Act (GLBA): Regulates how financial institutions collect and share information about consumers
• Educational Institutions
– Family Educational Rights and Privacy Act (FERPA): Regulates schools’ disclosure of students’ records
• Health Care
– Health Insurance Portability and Accountability Act (HIPAA)
– Health Information Technology for Economic and Clinical Health (HITECH) Act

Federal Trade Commission as the Enforcer
• Federal Trade Commission Act Section 5
– “unfair or deceptive acts or practices in or affecting commerce.”
• Most of the cases settle
– Voluntary compliance
– Administrative complaint. See In the Matter of Facebook, Inc., FTC File No. 0923184
– Seek injunctive relief in court. See U.S. v. Google Inc., Case No. 5:12-cv-04177-HRL (N.D. Cal. 2012)
• Obtained orders against Google and Facebook
– Require the companies to obtain consumers’ affirmative express consent before materially changing certain of their data practices
– Require adoption of strong privacy programs subject to independent third-party audit for 20 years

Borders in the Cloud: Transferring Data Outside the EU
• EU Data Protection Directive
– Personal data may only be transferred to third countries if that country provides an adequate level of protection.
• U.S.–EU Safe Harbor Framework
– Approved by the EU in 2000
– Organizations must comply with the seven Safe Harbor Privacy Principles
• Notice
• Choice: affirmative or explicit (opt-in) choice for sensitive information
• Onward Transfer (transfer to third parties)
• Access
• Security
• Data Integrity
• Enforcement: FTC

Understand the NSA Programs
• Telephone metadata program
– Records of over 120 million Verizon subscribers
• PRISM
– Collects data directly from Cloud Providers
• MUSCULAR
– Tapping the Google and Yahoo private clouds outside the U.S.

Telephone Metadata Program: Section 215 of the USA PATRIOT Act
• Signed into law in 2001
• Added the business records provision to the Foreign Intelligence Surveillance Act (FISA)
• Allows access to certain business records with a court order
– “reasonable grounds to believe that the [records] are relevant to an authorized investigation . . . to protect against international terrorism”
– The court order must be reviewed and reapproved by the federal judges in the FISA court every 90 days.

PRISM
• A wide range of data is collected, including contents of emails
• The details vary by provider.

PRISM: Section 702 of the FISA Amendments Act of 2008
• Authorizes a broad program of electronic surveillance
– “the targeting of [non-U.S.] persons reasonably believed to be located outside the United States”
• “reasonably believed” is defined by the NSA to require 51 percent confidence
• May compel an electronic communication service provider to
– “immediately provide the Government with all information, facilities, or assistance”
– “in a manner that will protect the secrecy of the acquisition”
• No individualized court orders required
– Only needs the FISA court’s approval of the required targeting protocols and minimization procedures

MUSCULAR: Getting Around the Limitations Imposed by FISA?
• Relies on an unnamed telecommunications provider (“Cloud Carrier”) to offer secret access to the traffic
• Takes place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner
• “It's an arms race” -- Eric Grosse, Google’s VP for security engineering

The Dreaded Security Breach
• Cloud computing arrangements raise significant security breach concerns
– Lack of control and visibility into abstracted resources
– Lack of ways to measure the security services of the cloud providers
– Cloud Consumers’ legal obligations to take appropriate security measures to protect personal data
• Major 2012 security breaches
– Zappos: 24 million customer accounts compromised
– LinkedIn: 6.5 million passwords breached

State Security Breach Notification Laws
• Following California's data security breach notification law, all but four states have enacted similar laws
– Exceptions: Alabama, Kentucky, New Mexico, and South Dakota
• Usually require notification of consumers of a breach of personal information
– “as soon as possible, without unreasonable delay”
• The “owner” of the data, usually the Cloud Consumer, is ultimately responsible for the breach notification.
• Exceptions
– Encrypted data; publicly available government data
– Some states: immaterial breach

Data Breaches Are Costly
• Cost of investigation, notification, and possibly credit monitoring for affected individuals
• Class/private civil action lawsuits
• Regulatory action by state Attorneys General or other regulators
• Damage to reputation
• Business partner costs/lawsuits/indemnification

Prepare for the Inevitable
• Assessment
– Understand the data and the legal obligations
• Prevention
– Negotiate contractual provisions with service providers to secure data and limit liability
– Adopt measures to maximize security of the data, e.g., encryption, password management
• Incident Response Plan
– Identify the scope of affected data and the source of the intrusion
– Disclosure
– Communication (internally and externally)

Use Contracts to Manage Risks
• Compliance with applicable federal, state, and international privacy and security laws
• Data security breach notification
• Data access by the government or Cloud Providers
• Termination

Data Security Breach Notification Provisions
• Clear definition of an actual or suspected “breach” or “security incident”
• Timeframe for notification of a breach upon discovery
• Notification duties
• Costs
– Legal; investigation; reputational
• Indemnification
– Typically covers only third-party claims, e.g., credit monitoring

Use of Data by the Government or the Cloud Provider Provisions
• Add a notification obligation on the Cloud Provider before it makes a disclosure to the government
– Unless the Cloud Provider is prohibited by law from doing so
• Carefully review the uses contemplated by the Cloud Provider
– “as necessary to operate this service or any other Provider service;” “to protect Provider’s rights;” or “in order to improve Provider’s products”
– Consider whether to seek specific limitations on such uses

Termination Provisions
• Expressly state whether a data security breach incident is to be considered a material breach of the contract
• Secure destruction of customer data at termination
– Specify the secure disposal methods
– Compliance with state data disposal laws
• These require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable when the records are no longer to be retained.
• Termination assistance provision
– Require the Cloud Provider to assist with the orderly transition either back to the customer or to a new vendor

Case Study: Los Angeles – CSC/Google Contract
• Fall 2009
– Los Angeles awarded a contract to Google Apps for 30,000 users
• December 2011
– LAPD bails on Google Apps because of security and privacy concerns, as it fails to follow the federal security guidelines
• October 2013
– Giving cloud computing another try!
– The city published a new Request for Proposal for a replacement solution as Google’s contract expires in November 2013.

Case Study: Los Angeles – CSC/Google Contract (continued)
• Private cloud for sensitive data
• Mandatory data encryption
• Data storage only in the U.S.
• Data access limited to U.S. citizens with high-level security clearances

In Summary
• Perform a comprehensive data protection risk assessment for cloud computing solutions before engaging them
• Use contracts to ensure that a cloud computing solution satisfies organizational security and privacy requirements
• Review the service and contract periodically to identify whether anything has changed

Hong Shi [email protected]
Thank you for attending.
Questions?