slide share cloudx_counsel ppt

Copyright © 2015CloudXCounsel pllc. All Rights Reserved. Any commercial use or distribution without the express written consent of CloudXCounsel pllc is strictly prohibited 1

Upload: mark-sanders

Post on 12-Apr-2017


Category:

Law




Page 2: Slide share cloudx_counsel ppt

Emerging Issues: Reconsidering Intellectual Property in Cloud Computing (November 10, 2015)

It would not be a CLE presentation without the requisite DISCLAIMER:

- Nothing in this presentation shall be construed as legal advice.
- The information and opinions expressed in this presentation are solely my own and not those of The Knowledge Group or the other speakers.
- Copyright © 2015 CloudXCounsel pllc. All Rights Reserved. Any commercial use or distribution without the express written consent of CloudXCounsel pllc is strictly prohibited.

Page 3: Slide share cloudx_counsel ppt

Where I have been …

Director, Senior Legal Counsel, IT Offerings, Avanade Inc.

Special Legal Counsel, Adobe Systems, Inc. (NASDAQ: ADBE)

Director of Legal Affairs, Amdocs, Ltd. (NYSE: DOX)

General Counsel, DTI, Inc.(formerly Electronic Evidence Discovery)

General Counsel, Over-The-Air Wireless, Inc.

General Counsel, DocuTouch, Inc. (now DocuSign)

Special Counsel, ClassMates.com and Vulcan (a Paul Allen company)

Co-inventor U.S. Patent: “System, Method for Managing Transferable Records”


Page 4: Slide share cloudx_counsel ppt

Goal of Presentation

Understand that success for online services, whether already operating within or moving to the Cloud, will require a different skill set and understanding.

In the Cloud DATA may very well be Intellectual Property

Three (3) Components of Review


Page 5: Slide share cloudx_counsel ppt

Component No. 1: Know Your Data: Elements (and the CLOUD)

Operating in the “Cloud” has tremendous benefits, but the benefits are at the expense (loss) of data sovereignty (control).


Page 6: Slide share cloudx_counsel ppt

Data: Two (2) Perspectives…

1. Data Elements: What makes up Data?

• Beyond the Bits & Bytes and Ones and Zeros
• Personal information (name, address, DMV, SSN)
• Private or Confidential information (identified by your company or industry)
• Regulated information (healthcare or financial)
• Unique information (passwords, identifiers)
• Data protected as intellectual property

2. Data Handling: What happens to Data?

• Beginning Point (upload/input): Who, Where, How, Why
• Stored: for how long; in what condition; location?
• Access: who and for what purpose (add-value, aggregate, anonymize, license, analytics)
• Sold, licensed, shared, transferred, transmitted
• Service Level (maintenance and support)


Page 7: Slide share cloudx_counsel ppt

The “CLOUD”

• “a visible mass of condensed water vapor floating in the atmosphere, typically high above the ground.”
• “a state or cause of gloom, suspicion, trouble, or worry.”
• “a general term for the delivery of hosted services over the Internet requiring hardware and software services and resources from a provider on the Internet (the "cloud"). Cloud computing comprises "software as a service" (SaaS), "infrastructure as a service" (IaaS) and "platform as a service" (PaaS).”

Cloud: 3 Distinguishing Features:

1. (Scalability) Cloud computing servers can be quickly configured to process more data or to handle larger workloads;

2. (Speed) Cloud providers are connected to the Internet via multiple Tier 1 backbones for fast response times and fault tolerance; and

3. (Self Service) The customer (end user or IT professional) can sign up online, activate and use applications and services from start to finish without phoning a provider to set up an account.


Page 8: Slide share cloudx_counsel ppt

EXAMPLE: Contextual Data Analytics

Context as a Service (CaaS) is a concept where several external data inputs (location, temperature, brightness, motion) and internal data inputs (calendar, email) from a user’s mobile device are collected and analyzed to provide a richer understanding for mobile marketing purposes.

User w/iPhone at the beach every day between 2-3PM. CaaS enables the collection/analysis of data elements including: location, time, temperature, sound, motion (lack of) which provides a marketing opportunity for swim wear, sun tan lotion …

The collected data points individually do not raise a concern, but as a contextual analysis is completed, is there a privacy issue?


Page 9: Slide share cloudx_counsel ppt

Component No. 2: Data Mapping: Transmission and Handling

Operating in the “Cloud” has tremendous benefits, but the benefits are at the expense (loss) of data sovereignty (control).


Page 10: Slide share cloudx_counsel ppt


Data Mapping – A Best Practice

“Computer Science”

Data Type: Identifying data is a computer science concept which classifies data as various types; real, integer or Boolean determining the possible values and the operations which can be done given that data type.

Data Mapping: A computing management concept typically used to map two distinct data models. Data mapping is used as a first step for a wide variety of data integration tasks, including data transformation or data mediation between a data source and a destination, or moving data between 2 databases.

“LEGAL”

Data Type: Identifying those elements which make up the subject matter data: data owner, input, subject matter, security and privacy obligations, storage, access and transmission. Example: consumer data which is also PHI regulated by HIPAA.

Data Mapping: The process of following the data trail from beginning to end. How does it get into the system, does something happen to it, (aggregated, anonymized, encrypted), where can it be accessed and by whom (licensing), where is it stored and managed.

Page 11: Slide share cloudx_counsel ppt

Platforms and Infrastructure:


Oh … those acronyms: SaaS / IaaS / PaaS …

SaaS Software as a Service delivers the entire application to end user, relieving organization of hardware and software maintenance. Examples: Web-based e-mail, Google Apps and Salesforce.com.

IaaS Infrastructure as a service (IaaS) provides the servers and operating systems.

PaaS Platform as a Service adds [to IaaS] databases, runtime engines and necessary software for customer to deploy its application

MBaaS Mobile Backend as a Service provides web and mobile app developers backend cloud storage and software/APIs.

XaaS Anything [Everything] as a Service. Term for any on demand service and applications

AaaS Attorney as a Service

OnPrem. Private (corporate) infrastructure

Public Cloud

A form of cloud computing where company relies on a third-party cloud service provider for services such as servers, data storage and applications, delivered to the company through the Internet.

Private Cloud

Cloud computing platform is implemented within the corporate firewall, under the control of IT department.

Hybrid Cloud

Mix of private and public clouds - critical data resides in corp. private cloud other data is stored in and accessible from public cloud. Goal: Deliver advantages of scalability, reliability, rapid deployment with the security, increased control and management of private clouds.

Page 12: Slide share cloudx_counsel ppt


Examples: Data Type and Description

TYPE: ID type of Data: Corporate, operational, customer, third-party, children, enterprise, consumer, healthcare, financial, PHI/PII, subject matter (legal, sales, HR), meta-data, regulated (EU) data.

OWNER: ID owner of Data: Who owns, who has the rights (access, use); locate all points where data is introduced into the Platform or used by Software. At each point ask, whose data is it? What kind of data is it?

CONTROLLER: ID controller of Data: The individual, company or government in control of and responsible for the data.

PROCESSOR: ID processor of Data: The person or company who processes/transmits data on behalf of the Controller.

DATA ACCESS: ID all parties with access to data: What is being done to the data (uploaded, deleted, transmitted, viewed, processed or stored) and by whom (Customers, end-users, third-party vendors, licensees, operational resources)?

VERACITY: Data Subjects must be given access to information, and the ability to correct or delete such information if it is inaccurate.

LICENSE: Identify the license (use) rights and restrictions at all points in the data's lifecycle; allow mapping and tie-back of license rights to commercial terms/paper. Vendors and third-party providers adding value and functionality to the underlying Service may go unidentified, resulting in liability (HIPAA/BAA regulations).

Page 13: Slide share cloudx_counsel ppt


Data Path: Transmission; Storage and Use

Entry; Upload: How is data introduced into the system/service (company, user, other)? Describe how it is uploaded (constraints).

Transmission; Access; Onward Transfer: ID and describe the transmission path of data and the protections/security efforts applied to data at all points of transit. ID all access points, and those with rights to access. Private data is transferred to third parties only if the third party follows adequate data protection principles.

Security & Management: ID security standards and how they are managed: Encryption process / where it occurs. Encryption (depending on type) is the ‘standard’ for protecting data.

Delete; Retention: Define delete. Define retention. If data is deleted, what is the schedule? Is it part of a Data Destruction (Disaster Recovery) Policy? What types of data are deleted (corporation vs. customer data)?

Notice: Data Subjects must be given notice to opt out of the collection and forward transfer of data to a third party.

Data Security: Data Controllers and Processors must make reasonable efforts to prevent loss or unauthorized use or access of private data.

Data Integrity: Data must be relevant and reliable for the purpose collected, which must be clear to the Data Subject and must not change without notice.

Page 14: Slide share cloudx_counsel ppt

Component No.3 The LAW in the CLOUD

Now with an understanding of the data elements and the path which data takes through the Cloud; we can apply the law.


Page 15: Slide share cloudx_counsel ppt

Data in the Cloud: A Compliance Challenge

• Data resides and is handled using 3rd party equipment, infrastructure and resources. This means that others may be adding value to the services you are contracting for – Do you know who has access and under what terms? Does this access result in a compliance violation (HIPAA)?

• Data is used in a multi-tenant manner (by more than a single user). This means the services may not be tailored to satisfy a regulatory standard that is unique to a service.

• Data is borderless, nationless and user agnostic and at times separately regulated. If electronic signatures are invalid in a country there is no technology restriction to prohibit electronic signatures.

• Data may be subject to changing terms and conditions concerning support, maintenance and protection.

Page 16: Slide share cloudx_counsel ppt

The Law in the Cloud


When ‘thinking’ about the law and your Cloud services, do so under the three (3) concepts:

(1) First Concept: Know your data
(2) Second Concept: What happens to your data (transmission, access, etc.)
(3) Third Concept: Relevant laws, policies and regulations determined by knowing (1) and (2)

Individual: Who is the user/consumer? Corporate/enterprise, consumer, regulated business.

Contract: Are there contract terms with users and third-party vendors? ID terms and conditions between the company offering the services and those adding value or using the services (customers, enterprise users (SaaS or Master Services agreement)). Are there terms of use and privacy terms which create legal obligations?

Industry / Technology: Are you operating or offering a service in a regulated industry? Healthcare and finance are heavily regulated industries (HIPAA and GLBA). Are you using electronic or digital signatures (ESIGN)?

State: What state laws and regulations impact the services? Example: Data privacy breach notice statutes vary between states. State AGs (and class action attorneys) frequently target companies violating laws which may not be widely known. See Auto Renewal Statute example.

Federal: Federal laws may overlap with both industry and state laws (HIPAA/GLBA/ESIGN).

Global: See EU Directive: US-Safe Harbor Example.

Page 17: Slide share cloudx_counsel ppt

The Law in the Cloud


EXAMPLE: No.1 SAFE HARBOR

What happened? The Court of Justice of the European Union issued a ruling effectively invalidating the Safe Harbor option (in place since 2000) as an option to transfer personal data outside the European Economic Area.

What’s the impact? Safe Harbor, the most used of the options, approved as ensuring an “adequate” level of data protection, has directly enabled the proliferation of technology and data services enhancing our professional and personal lives. With the ruling, companies must now figure out a way to proceed in order to avoid destroying businesses and/or being fined. The Binding Corporate Rules (“BCR”), Standard Contractual Clauses (“SCC”) and Data Subject Consent options are still available.

Now what? You must know your DATA and WHAT HAPPENS TO IT! Companies must fully understand their cross-border data flows (data mapping), identifying data type, character, license, owner and status, as well as how it is collected, used, transmitted, processed, accessed, stored and secured. Understanding your data and its flow will enable an appropriate response as the regulatory (privacy) landscape continues to change and take shape, while allowing businesses to consider alternative data transfer methods during this uncertain time period.

Page 18: Slide share cloudx_counsel ppt

The Law in the Cloud


EXAMPLE: No.2 AUTO RENEWAL

Class Action Notice: Your online service client just got hit with a ‘notice’ for settlement or class action.

California Auto-Renewal Law (“CARL”) Section 17602 protects CA consumers from companies targeting them through online transactions. CARL has been a focus of litigation, triggering class action cases (against large well known companies) offering automatically renewing subscription services.

Damages: Restitution = 100 percent of gross revenues received pursuant to a non-compliant automatic renewal term, whether or not the consumer actually wanted and used the service, even if the consumer was not actually deceived and otherwise lacks damages. The concept of the subscriptions considered a “gift” has also been offered.

Compliance (CARL):

• Clear and Conspicuous Terms and Presentation (continue/term, how to cancel, font proximity)
• Consent (affirmative consent prior to charge) and Acknowledgement of Receipt (in form to be retained)
• Contact Information for consumer to contact and Notice of Changes, must be conveyed

Take Away: Operating in the Cloud subjects the business/service to laws, regulations and policies that are state specific, industry specific and globally relevant. Be aware, even the smallest concepts (auto-renewal) can trip up an online service!

Page 19: Slide share cloudx_counsel ppt

Data Privacy & Data Security: TWO SIDES OF THE SAME COIN


DATA PRIVACY: Data privacy is defined as the appropriate use of data. When companies and merchants use data or information provided or entrusted to them, the data should be used according to the agreed purposes. The Federal Trade Commission enforces penalties against companies that have failed to ensure customer privacy.

DATA SECURITY: Data security is commonly explained as the Confidentiality, Availability, and Integrity of data. All of the practices and processes in place to ensure data isn't being used or accessed by unauthorized individuals or parties. Data security ensures data is accurate, reliable and available when those authorized need it.

The Relationship Between Data Security and Data Privacy. Data security ensures data privacy. You protect data (privacy) through strong data security measures put in place and documented in a Data Security Policy. To accomplish securing data and ensuring privacy, you must know (1) your data; (2) how it is being used, accessed, stored and transmitted; and (3) the laws and regulations that impact your data.

Page 20: Slide share cloudx_counsel ppt

Y2K REVISITED

Liability Up The Chain = Checking All The Boxes

Remember when the Y2K bug scared and clouded the judgments of so many businesses, causing them to seek out all sorts of offered solutions, allowing ‘vendors’ claiming to have a magic bullet to make all sorts of money, betting on the fact there would be no impact?

FAST FORWARD 25 years later … businesses are scared about data breaches. With executives facing potential liability, they are reacting with instructions to check all the boxes: ISO, PCI, Pen Tests, Bounties, etc.

The unintended result is high expense, resource drain, conflicting compliance actions, risk of failed vendor work and unnecessary complexities in trying to manage the various compliance policies.


Page 21: Slide share cloudx_counsel ppt

Mark G. Sanders
809 Olive Way, 1704 Seattle, WA 98101
(o) (206) 556-4310 / (m) (425) 422-9480

[email protected]
www.cloudxcounsel.com

http://www.linkedin.com/in/msanderslaw
