This is a relatively long post. Specific areas covered:
3.1 Overview
3.1.1 Legal frameworks governing data protection and privacy
Conflicting requirements in different jurisdictions, and
sometimes within the same jurisdiction. Legal requirements may vary according
to
- Location of cloud provider
- Location of cloud consumer
- Location of data subject
- Location of servers/datacenters
- Legal jurisdiction of contract between the
parties, which may be different than the locations of those parties
- Any international treaties between the locations
where the parties are located
3.1.1.1 Common themes
Omnibus laws: same law applicable across all sectors
Sectoral laws
3.1.1.2 Required security measures
Legal requirements may include prescriptive or risk based
security measures.
3.1.1.3 Restrictions to cross-border data transfer
Transfer of data across borders can be prohibited. The most
common situation is a based on transferring personal data to countries that do
not have “adequate data protection laws”. This is a common theme in the GDPR.
Other examples are data covered by national security legislation.
For personal data, transfers to inadequate locations may
require specific legal instruments to be put in place in order for this to be
considered compliant with the stricter region’s legal requirements.
3.1.1.4 Regional examples
Australia
- Privacy act of 1988
- Australian consumer law (ACL)
The privacy act has 13 Australian privacy principles (APP’s)
that apply to all sectors including non-profit organizations that have an
annual turnover of more than 3 million Australian dollars.
In 2017 the Australian privacy act was amended to require
companies to notify affected Australian residents and the Australian
Information Commissioner of breaches that can cause serious harm. A security
breach must be reported if:
- There is unauthorized access or disclosure of
personal information that can cause serious harm
- Personal information is lost in circumstances
where disclosure is likely and could cause serious harm
The ACL protects consumers from fraudulent contracts and
poor conduct from service providers, such as failed breach notifications. The
Australian Privacy Act can apply to Australian customers/consumers even if the
cloud provider is based elsewhere or other laws are stated in the service
agreement.
China
China has introduced new legislation governing information
systems over the last few years.
- 2017: Cyber security law: applies to critical
information infrastructure operators
- May 2017: Proposed measures on the security of
cross-border transfers of personal information and important data. Under
evaluation for implementation at the time of issue of CCSP guidance v. 4.
The 2017 cybersecurity law puts requirements on
infrastructure operators to design systems with security in mind, put in place
emergency response plans and give access and assistance to investigating
authorities, for both national security purposes and criminal investigations.
The Chinese security law also requires companies to inform
users about known security defects, and also report defects to the authorities.
Regarding privacy the cybersecurity law requires that
personal information about Chinese citizens is stored inside mainland China.
The draft regulations on cross-border data transfer issued
in 2017 go further than the cybersecurity law.
- New security assessment requirements for
companies that want to send data out of China
- Expanding data localization requirements (the
types of data that can only be stored inside China)
Japan
The relevant Japanese legislation is found in “Act on the
Protection of Personal Information (APPI). There are also multiple sector
specific laws.
Beginning in 2017, amendments to the APPI require consent of
the data subject for transfer of personal data to a third party. Consent is not
required if the receiving party operates in a location with data protection
laws considered adequate by the Personal Information Protection Commission.
EU: GDPR and e-Privacy
The GDPR came into force on 25 May 2018. The e-Privacy
directive is still not enforced. TechRepublic has a short summary of differences
between the two regulations (https://www.techrepublic.com/article/gdpr-vs-epPRrivacy-the-3-differences-you-need-to-know/):
- ePrivacy specifically covers electronic
communications. It is evolved from the 2002 ePrivacy directive that focused
primarily on email and sms, whereas the new version will cover electronic communications
in general, including data communication with IoT devices and the use of social
media platforms. The ePrivacy directive will also cover metadata about private
communications.
- ePrivacy includes non-personal data. The focus is
on confidentiality of communications, that may also contain non-personal data
and data related to a legal person.
- The have different legal precedents. GDPR is
based on Article 8 in the European Charter of Human Rights, whereas the ePrivacy
directive is based on Article 16 and Article 114 of the Treaty on the
Functioning of the European Union – but also Article 7 of the Charter of
Fundamental Rights: “Everyone has the right to respect for his or her private
and family life, home and communications.”
The CSA guidance gives a summary of GDPR requirements:
- Data processors must keep records of processing
- Data subject rights: data subjects have a right
to information on how their data is being processed, the right to object to
certain uses of their personal data, the right to have data corrected or
deleted, to be compensated for damages suffered as a result of unlawful
processing, and the right to data portability. These rights significantly affect
cloud relationships and contracts.
- Security breaches: breaches must be reported to authorities
within 72 hours and data subjects must be notified if there is a risk of serious
harm to the data subjects
- There are country specific variations in some
interpretations. For example, Germany required that an organization has a data
protection officer if the company has more than 9 employees.
- Sanctions: authorities can use fines up to 4% of
global annual revenue, or 20 million EUR for serious violations, whichever
amount is higher.
EU: Network information security directive
The NIS directive is enforced since May 2018. The directive
introduces a framework for ensuring confidentiality, integrity and availability
of networks and information systems. The directive applies to critical infrastructure
and essential societal and financial functions. The requirements include:
- Take technical and organizational measures to
secure networks and information systems
- Take measures to prevent and minimize impact of
incidents, and to facilitate business continuity during severe incidents
- Notify without delay relevant authorities
- Provide information necessary to assess the
security of their networks and information systems
- Provide evidence of effective implementation of
security policies, such as a policy audit
The NIS directive requires member states to impose security
requirements on online marketplaces, cloud computing service providers and
online search engines. Digital service providers based outside the EU but that
supply services within the EU are under scope of the directive.
Note: parts of these requirements, in particular for
critical infrastructure, are covered by various national security laws. The
scope of the NIS directive is broader than national security and typically
requires the introduction of new legislation. This work is not yet complete
across the EU/EEC area. Digital Europe has an implementation tracker site set
up here: https://www.digitaleurope.org/resources/nis-implementation-tracker/.
Central and South America
Data protection laws are coming into force in Central and
South American countries. They include security requirements and the need for a
data custodian.
North America: United States
The US has a sectoral approach to legislation with hundreds
of federal, state and local regulations. Organizations doing business in the
United States or that collect or process data on US residents or often subject
to multiple laws, and identification of the regulatory matrix can be challenging
for both cloud consumers and providers.
Federal law
- The Gramm-Leach-Bliley Act (GLBA)
- The Health Insurance Portability and
Accountability Act, 1996 (known as HIPAA)
- The Children’s Online Privacy Protection Act of
1998 (COPPA)
Most of these laws require companies to take precautions
when hiring subcontractors and service providers. They may also hold organizations
responsible for the acts of subcontractors.
US State Law
In addition to federal regulations, most US states have laws
relating to data privacy and security. These laws apply to any entity that collect
or process information on residents of that state, regardless of where the data
is stored (the CSA guidance says regardless of where within the United States,
but it is likely that they would apply to international storage as well in this
case).
Security breach disclosure requirements
Breach disclosure requirements are found in multiple regulations.
Most require informing data subjects.
Knowledge of these laws is important for both cloud
consumers and providers, especially to regulate the risk of class action lawsuits.
In addition to the state laws and regulations, there is the “common
law of privacy and security”, a nickname given to a body of consent orders
published by federal and state government agencies based on investigations into
security incidents.
Especially the FTC (Federal Trade Commission) has for almost
20 years the power to conduct enforcement actions against companies whose
privacy and security practices are inconsistent with claims made in public
disclosures, making their practices “unfair and deceptive”. For cloud computing
this means that when a certain way of working changes, the public documentation
of the system needs to be updated to make sure actions are not in breach of
Section 4 of the FTC Act.
1.3.2 Contracts and Provider Selection
In addition to legal requirements, cloud consumers may have
contractual obligations to protect the personal data of their own clients,
contacts or employees, such as securing the data and avoiding other processing
that what has been agreed. Key documents are typically Terms and Conditions and
Privacy Policy documents posted on websites of companies.
When data or operations are transferred to a cloud, the
responsibility for the data typically remains with the collector. There may be
sharing of responsibilities when the cloud provider is performing some of the operations.
This also depends on the service model of the cloud provider. In any case a
data processing agreement or similar contractual instrument should be put in
place to regulate activities, uses and responsibilities.
3.1.2.1 Internal due diligence
Prior to using a cloud service both parties (cloud provider
and consumer) should identify legal requirements and compliance barriers.
Cloud consumers should investigate whether it has entered
into any confidentiality agreements or data use agreements that could limit the
use of a cloud service. In such cases consent from the client needs to be in
place before transferring data to a cloud environment.
3.1.2.3 External due diligence
Before entering into a contract, a review of the other party’s
operations should be done. For evaluating a cloud service, this will typically
include a look at the applicable service level, end-user and legal agreements,
security policies, security disclosures and compliance proof (typically an
audit report).
3.1.2.4 Contract negotiations
Cloud contracts are often standardized. An important aspect
is the regulation of shared responsibilities. Contracts should be reviewed
carefully also when they are presented as “not up for negotiation”. When certain
contractual requirements cannot be included the customer should evaluate if
other risk mitigation techniques can be used.
3.1.2.5 Reliance on third-party audits and attestations
Audit reports could and should be used in security
assessments. The scope of the audit should be considered when used in place of
a direct audit.
3.1.3 Electronic discovery
In US law, discovery is the process by which an opposing
party obtains private documents for use in litigation. Discovery does not have
to be limited to documents known to be admissible as evidence in court from the
outset. Discovery applies to all documents reasonably held to be admissible as evidence
(relevant and probative). See federal rules on civil procedure: https://www.federalrulesofcivilprocedure.org/frcp/title-v-disclosures-and-discovery/rule-26-duty-to-disclose-general-provisions-governing-discovery/.
There have been many examples of litigants having deleted or
lost evidence that caused them to lose the case and be sentenced to pay damages
to the party not causing the data destruction. Because of this it is necessary
that cloud providers and consumers plan for how to identify and extract all relevant
documents relevant to a case.
3.1.3.1 Possession, custody and control
In most US jurisdictions, the obligation to produce relevant
information to court is limited to data within its possession, custody or
control. Using a cloud provider for storage does not remove this obligation.
Some data may not be under the control of the consumer (disaster recovery,
metadata), and such data can be relevant to a litigation. The responsibility of
a cloud provider to provide such data remains unclear, especially in
cross-border/international cases.
Recent cases of interest:
- Norwegian police against Tidal regarding
streaming fraud
- FBI against Microsoft (Ireland Onedrive case)
3.1.3.2 Relevant cloud applications and environment
In some cases, a cloud application or environment itself
could be relevant to resolving a dispute. In such circumstances the artefact is
likely to be outside the control of the client and require a discovery process
to served on the cloud provider directly, where such action is enforceable.
3.1.3.3 Searchability and e-discovery tools
Discovery may not be possible using the same tools as in traditional
IT environments. Cloud providers do sometimes provide search functionality, or
require such access through a negotiated cloud agreement.
3.1.3.4 Preservation
Preservation is the avoidance of destruction of data relevant
to a litigation, or that is likely to be relevant to a litigation in the
future. There are similar laws on this in the US, Europe, Japan, South Korea
and Singapore.
3.1.3.5 Data retention laws and record keeping obligations
Data retention requirements exist for various types of data.
Privacy laws put restrictions on retention. In the case of conflicting requirements
on the same data, this should be resolved through guidance and case law. Storage
requirements should be weighed against SLA requirements and costs when using
cloud storage.
- Scope of preservation: a requesting party
is only entitled to data hosted in the cloud that contains data relevant to the
legal issue at hand. Lack of granular identifiability can lead to a requirement
to over-preserve and over-share data.
- Dynamic and shared storage: the burden of
preserving data in the cloud can be relevant if the client has space to hold it
in place, if the data is static and the people with access is limited. Because
of the elastic nature of cloud environments this is seldom the case in practice
and it may be necessary to work with the cloud provider on a plan for data
preservation.
- Reasonable
integrity: when subject to a discovery process, reasonable steps should be
taken to secure the integrity of data collection (complete, accurate)
- Limits
to accessibility: if a cloud customer cannot access all relevant data in
the cloud. The cloud consumer and provider may have to review the relevance of
the request before taking further steps to acquire the data.
3.1.3.7 Direct access
Outside cloud environments it is not common to give the
requesting party direct access to an IT environment. Direct hardware access in
cloud environments if often not possible or desirable.
3.1.3,8 Native production
Cloud providers often store data in proprietary systems that
the clients do not control. Evidence is typically expected to be delivered in
the form of PDF files, etc. Export from the cloud environment may be the only
option, which may be challenging with respect to the chain of custody.
3.1.3.9 Authentication
Forensic authentication of data admitted into evidence. The
question here is whether the document is what it seems to be. Giving guarantees
on data authenticity can be hard, an a document should not inherently be considered
more or less admissible due to storage in the cloud.
3.1.3.10 Cooperation between provider and client in e-discovery
e-Discovery cooperation should preferably be regulated in
contracts and be taken into account in service level agreements.
3.1.3.11 Response to a subpoena or search warrant
The cloud agreement should include provisions for
notification of a subpoena to the client, and give the client time to try to
fight the order.
3.2 Recommendations
The CSA guidance makes the following recommendations
- Cloud customers should understand relevant legal
and regulatory frameworks, as well as contractual requirements and restrictions
that apply to handling of their data, and the conduct of their operations in
the cloud.
- Cloud providers should clearly disclose
policies, requirements and capabilities, including its terms and conditions
that apply to the services they provide.
- Cloud customers should perform due diligence
prior to cloud vendror selection
- Cloud customers should understand the legal
implications of the location of physical operations and storage of the cloud
provider
- Cloud customers should select reasonable
locations for data storage to make sure they comply with their own legal requirements
- Cloud customers should evaluate and take e-discovery
requests into account
- Cloud customers should understand that click-through
legal agreements to use a cloud service do not negate requirements for a
provider to perform due diligence