Post on 18-Dec-2015
Communications Briefing:
Navigating the clouds
Sam Parr and Ian Walden
Wednesday 21 October 2009, 12.00 – 2.00 pm
©2009 Baker & McKenzie 2
Data security considerations
– “In the good old days, the bad guys needed to steal your laptop to get access to your secrets. Now they just need a username and password.”
– For users, data security is paramount operationally (eg business requirements, competitive advantage) and legally (eg contractual obligations, regulatory obligations)
– Increased impact of supplier failure/insolvency. Users less likely to have back up.
– As if to make the point.... 13 October 2009: Sidekick data security failure.
Data security solutions
– No easy answer
– Users may wish to consider using encryption technologies?
– Who controls the encryption?
– Contractual protections
– Audit rights
– Penetration testing
– Key point for users: Think about what you are putting into the cloud. Contractual protections are not a substitute for a proper risk assessment.
Availability
– The cloud suffers outages just like everyone else:
– January 2009: Salesforce 1 hour outage – 1m subs affected
– 5 October 2009: Bitbucket / Amazon Elastic Compute Cloud (EC2) 14 hour outage
– Bitbucket/Amazon was a network failure, not a server failure.
– Inherent weakness in using internet to deliver services?
– Reliability of telco providers v Internet providers
Availability / Service Levels
– Story so far: standard products, standard SLA, low business criticality, little/no negotiation
– Not appropriate for business critical services/functions?
– The future for the cloud is more critical services, but...
– Dangerous to offer meaningful SLA, as do not have end-to-end control
– Users will need to be educated
– Will “usual” service credits be acceptable to either party?
Privacy and Data Protection
– Data Protection Directive (95/46/EC)
– Communications Privacy Directive (02/58/EC)
– Regulation of Investigatory Powers Act 2000
– Privacy and Electronic Communications Regulations 2003
– Privacy relationships
– Confidential information
– Controller – processor
– Terms & conditions of supply
– Swift case
– State
– i.e. law enforcement requirements
Data transfers
– Exporting data outside the EEA
– i.e. Knowing where(ish) your data is located!
– e.g. Amazon Web Services
– ‘adequate level of protection’
– Art. 25 (compliance) or 26 (derogations) route?
– Security measures
– e.g. encryption
– Sufficient?
– Model contracts
Data retention
– Documents (things written) & records (events)
– e.g. memos and meta-data
– Why retain?
– Organisation need & regulatory requirements
– Obligations and risks
– Revenue, disclosure, data protection & limitation
– Public procurement rules & FOIA
– Solving the multi-jurisdictional problem
– One-size-doesn’t fit!
Data retention
– Communications data
– Directive 06/24/EC
– From 6-24 months
– Home Office notification & negotiated arrangements
– Regulated activity?
– ‘Electronic communications services’ & ‘information society services’
– Distinguishing services
– Jurisdictional reach?
– e.g. UK: “data are generated or processed in the United Kingdom”
Law enforcement
– Public & private law enforcement
– Serving civil & criminal orders
– e.g. Twitter
– Access
– Searching remote data
– Council of Europe Cybercrime Convention, art. 32
– “lawful and voluntary consent”
– Failure to comply
– Specific performance, fines & imprisonment
– CSR and publicity concerns
Baker & McKenzie LLP is a limited liability partnership registered in England and Wales with registered number OC311297. A list of members' names is open to inspection at its registered office and principal place of business, 100 New Bridge Street, London, EC4V 6JA. Baker & McKenzie LLP is a member of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the terminology commonly used in professional service organisations, reference to a "partner" means a person who is a member, partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.
Baker & McKenzie LLP is regulated by the Solicitors Regulation Authority of England and Wales. Further information regarding the regulatory position is available at http://www.bakernet.com/London/Regulation.