Communications Briefing: Navigating the clouds Sam Parr and Ian Walden Wednesday 21 October 2009, 12.00 – 2.00 pm


©2009 Baker & McKenzie

Data security considerations

– “In the good old days, the bad guys needed to steal your laptop to get access to your secrets. Now they just need a username and password.”

– For users, data security is paramount operationally (eg business requirements, competitive advantage) and legally (eg contractual obligations, regulatory obligations)

– Increased impact of supplier failure/insolvency. Users less likely to have back up.

– As if to make the point.... 13 October 2009: Sidekick data security failure.


Data security solutions

– No easy answer

– Users may wish to consider using encryption technologies?

– Who controls the encryption?

– Contractual protections

– Audit rights

– Penetration testing

– Key point for users: Think about what you are putting into the cloud. Contractual protections are not a substitute for a proper risk assessment.


Availability

– The cloud suffers outages just like everyone else:

– January 2009: Salesforce 1 hour outage – 1m subs affected

– 5 October 2009: Bitbucket / Amazon Elastic Compute Cloud (EC2) 14 hour outage

– Bitbucket/Amazon was a network failure, not a server failure.

– Inherent weakness in using internet to deliver services?

– Reliability of telco providers v Internet providers


Availability / Service Levels

– Story so far: standard products, standard SLA, low business criticality, little/no negotiation

– Not appropriate for business critical services/functions?

– The future for the cloud is more critical services, but...

– Dangerous to offer meaningful SLA, as do not have end-to-end control

– Users will need to be educated

– Will “usual” service credits be acceptable to either party?


Privacy and Data Protection

– Data Protection Directive (95/46/EC)

– Communications Privacy Directive (02/58/EC)

– Regulation of Investigatory Powers Act 2000

– Privacy and Electronic Communications Regulations 2003

– Privacy relationships

– Confidential information

– Controller – processor

– Terms & conditions of supply

– Swift case

– State

– i.e. law enforcement requirements


Data transfers

– Exporting data outside the EEA

– i.e. Knowing where(ish) your data is located!

– e.g. Amazon Web Services

– ‘adequate level of protection’

– Art. 25 (compliance) or 26 (derogations) route?

– Security measures

– e.g. encryption

– Sufficient?

– Model contracts


Data retention

– Documents (things written) & records (events)

– e.g. memos and meta-data

– Why retain?

– Organisation need & regulatory requirements

– Obligations and risks

– Revenue, disclosure, data protection & limitation

– Public procurement rules & FOIA

– Solving the multi-jurisdictional problem

– One-size-doesn’t fit!


Data retention

– Communications data

– Directive 06/24/EC

– From 6-24 months

– Home Office notification & negotiated arrangements

– Regulated activity?

– ‘Electronic communications services’ & ‘information society services’

– Distinguishing services

– Jurisdictional reach?

– e.g. UK: “data are generated or processed in the United Kingdom”


Law enforcement

– Public & private law enforcement

– Serving civil & criminal orders

– e.g. Twitter

– Access

– Searching remote data

– Council of Europe Cybercrime Convention, art. 32

– “lawful and voluntary consent”

– Failure to comply

– Specific performance, fines & imprisonment

– CSR and publicity concerns


Sam Parr and Ian Walden

Baker & McKenzie LLP is a limited liability partnership registered in England and Wales with registered number OC311297. A list of members' names is open to inspection at its registered office and principal place of business, 100 New Bridge Street, London, EC4V 6JA. Baker & McKenzie LLP is a member of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the terminology commonly used in professional service organisations, reference to a "partner" means a person who is a member, partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.

Baker & McKenzie LLP is regulated by the Solicitors Regulation Authority of England and Wales. Further information regarding the regulatory position is available at http://www.bakernet.com/London/Regulation.