Security in the Cloud - International Association of ...

9/16/2013

The U.S. National Institute of Standards and Technology (NIST) defines cloud computing as: “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Three ways to look at a Cloud arrangement:

• Business Model
• Operational Model
• Architectural Model

Cloud Computing vs. Bespoke IT Outsourcing Arrangement

Business Model
  Cloud Computing:
  • Scale – large and diverse customer base with smaller revenue streams per transaction
  • Operating control is critical due to cost pressures
  Bespoke IT Outsourcing:
  • Size of the deal – large multi-million or multi-billion dollar and multi-year deals
  • Individualized deal allows the flexibility to transfer costs back to individual customers

Operating Model
  Cloud Computing:
  • Economies of scale require consistency in processes and operations
  • Shared “multi-tenant” platform serves potentially millions of customers
  • Less flexibility to develop customized features or operating requirements
  Bespoke IT Outsourcing:
  • Bespoke nature of the deal allows outsourcers to customize each arrangement
  • Platform built to accommodate individual customer needs, with the customer directing the arrangement
  • Features and operations can be developed to address individual customer needs

Costs
  Cloud Computing:
  • Shared platform and operations allow operating costs to be distributed across a large base of customers, leading to lower costs due to economies of scale
  Bespoke IT Outsourcing:
  • Higher costs due to the bespoke nature of the deal
  • Customer directly finances the cost of the outsourcing arrangement

Cloud computing may offer a less flexible contracting process.

Most Cloud vendors offer standard contractual terms because of the scale, multi-tenant design, and turnkey nature of Cloud. The same shared platform serves every customer, so a vendor generally cannot honor a one-off term without changing what it operates for everyone.

In-house counsel should be careful when a Cloud vendor is too quick to agree to change its standard terms.

Contracting and Compliance Issues

• Data processing agreements
• Defined terms
• New feature development
• Terms and conditions
• Service level agreements
• Examination rights
• Limitation of liability
• Certifications: ISO 27001, SSAE 16, etc.

Data location – Cloud data center infrastructure

• EU data transfer requirements
  – Safe Harbor
  – EU Model Clauses
• Applicable law and jurisdictions

Who owns the data? What is the vendor’s business model?

• Data use limited to providing Cloud services to the customer
• Detailed security and privacy commitments
• Data portability

Sophisticated Cloud vendors perform rigorous analysis to ensure compliance with generally applicable laws:

• EU law (and Model Clauses)
• HIPAA
• FERPA
• Breach notification

The customer is ultimately responsible for compliance with laws and regulations.

Cloud vendors should help customers understand how to comply with major regulations, even if those regulations do not apply directly to the Cloud vendor.

Jeffrey D. Bridges, esq.

Associate Director, Information Governance

Boehringer Ingelheim Pharmaceuticals, Inc.

Introduction

Learning Points:

• Ways to protect intellectual data
• Holding service providers accountable
• Strategies in choosing a secure cloud service provider
• Managing content stored with a cloud provider

Thought

“No security system is a match for a careless employee.”

-- Stieg Larsson, The Girl Who Played With Fire (2nd of The Girl with the Dragon Tattoo series)

How Our World Appears:

• A data breach costs $194 per compromised record (2011 Ponemon Cost of Data Breach Study).
• Breach costs for custodians of health care records continue to grow.
• Law firms are increasingly targeted as a way to get at client information.
• As much as 47% of business data is stored in the Cloud.

Let’s Start The Discussion

Some questions to get folks talking:

• How many have content on the cloud?
• Vendor-hosted apps?
• Third-party review?
• How many assess risk in the environment?
• How do you assess risk?

What’s the harm in storing content offsite?

• Breach of non-public personal information
• Breach of corporate “Confidential” or “Proprietary” content
• Mining for business intelligence and competitive advantage

Who Should You Assess?

What environment needs assessment?

• Is the vendor storing your information?
• Is the vendor storing information on your behalf?
• Is the vendor accessing or receiving your information?
• Is the vendor soliciting information on your behalf?

What is the nature of the information being gathered?

• Personal Information
• Confidential or Proprietary
• Other Internal Use

What Do You Assess?

What are some questions?

• Any security certifications? SAS 70 (superseded in 2011 by SSAE 16, so ask for a current SOC report rather than an old SAS 70 letter)
• Password requirements
• Access controls
• Pen tests
• Is content logically separated from other customers?
• What is the physical environment of the server?
• Server location
Assess Legal and RIM

• Who owns content?
• EU Safe Harbor certified?
• Records Management Policy
• Metadata retained
• Audit trails
• Apply retention
• Preserve content

Contract Considerations

• Notice of breach – within 48-72 hours of discovery
• Liability for breach
• Notice if the vendor is outsourcing content or work – triggers a new assessment
• Ownership of content
• Treatment of content at the end of the relationship

Other Considerations

Verify the financial capabilities of the vendor:

• Security/integrity issue – may not be overwhelming, but…
• What happens if the provider goes bankrupt?
• Does the vendor have the liquidity to remain current with technology threats?

Other Considerations

• Who owns the vendor?
• Are folders logically separated from competitors’?
• What is the underlying service, and what records are created?
  – PHI? PII?
  – Call center?
  – Marketing content creation?
• On-site inspection? Evaluate workstations
• Is your content visible to a competitor’s workers?
“Trust, but verify.” -- Ronald Reagan

Questions?