Legal Cloud Central : Cloud Computing & Technology Attorneys & Lawyers : K&L Gates Law Firm

 By Marty Stern

The recent rise in frequency and sophistication of cyber attacks underscores the reality that nearly every company faces some sort of risk. Data security breaches and distributed denial-of-service (DDoS) attacks, among others, can target every industry from financial markets to social media. News headlines have highlighted attacks and breaches involving Sony, Citi, the New York Times, and LivingSocial, among others. These attacks create increasing prevention, regulatory, insurance, and recovery costs, suggesting that companies need to be aware of these risks and implement policies and procedures to protect their infrastructure, data, intellectual property, and other assets in efforts to mitigate and avoid exposure.

A K&L Gates presentation entitled “What Your Company Needs to Know about Cybersecurity,” recently focused on these issues and a series of cybersecurity best practices, featuring K&L Gates partners Roberta Anderson, David Bateman, and Bruce Heiman. The program provided an introduction to managing Advanced Persistent Threats on data and infrastructure, understanding the legal and regulatory developments surrounding cybersecurity, dealing with agency and class-action litigation risks, as well mitigating loss through insurance coverage relating to cyber risks. Noting that no single approach provides a silver bullet, the panel discussed a comprehensive strategy, focusing on prevention and deterrence, pursuit of perpetrators, response to attacks, avoidance of legal/regulatory liability, and loss mitigation.

An audio archive of the webcast is available here (free registration required; password “klgates”). To download the presentation slides, click here. For the additional presentation materials, click here. 

• Email This
• Print
• Comments
• Trackbacks

K&L Gates lawyers Nickolas Milonas, Marc Martin, and Paul Stimers have posted an article at TMT Law Watch covering the recent Cyberspace Executive Order signed by President Obama.  "Cybersecurity Executive Order Aims to Increase Information Sharing and Strengthen Defenses" addresses  the contents of the order as well as the reception by industry groups, privacy groups and legislators.  A key part of the Executive Order is the requirement that NIST develop cybersecurity best practices within the next eight months:   

 

The order also directs the Commerce Department’s National Institute of Standards and Technology (NIST) to work with companies that operate critical infrastructure components in developing a set of cybersecurity best practices within 240 days of the order. The order requires that NIST’s framework be “technology neutral” and focused on “cross-sector security standards and guidelines applicable to critical infrastructure.” As part of this process, federal agencies will need to review their existing cybersecurity regulations, in consultation with the industries they regulate, to determine if existing measures are consistent with NIST’s new standards.

 

These best practices will certainly filter down to cloud providers and could eventually be viewed as the minimum industry standard security practices for the cloud industry.  For this reason, cloud providers and cloud customers should pay special attention as they develop.

You can read the full article here.

• Email This
• Print
• Comments
• Trackbacks

A recent Symantec survey shows some troubling issues in cloud usage among businesses, including "rogue clouds" and how using them them might expose a company's confidential information.

• Email This
• Print
• Comments
• Trackbacks

By: Dr. Friederike Gräfin von Brühl

In an effort to ease concerns regarding security of personal information, some European companies and cloud providers are pushing for a “German Cloud” where customer’s data is held in data centers located only in Germany. This would not only help companies comply with Germany’s strict data protection requirements, but would also keep cloud data out of the reach of other governments, including requests by the US government under the US Patriot Act.

• Email This
• Print
• Comments
• Trackbacks

The Cloud Security Alliance (CSA), a non-profit coalition of industry practitioners, corporations, associations and other key stakeholders, today announced the CSA Open Certification Framework, an initiative aimed at allowing global, trusted certification of cloud service providers.  The CSA's goal is to increase trust and confidence in cloud security by providing for a level of security certification or attestation for cloud service providers similar to the SAS 70 / SSAE 16 standard in the public accounting industry.

• Email This
• Print
• Comments
• Trackbacks

The European Network and Information Security Agency (ENISA) is a center of network and information security expertise for the EU, its member states, the private sector and Europe's citizens that works to develop advice and recommendations on good practice in information security.  On April 2, 2012, ENISA published a guide to monitoring of security service levels in cloud contracts, in which ENISA sets forth a number of service levels that can be used to provide a monitoring framework for cloud customers. The main focus of the guide is on the public sector; however, much of the guide is also applicable to the private sector. 

• Email This
• Print
• Comments
• Trackbacks

By: Susan Altman

With limited exceptions, lawyers across America have an ethical duty to not reveal confidential information relating to the representation of a client unless the client consents, a duty to act with appropriate diligence, and a duty to take appropriate steps to safeguard the client’s property. How these duties translate into practical advice for lawyers using cloud computing is the source of much discussion by state bar associations. 

• Email This
• Print
• Comments (1)
• Trackbacks

By: Juliana W. Chen

The Cloud Security Alliance (CSA), a non-profit organization that comprises various cloud computing stakeholders, recently announced that several cloud vendors intend to submit reports to the CSA Security, Trust, and Assurance Registry (STAR). What is the CSA STAR, and why have Google, Verizon, Intel, McAfee, and Microsoft agreed to submit reports to it?

• Email This
• Print
• Comments
• Trackbacks

The National Institute of Standards and Technology ("NIST"), whose definition of cloud computing has been widely referenced and recognized, has a long-term goal of providing leadership and guidance around cloud computing to effectuate its use in industry and government.  NIST also was designated by the Federal CIO to help accelerate the U.S. government's secure adoption of cloud computing as part of FedRAMP.  To further that effort, NIST recently released a cloud computing reference architecture in which NIST sets forth the components and offerings of cloud computing, as well as a cloud computing standards roadmap in which NIST identified current standards, standards gaps, and standardization priorities.  

• Email This
• Print
• Comments
• Trackbacks

For those of you in Dallas, Texas, I'll be on a panel this Thursday, August 25th at the Dallas Technology Summit discussing "Security in an Era of Cloud Computing" .  The free event is from 3:00 - 5:00 p.m. at the Hilton Lakes in Grapevine, Texas.  If you're a tennis fan, there will be complimentary tickets to the WTA Texas Open at the same venue immediately after the discussion. 

• Email This
• Print
• Comments
• Trackbacks

Yesterday the TechAmerica Foundation released a report from the Commission on the Leadership Opportunity in U.S. Deployment of the Cloud ("Cloud2") titled "Cloud First, Cloud Fast: Recommendations for Innovation, Leadership and Job Creation." The Commission, which consists of 71 companies and organizations primarily from industry, developed the report at the encouragement of the Federal Chief Information Officer and the U.S. Department of Commerce.  The Commission was tasked with developing recommendations for accelerating adoption of cloud technologies and to identify public policies that will help foster U.S. innovation, leadership, and economic growth in cloud computing. 

The report delivers detailed guidance through 14 recommendations that are categorized into four themes: Trust, Transnational Data Flows, Transparency, and Transformation.  Of particular interest to those who draft, structure and negotiate cloud computing contracts are the following five recommendations of the Commission. 

• Email This
• Print
• Comments
• Trackbacks

Over the past several years, if a company performed outsourced services (including cloud computing services) that affected the financial statements of another company, the service provider often was required under its customer contract to provide a SAS 70 report.  Indeed, I received a contract last week that contained a provision requiring my client to conduct an annual SAS 70 Type II audit.  The problem is, while SAS 70 has had a nice run, it was replaced in the United States effective June 15, 2011 by Statement on Standards for Attestation Engagements No. 16 ("SSAE 16").  It's time to update those form contracts, because SAS 70 is no longer relevant.

• Email This
• Print
• Comments
• Trackbacks

Ask any customers considering cloud computing services to identify their primary concern, odds are that security will be somewhere near the top of the list.  That concern is leading some in the industry to contemplate an expanding role of the IT security professional from developing and implementing corporate security policies to becoming more heavily involved in cloud computing contract negotiations and service level enforcement.   In my experience, however, that is only part of the expanding role of IT security professionals. 

• Email This
• Print
• Comments
• Trackbacks

Das BSI veröffentlicht Eckpunktepapier zu Sicherheitsempfehlungen für Cloud Computing Anbieter

By: Dr. Tobias Bosch

[Note: English translation appears below]

Das Bundesamt für Sicherheit in der Informationstechnik (BSI) veröffentlichte Mitte Mai 2011 die finale Fassung seines Eckpunktepapiers zu Sicherheitsempfehlungen für Cloud Computing Anbieter (Cloud Service Provider, CSP). Das Papier entstand auf Grundlage des im September 2010 vom BSI vorgestellten Entwurfs hierzu und seiner Kommentierung durch Anbieter, Anwender, Verbände und sonstige Marktteilnehmer. Die Empfehlungen des BSI sind rechtlich zwar nicht bindend, gleichwohl soll das Eckpunktepapier eine Grundlage zum Austausch zwischen CSPs und Cloud-Anwendern bieten und als Richtschnur zur Absicherung von Cloud-Services genutzt werden.

• Email This
• Print
• Comments
• Trackbacks

Because cloud computing involves outsourcing an application, infrastructure or function to a third party, cloud computing relationships inherently involve risk.  Examples of these risks include:

• the third party platform will fail or be severely degraded,
• the third party will hold data hostage,
• the third party will use customer data without permission,
• the third party systems will be susceptible to attacks or hackers, and
• the third party will "go dark" and data will vanish.

While cloud users can never be immune from these risks, they can mitigate their risks by conducting due diligence on the cloud provider and ensuring that cloud contracts allow for ongoing reviews and audits.

• Email This
• Print
• Comments
• Trackbacks

In an effort to protect confidential company information from snooping border and customs agents, more companies appear to be issuing "snoop-proof" laptops, iPads and cell phones to personnel traveling outside the United States.  These devices have minimal software and are configured to work primarily with cloud-based applications and storage approved by the company.  

• Email This
• Print
• Comments
• Trackbacks

One of the most heavily negotiated provisions of a cloud computing contract is the provision dealing with physical and data security. Several years ago, the typical Application Service Provider (ASP) agreement required the service provider to comply with “industry standard security practices” while performing the services. Customers and service providers soon realized the “industry” didn’t have a defined set of security standards.

• Email This
• Print
• Comments
• Trackbacks