CHAPTER 3

Legal Issues, Contracts, and Electronic Discovery

This chapter covers the following topics from Domain 3 of the CSA Guidance:

•   Legal Frameworks Governing Data Protection and Privacy

•   Cross-Border Data Transfer

•   Regional Considerations

•   Contracts and Provider Selection

•   Due Diligence

•   Third-Party Audits and Attestations

•   Electronic Discovery

•   Data Custody

•   Data Preservation

•   Data Collection

•   Response to Subpoenas or Search Warrants

The power of the lawyer is in the uncertainty of the law.

—Jeremy Bentham

This quote by Mr. Bentham perfectly sums up the legal issues surrounding cloud computing. The legal aspect of the cloud is a two-pronged issue for your firm. On one hand, governments can take years to create laws that always seem to play catch-up with technology. On the other hand, and more importantly from a CCSK exam perspective, all jurisdictions move at different speeds, and quite often laws in one country can be markedly different from laws in other jurisdictions.

This chapter covers primary legal issues raised by moving data to the cloud, dealing with contracts with cloud service providers (CSPs), and electronic discovery. Be forewarned that you will not be a legal expert after reading this chapter. The goal of this chapter is to deliver an understanding as to the importance of having your company’s legal counsel involved in procuring cloud services, especially when dealing with cloud providers (or even customers) across multiple jurisdictions. In addition, be aware that laws and regulations change frequently, so you should verify the relevancy of information contained in this domain before relying on it. This domain focuses on the legal implications of public and third-party–hosted private clouds. A private cloud owned and operated by a company is more of a technical issue than a legal one, as an on-premises private cloud is really just the automation and orchestration of corporately owned and managed computing assets.

Legal Frameworks Governing Data Protection and Privacy

Many countries have their own legal frameworks requiring appropriate safeguards to protect the privacy of personal data and the security of information and computer systems. In the European Union, for example, most of these privacy laws have been around since the late 1960s and 1970s. These were ultimately the basis for the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines, which were adopted in 1980. This then fed the formation of the Data Protection Directive, aka Directive 95/46/EC, which was later superseded by the General Data Protection Regulation (GDPR, covered later in this chapter). The main point is this: These privacy laws aren’t new. They have been built over years and are only now being rigorously enforced.

EXAM TIP    You don’t need to do a deep dive into the various EU standards, the differences between them, and release dates for the CCSK exam. They’re highlighted in this introduction because GDPR is a huge deal these days.

From a legal perspective, three entities are involved when cloud services are consumed (shown in Figure 3-1), and each has different legal requirements.

Figure 3-1   Legal entities involved with storing end-user data in cloud

EXAM TIP    Of the three models, you should get your head around the role of the controller/custodian and remember that jurisdiction is very important to determine applicable laws.

•   Provider/Processor This one is straightforward. This is the cloud service provider. The provider must operate in accordance with the laws in the jurisdictions in which they operate.

•   Custodian/Controller This is the entity that holds end-user data. The naming of this role is dependent on the location you’re in. In the United States, it’s called the “data custodian”; in Europe, it’s called the “data controller.” Either way, this entity is legally accountable for properly securing end-user data. As an example of a data custodian/controller, if your company uses an Infrastructure as a Service (IaaS) provider to store your customer data, you are the data custodian/controller of that end-user data. The custodian/controller must operate in accordance with the laws of the jurisdiction in which the company operates.

•   End User/Data Subject This entity (such as you and me) has their data held by a controller/custodian.

NOTE    Although I am using both the European and North American terms (such as custodian/controller), there are fine distinctions between the two types. I present them this way out of simplicity to help you understand the roles without diving into the legal minutiae across jurisdictions.

These privacy laws define numerous obligations, such as confidentiality and security obligations that a custodian/controller and provider/processor must abide by. The data custodian/controller is prohibited from collecting and processing personal data unless certain criteria are met. For example, the data custodian/controller is limited to what the end user has consented to regarding the collection and proposed uses of the end user’s data, according to the consent agreement. When using a data processor (such as a CSP) to process data on its behalf, a data custodian/controller remains responsible (accountable by law) for the collection and processing of that data. As the data custodian/controller, you are required to ensure that your provider/processor takes adequate technical and organizational security measures to safeguard the data. This, of course, requires that you perform proper due diligence with regard to the provider.

CAUTION    The legal requirement on the data custodian/controller is no joke. Being labelled the data custodian has very real legal ramifications. If your company holds end-user data and is found to be negligent in privacy or security as required by laws (or even prudent practice) in your company’s jurisdiction, your company is open to being sued.

Despite common themes among countries on all continents, each has developed data protection regimes that may conflict with another’s regime. As a result, cloud providers and cloud users operating in multiple regions struggle to meet compliance requirements. In many cases, the laws of different countries may apply according to the following criteria:

•   The location of the cloud provider

•   The location of the data custodian/controller

•   The location of the end user

•   The location of the servers

•   The legal jurisdiction of the contract between parties, which may be different from the locations of any of the parties involved

•   Any treaties or other legal frameworks between those various locations

TIP    If your company has global operations, you can expect to run into conflicting legal requirements. This conflict constitutes a legal risk, which should be treated seriously or formally accepted.

Now do you see why the CSA Guidance covers the legal aspects of cloud services? Figuring out all these issues and how they interact on a global scale must be done by your company’s legal counsel, but as a CCSK holder, you’ll need to know when to call legal in. After all, only legal counsel has any authority to advise executives on the legal risks involved with anything your company does, right? The bottom line is this: the location where an entity operates is critical knowledge that plays an important role in determining due diligence requirements and legal obligations. Figure 3-2 shows the various legal issues that exist in every jurisdiction around the world.

Figure 3-2   Legal aspects involved with the use of cloud services. (Used with permission from CSA.)

Required Security Measures

Many countries have adopted privacy laws that are either omnibus (covering all categories of personal data) or sectoral (covering specific categories of personal data). These laws often require that appropriate security measures be in place to ensure that privacy-related data is properly protected. These security measures may require companies to adopt technical, physical, and administrative measures. Such measures can of course protect more than just personal information; they will likely be leveraged to protect other sensitive data sets as well, such as financial data and trade secrets.

Treaties

A treaty is an agreement between two political authorities. There are two treaties worthy of discussion to help you prepare for the CCSK exam. You may have heard of the International Safe Harbor Privacy Principles, otherwise known as the Safe Harbor agreement, between the United States and the European Union. This treaty basically allowed companies to commit voluntarily to protecting EU citizens’ data stored in the United States the same way that it would protect the data if it were held in the European Union. This agreement was terminated in 2015, however, and was replaced shortly afterward with a new agreement, the EU-US Privacy Shield. Privacy Shield operates in much the same way as Safe Harbor, in that Privacy Shield allows for personal data transfer and storage between the European Union and the United States. Companies self-certify as having appropriate privacy measures in place, and Privacy Shield serves as a data transfer mechanism under the EU GDPR.

NOTE    I will address GDPR highlights later in this chapter.

Restrictions to Cross-Border Data Transfers

Unless a treaty such as the Privacy Shield is in place to establish an adequate level of protection, many countries prohibit data from being stored outside their borders. Even without a treaty, it is still possible to store data in a foreign country, although a more complex solution is required. In this scenario, the data importer and exporter may sign a contract ensuring privacy rights for end users. The complexity arises because some cases require prior permission from a data protection commissioner before data can be transferred into or out of the country.

In the CSA Guidance, two examples are cited as countries that prohibit data from being exported—Russia and China. These countries’ data localization laws require that data pertaining to individuals residing in their countries be stored within the individual’s home country. Make no mistake; there are other countries and even Canadian provinces that have the same laws, but the CSA Guidance addresses only these two countries (which are covered more in depth later in this chapter).

CLOUD Act

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was introduced in the United States in 2018. Its purpose is to resolve some legal issues surrounding the US government’s ability to issue subpoenas or warrants to access client data stored by an American provider, regardless of where that data is physically stored.

A great example of the importance of the CLOUD Act is a court case between Microsoft and the US Department of Justice (DOJ). The DOJ wanted access to data stored in an Irish data center. Microsoft defended its client (which a CSP should always do!) by refusing DOJ access because the data itself was held outside of the United States. A court battle ensued and went all the way to the Supreme Court. During this time, the CLOUD Act was passed, and the Supreme Court declared the case moot, since the CLOUD Act gave the DOJ access to the data on the basis that Microsoft is an American company.

TIP    A CSP should always defend clients from over-reaching access requests by any authorities. Customers should look for this language in contracts.

Regional Examples

As mentioned earlier in this chapter, many countries around the world have their own laws that address privacy and security requirements. We will be addressing some examples from the CSA Guidance as part of this section.

NOTE    The language of the laws themselves adds to the complexity of dealing with these laws across jurisdictions. In multiple cases, jurisdictions (such as Japan or Germany) release English versions of their laws, but only the local-language version of the legal text is considered authoritative, and there are no guarantees as to the accuracy of the offered translation.

Asia Pacific Region

(Used with permission from CSA.)

The Asia Pacific region covered in the CSA Guidance consists of Australia, China, Japan, and Russia.

Australia

In Australia, the Privacy Act of 1988 (Privacy Act) and the Australian Consumer Law (ACL) of 2010 serve to protect end users. The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to all private-sector and not-for-profit organizations with revenues greater than AUD $3 million, all private health service providers, and some small businesses. The Privacy Act can apply to (protect) any Australian customer even if the CSP is based outside of Australia and even if other laws are stated in a contract.

Australia amended its 1988 Privacy Act in February 2017 to require companies to notify affected Australian residents and the Australian Information Commissioner in the event of a security breach. A breach of security must be reported under two conditions: if there is unauthorized access or disclosure of personal information that would be likely to result in serious harm, or if personal information is lost in circumstances where unauthorized access or disclosure is likely to occur—and if it did occur, it would be likely to result in serious harm to any of the individuals to whom the information relates.

NOTE    Australia is not alone in requiring that lost data be reported only when it is deemed likely to result in serious harm. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) includes the same type of clause. As in Australia, it is up to the entity that lost the data to determine whether or not there is a serious risk of harm as a result of the loss.

China

Over the past few years, China has implemented legal structures to address the privacy and security of personal and company information. Its 2017 Cyber Security Law (2018 updates are covered later) governs the operations of network operators and critical information infrastructure operators. The 2017 law requires these operators to implement a series of security requirements, including the design and adoption of information security measures; the formulation of cybersecurity emergency response plans; and assistance and support to investigative authorities, where necessary, for protecting national security and investigating crimes. The law requires providers of network products and services to inform users about known security defects and bugs and to report such defects and bugs to relevant authorities.

In addition, the law includes a data localization provision, which requires that personal information and other important data be stored within the territories of the People’s Republic of China. (What constitutes “important data” in the 2017 Cyber Security Law is extremely vague and subject to great debate in the legal community.)

The 2018 update of the Cyber Security Law gave more power to China’s Ministry of Public Security (MSP). Additional powers effectively allow the MSP to perform penetration testing of systems (on-site or remote), check for prohibited content, and copy any user information and share any information with other state agencies. In the event of an on-site visit, two members of the People’s Armed Police are allowed to be present to ensure that procedures are followed.

EXAM TIP    The 2018 update to this law is not covered as part of the CSA Guidance and therefore not likely to be part of the CCSK exam. However, from a real-life perspective, if you operate outside of the Chinese market but want to do business in China, it is highly advisable that you discuss both localization and governmental access to data stored in China with your legal counsel.

Japan

Like many countries, Japan’s Act on the Protection of Personal Information (APPI) requires the private sector to protect personal information and data securely. There are several other national laws, such as the Law on the Protection of Personal Information Held by Administrative Organs (not a typo), as well as sector-specific laws, such as those for the healthcare industry, which require registered health professionals to maintain the confidentiality of patient information.

Japan also limits the ability to transfer personal data to third parties (such as cloud providers). The prior consent of the data subject is required in order to transfer data to a third party. This consent is not required if the country of destination has an established framework for the protection of personal information that meets the standard specified by the Personal Information Protection Commission. Such a framework between Japan and the EU was ratified in 2018, around the same time the GDPR came into effect.

Russia

The Russian data protection laws state that citizen data must be localized. In other words, like China, Russian citizen data must be stored within Russia. Roskomnadzor, the Russian Data Protection regulator, is responsible for enforcement of the law and has already blocked access to multiple web sites based on the fact that they may store Russian citizen data but do not do so within Russia. Essentially, if you see that a web site isn’t available in Russia, it’s because the web site owners don’t operate and store such data within Russia.

NOTE    Multiple web sites track companies that are blocked in Russia and/or China as a result of their localization laws.

(Used with permission from CSA.)

European Union and European Economic Area

The EU adopted the GDPR in 2016 (it became enforceable in May 2018); it is binding on all EU member states, as well as members of the European Economic Area (EEA). It replaced Directive 95/46/EC on the Protection of Personal Data, which had been the legal basis of data protection laws of all EU and EEA member states.

NOTE    The EEA consists of the EU countries plus Iceland, Liechtenstein, and Norway.

Another document you should know about that governs protection of personal data in the EU/EEA is Directive 2002/58/EC on Privacy and Electronic Communications. This directive is being phased out and is expected to be replaced with the new E-Privacy Regulation, but this new regulation has been delayed for years, and these delays are likely to continue for the foreseeable future.

Of course, privacy isn’t possible to implement without some form of security. The Network Information Security Directive (NIS Directive) addresses these security requirements. Adopted alongside the GDPR in 2016, the NIS Directive was implemented in May 2018. This saw EU/EEA member states implementing new information security laws for the protection of critical infrastructure and essential services. The next two sections address both GDPR and the NIS Directive.

General Data Protection Regulation

The GDPR applies to any legal entity engaged in economic activity (both organizations and individuals) that processes data associated with EU citizens, and it will be adjudicated (a legal term for making an official decision) by the data supervisory authorities or the courts of the member states that have the closest relationship with the individuals or the entities on both sides of the dispute. The following list covers the GDPR’s basic points:

•   Applicability The GDPR applies to the processing of personal data in the context of the activities of a controller or processor in the EU/EEA, regardless of whether or not the processing takes place in the EU/EEA. It also applies to the processing of personal data of data subjects who are in the EU/EEA by a controller or a processor not established in the EU/EEA if the processing relates to the offering of goods or services (paid or not) or the monitoring of the behavior of a data subject when the behavior takes place within the EU/EEA.

•   Lawfulness Processing personal data is permitted only if the data subject has freely given specific, informed, and unambiguous consent to the processing of their personal data, or the processing is authorized by a statutory provision.

•   Accountability obligations The GDPR has created numerous obligations for companies, including requiring that companies retain records of their processing activities. A data protection impact assessment must always be conducted when the processing could “result in a high risk to the rights and freedoms of natural persons.” Companies are expected to develop and operate their products and services in accordance with “privacy by design” and “privacy by default” principles.

•   Data subjects’ rights Data subjects have rights regarding the processing of their data. The big ones are the right to object to use of their personal data, the right to be forgotten, and the right to have corrections made to their data.

•   Cross-border data transfer restrictions Personal data cannot be transferred outside the EU/EEA to a processor or custodian/controller located in a country that does not offer similar protection of personal data and privacy rights. A company can prove that it will be offering the “adequate level of protection” required by executing Standard Contractual Clauses (SCCs), signing up to the EU-US Privacy Shield, obtaining certification of Binding Corporate Rules (BCRs), or complying with an approved industry code of conduct or approved certification mechanism. In rare cases, the transfer may be allowed with the explicit, informed consent of the data subject, or if other exceptions apply.

•   Breaches of security The GDPR requires that data controllers report security breaches within 72 hours of detection. The reporting requirements are risk-based, and there are different requirements for reporting the breach to the Supervisory Authority and to the affected data subjects.

•   Discrepancies among member states The GDPR allows member states to implement additional requirements above and beyond the GDPR baseline. For example, Germany (one of the leading countries when it comes to privacy regulations prior to GDPR) requires that a data protection officer be appointed if the company has more than nine employees.

•   Sanctions Violations of the GDPR expose a company to significant sanctions. These sanctions may reach up to 4 percent of the company’s global gross income, or up to EUR 20 million, whichever is greater.

NOTE    To touch on enforcement of GDPR fines and sanctions, consider that it took the German government five days after the GDPR came into effect to use the GDPR in a decision (ICANN vs. EPAG, over the collection of WHOIS data). Then, in July 2019, the UK Independent Commissioner’s Office (ICO) was the first member state to announce an intention to issue game-changing fines against British Airways and Marriott. The fines combined are approximately £280,000,000 (roughly US$350 million). It’s safe to assume that these cases will be rigorously fought by the two companies and will probably be in the courts for years, but the message is clear—the GDPR has real teeth, and companies need to invest in security and privacy as a result.

Network Information Security Directive

The NIS Directive required each EU/EEA member state to implement the directive into its national legislation by May 2018 and to identify Operators of Essential Services (OES), such as energy, transport, banking, financial market infrastructures, health, and drinking water supply and distribution, by November 2018. In addition to these OES, the NIS Directive also addresses digital service providers (DSPs), albeit under a less stringent regime. The specific types of companies considered to qualify as a DSP include cloud service providers, online marketplaces, and search engines. DSPs should be aware that the NIS Directive also applies to companies based outside of the European Union whose services are available within the European Union. These companies are obliged to assign an EU-based representative to act on their behalf in ensuring NIS Directive compliance.

The NIS Directive establishes a framework to enable networks and information systems to resist, at a given level of confidence, actions that compromise the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or the related services that are offered by or accessible through those networks and information systems.

NOTE    Regarding “authenticity” versus “integrity”: Integrity can be defined as assurance of the accuracy and reliability of information and systems from its original state (called a “reference version”). Authenticity is defined as assurance that the “reference version” data has not been altered from what it was when another party was in control of it. It’s a fine detail and not applicable for your CCSK exam, but the NIS Directive uses the term “authenticity” in addition to the “CIA Triad” (Confidentiality, Integrity, and Availability) of information security that most people are familiar with, so I just wanted to address the difference here.

The requirements to be implemented into national laws include the following:

•   Each member state must create a computer security incident response team (CSIRT). These CSIRTs will work in cooperation with CSIRTs across all EU/EEA members as part of a cohesive EU-wide network.

•   Those organizations who qualify as DSPs under the Directive’s criteria must implement a range of risk management measures, both technical and operational. DSP organizations must comply with the Directive’s incident reporting protocol, which requires that organizations notify “without undue delay” CSIRTs and other relevant bodies about any significant security incidents encountered.

•   Each member must provide evidence of the effective implementation of security policies, such as the results of a security audit.

•   Each member must take technical and organizational measures to manage risks posed to the security of networks and information systems used in their operations.

•   Each member must take appropriate measures to prevent and minimize the impact of incidents affecting the security of the networks and information systems used for the provision of such essential services, to facilitate the continuation of those services.

•   Each member must provide information necessary to assess the security of their networks and information systems.

•   Each member must notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service.

The NIS Directive states that the responsibility to determine penalties for noncompliance rests with the individual member states and not the European Union. The Directive does, however, state that penalties must be “effective, proportionate, and dissuasive.”

EXAM TIP    Remember that the NIS Directive applies to companies outside of the EU/EEA whose services are available in the European Union and that an EU-based representative must be established to ensure NIS Directive compliance.

The Americas

(Used with permission from CSA.)

As with all other jurisdictions previously covered, all the various jurisdictions across the Americas have differing laws and regulations that companies must abide by. Most important, however, are the US laws and regulations. This importance is not just from a CCSK exam perspective, as the exam is global in nature. It is important that you remember that CSPs must follow laws and regulations in their own jurisdictions. I believe it is fair to assume that you will be consuming cloud services from at least one American provider, regardless of where you or your company are physically located.

US Federal Laws

There are a few examples of US laws and regulations that apply to organizations in the United States. These include financial regulations in the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Children’s Online Privacy Protection Act of 1998 (COPPA). All these regulations contain provisions that pertain to the privacy and the adoption of reasonable security measures surrounding processing of personal information.

Most of these laws require companies to take precautions when hiring subcontractors and service providers (including CSPs). They may also hold organizations responsible for the acts of their subcontractors. For example, both GLBA and HIPAA require that covered organizations use written contract clauses requiring third parties to use reasonable security measures and comply with data privacy provisions.

US State Laws

Most security and privacy laws and regulations in the United States are driven at a state level. These laws apply to any entity that collects or processes personal information (as narrowly defined in the applicable law) of individuals who reside in that state, regardless of where in the United States the data is stored.

State laws differ widely across the United States, down to the most basic element of what is considered “protected information.” For example, California declares that a username and a password are considered protected data. Meanwhile, across the street in Arizona, a username and password are not considered protected data. When it comes to playing it safe and ensuring that you are compliant with all standards, you’re going to want legal counsel involved to determine the “hardest” state-level privacy requirements and follow those.

EXAM TIP    Remember that many states have laws and regulations that require organizations to ensure that service providers provide adequate privacy protections and security measures for personal data.

Security Breach Disclosure Laws

Several federal and state security and privacy laws or rules require entities that have suffered a breach of security that compromised specified categories of data, such as personally identifiable information (PII) and especially patient health information (PHI), to notify affected individuals promptly, and in many cases, notify state or federal agencies of the occurrence of the breach of security.

For a state breach disclosure law, I like to point out Washington State’s Breach Notification Law (enacted in 2015). This law states that any breach that is reasonably expected to impact more than 500 Washington State residents must be reported to the Washington State attorney general within 45 days following discovery. All breach notifications are published on the Washington State Attorney General web site. Contrast this law with the breach notification law in Alabama, which was the final state to implement a breach notification law in June 2018. Alabama requires notification to individuals within 45 days if lost data is “deemed to cause substantial harm.” Notification to consumer reporting agencies and the state attorney general must be performed if more than 1000 Alabama citizens are impacted. All states have wildly different requirements regarding what data constitutes a breach, notification times, damages, and so forth.

Understanding these laws is critical for both cloud customers and cloud providers, because breaches of security are resulting in larger fines than ever before. As a result of a breach of PII data, Equifax is currently facing a cost of $700 million in fines and litigation alone. This is above and beyond any costs the company incurred to fix security issues, reputational damage, and all other “standard” costs associated with a breach.

Federal and State Agencies

Cloud providers and consumers should also be aware that laws don’t live in a vacuum; they continuously change. US government agencies, such as the Federal Trade Commission (FTC), and the state attorneys general have used their power under federal or state “unfair and deceptive practices” acts to fine companies whose privacy or security practices are inconsistent with their claims, thus making their practices unfair or deceptive. From a privacy and security enforcement perspective, the FTC has the ability to issue fines and consent orders that outline FTC findings and how a company will address any issues (and generally includes a requirement of 20 years of FTC oversight). Both consent orders and fines can be used by legal counsel to update or modify security and privacy statements based on the new precedents they provide.

The FTC has the ability to impose significant fines on companies found to be in violation of a consent order. In July 2019, for example, the FTC fined Facebook $5 billion for violations of a consent order the company agreed to in 2011.

EXAM TIP    Remember that the FTC has taken the charge from a federal perspective on consumer privacy rights. State attorneys general deal with consumer privacy rights at a state level.

Central and South America

Central and South American countries are adopting data protection laws at a rapid pace. Argentina, Chile, Colombia, Mexico, Peru, and Uruguay have passed data protection laws inspired mainly by the EU Directive 95/46/EC and may include references to the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. These laws include security requirements and assign the data custodian/controller the burden of ensuring the protection and security of personal data wherever the data is located, and especially when data is being transferred to a third party, such as a cloud provider.

Contracts and Provider Selection

In addition to the various laws and regulations you may face as a cloud customer, you will likely have contractual obligations that require you to protect the personal information of your own clients, contacts, or employees (aka stakeholders) to ensure that data is not used for any reason other than its original intent and is not shared with third parties. These clauses are usually found in the terms and conditions and/or privacy statement that a company posts on its web site, or in written contracts. For example, a Software as a Service (SaaS) cloud provider (data processor) may be bound by the terms of its service agreement to process personal data only for certain purposes.

The main thing to remember when it comes to contracts and provider selection is that you must do what you say you do, and this is true whether you state it in a contract or in a privacy statement on your web site. This is also true when you’re outsourcing data processing or storage to a cloud provider. If you tell end users that their data will be secure in your hands (such as data encrypted at rest), you must make sure this is possible in a cloud environment. You must admit it would be fairly ridiculous to tell customers their data will be protected in a certain fashion as long as that data is in your own data center, but if it happens to be moved to a cloud environment, then this statement doesn’t apply.

If the privacy notice follows the GDPR (which most legal counsel will insist upon as a general precaution) and allows individual data subjects to have access to their personal data and to have this information modified or deleted, the CSP must also allow these access, modification, and deletion rights to be exercised to the same extent as it would in a non-cloud relationship.

The terms and conditions and privacy statements tell your end users how you will handle their data, period. As the data custodian/controller, your company is legally responsible and accountable for making sure those protections are in place. Know the old saying, “ignorance is no excuse”? What do you think would happen if one of your clients sued you for loss of data and you told the judge you didn’t know the provider didn’t secure data once you moved it? You need a full understanding of what the provider does (external due diligence) and what you must do to support your claims and capabilities to do so (internal due diligence), and you must get everything in writing. If the provider lied to you (in writing) and you get sued by your end users, you at least have an ability to launch a lawsuit against the provider. Who wins in this situation? Probably the lawyers and nobody else.

The laws, regulations, standards, and related best practices discussed earlier also require data custodians/controllers to ensure that these obligations will be fulfilled by conducting due diligence (before execution of the contract) and security audits (during performance of the contract).

Internal Due Diligence

As you know, as the data custodian/controller, you face legal repercussions if you do not meet a potential global mix of requirements imposed on safeguarding end-user data entrusted to your organization. Even then, you may be restricted from transferring your client data to a third party because of contract obligations.

NOTE    I have experienced these restrictions first-hand. A company that was looking at procuring cloud services instead of building a new data center had to postpone using the cloud because some clients had a “no third-party” processing clause in their contracts and others did not. Rather than making an attempt to determine which workloads and systems could be put in the cloud, they made the decision to remove that clause from all client contracts as they came up for renewal.

Both cloud providers and customers must consider their own respective practices, needs, and restrictions to identify relevant legal and compliance requirements. As part of internal due diligence, a cloud customer should determine whether its business model allows for the use of cloud computing services in the first place and under which conditions. For example, you may be restricted by law from relinquishing control of company data if you work in a critical infrastructure capacity. Alternatively, a cloud vendor may find it prudent to evaluate in advance the cost of compliance in jurisdictional areas that may be subject to legal requirements with which the vendor is unfamiliar.

NOTE    For an example of the cost of compliance, it can cost a cloud provider more than US$1 million to obtain an Authority to Operate (ATO) before it is authorized to sell its product to US federal agencies.

At all times, you must consider the “cloud friendliness” of data that will be migrated to a cloud environment. If the data processed by the company is so sensitive or confidential that its disclosure would lead to a disastrous scenario for your company, you might want to reconsider transferring it to a cloud service or take significant precautions for its transfer and storage. Just remember that not all data has the same value and/or regulations surrounding it. You always need to take a risk-based approach. Financial reports for a publicly traded company have Sarbanes-Oxley (SOX) requirements and need to be tightly controlled, but the latest marketing blog content for the same organization likely doesn’t have the same security requirements.

Monitoring, Testing, and Updating

The cloud environment is very dynamic. As such, any cloud customer needs to be fully aware of any changes being made by the provider. This will likely force the customer to adapt to a rate of change that may be unfamiliar. You may have developers using new services or entirely new ways of computing if a change is left unchecked. Periodic monitoring, testing, and evaluation of cloud services are recommended to ensure that required privacy and security measures are followed. Without periodic testing of both cloud services and your use of cloud services, you may be taking on unacceptable risk without even knowing it.

NOTE    Many providers may restrict you from testing their systems, platforms, and applications. This restriction may force you into more of a paper exercise, where you are reliant on such providers supplying you with documentation of tests performed by third parties. Either way, you have to keep up with changes!

New security threats, laws, and compliance requirements need to be addressed promptly. Both cloud clients and cloud providers must keep abreast of relevant legal, regulatory, contractual, and other requirements, and both must ensure that security controls continue to evolve as new technologies emerge.

EXAM TIP    The concept of periodic monitoring, testing, and evaluation of your requirements and the vendor relationship is applicable for basically every subject in the CSA Guidance. You need to be aware of any changes—technical and legal!

External Due Diligence

Due diligence of prospective CSPs must be performed prior to your using their services. This requires that you request and review all relevant documentation from the provider, such as security documentation, contracts, terms and conditions, and acceptable use policies. The goal here is not just to assess the overall service provider but to investigate the actual services you are consuming! After all, what’s the sense of inspecting a service that you won’t be using?

TIP    Remember that the Cloud Security Alliance’s STAR registry (covered in Chapter 1) is an excellent source of information about security of a provider’s services.

Everything you do from a due diligence perspective must be risk-based. Does it make sense to spend the same amount of effort assessing a service, whether the workload is a payroll system or the latest “cats with hats” marketing program? Of course it doesn’t. The criticality of the workload should always be considered when performing due diligence of a service.

Sources of information need not be limited to documentation supplied by the vendor. You may find a treasure trove of information from sources such as other customers, online searches about the vendor’s reputation, and reviews of any reports of litigation filed against the provider. These sources may highlight the quality or stability of a service and support capabilities, for example.

Contract Negotiations

Once your due diligence is performed and you decide that you are comfortable using a particular provider and service, the next step is ensuring that you and/or your legal team have fully read and understood the conditions included in the contract. After all, a contract is intended to describe accurately the understanding of all parties. As the nature of cloud computing is based on economies of scale, it is highly likely that you will find many contract clauses to be non-negotiable. This isn’t to say that all providers will have non-negotiable clauses (or entire contracts for that matter). You may be able to negotiate contract terms with smaller providers if you are willing to be a reference client for them, for example. If a provider isn’t open to changing contract clauses, it doesn’t mean you need to abandon them as a service provider. It means that you need to understand your requirements, what the provider is contractually obligated to deliver, and fill any potential gaps by implementing appropriate controls. Alternatively, risk acceptance is always an option. Your organization’s risk tolerance will determine the appropriate course of action.

NOTE    You know those “I agree to the terms and conditions” checkboxes that nobody reads before clicking them and using a service? Those are legally binding agreements. This is what is often called a “click-through” or “click-wrap” agreement. Ignorance is never a defense, and telling a judge, “In my defense, nobody actually reads that stuff,” is not a great legal strategy.

Third-Party Audits and Attestations

Most large providers will not allow your company to perform an audit of their data centers. The reality is that you will be reliant on third-party audits and attestations to serve as assurance of compliance for the relevant aspects of the provider’s infrastructure. It is critical that the provider make this transparency available to prospective and current customers. It is the customer’s responsibility to evaluate the most recently available audit or attestation, its scope, and the features and services included in the assessment. You will also want to take into consideration the date of the documentation you are reviewing. Does it reflect the way things are today, or is the report you’re relying on five years old, with little applicability to the current environment?

TIP    Remember that you always need to consider the services being consumed and whether those services are part of the scope of an assessment.

Electronic Discovery

The laws surrounding discovery and collection of evidence in a lawsuit are not limited to the United States. The CSA Guidance points out many American laws as part of e-discovery, but the general concepts are the same in many jurisdictions in which you may be operating. Of course, consulting with your legal counsel is the best way to understand and identify any e-discovery differences between jurisdictions.

In the United States, the Federal Rules of Civil Procedure (FRCP) govern the procedure in all civil actions and proceedings in US district courts. Of all the rules contained in the FRCP, we are most concerned with Rule 26: Duty to Disclose; General Provisions Governing Discovery. The rule requires that a party make disclosures based on information reasonably available and must also disclose any witnesses who will present evidence at trial.

Evidence can either be used in support of your case or against it. You might think of e-discovery as a requirement in the case of a judge’s request for a litigation hold, or a hold order (which asserts that documents relevant to a case may not be destroyed), but the reality is that data can also be used to support a case. Many litigants have lost cases as a result of not having supporting documentation because they deleted, lost, or modified data that would have been instrumental in their court case. On the flipside, if a judge deems data was purposefully deleted or otherwise destroyed, he or she may issue an instruction of “adverse inference” to the jury. This means the jury must consider the data as being purposefully deleted and will assume it contained worst-case damaging evidence.

From a cloud perspective, the cloud provider may be required to collect electronically stored information (ESI). As the consumer, you must work with the provider to plan how you will identify all documents that may pertain to a particular e-discovery request. The following sections address the requirements associated with the FRCP in a cloud environment that should be addressed in advance of engaging a provider.

Possession, Custody, and Control

This is a simple requirement. If you can produce data (electronic or not), you are legally obligated to produce it. It doesn’t matter where the data is stored—it could be in your system; it could be in a provider’s system. What does matter is that you, as the customer, may not be able to produce the evidence, and the provider must be engaged. For example, say there’s a case where an originating IP address is in question. You won’t have this data in the case of an SaaS provider, so the provider must be able to produce that evidence for the court.

NOTE    The CSA Guidance says that “hosting data via a third party does not obviate a party’s obligation to produce data.” (“Obviate” sounds more official than “remove,” “avoid,” or “prevent.”)

Relevant Cloud Applications and Environment

There may be a question as to what a particular application does or how data is processed within the system. In this scenario, the CSP will be subpoenaed by a judge directly.

Searchability and E-Discovery Tools

The tools you use today for e-discovery may not be applicable in a scenario in which you are using a provider to store or process data. The lack of tools may increase the amount of time (and therefore expense) required to produce any relevant data. The capabilities and costs of a provider to assist or minimize efforts associated with a customer’s requirement to address discovery should be negotiated in advance. If it’s not negotiated in advance, “surprises” such as a provider’s inability to assist or astronomical bills may result, and nobody likes bad surprises.

Preservation

As mentioned earlier in this book, e-discovery and data preservation laws are not unique to the United States and the FRCP. The European Union governs this under Directive 2006/24/EC. Japan, South Korea, and Singapore have similar laws, as do South American countries Brazil (Azeredo Bill) and Argentina (Data Retention Law of 2014).

Data Retention Laws and Recordkeeping Obligations

A myriad of laws deal with data retention periods. All of these must be addressed by your company, which can lead to additional costs related to storage of data that can be reasonably expected to be requested in the event of a court case. The CSA Guidance lists the following questions customers should consider before migrating data to the cloud:

•   What are the ramifications of retaining data under the service level agreement (SLA)?

•   What happens if the preservation requirements outlast the terms of the SLA?

•   If the client preserves the data in place, who pays for the extended storage, and at what cost?

•   Does the client have the storage capacity under its SLA?

•   Can the client effectively download the data in a forensically sound manner so it can be preserved offline or nearline?

TIP    Data retention services may be available, but at an additional cost. Make sure that you understand whether multiple parties will be involved (such as an SaaS provider using IaaS) and how that may impact you.

Another important aspect of data retention is the scope of preservation. Legal requests must be very specific as to the data requested. However, if a customer is unable to retain specific information sets with the necessary granularity, they may be in a situation where they have to “over-preserve.” This can lead to increased costs, as someone (such as a client-paid attorney’s staff) has to sift through all this information to determine what is actually required by the courts. This is called a document review or privilege review.

With all of the new technologies associated with the cloud, e-discovery is becoming increasingly complex in a world where storage is more dynamic than ever. For example, take an SaaS cloud environment that programmatically modifies or purges data when uploaded by a client, or one in which the data is shared with people or other systems that are unaware of the need to preserve. The trick is to realize what data may realistically be required in a court of law and to work with the provider to understand the best way to preserve such data.

Data Collection

Cloud services (especially SaaS) may not give you the same level of access that you are accustomed to. Collection of data may be impacted, ranging from being unable to retrieve data yourself, to a dramatic increase in the effort required to access data because of a potential lack of transparency of how data is stored and/or processed within a cloud service. This lack of transparency may lead to issues with validating that any data found is complete and accurate. Additional challenges may arise as a result of the functionality of the application storing the data. For instance, although five years’ worth of data may be stored in a provider’s service, if the provider limits the data exported to a month’s worth at a time, it means that additional effort and expense will be associated with collection of that data.

Other issues regarding collection of data from a cloud service that generally aren’t experienced within a data center are the bandwidth available for exporting data from a cloud environment and ensuring that the export is done in a forensically sound manner (with all reasonably relevant metadata preserved) and that it follows appropriate chain-of-custody requirements. As the old saying goes, never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.

Finally, it is important to note that the FRCP does include a clause, 26(b)(2)(B), that excuses a litigant from presenting data that is truly not reasonably accessible. The mere complaint that additional effort is required to retrieve data does not fall into this category, however, and you will be responsible for the extra time and cost associated with such data collection.

Forensics

I’ll sum up this topic with a common saying I use for the cloud: you need virtual tools for a virtual world. You will not be able to take a hard drive, make a bit-by-bit image of it, and perform your investigations using this exact replica. You will be forced to use virtual tools to perform forensics on cloud workloads. In fact, not being able to present a bit-by-bit copy of a drive serves as a great example of the FRCP 26(b)(2)(B) clause that excuses presentation of data if it’s not reasonably accessible. In reality, this type of forensic analysis is rarely warranted in cloud computing, because of the nature of storage (virtualized) that doesn’t provide significant additional relevant information.

NOTE    You’ll learn more about forensics in Chapter 9 of this book.

Reasonable Integrity

In order for evidence to be considered admissible in a court of law, it must be considered accurate and authenticated. This is true regardless of where such evidence is held. “Authenticated” is the key word. This legal term means the data is considered genuine. This is where a chain of custody comes into play. If data cannot be authenticated, it cannot be considered admissible evidence in a court of law (barring any extenuating circumstances). The cloud does change how chain of custody is ensured. Take the example of a cloud provider that allows you to export data but strips any metadata as part of the process. That metadata may be exactly what is required to validate that the data is genuine and therefore admissible in a court of law.

Direct Access

Direct access may be impossible for both the customer and, for example, the SaaS provider you have a contract with, if that provider in turn uses a third-party IaaS to store and process data. After all, the SaaS provider in this example is just another customer of the IaaS provider and may not have any access to the hardware or facilities. As such, in this example, a requesting party may need to negotiate directly with the IaaS provider for any access.

Native Production

When digital evidence is requested, it is expected to be produced in standard formats such as PDF or CSV. If a cloud provider can export data from their highly proprietary system in a proprietary format only, this data may not be admissible as evidence in a court of law. The only circumstance that may require the export of data in a proprietary format is if relevant metadata would be lost if converted to a standard format.

Authentication

As discussed earlier, authentication in a legal sense means evidence is considered genuine and has nothing to do with identity management (we cover that in Chapter 12). The mere notion of storing data in a cloud has nothing to do with its authentication. The issue is the integrity of the data and that it wasn’t altered or modified since creation (chain of custody), just as it would be if it were stored on a server in your own data center.
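The Reasonable Integrity and Authentication sections both come down to proving that exported data, and the metadata that authenticates it, were not altered after collection. The following is an added example (not from the CSA Guidance or this book) of a chain-of-custody manifest for a cloud export: it hashes each record’s content and, separately, its content together with authenticating metadata, then verifies a later export and reports whether the content is intact and whether the metadata survived. The record layout, the metadata field names, the sample records, and the `simulate_export` provider model are all constructed assumptions.

```python
"""Constructed example: chain-of-custody manifest for a cloud data export.

Each record is hashed twice: once over its content and once over the content
plus the metadata a court may need to authenticate it. Verification can then
tell a stripped-metadata export apart from an altered-content export.
"""
import hashlib
import json
from datetime import datetime, timezone

# Metadata fields assumed (for this example) to be needed for authentication.
AUTH_METADATA_FIELDS = ("created", "modified", "owner", "source_system")


def _canonical(obj) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _authenticated_hash(rec) -> str:
    """Hash of content together with the authenticating metadata fields."""
    metadata = {k: rec.get(k) for k in AUTH_METADATA_FIELDS}
    return _sha256(_canonical({"content": rec["content"], "metadata": metadata}))


def build_manifest(records, collector, collected_at=None):
    """Record content and content+metadata hashes at collection time."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    entries = [
        {
            "id": rec["id"],
            "content_sha256": _sha256(rec["content"].encode("utf-8")),
            "authenticated_sha256": _authenticated_hash(rec),
        }
        for rec in records
    ]
    manifest = {"collector": collector, "collected_at": collected_at, "entries": entries}
    # Seal the entry list so edits to the manifest itself are detectable.
    manifest["manifest_sha256"] = _sha256(_canonical(entries))
    return manifest


def verify_export(records, manifest):
    """Map record id -> 'intact', 'metadata_missing', 'content_altered' or 'missing'."""
    if _sha256(_canonical(manifest["entries"])) != manifest["manifest_sha256"]:
        raise ValueError("manifest has been modified since it was sealed")
    by_id = {r["id"]: r for r in records}
    findings = {}
    for entry in manifest["entries"]:
        rec = by_id.get(entry["id"])
        if rec is None:
            findings[entry["id"]] = "missing"
        elif _sha256(rec["content"].encode("utf-8")) != entry["content_sha256"]:
            findings[entry["id"]] = "content_altered"
        elif _authenticated_hash(rec) != entry["authenticated_sha256"]:
            # Content matches but the metadata needed to authenticate it does not.
            findings[entry["id"]] = "metadata_missing"
        else:
            findings[entry["id"]] = "intact"
    return findings


# Constructed sample records as they would sit in a hypothetical SaaS system.
SAMPLE_RECORDS = [
    {"id": "doc-1", "content": "Q3 forecast approved", "created": "2019-07-01T09:00:00Z",
     "modified": "2019-07-02T10:30:00Z", "owner": "alice", "source_system": "example-saas"},
    {"id": "doc-2", "content": "Vendor contract draft", "created": "2019-07-03T08:15:00Z",
     "modified": "2019-07-03T08:15:00Z", "owner": "bob", "source_system": "example-saas"},
]


def simulate_export(records, strip_metadata):
    """Hypothetical provider export; strip_metadata models the failure mode in the text."""
    exported = []
    for rec in records:
        copy = {"id": rec["id"], "content": rec["content"]}
        if not strip_metadata:
            copy.update({k: rec[k] for k in AUTH_METADATA_FIELDS})
        exported.append(copy)
    return exported


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, collector="examiner@example.invalid")
    print("full export:    ", verify_export(simulate_export(SAMPLE_RECORDS, False), manifest))
    print("stripped export:", verify_export(simulate_export(SAMPLE_RECORDS, True), manifest))
```

A stripped export still passes the content check, which is exactly why the content hash alone is not enough to claim the evidence is authenticated.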

Cooperation Between Provider and Client in E-Discovery

When multiple parties are involved in storing data, all parties should reasonably expect to be involved in producing ESI, especially when proprietary systems are used by the provider. The issues surrounding e-discovery covered in this chapter should be accounted for in SLAs between the provider and the customer. Providers should also consider creating systems with “discovery by design” to attract clients. (Discovery by design essentially means the provider has planned for discovery requests being an expected occurrence and that extreme measures, such as limiting other tenants from updating their data in the event of a litigation hold, do not need to be performed.)

Response to a Subpoena or Search Warrant

A general best practice for providers is to have their customers’ best interests in mind at all times, and this includes responding to subpoenas and search warrants for access to customer data. Providers should fight overbroad or otherwise problematic demands for information when possible. As the customer, you cannot reasonably expect a provider to break the law to protect your data from being handed over to a government agency, as the provider may be compelled by law to do so based on the jurisdiction in which they are operating.

Chapter Review

This chapter discussed the legal issues surrounding the use of cloud services, the importance of performing both internal and external due diligence, and some aspects of e-discovery and the admissibility of electronically stored information (ESI).

NOTE    Although you may be full of legal mumbo-jumbo at this point, you can check out the Sedona Conference web site (https://thesedonaconference.org/) for more information surrounding the handling of ESI if you’re hungry for more on this topic.

From an exam perspective, you’ll want to be comfortable with the following:

•   Cloud customers should understand the relevant legal and regulatory frameworks, contractual requirements, and restrictions that apply to the handling of their data or data in their custody, and the conduct of their operations before moving systems and data to the cloud.

•   Cloud providers should clearly and conspicuously disclose their policies, requirements, and capabilities, including all terms and conditions that apply to the services they provide.

•   Cloud customers should conduct a comprehensive evaluation of a proposed cloud service provider before signing a contract, and they should regularly update this evaluation and monitor the scope, nature, and consistency of the services they purchase.

•   Cloud providers should publish their policies, requirements, and capabilities to meet legal obligations for customers, such as electronic discovery.

•   Cloud customers should understand the legal implications of using particular cloud providers and match those to their legal requirements.

•   Cloud customers should understand the legal implications of where the cloud provider physically operates and stores information.

•   Cloud customers should decide whether to choose where their data will be hosted, if the option is available, to comply with their own jurisdictional requirements.

•   Cloud customers and providers should have a clear understanding of the legal and technical requirements to meet any electronic discovery requests.

•   Cloud customers should understand that click-through legal agreements are legally binding.

Questions

1.   What does “authentication” mean in a trial?

A.   Evidence is considered genuine.

B.   This is the stage at which a judge is assigned and known to both parties.

C.   A witness is approved as an expert and their testimony will be considered.

D.   Both parties involved in a lawsuit are declared.

2.   Which organization deals with privacy rights at a federal level in the United States?

A.   Federal Communications Commission (FCC)

B.   Federal Trade Commission (FTC)

C.   Federal Office of the Attorney General

D.   Homeland Security

3.   GDPR replaced which Data Protection Directive?

A.   PIPEDA

B.   FRCP

C.   Directive 95/46/EC

D.   NIS

4.   When is a party excused from presenting evidence in a court of law?

A.   When it doesn’t exist

B.   When it is too expensive to retrieve

C.   Never; a party must always present data when it’s requested by a judge

D.   When it is not reasonably accessible

5.   What format should be used when presenting electronically stored information (ESI) in a court of law?

A.   PDF

B.   CSV

C.   Standard format

D.   Native format

6.   Which of the following may lead to issues with validating that any data found is complete and accurate when stored in a cloud environment?

A.   Transparency

B.   Use of unknown hardware at provider location

C.   There are no issues with validating data stored in the cloud

D.   Lack of metadata in cloud environments

7.   Which of the following is the minimum retention period for any data that may be required in a court of law?

A.   1 year

B.   5 years

C.   Any data that may be considered evidence must be retained in perpetuity.

D.   There is no general minimum retention period of data.

8.   What is the most important item to consider when reviewing third-party audits and attestations?

A.   The firm that performed the audit

B.   The services being consumed by the customer

C.   The location of services

D.   The service provider certification

9.   What should a customer do when dealing with a non-negotiable contract where controls may be lacking?

A.   Do not use the service provider.

B.   Identify any gaps and fill them with appropriate controls.

C.   Purchase cyberinsurance to mitigate the associated risk.

D.   Accept the risk the provider accepts.

10.   The Australian Privacy Act requires that a breach disclosure be performed in which scenario?

A.   When any data pertaining to a citizen is disclosed

B.   When personally identifiable information is disclosed

C.   When disclosure would be likely to cause serious harm to the individual

D.   The Australian Privacy Act does not address breach notification requirements

Answers

1.   A. “Authentication” means that the data evidence is considered genuine and is therefore admissible in a court of law.

2.   B. The FTC is the federal organization responsible for consumer protection and privacy rights. The state attorney general performs the same activity at the state level.

3.   C. GDPR replaced the Data Protection Directive 95/46/EC. PIPEDA is a Canadian data protection law. FRCP is the set of rules governing civil law. NIS is the EU-wide cybersecurity legislation.

4.   D. FRCP clause 26(b)(2)(B) permits data not being presented as evidence when it is not reasonably accessible. This may be applicable, for instance, when a bit-level copy of a drive is required when the data is stored in a cloud environment.

5.   C. The best answer is that evidence is most useful if it is presented in a standard format. Although both PDF and CSV can be considered standard formats, neither is the best answer here, because standard format is more accurate as a response. Presentation of native format may be required if metadata isn’t properly preserved as part of an export routine.

6.   A. Transparency issues may cause issues with validating that any data found is complete and accurate. Any issues must be identified as part of due diligence of the provider environment.

7.   D. There are no mandated retention periods that are generically applied to all data sets. Different retention periods will be applied by laws or other means (such as standards, continued value to the company, and so on) based on the type of data. Although data that can be reasonably expected to serve as evidence in a court case should be preserved by an organization, there is no retention period mandated for these data sets.

8.   B. The services being consumed by the customer is the most important item to consider when reviewing third-party audits and attestations. Although all of the other options are certainly valid, they are of little value if the services consumed are not part of the scope of the audit being reviewed.

9.   B. The best answer is to identify potential gaps and implement controls to address perceived risk. Although risk response may include avoiding the risk by not using the provider, accepting the risk, and mitigating financial damages by purchasing cyberinsurance, the best answer is to identify the controls the provider is contractually required to supply, determine your requirements, and address gaps by deploying controls.

10.   C. The Australian Privacy Act requires that a breach of security must be reported when personal information that may lead to serious harm is disclosed.
