InfoLawGroup is very pleased to congratulate our partners Justine Gottshall and Jamie Rubin on their inclusion in the Chambers USA's top ranking of Media & Entertainment: Transactional practices in Illinois. As noted in Chambers, Ms. Gottshall and Mr. Rubin represent major studios and retail companies involved in advertising, as well as publishers and other media companies. We are also thrilled to announce that our partner Boris Segalis has been selected to serve as one of the co-chairs of IAPP KnowledgeNet for New York City.
Yesterday the National Institute of Standards and Technology announced "the final release of Special Publication 800-145, The NIST Definition of Cloud Computing." NIST's definition of Cloud Computing has been very influential in setting tent pegs in the ground to cabin the scope and discussion of the often nebulous definition of cloud computing.
In the next in our series of free webinars on cloud computing, Information Law Group Attorney Richard Santalesa examines implications arising from NIST's "Guidelines on Security and Privacy in Public Cloud Computing," with a focus on the legal considerations any team tasked with implementation of security best practices will need to grapple with.To register for this free one hour webinar on May 24 at 12pm ET, visit - http://bit.ly/kyRdku
I hope you will tune in Monday, January 31, 2011, 8-9 am Pacific (11-12 Eastern), to Privacy Piracy, audio streaming on www.kuci.org (or locally in Southern California on KUCI 88.9 FM in Irvine, CA). Mari Frank will interview me on hot topics in information law and compliance.
Needless to say, due in part to our numerous writings on the legal ramifications of Cloud computing, the InfoLawGroup lawyers have been involved in much Cloud computing contract drafting and negotiating, on both the customer and service provider side. As a result, we have seen a lot in terms of negotiating tactics, difficult contract terms and parties taking a hard line on certain provisions. During the course of our work, especially on the customer side, we have seen certain "roadblocks" consistently appear which make it very difficult for organizations to analyze and understand the legal risks associated with Cloud computing, and in some instances can result in a willing customer walking away from a deal. Talking through some of these issues, InfoLawGroup thought it might be a good idea to create a very basic "Bill of Rights" to serve as the foundation of a cloud relationship, and allow for more transparency and enable a better understanding of potential legal risks associated with the cloud.
German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That's not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.
This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at dnavetta@infolawgroup.com
A new set of EU standard contract clauses ("SCCs" or "model contracts") for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU "Article 29" working group on the concepts of "controller" and "processor" under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.
I will be speaking on various aspects of cloud computing at two upcoming webinars in May:* Cloud Computing: Emerging E-Discovery Trends, Strafford webinar, May 4, 2010 (1:00 pm Eastern) * Negotiating and Preparing Cloud Contracts, IAPP web conference, May 13, 2010 (1:00 pm Eastern)
As some of you know, I tweeted my notes from the IAPP Global Privacy Summit 2010 yesterday and today (@Forsheit for those of you on Twitter). Since many of our readers are not on Twitter, I thought I would provide you with those notes here (minus the usual Twitter hashtags and abbreviations). Please note that there were multiple sessions, and this reflects only those I was able to attend, and only the information I could quickly record, putting virtual pen to paper. These are not direct quotes, unless specifically designated as such. Overall, I think it was a great conference, a wonderful opportunity to reconnect with other lawyers and privacy professionals, and to meet students, lawyers, and others looking to learn more about this constantly evolving legal and compliance space. For me, the conference highlight was Viktor Mayer-Schonberger's keynote this morning on The Virtue of Forgetting in the Digital Age. Without further ado, here are my notes. Would love to hear your thoughts/reactions.
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days.
As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release.
The European Commission has announced a new set of standard contractual clauses to be used in agreements with processors located outside the EU / EEA. The new SCCs represent an effort to better ensure privacy protection when European personal data are passed on to subcontractors in business process outsourcing, cloud computing, and other contexts of successive data sharing.
Data integrity is a potential challenge in cloud computing, with implications for both operational efficiency and legal evidence. Vendors should consider a standards-based approach to assuring data integrity, and customers should address the issue in due diligence and in contracting.
In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!