cloud computing, NIST, standards
Definition of Cloud Computing - NIST Releases Final SP 800-145
By InfoLawGroup LLP on October 21, 2011
Yesterday the National Institute of Standards and Technology announced "the final release of Special Publication 800-145, The NIST Definition of Cloud Computing." NIST's definition of Cloud Computing has been very influential in setting tent pegs in the ground to cabin the scope and discussion of the often nebulous definition of cloud computing.
AICPA, best practices, BITS, cloud computing, COBIT, contracts, FIPS, information security, ISO 27001, ISO 27002, NIST, outsourcing, PCI DSS, SAS 70, SP 800-53, standards
Information Security Standards and Certifications in Contracting
By W. Scott Blackmer on May 26, 2010
It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.
compliance, contract management, data protection, data security, information governance, information security, management, pia, privacy, privacy audit, privacy governance, privacy impact assessment, procurement, risk management, security governance, standards
Information Governance
By W. Scott Blackmer on May 06, 2010
Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focuses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations.
compliance, ISO 27001/2, legal defensibility, privacy notice, reasonable, risk, risk assessment, Security, security measures, security program, service provider, standards
The Legal Defensibility Era is Upon Us
By InfoLawGroup LLP on May 04, 2010
Cloud, Department of Commerce, jurisdiction, PET, privacy, privacy enhancing technologies, Regulation, self-regulatory, standards, transborder data flows
Observations on the Dept. of Commerce's Privacy Inquiry
By InfoLawGroup LLP on April 29, 2010
4A-202, banking, Breach, FFIEC, litigation, measures, online, reasonable, reasonable security, Security, security breach litigation, Shames-Yeakel, standards, UCC, UCC 4A-202
The Curious Case of EMI v. Comerica: A Bellwether on the Issue of "Reasonable Security"?
By InfoLawGroup LLP on February 24, 2010
cloud computing, data integrity, evidence, proof, standards
Data Integrity and Evidence in the Cloud
By W. Scott Blackmer on January 29, 2010
Data integrity is a potential challenge in cloud computing, with implications for both operational efficiency and legal evidence. Vendors should consider a standards-based approach to assuring data integrity, and customers should address the issue in due diligence and in contracting.
agreements, breach notice, certification, compliance, confidentiality, contracts, incident response, indemnification, information security, insurance, liability, risk management, standards
Information Security Clauses and Certifications - Part 1
By W. Scott Blackmer on January 17, 2010
Service contracts that involve protected personal information should include provisions allocating responsibility for protecting that information and responding to security breaches. Increasingly, this means incorporating specific references to applicable laws and information security standards, and often certifications of conformance.
banking, FFIEC, measures, online, online banking, reasonable, reasonable security, Security, security breach litigation, security measures, security standards, Shames-Yeakel, UCC 4A-202
Online Banking and "Reasonable Security" Under the Law: Breaking New Ground?
By InfoLawGroup LLP on January 13, 2010
Confidentiality agreements, intellectual property, NDA, nondisclosure agreements, standards, trade secrets, uniform trade secrets act, UTSA
NDAs: Worth the Effort?
By W. Scott Blackmer on November 16, 2009
In business or technical discussions with potential investors, customers, suppliers, licensors, franchisees, or joint venture partners, it is often very difficult to determine how much needs to be disclosed and exactly who "owns" which information and ideas. Were the parties just brainstorming? Did they independently develop a similar approach to a problem? Litigation over NDAs can be costly, public, and ultimately unsatisfactory to the party claiming a breach, especially if it is hard to prove the intended scope of the agreement and the actual source of information. When is it worthwhile using NDAs, and how can they be made more effective?