Tag Archives: Cloud

NIST Releases Public Draft SP800-53 Addressing Cybersecurity Threats & Privacy Controls

Yesterday the National Institute of Standards and Technology (NIST) released the 4th revision of its "Security and Privacy Controls for Federal Information Systems and Organizations." Despite the long title it will ultimately be a mainstay reference for federal agencies required to comply with provisions of the Federal Information Security Management Act (FISMA) and FIPS 200. As a result it should have a significant affect on cloud security practices effecting commercial non-governmental cloud usage. … Continue Reading

Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?

As organizations of all stripes increasingly rely on cloud computing services to conduct their business, the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. However, most Cloud customers find it very difficult to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short term cost-benefits by going into the Cloud, they may be retaining more risk then they want (especially where Cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem. … Continue Reading

NIST Issues Finalized Guidelines for Managing Security & Privacy in Public Cloud Computing

Say what you will about the federal government, the Nat’l Institute of Standards & Technology (“NIST“), part of the Department of Commerce, has certainly been busy over the past year releasing numerous special drafts and reports addressing cloud computing recommendations, security and issues. [Full disclosure: I’m a member of several NIST working groups, including one currently working … Continue Reading

Contracting for Cloud Computing Services

The Knowledge Group/The Knowledge Congress Live Webcast Series, a leading producer of regulatory focused webcasts, has announced that InfoLawGroup attorney, Richard Santalesa, will be speaking at the Knowledge Congress’ webcast entitled: “Contracting for Cloud Computing Services: What You Need to Know” scheduled for February 14, 2012 from 12:00 PM to 2:00 PM ET. For more … Continue Reading

Data Breach in the Clouds

As we move into 2011 it should be obvious that cloud computing is not a fad, but rather a computing model that is becoming ubiquitous. Cloud computing offers a slew of advantages including efficiency, instant scalability and cost effectiveness. However, these advantages must be balanced against the control organizations may lose over their information technology operations when they are reliant on a cloud provider to provide key processes. The issues that arise out of this loss of control are apparent when considering data breach response and liability in the cloud. When a cloud customer puts its sensitive data into the cloud it is completely reliant on the security and incident response processes of the cloud service provider in order to respond to a data breach. This situation poses many fundamental problems. … Continue Reading

Cloud Computing Customers’ “Bill of Rights”

Needless to say, due in part to our numerous writings on the legal ramifications of Cloud computing, the InfoLawGroup lawyers have been involved in much Cloud computing contract drafting and negotiating, on both the customer and service provider side. As a result, we have seen a lot in terms of negotiating tactics, difficult contract terms and parties taking a hard line on certain provisions. During the course of our work, especially on the customer side, we have seen certain "roadblocks" consistently appear which make it very difficult for organizations to analyze and understand the legal risks associated with Cloud computing, and in some instances can result in a willing customer walking away from a deal. Talking through some of these issues, InfoLawGroup thought it might be a good idea to create a very basic "Bill of Rights" to serve as the foundation of a cloud relationship, and allow for more transparency and enable a better understanding of potential legal risks associated with the cloud. … Continue Reading

European Reservations?

German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That's not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations. … Continue Reading

Legal Implications of Cloud Computing — Part 4.5 (Extending the Discussion of E-Discovery in the Cloud)

My colleagues Dave Navetta, Tanya Forsheit and Scott Blackmer have framed a definition and outlined the essential legal implications of cloud computing. Tanya has started a discussion of the application of electronic discovery and electronic evidence issues in the cloud. This post extends Tanya's discussion of the intersection between electronic discovery and the cloud. … Continue Reading

What’s in Google’s SaaS Contract with the City of Los Angeles? Part Three.

This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at dnavetta@infolawgroup.com … Continue Reading

What’s in Google’s SaaS Contract with the City of Los Angeles? Part Two.

This blogpost is the second in our series analyzing the terms of Google and Computer Science Corporation’s (“CSC”) Cloud contract with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In this installment, we will focus on terms related to compliance … Continue Reading

What’s in Google’s SaaS Contract with the City of Los Angeles? Part One.

At the beginning of April, I wrote a blogpost on the City of Los Angeles’ selection of Google Apps to provide the City with Cloud services. As summarized, news outlets reported that Google was willing to compete on various contract provisions in order to win the City’s business. They also identified various contractual concessions Google … Continue Reading

Cloud Providers Competing on Data Security & Privacy Contract Terms

I ran across an interesting article in PC World the other day concerning a head-to-head competition between Google Apps (Google’s SaaS offering) and Microsoft’s Office to provide certain day-to-day applications to the City of Los Angeles.  The end result of this competition is that Google will be providing Google Apps (SaaS) to the City of Los … Continue Reading

Thoughts from the RSA Conference

As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes. … Continue Reading

Compliance as a Service (CaaS): The Enabler Role of Legal, Security and Privacy Professionals

Cloud computing promises incredible benefits for companies looking for inexpensive and scalable computing solutions without the need (or the costs or employees) to do it all themselves. However, as foreshadowed in the InfoLawGroup's "Legal Implications of Cloud Computing" series (see Part One, Part Two and Part Three) data security, privacy and legal compliance issues are beginning to cause great concern. Stories like this highlight these concerns. High profile information security snafus (fairly or unfairly) have also stoked the fire: Rackspace power outage, Amazon denial of service attack, and the Sidekick Data Loss. Data leakage is maybe problematic as well based on Cloud architecture. In fact, the InfoLawGroup has encountered some companies that are taking a pass on cloud computing ("v. 1.0") because of regulatory, privacy and security concerns. Do these compliance concerns threaten the Cloud computing model or potentially reduce the cost benefits it promises? … Continue Reading

Legal Implications of Cloud Computing — Part Three (Relationships in the Cloud)

While there is much debate on the IT side as to whether Cloud computing is revolutionary, evolutionary or "more of the same" with a snazzy marketing label, in the legal context, Cloud computing does have a potential significant impact on legal risk. Part three of our ongoing Cloud legal series explores the relationships in the Cloud, and the potential legal implications and impacts suggested by them. … Continue Reading