12.07.2015 Views

Download PDF - 224 kb - Davis LLP


Agenda
What is cloud computing?
Legal implications and Managing the Risks
1. Litigation readiness
2. Privacy/Confidentiality
3. Employment law issues


What is Cloud Computing?
Cloud computing is a marketing term for technologies that provide computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services. (Wikipedia)
Delivered over a network (typically, the Internet)


Types of Services
Infrastructure as a Service (“IaaS”) and Storage
• Delivers computer infrastructure, along with storage and networking.
Software as a Service (“SaaS”)
• Delivers software without the need to install and run applications.
Platform as a Service (“PaaS”)
• Allows the development and deployment of applications without the need to purchase specific hardware or software.


Private, Public and Hybrid Types


Advantages of cloud computing
Cost
Scalability
User mobility
Customizability
Reliability?
Performance?
Security?


Litigation Readiness
Key: Ability to meet basic discovery obligations efficiently and cost-effectively
Basic obligations: To disclose every document relevant and proportionate to the matter that is or has been in that party’s possession, control or power
Document is defined very broadly
Serious consequences for non-disclosure, failure to preserve, spoliation


Kelly’s Gold Standard in Litigation Readiness
A records management policy that is implemented with automation:
• Each record is automatically classified by the computer system, retained for the period of time determined by a well thought-out retention schedule, automatically destroyed when its value comes to an end, unless a legal hold has been triggered
A detailed litigation readiness plan would include:
• A "data map", which details the entire IT infrastructure of the company and shows where each type of information managed by the organization is located, in terms of the hardware and software housing it and its physical location, and how it can be accessed and by whom
• Details of the well thought-out team and policies in place (Retention and Destruction Policy, Email Use Policy, Social Media Use Policy, Policy for dealing with the data of departing employees,...)
• Litigation Hold Policy and Procedures: As soon as the company becomes aware of a piece of litigation/regulatory investigation, team members are mobilized and a hold is triggered so that all potentially relevant documents are taken out of the normal destruction cycle and preserved
• Collection procedures


Cloud Computing and Litigation Readiness
Cloud computing doesn’t change a party’s obligation to preserve and disclose its data
Just because your documents are “in the cloud” doesn’t mean that you have relinquished “possession, control or power” in the legal sense
However, since you give up actual possession of your documents, you are at risk of not being able to meet your discovery obligations – requires cooperation of your service provider
Courts unlikely to be sympathetic


So you need to ask…
Can the information stored in the cloud be preserved and produced…
• efficiently?
• cost effectively?
• without altering relevant metadata?
Who can access the data? [More about this…privacy implications]
What is the risk that adversaries, government agencies, foreign governments will serve subpoenas on the cloud provider to get access to the company’s data?
Where is the cloud located? Is it possible to ensure the data is kept only on Canadian-based servers? Does it matter?
Does the cloud provider have squadrons of security people?


Risk management – Examine/Negotiate the contract
Access and rights to data
Security and encryption
Notification requirements
Physical location of data
Search, retrieval and production abilities
Ability to implement destruction and legal hold policies
Suspension and termination of services


Risk management - Examine the provider
Due diligence is important:
• How financially sound is the service provider?
• What type and how much insurance do they carry?
• Have they dealt with litigation discovery obligations in the past?


Cloud Computing and Private/Confidential Information
It’s 9:00 A.M.
Do you know where your confidential/personal information is?
Has it been transferred to a cloud?
By a current or former employee?
Is it accessible to third parties?


Risks of cloud computing to confidential/personal information
Intentional Leaks (Improper Disclosure)
Unintentional Leaks (Accidental Disclosure)
Ownership Confusion
Unintentional Data Retention


Specific breaches of privacy law
Breach of Consent Obligations
Breach of Retention Obligations
Breach of Accuracy Obligations
Breach of Individual Access Obligations
Breach of Safeguard Obligations
Breach of Notification Obligations
Violation of Legislation / Guidelines Prohibiting Storage Outside Canada


Employment Law Risks of Cloud Computing
Risk of Inappropriate Behaviour
Cloud Computing Extends the Scope of the Workplace
Employees may believe the cloud space they use to be private and for their personal use only.
However, employees extend the scope of the workplace and the reach of employment policies when they:
• Post company information on cloud computing sites
OR
• Access cloud computing sites from the workplace


10 Tips for Managing Privacy & Employment Risks
1. Educate Yourself about the Risks of Cloud Computing
Learn what cloud computing is
Know the risks associated with cloud computing
Take steps to protect against these risks


10 Tips for Managing Privacy & Employment Risks
2. Educate Your Employees about the Risks of Cloud Computing
Educate employees and hold training sessions designed to:
• Explain what cloud computing is and the risks it poses to the company and the company’s confidential information
• Draw employees’ attention to new employment policy provisions designed to address and minimize cloud computing risks
• Obtain written confirmation from employees that they understand the risks associated with cloud computing and agree to abide by company policies put in place to address these risks


10 Tips for Managing Privacy & Employment Risks
3. Restrict Cloud Storage to Employer-Approved Clouds
Some cloud hosts are more transparent about the security of their clouds and have promoted self-policing in the cloud computing community, e.g. Microsoft.
To ensure that confidential or personal information is not being shared extra-provincially, make certain that the company knows the jurisdiction of the cloud host as well as the cloud server or hard drive where user information will be stored.
Consider requiring that employees use only private or internally managed clouds over which the company may have more control.


10 Tips for Managing Privacy & Employment Risks
4. Limit Cloud Storage to Certain Types of Information
Consider prohibiting cloud storage of documents containing trade secrets, intellectual property, information about other employees or communications protected by solicitor-client privilege.


10 Tips for Managing Privacy & Employment Risks
5. Limit Cloud Storage to Certain Employees
Allow only management or employees with express approval to store company information in clouds.


10 Tips for Managing Privacy & Employment Risks
6. Require Management Approval Before Information is Transferred to Clouds
Ensure that the company can track which employees are using cloud computing and what company information is being stored in clouds.


10 Tips for Managing Privacy & Employment Risks
7. Obtain Continuing Access to Clouds where Information is Stored
Ensure employees using clouds to store company information provide the company with continuing access to such information, i.e. logins and passwords.
If and when an employee is terminated, the company may wish to delete the information or change the cloud’s access privileges so that the former employee can no longer access company information through the cloud.


10 Tips for Managing Privacy & Employment Risks
8. Revise Your Confidentiality Policies
The purpose is to prevent an employee from sharing confidential information they obtain during the course of their employment with third parties and subsequent employers.
Ensure that your confidentiality policies:
• Capture company information stored in clouds within the definition of confidential information owned by the company.
• Address whether storage of company information in clouds constitutes the disclosure of confidential information.
• Establish that the company has the right to access and/or remove information stored in clouds by an employee upon termination of employment.


10 Tips for Managing Privacy & Employment Risks
9. Revise Your Computer and Internet Use Policies
The purpose is to protect the employer’s right to access and monitor information stored on company owned equipment or servers which may also be used by employees for personal use.
Ensure that your computer and internet use policies:
• Expressly include clouds containing company information in the list of equipment or servers that the company has a right to access and monitor.
• Require that employees obtain express approval from management before transferring company information to a cloud.
• Expressly state that employment policies apply to employees who store or access company information through cloud computing sites or access cloud computing sites from the workplace.


10 Tips for Managing Privacy & Employment Risks
10. Revise Your Privacy Policies
The purpose is to maintain the security, confidentiality and privacy of all personal information about individuals collected by the company, in compliance with applicable privacy legislation, i.e. PIPEDA or provincial privacy legislation.
Ensure that your privacy policies describe the safeguards the company has put in place to protect against the risks to personal information of cloud computing, i.e. employment policies and employee training.


Thank you!
Kelly Friedman
416.369.5263, kfriedman@davis.ca
