3. “Legal Issues, Contracts, and Electronic Discovery” - DONE Flashcards
What may make you reconsider migrating your data to the cloud?
If the data processed by the company is so sensitive or confidential its disclosure would lead to a disastrous scenario for your company.
Not all data has the same value, so you need to take a risk-based approach.
“Legal Frameworks Governing Data Protection and Privacy”
“Many countries have their own legal frameworks requiring appropriate safeguards to protect the privacy of personal data and the security of information and computer systems.”
“These were ultimately the basis for the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines. This then fed the formation of the Data Protection Directive, aka Directive 95/46/EC, which was superseded by the General Data Protection Regulation (GDPR, covered later in this chapter).
The main point is this: These privacy laws aren’t new. They have been built over years and are only now being rigorously enforced.”
“From a legal perspective, three entities are involved when cloud services are consumed (shown in Figure 3-1), and all have different requirements from a legal perspective.”
“Of the three models, you should get your head around the role of the controller/custodian and remember that jurisdiction is very important to determine applicable laws.”
“*Provider/Processor
This one is straightforward. This is the cloud service provider. The provider must operate in accordance with the laws in the jurisdictions in which they operate.
*Custodian/Controller
This is the entity that holds end-user data. The naming of this role is dependent on the location you’re in. In the United States, it’s called the “data custodian”; in Europe, it’s called the “data controller.” Either way, this entity is legally accountable for properly securing end-user data. As an example of a data custodian/controller, if your company uses an Infrastructure as a Service (IaaS) provider to store your customer data, you are the data custodian/controller of that end-user data. The custodian/controller must operate in accordance with the laws of the jurisdiction in which the company operates.
*End User/Data Subject
This entity (such as you and I) has their data being held by a controller/custodian.”
Excerpt from: CCSK Certificate of Cloud Security Knowledge All-in-One Exam Guide, Graham Thompson
These privacy laws define numerous obligations, such as confidentiality and security obligations that a custodian/controller and provider/processor must abide by.
“The legal requirement on the data custodian/controller is no joke. Being labelled the data custodian has very real legal ramifications. If your company holds end-user data and is found to be negligent in privacy or security as required by laws (or even prudent practice) in your company’s jurisdiction, your company is open to being sued.”
“The data custodian/controller is prohibited from collecting and processing personal data unless certain criteria are met. For example, the data custodian/controller is limited to what the end user has consented to regarding the collection and proposed uses of the end user’s data, according to the consent agreement. When using a data processor (such as a CSP) to process data on its behalf, a data custodian/controller remains responsible (accountable by law) for the collection and processing of that data.
As the data custodian/controller, you are required to ensure that your provider/processor takes adequate technical and organizational security measures to safeguard the data. This, of course, requires that you perform proper due diligence with regard to the provider.”
Despite common themes among countries on all continents, each has developed data protection regimes that may conflict with another’s regime. As a result, cloud providers and cloud users operating in multiple regions struggle to meet compliance requirements. In many cases, the laws of different countries may apply according to the following criteria:
“*The location of the cloud provider
*The location of the data custodian/controller
*The location of the end user
*The location of the servers
*The legal jurisdiction of the contract between parties, which may be different from the locations of any of the parties involved
*Any treaties or other legal frameworks between those various locations”
Required Security Measures
“Many countries have adopted privacy laws that are either omnibus (covers all categories of personal data) or sectoral (covers specific categories of personal data). These laws often require that appropriate security measures be in place to ensure that privacy-related data is properly protected. These security measures may require companies to adopt technical, physical, and administrative measures. These measures may of course be used to protect more than just personal information; they will likely be leveraged to protect other sensitive data sets such as financial data and trade secrets, for example.”
Treaties
“A treaty is an agreement between two political authorities. There are two treaties worthy of discussion to help you prepare for the CCSK exam. You may have heard of the International Safe Harbor Privacy Principles, otherwise known as the Safe Harbor agreement, between the United States and the European Union. This treaty basically allowed companies to commit voluntarily to protecting EU citizens’ data stored in the United States the same way that it would protect the data if it were held in the European Union.
This agreement was terminated in 2015, however, and was replaced shortly afterward with a new agreement, the EU-US Privacy Shield. Privacy Shield operates in much the same way as Safe Harbor, in that Privacy Shield allows for personal data transfer and storage between the European Union and the United States. Companies self-certify as having appropriate privacy measures in place, and Privacy Shield serves as a data transfer mechanism under the EU GDPR.”
“Restrictions to Cross-Border Data Transfers”
Absent a treaty such as the Privacy Shield, which establishes an adequate level of protection, many countries prohibit data from being stored outside of their borders. Even if no treaty is in place, however, it is still possible to store data in a foreign country, although it requires a more complex solution.
In this scenario, the data importer and exporter may sign a contract ensuring privacy rights for end users. The complexity may come from some cases requiring prior permission from a data protection commissioner before data can be transferred into or out of the country.
“In the CSA Guidance, two examples are cited as countries that prohibit data from being exported: Russia and China. These countries’ data localization laws require that data pertaining to individuals residing in their countries be stored within the individual’s home country. Make no mistake; there are other countries and even Canadian provinces that have the same laws, but the CSA Guidance addresses only these two countries.”
CLOUD Act
“A CSP should always defend clients from over-reaching access requests by any authorities. Customers should look for this language in contracts.”
“The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was introduced in the United States in 2018. Its purpose is to finalize some legal issues surrounding the US government’s ability to issue subpoenas or warrants to access client data stored by an American provider, regardless of where that data is physically stored.
A great example of the importance of the CLOUD Act is a court case between Microsoft and the US Department of Justice (DOJ). The DOJ wanted access to data stored in an Irish data center. Microsoft defended its client (which a CSP should always do!) by refusing DOJ access because the data itself was held outside of the United States. A court battle ensued and went all the way to the Supreme Court. During this time, the CLOUD Act was passed, and the Supreme Court declared the case moot because the CLOUD Act gave the DOJ access to the data because Microsoft is an American company.”
Australia
“In Australia, the Privacy Act of 1988 (Privacy Act) and the Australian Consumer Law (ACL) of 2010 serve to protect end users. The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to all private-sector and not-for-profit organizations with revenues greater than AUD $3 million, all private health service providers, and some small businesses. The Privacy Act can apply to (protect) any Australian customer even if the CSP is based outside of Australia and even if other laws are stated in a contract.
Australia amended its 1988 Privacy Act in February 2017 to require companies to notify affected Australian residents and the Australian Information Commissioner in the event of a security breach. A breach of security must be reported under two conditions: if there is unauthorized access or disclosure of personal information that would be likely to result in serious harm, or if personal information is lost in circumstances where unauthorized access or disclosure is likely to occur—and if it did occur, it would be likely to result in serious harm to any of the individuals to whom the information relates.”
China
Its 2017 Cyber Security Law (2018 updates are covered later) governs the operations of network operators and critical information infrastructure operators. The 2017 law requires these operators to implement a series of security requirements, including the design and adoption of information security measures; the formulation of cybersecurity emergency response plans; and assistance and support to investigative authorities, where necessary, for protecting national security and investigating crimes. The law requires providers of network products and services to inform users about known security defects and bugs and to report such defects and bugs to relevant authorities.
The law also includes a data localization provision, which requires that personal information and other important data be stored within the territories of the People’s Republic of China. (What constitutes “important data” in the 2017 Cyber Security Law is extremely vague and subject to great debate.)
Japan
“Like many countries, Japan’s Act on the Protection of Personal Information (APPI) requires the private sector to protect personal information and data securely. There are several other national laws, such as the Law on the Protection of Personal Information Held by Administrative Organs (not a typo), and sector-specific laws, such as those in the healthcare industry that require registered health professionals to maintain the confidentiality of patient information.
Japan also limits the ability to transfer personal data to third parties (such as cloud providers). The prior consent of the data subject is required in order to transfer data to a third party. This consent is not required if the country of destination has an established framework for the protection of personal information that meets the standard specified by the Personal Information Protection Commission. Such a framework between Japan and the EU was ratified in 2018, around the same time the GDPR came into effect.”
Russia
“The Russian data protection laws state that citizen data must be localized. In other words, like China, Russian citizen data must be stored within Russia. Roskomnadzor, the Russian Data Protection regulator, is responsible for enforcement of the law and has already blocked access to multiple web sites based on the fact that they may store Russian citizen data but do not do so within Russia. Essentially, if you see that a web site isn’t available in Russia, it’s because the web site owners don’t operate and store such data within Russia.”
“European Union and European Economic Area”
“The EU adopted the GDPR in 2016 (which became enforceable in May 2018), which is binding on all EU member states, as well as members of the European Economic Area (EEA). It replaced Directive 95/46/EC on the Protection of Personal Data, which had been the legal basis of data protection laws of all EU and EEA member states.”
“Another document you should know about that governs protection of personal data in the EU/EEA is Directive 2002/58/EC on Privacy and Electronic Communications. This directive is being phased out and is expected to be replaced with the new E-Privacy Regulation, but this new regulation has been delayed for years, and these delays are likely to continue for the foreseeable future.
Of course, privacy isn’t possible to implement without some form of security. The Network Information Security Directive (NIS Directive) addresses these security requirements. Adopted alongside the GDPR in 2016, the NIS Directive was implemented in May 2018. This saw EU/EEA member states implementing new information security laws for the protection of critical infrastructure and essential services. The next two sections address both GDPR and the NIS Directive.”
General Data Protection Regulation
“The GDPR applies to any legal entity engaged in economic activity (both organizations and individuals) that processes data associated with EU citizens, and it will be adjudicated (a legal term for making an official decision) by the data supervisory authorities or the courts of the member states that have the closest relationship with the individuals or the entities on both sides of the dispute.”
“The following list covers the GDPR’s basic points:
*Applicability - The GDPR applies to the processing of personal data in the context of the activities of a controller or processor in the EU/EEA, regardless of whether or not the processing takes place in the EU/EEA. It also applies to the processing of personal data of data subjects who are in the EU/EEA by a controller or a processor not established in the EU/EEA if the processing relates to the offering of goods or services (paid or not) or the monitoring of the behavior of a data subject when the behavior takes place within the EU/EEA.
*Lawfulness - Processing personal data is permitted only if the data subject has freely given specific, informed, and unambiguous consent to the processing of their personal data, or the processing is authorized by a statutory provision.
*Accountability obligations - The GDPR has created numerous obligations for companies, including requiring that companies retain records of their processing activities. A data protection impact assessment must always be conducted when the processing could “result in a high risk to the rights and freedoms of natural persons.” Companies are expected to develop and operate their products and services in accordance with “privacy by design” and “privacy by default” principles.
*Data subjects’ rights - Data subjects have rights regarding the processing of their data. The big ones are the right to object to use of their personal data, the right to be forgotten, and the right to have corrections made to their data.
*Cross-border data transfer restrictions - Personal data cannot be transferred outside the EU/EEA to a processor or custodian/controller that is located in a country that does not provide similar protection of personal data and privacy rights. A company can prove that it will be offering the “adequate level of protection” required by executing Standard Contractual Clauses (SCC), signing up to the EU-US Privacy Shield, obtaining certification of Binding Corporate Rules (BCRs), or complying with an approved industry code of conduct or approved certification mechanism. In rare cases, the transfer may be allowed with the explicit, informed consent of the data subject, or if other exceptions apply.
*Breaches of security - The GDPR requires that data controllers report security breaches within 72 hours of detection. The reporting requirements are risk-based, and there are different requirements for reporting the breach to the Supervisory Authority and to the affected data subjects.
*Discrepancies among member states - The GDPR allows member states to implement additional requirements above and beyond the GDPR baseline. For example, Germany (one of the leading countries when it comes to privacy regulations prior to GDPR) requires that a data protection officer be appointed if the company has more than nine employees.
*Sanctions - Violations of the GDPR expose a company to significant sanctions. These sanctions may reach up to 4 percent of the company’s global gross income, or up to EUR 20 million, whichever is greater.”
“Network Information Security Directive”
“The NIS Directive required each EU/EEA member state to implement the directive into its national legislation by May 2018 and identify Operators of Essential Services (OES), such as energy, transport, banking, financial market infrastructures, health, drinking water supply, and distribution, by November 2018. In addition to these OES, the NIS directive addresses (albeit to a less stringent regime) digital service providers (DSPs). The specific types of companies considered to qualify as a DSP include cloud service providers, online marketplaces, and search engines. DSPs should be aware that the NIS Directive also applies to companies based outside of the European Union whose services are available within the European Union. These companies are obliged to assign an EU-based representative to act on their behalf in ensuring NIS Directive compliance.
The NIS Directive establishes a framework to enable networks and information systems to resist, at a given level of confidence, actions that compromise the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or the related services that are offered by or accessible through those networks and information systems.”
“Regarding “authenticity” versus “integrity”:”
“Integrity can be defined as assurance of the accuracy and reliability of information and systems from its original state (called a “reference version”). Authenticity is defined as assurance that the “reference version” data has not been altered from what it was when another party was in control of it.”
“The requirements to be implemented into national laws include the following:”
“*Each member state must create a computer security incident response team (CSIRT). These CSIRTs will work in cooperation with CSIRTs across all EU/EEA members as part of a cohesive EU-wide network.
*Those organizations who qualify as DSPs under the Directive’s criteria must implement a range of risk management measures, both technical and operational. DSP organizations must comply with the Directive’s incident reporting protocol, which requires that organizations notify “without undue delay” CSIRTs and other relevant bodies about any significant security incidents encountered.
*Each member must provide evidence of the effective implementation of security policies, such as the results of a security audit.
*Each member must take technical and organizational measures to manage risks posed to the security of networks and information systems used in their operations.
*Each member must take appropriate measures to prevent and minimize the impact of incidents affecting the security of the networks and information systems used for the provision of such essential services, to facilitate the continuation of those services.
*Each member must provide information necessary to assess the security of their networks and information systems.
*Each member must notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service.”
The NIS Directive states that the responsibility to determine penalties for noncompliance rests with the individual member states and not the European Union. The Directive does, however, state that penalties must be “effective, proportionate, and dissuasive.”