Cloud

Investigation and E-discovery in the Cloud Albert Barsocchini, Esq.barsocchini@gmail.comE-Discovery and International Data Privacy and Protection legal Series

Definitions of termsA customer or potential customer of a cloud computing service is a user. The user may be an individual, business, government agency, or any other entity.The organization that offers the cloud computing service is a cloud service provider, or cloud provider. A cloud provider may be an individual, a corporation or other business, a non-profit organization, a government agency or any other entity.A cloud service provider is one type of third party that maintains information about, or on behalf of, another entity.

Cloud Types: PublicVia web applications/web services, from an off-site third-party provider who uses a shared resources. Not much new here this is traditional online email and other related service that are typically freeHotmail, Yahoo Mail, Gmail and many others.Paid for by marketing, advertising and/or your contact information.

Cloud Types: PrivateHosted dedicated hardware and software, which can also utilized virtualized systems.

Amazon Elastic Compute Cloud (also known as "EC2") allows users to rent computers on which to run their own computer applications. EC2 allows scalable deployment of applications by providing a web service through which a user can boot an Amazon Machine Image to create a virtual machine instance containing any software desired.

The Rackspace Cloud is a web application hosting/cloud platform provider ("Cloud Sites") that bills on a utility computing basis[1]. It has since branched out into cloud storage ("Cloud Files") and cloud infrastructure ("Cloud Servers").

Paid for buy customer.Cloud Types: HybridEnvironment consisting of multiple internal and/or external providers.A hybrid cloud can describe configuration combining a local device, such as a Plug computer with cloud services. It can also describe configurations combining virtual and physical, co-located assets—for example, a mostly virtualized environment that requires physical servers, routers, or other hardware such as a network appliance acting as a firewall or spam filter.Existing as emulates cloud computing environments on private networks. These (typically virtualization automation) products claim to "deliver some benefits of cloud computing without the pitfalls", capitalizing on data security, corporate governance, and reliability concerns. They have been criticized on the basis that users "still have to buy, build, and manage them" and as such do not benefit from lower up-front capital costs and less hands-on management, essentially "[lacking] the economic model that makes cloud computing such an intriguing concept".Irrespective of the provider, most hybrid cloud environments relies on the use of Virtual Machines (VMs) and some combination of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS). VMs are software implementations of a computer which can execute programs like a real computer and can be spawned on any computer as needed. There are two types of VMs: VM’s which supports the execution of a complete operating system and VM’s which are designed to run a single program supporting a single process.

What are the major legal issues?Transborder Data Flow.Reasonable SecurityeDiscovery

Top Legal ConsiderationsCloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information.A user’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider.For some types of information and some categories of cloud computing users privacy and confidentiality rights, obligations, and status may change when a user discloses information to a cloud provider.Disclosure and remote storage may have adverse consequences for the legal status of or protections for personal or business information.The location of information in the cloud may have significant effects on the privacy and confidentiality protections of information and on the privacy obligations of those who process or store the information.Information in the cloud may have more than one legal location at the same time, with differing legal consequences.Laws could oblige a cloud provider to examine user records for evidence of criminal activity and other matters.Legal uncertainties make it difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users.Responses to the privacy and confidentiality risks of cloud computing include better policies and practices by cloud providers, changes to laws, and more vigilance by users.

eDiscovery IssuesLitigation holdData accessData formatDue diligenceData PrivacyData SecurityResponse capabilityData access contracts

Subpoena IssuesPrivacy policies at some websites promise to provide notice of subpoenas to users when legally permissible to do soThe more activity that a user conducts in the cloud, the greater the risk of third party disclosure.cloud providers will have obligations to monitor users in some cases. For example, some jurisdictions in the United States require computer technicians to report evidence of child pornography that they find when repairing or otherwise servicing computers to police or prosecutors.

Other Legal IssuesElectronic Communications Privacy Act (ECPA)USA PATRIOT ActHIPAA and compelled disclosuresFair Credit Reporting ActBankruptcy of a cloud providerGramm-Leach-Bliley ActTrade secretsTax Preparation LawsLegally Privileged InformationProfessional Secrecy Obligations

Policy ConsiderationsResponses to the privacy and confidentiality risks of cloud computing should include better policies and practices by cloud providers.Cloud computing industry should establish standards that will help users to analyze the difference between cloud providers and to assess the risks that users face.Users should pay more attention to the consequences of using a cloud provider and, especially, to the provider’s terms of service.For those risks not addressable solely through policies and practices, changes in laws may be needed.

General Discussion IssuesWhat kind of data will be in the cloud?Where do the data subjects reside?Where will the data be stored? Where are the servers? Will the data be transferred to other locations and, if so, when and where?Can certain types of data be restricted to particular geographic areas?What is the compliance plan for cross-border data transfers?

General Discussion IssuesIf our business becomes the target of a criminal investigation. What is the impact of temporarily migrating our environment to a cloud environment to provide a means for business continuity during the investigation?

When information is transported across the Internet, it is done in the form of bits and bytes wrapped in data packets, which contain lots of information about the information that is being transmitted. Each data packet has a header and a "payload." While the header keeps overhead information about the packet, the service and other transmission-related things, the payload is the data itself. Is this packet information discoverable in a way similar to how meta data is sometime discoverable for user created files?Data Breaches and Potential ConsequencesPonemon Institute estimates costs of data breach at $204/record for a US companyWhen storing data in the cloud, ensure data breach protocols are in place in the event a data breach occursPrivacy insurance generally covers costs of compliance with state data breach notification laws and legal fees

Cloud

More Related Content

What's hot (20)

Viewers also liked (10)

Similar to Cloud (20)

Cloud