Re: [U2] Cloud Legal Question - and a request for Contact Info - ITLegal Issues

2011-12-02 Thread Wols Lists

On 01/12/11 01:20, John Hester wrote:

As far as liability for data theft, it sounds like that's negotiable
between the client and cloud provider.  I doubt there's any standard at
this point.  There are a whole host of federal and state regulations
that come into play regarding theft of personal data, though.  If you're
storing business to consumer sales data, there is potentially a lot to
consider.  Business to business data is probably much less of an issue.


Given that I can't tell from the OP's gmail address whether he's 
American or not, federal and state rules may not apply. However, 
international rules may.


Bear in mind that it is legally VERY dangerous for a European company to 
store personal data in a cloud, given that most cloud companies are 
American. As the law currently stands, the American government can 
subpoena ANY information that the American head office has access to. 
BUT it is a criminal offence for a European to let their data fall into 
non-European hands.


So if, as a European company, you store personal data on a cloud server, 
expect to be sued ... or worse ...


Cheers,
Wol
___
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users


Re: [U2] Cloud Legal Question - and a request for Contact Info - ITLegal Issues

2011-12-02 Thread John Thompson
I am in the United States.  Thanks for the info.  I'm sure our internal
legal person will be interested to know.

On Fri, Dec 2, 2011 at 4:22 AM, Wols Lists antli...@youngman.org.uk wrote:

 On 01/12/11 01:20, John Hester wrote:

 As far as liability for data theft, it sounds like that's negotiable
 between the client and cloud provider.  I doubt there's any standard at
 this point.  There are a whole host of federal and state regulations
 that come into play regarding theft of personal data, though.  If you're
 storing business to consumer sales data, there is potentially a lot to
 consider.  Business to business data is probably much less of an issue.


 Given that I can't tell from the OP's gmail address whether he's American
 or not, federal and state rules may not apply. However, international rules
 may.

 Bear in mind that it is legally VERY dangerous for a European company to
 store personal data in a cloud, given that most cloud companies are
 American. As the law currently stands, the American government can subpoena
 ANY information that the American head office has access to. BUT it is a
 criminal offence for a European to let their data fall into non-European
 hands.

 So if, as a European company, you store personal data on a cloud server,
 expect to be sued ... or worse ...

 Cheers,
 Wol


-- 
John Thompson


Re: [U2] Cloud Legal Question - and a request for Contact Info - ITLegal Issues

2011-12-01 Thread Tony Gravagno
 From: John Thompson
 The company I work for is looking at a product that 
 stores a bunch of our sales data in the cloud
 
 Our internal legal person had a look at the contract 
 that the company is proposing and apparently it has a 
 little clause in there that they are not liable if the 
 data gets stolen. Is this standard with cloud products?

There is a separation of responsibilities that needs to be
understood by everyone these days.  We expect the data centers
for cloud companies to be secure.  Once we give them data we
expect them to hold onto it.  And if we are paying them to do
something with the data, we expect them to do that with full
reliability.  That's Their responsibility.

But we also pay these cloud services for increasing types of
accessibility to our data.  With more accessibility, there are
more opportunities for data exposure.  We cannot expect them to
accept responsibility for vulnerabilities which we ourselves may
create, which includes:
- transport outside of a VPN
- transport of plain text data
- open transport of credentials (user/psw)
- exposure of credentials whether on lost devices, stickynotes on
the monitor, or a list in one's wallet

And in this world of networked data we must understand that
security is always a moving target.  The environment that is
secure today could be compromised tomorrow after a patch is
applied or simply through the constantly improving skills of bad
guys.  It's very difficult for a company to accept responsibility
for constantly changing details outside of their control.

Sure, we expect that a cloud company will protect data on-site
against theft or acts of nature, but in a networked environment
there are points of exposure.  They can strive to protect their
systems and networks against hacks but this is a huge ongoing
expense and it's an imperfect science where occasionally even the
top professionals are caught unaware.  They can strive to create
a contract that explains how they will accept responsibility for
their side of the environment while not being liable for damages
due to issues outside of those definitions.  But that leaves
contracts vague and open to contention.  It's better for them
simply to say they're not liable for losses.  Accept it or don't.

There is also the question of what liability really is.  Is a
compromise of your data worth $100 or $1 Million?  To avoid such
evaluation in a claim, it's better to just get the issue waived
up front.  You can accept this or reject the premise and try to
get someone else with an insurance company that will settle
high-value claims.

In a non-litigious world, the simplest and most honest contract
might read "We really do the best job we can, and we think we do
better than our competition, but if anything at all bad happens,
we simply can't accept blame or pay any damages. Welcome to the
modern world. If you accept this, we'd love to do business with
you. If not, we're sorry, but we can't take a chance on going out
of business for something that's not related to what we really
do."

For your part, when you do host data off-site, use every
encryption and security mechanism available to protect your
business outside of the scope of the services provided by the
cloud host.  This becomes your responsibility.  Then you need to
figure out how you're going to convey Your position on
liabilities to Your clients.  "We really do the best job we
can..."

So the bottom line here is that you get the best contract you
can, and try to get clarifications or commitments in writing. But
you also need to balance expectations with an understanding of
the world we're living in, and cover for vulnerabilities with
your own solutions where possible.

T

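Tony's list above (plaintext in transit, credentials in the open) and his closing advice to "use every encryption and security mechanism available" outside the scope of the host's services come down to one practice: encrypt records under a key the host never sees, before they leave your premises. The following Go program is an added illustration of that, not code from this thread, from any list member, or from any U2 product. It uses only the Go standard library (AES-256-GCM); the function names SealRecord, OpenRecord, NewDataKey, LeaksPlaintext and Tamper, and the sample sales record, are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what actually leaves the building: the ciphertext and the
// per-record nonce. The key is never part of it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey creates the 256-bit key the data owner keeps to itself
// (in practice in an HSM or key-management service the host cannot read).
// Hypothetical helper written for this example.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one record before it is handed to the cloud host.
// The record ID is bound as additional authenticated data, so a blob
// copied under another record's ID will not decrypt.
func SealRecord(key []byte, recordID string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord decrypts and authenticates a record fetched back from the host.
// Any modification of the stored blob, a wrong key, or a mismatched record
// ID is rejected here rather than silently yielding garbage.
func OpenRecord(key []byte, recordID string, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, errors.New("record rejected: wrong key, wrong record ID, or tampered data")
	}
	return pt, nil
}

// LeaksPlaintext reports whether a stored blob still contains a plaintext
// field verbatim; a correctly sealed envelope never does.
func LeaksPlaintext(env Envelope, field []byte) bool {
	return bytes.Contains(env.Ciphertext, field)
}

// Tamper flips one ciphertext byte, simulating corruption or modification
// while the blob sits with the host.
func Tamper(env Envelope) Envelope {
	ct := append([]byte{}, env.Ciphertext...)
	ct[0] ^= 0x01
	return Envelope{Nonce: env.Nonce, Ciphertext: ct}
}

func main() {
	// Constructed sample record; not real customer data.
	record := []byte(`{"order":"A-1001","customer":"Example Co","amount":1299.00}`)
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	env, err := SealRecord(key, "A-1001", record)
	if err != nil {
		panic(err)
	}
	pt, err := OpenRecord(key, "A-1001", env)
	fmt.Printf("round trip ok: %v\n", err == nil && bytes.Equal(pt, record))
	fmt.Printf("blob exposes customer name: %v\n", LeaksPlaintext(env, []byte("Example Co")))
	_, err = OpenRecord(key, "A-1001", Tamper(env))
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
	_, err = OpenRecord(key, "A-1002", env)
	fmt.Printf("blob under wrong record ID rejected: %v\n", err != nil)
}
```

The point of binding the record ID as associated data is that the host (or anyone who breaches it) cannot quietly swap one customer's blob for another's; and because the key stays with the data owner, a theft of the stored blobs yields nothing readable, which is exactly the exposure the contract clause refuses to cover.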


Re: [U2] Cloud Legal Question - and a request for Contact Info - ITLegal Issues

2011-11-30 Thread John Hester
There's a decent bullet-point presentation on cloud legal issues
available on Cisco's site:

http://www.cisco.com/web/about/doing_business/legal/privacy_compliance/docs/CloudPrimer.pdf

As far as liability for data theft, it sounds like that's negotiable
between the client and cloud provider.  I doubt there's any standard at
this point.  There are a whole host of federal and state regulations
that come into play regarding theft of personal data, though.  If you're
storing business to consumer sales data, there is potentially a lot to
consider.  Business to business data is probably much less of an issue.

-John 

-Original Message-
From: u2-users-boun...@listserver.u2ug.org
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of John Thompson
Sent: Wednesday, November 30, 2011 1:25 PM
To: U2 Users List
Subject: [U2] Cloud Legal Question - and a request for Contact Info -
ITLegal Issues

The company I work for is looking at a product that stores a bunch of
our sales data in the cloud

Our internal legal person had a look at the contract that the company is
proposing and apparently it has a little clause in there that they are
not liable if the data gets stolen.
Is this standard with cloud products?

Also, I remember some folks at Spectrum talking about this, and I still
have the business cards, but, I am not in the office, AND I foolishly
forgot to store them in my contacts.

Susan J., I think you probably talked about this?
Maybe I can have my legal person fill out a contact form on your site?

(sj+ dot com)


--
John Thompson