Tag Archives: Cloud Computing

Strategies for Evaluating Cloud Computing Agreements

In April 2011, a technical malfunction suffered by the Amazon Elastic Compute Cloud resulted in a multi-day outage affecting hundreds of businesses.  The incident offered high-profile evidence of both the widespread popularity of cloud computing and the potential consequences of storing company data in the cloud.  It also drew attention to cloud service contracts, raising questions about performance levels and backups in the event of a service disruption.  With more and more businesses seeking to take advantage of the efficiency and cost savings offered by cloud computing, the lessons of the Amazon outage underscore the complexities involved in negotiating cloud computing agreements.  In an article published in Bloomberg Law Reports, Technology Law, Andrew Geyer and Melinda McLellan discuss some of the key commercial issues and privacy and data security concerns to consider when evaluating a cloud services contract.

Download a pdf copy of the article.


PCI Data Security Standards Council Provides Cloud Compliance Guidelines

On June 14, 2011, the PCI Security Standards Council’s Virtualization Special Interest Group published its “Information Supplement: PCI DSS Virtualization Guidelines” (the “Guidelines”) to Version 2.0 of the PCI Data Security Standard (“PCI DSS”). The Guidelines provide context for the application of the PCI DSS to cloud and other virtual environments, and offer at least three critical reminders:

  • the PCI DSS applies to cloud environments without exception;
  • critical analysis of the application of the PCI DSS to rapidly evolving cloud offerings is essential to compliance; and
  • cloud providers must be prepared to document and contract for necessary controls.



European Data Protection Supervisor Publishes 2010 Annual Report; Sets Agenda for the Future

On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010.  The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.

In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive. He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure. Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.


Live Coverage from Budapest: Day One of the Hungarian International Data Protection Conference

On June 16, 2011, the Hungarian Presidency of the Council of the European Union hosted the first day of a high-level international data protection conference in Budapest. The conference was attended by approximately 150 people, most of whom are representatives of EU governments, data protection authorities (“DPAs”), the European Commission, and other governmental groups such as the Council of Europe.



Complaint to FTC Alleges Cloud Service Dropbox Fails to Sync Security with Representations

According to a complaint submitted to the Federal Trade Commission on May 11, 2011, the popular cloud-based data storage provider Dropbox, Inc. made false claims about the security of its users’ data, thereby putting them at risk while gaining an unfair advantage over competitors that actually offer the sort of security Dropbox advertised. The Dropbox service allows users to create folders on their computers that automatically sync with corresponding folders on Dropbox’s servers. Users can specify whether their folders are public or private. The allegations concern the folders designated as private, which are touted as being protected by encryption. According to the complaint, which was filed by Christopher Soghoian (a security researcher and former technologist at the FTC’s Division of Privacy and Identity Protection), although Dropbox represented that its encryption features would render a user’s files completely inaccessible to any person other than the user, in fact, Dropbox employees maintained copies of the encryption keys and could therefore access the contents of users’ files. This left Dropbox users’ files susceptible to unauthorized access (e.g., governmental demands for data, hacking attacks, rogue insiders).


German Federal Office for Information Security Issues Final Framework Paper on Information Security for Cloud Computing

On May 10, 2011, the German Federal Office for Information Security (the Bundesamt für Sicherheit in der Informationstechnik or “BSI”) released the final framework paper on information security issues related to cloud computing. The paper describes the minimum requirements for information security for cloud computing services. As we previously reported, in September 2010, the BSI had presented the draft framework paper, which received positive reviews and constructive comments from cloud computing providers, users, associations and other stakeholders. The comments and contributions have been incorporated in the final framework paper. According to the BSI, the paper provides “Best Practices” and serves as a basis for the discussion between cloud computing service providers and cloud users. Based on the paper, concrete recommendations for companies or public authorities may be developed, including at the international level.


Legal Bisnow Features Marty Abrams and Lisa Sotto

On April 25, 2011, Legal Bisnow interviewed Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, and Hunton & Williams partner Lisa Sotto about hot topics in privacy and data protection.

Read Legal Bisnow’s article, “Hottest Practice Area?”.


European Parliament Meeting Offers Update on Review of EU Data Protection Directive

On March 16, 2011, a meeting of the “European Privacy Platform” group of the European Parliament was held in Brussels.  The meeting provided important insights into the likely structure and content of proposed revisions to the European Data Protection Directive 95/46/EC that the European Commission has been working on for the past several months.



NIST Issues Guidelines on Security and Privacy in Public Cloud Computing

The National Institute of Standards and Technology (“NIST”) has issued draft Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) (the “Guidelines”) for public comment. The Guidelines provide an overview of the security and privacy challenges pertinent to public cloud computing, and identify considerations for organizations outsourcing data, applications and infrastructure to a public cloud environment. The Guidelines are intended for use by federal agencies. Use in nongovernmental settings is voluntary.



Article 29 Working Party Releases Opinion on the Applicability of European Data Protection Law

Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).

The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold.  First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”).  The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws.  Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.  Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.

