This document discusses several key legal issues related to cloud computing including:
1. Data privacy and security are major concerns as personal and business information is stored remotely by third-party cloud providers. Laws regulating data location, access, and disclosure must be considered.
2. eDiscovery processes like legal holds, data access, and format preferences are complicated by remote data storage. Contracts with cloud providers must address these capabilities.
3. Government and law enforcement access to data stored in the cloud raises issues of privacy, electronic surveillance, and users' legal rights. Transparency is important for assessing these risks.
1. Investigation and E-discovery in the Cloud Albert Barsocchini, Esq.barsocchini@gmail.comE-Discovery and International Data Privacy and Protection legal Series
2. Definitions of terms A customer or potential customer of a cloud computing service is a user. The user may be an individual, business, government agency, or any other entity. The organization that offers the cloud computing service is a cloud service provider, or cloud provider. A cloud provider may be an individual, a corporation or other business, a non-profit organization, a government agency or any other entity. A cloud service provider is one type of third party that maintains information about, or on behalf of, another entity.
3. Cloud Types: Public Via web applications/web services, from an off-site third-party provider who uses a shared resources. Not much new here this is traditional online email and other related service that are typically free Hotmail, Yahoo Mail, Gmail and many others. Paid for by marketing, advertising and/or your contact information.
4.
5. Amazon Elastic Compute Cloud (also known as "EC2") allows users to rent computers on which to run their own computer applications. EC2 allows scalable deployment of applications by providing a web service through which a user can boot an Amazon Machine Image to create a virtual machine instance containing any software desired.
6. The Rackspace Cloud is a web application hosting/cloud platform provider ("Cloud Sites") that bills on a utility computing basis[1]. It has since branched out into cloud storage ("Cloud Files") and cloud infrastructure ("Cloud Servers").
7.
8. What are the major legal issues? Transborder Data Flow. Reasonable Security eDiscovery
9. Top Legal Considerations Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. A user’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider. For some types of information and some categories of cloud computing users privacy and confidentiality rights, obligations, and status may change when a user discloses information to a cloud provider. Disclosure and remote storage may have adverse consequences for the legal status of or protections for personal or business information. The location of information in the cloud may have significant effects on the privacy and confidentiality protections of information and on the privacy obligations of those who process or store the information. Information in the cloud may have more than one legal location at the same time, with differing legal consequences. Laws could oblige a cloud provider to examine user records for evidence of criminal activity and other matters. Legal uncertainties make it difficult to assess the status of information in the cloud as well as the privacy and confidentiality protections available to users. Responses to the privacy and confidentiality risks of cloud computing include better policies and practices by cloud providers, changes to laws, and more vigilance by users.
10. eDiscovery Issues Litigation hold Data access Data format Due diligence Data Privacy Data Security Response capability Data access contracts
11. Subpoena Issues Privacy policies at some websites promise to provide notice of subpoenas to users when legally permissible to do so The more activity that a user conducts in the cloud, the greater the risk of third party disclosure. cloud providers will have obligations to monitor users in some cases. For example, some jurisdictions in the United States require computer technicians to report evidence of child pornography that they find when repairing or otherwise servicing computers to police or prosecutors.
12. Other Legal Issues Electronic Communications Privacy Act (ECPA) USA PATRIOT Act HIPAA and compelled disclosures Fair Credit Reporting Act Bankruptcy of a cloud provider Gramm-Leach-Bliley Act Trade secrets Tax Preparation Laws Legally Privileged Information Professional Secrecy Obligations
13. Policy Considerations Responses to the privacy and confidentiality risks of cloud computing should include better policies and practices by cloud providers. Cloud computing industry should establish standards that will help users to analyze the difference between cloud providers and to assess the risks that users face. Users should pay more attention to the consequences of using a cloud provider and, especially, to the provider’s terms of service. For those risks not addressable solely through policies and practices, changes in laws may be needed.
14. General Discussion Issues What kind of data will be in the cloud? Where do the data subjects reside? Where will the data be stored? Where are the servers? Will the data be transferred to other locations and, if so, when and where? Can certain types of data be restricted to particular geographic areas? What is the compliance plan for cross-border data transfers?
15.
16.
17.
18. Will the addition of cloud computing to my companies environment add to the complexity my computer forensics program?
19. How does working in a cloud based virtualized environment change my investigation since we do not have physical access?
20. How do you audit systems in a cloud computing environment?
21. How does the use of a shared resource impact a forensic investigation?
22. How do you collect data from a system in a cloud computing environment?