The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 

Section 7 of the Order turns to the Cybersecurity Framework.  Section 7 requires the Director of the National Institute of Standards and Technology to lead the development of a Cybersecurity Framework “to reduce cyber risks to critical infrastructure.”  The Framework will include “a set of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks” and “shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.”  The Framework’s guidance to critical infrastructure owners and operators will be “technology neutral” and preserve “a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks.”  The Framework will be subject to “an open public review and comment process,” with a preliminary version to be published within 240 days and a final version to be issued within one year of the Order.

Section 8 of the Order directs the Secretary of Homeland Security and sector-specific agencies to establish a “voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure.”  The Secretary of Homeland Security is further directed to “coordinate establishment of a set of incentives” to promote participation by owners and operators of critical infrastructure in the Framework program.

The Order also contemplates regulation by sector-specific agencies based on the Cybersecurity Framework.  Section 10 directs sector-specific agencies that regulate critical infrastructure to report to the President on “whether the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure” and “any additional authority required.”

For additional details and analysis, please see our client alert on the Executive Order.

The supplement considers “cloud computing” to mean a model for enabling on-demand network access to a shared pool of computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.  Both cloud computing users and cloud service providers (CSPs) have compliance responsibilities under the supplement that depend on a number of variables, including (1) the purpose for which the client is using the cloud service, (2) the scope of PCI DSS requirements that the client is outsourcing to the CSP, (3) the services and system components that the CSP has validated within its own operations, (4) the service option that the client has selected to engage the CSP (Infrastructure as a Service, Platform as a Service, or Security as a Service), and (5) the scope of any additional services the CSP is providing to proactively manage the client’s compliance. 

The supplement provides cloud-related considerations for each of the PCI-DSS standards and allocates responsibility for each consideration between the user and CSP depending on the specific service option.  There are a number of compliance challenges associated with the use of cloud computing, such as the lack of visibility into CSPs’ security infrastructure and oversight of cardholder data storage, and the supplement provides guidance for addressing those challenges within the context of the user-CSP relationship.

• Due Diligence – Institutions should conduct due diligence with respect to the cloud computing provider to assess the provider’s controls to protect the confidentiality and integrity of data stored in the cloud, to determine whether data will be stored on servers used by other clients of the provider and, if so, the provider’s access controls, and to evaluate the provider’s disaster recovery and business continuity plans.
• Vendor Management – Institutions may require additional controls to manage cloud computing providers that have little experience with financial institution clients and may determine that retention of a particular provider is unacceptable due to the provider’s unwillingness or inability to satisfy bank regulators’ supervisory guidance.
• Audit – Institutions’ audit coverage should include outsourced cloud computing. 
• Information Security – Institutions should incorporate cloud computing services in existing information security policies, standards, and practices and ensure that data is protected and access to data is properly restricted.  An institution also should effectively monitor data security threats to the institution’s systems and to the provider’s systems and develop incident response methodologies. 
• Legal, Regulatory, and Reputational Considerations – Institutions should assess the extent to which cloud computing services increase the complexity of complying with applicable legal and regulatory requirements.  In addition, contracts with cloud computing providers should specify the providers’ obligations with respect to institutions’ responsibilities for compliance with privacy laws, for responding to and reporting security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.
• Business Continuity – Institutions should determine whether the provider and the provider’s network carriers have adequate plans and resources to ensure institutions’ continuity of operations, as well as the ability to recover and resume operations if an unexpected disruption occurs.

Among other things, those regulations—most of which took effect in March 2010— require companies to implement a written information security program containing certain elements, including a requirement that personal information be encrypted when transmitted wirelessly or across public networks, and when stored on portable computing devices (including laptops).  The regulations also require companies to take “reasonable steps” when selecting a service provider to ensure that the provider is capable of maintaining appropriate measures for the protection of personal information.  

To be clear, the service provider contract provision has been in effect since March 2010 for all contracts entered into after that date.  But the provision contains a grandfather clause that exempted pre-March 2010 contracts from the requirement.  This exemption expires on March 1, 2012.

The new NIST security guidelines do not recommend any particular services, providers, or service models; instead, the guidelines highlight the steps organizations should take and the issues they should consider when evaluating any public cloud service.

• Carefully plan the security and privacy aspects of cloud computing solutions before engaging them. Security and privacy should be considered at the initial planning stage and throughout the system lifecycle. “Attempting to address security and privacy issues after implementation and deployment is not only much more difficult and expensive, but also exposes the organization to unnecessary risk.”
• Understand the public cloud computing environment offered by the cloud provider. Organizations should establish a clear delineation of the respective responsibilities of the organization and the cloud provider; analyze the technologies and system architecture used by the cloud provider; and, as much as possible, independently verify providers’ security and privacy assurances.
• Ensure that a cloud computing solution satisfies organizational security and privacy requirements. Organizations may need to negotiate non-standard agreements with public cloud providers to account for particular security or privacy needs, although non-standard agreements may reduce the economies of scale that make public cloud computing attractive. Alternatively, organizations should consider whether they can implement controls that compensate for a public service’s shortcomings, or whether using an internal private cloud would be more appropriate than relying on a public service.
• Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing. A compromised client device — such as a desktop computer infected with a keystroke logger or other malware — can undermine the security of any public cloud service the client accesses. Organizations considering a move to public cloud services should assess their existing policies for dealing with client-side threats such as vulnerable browser components, social-engineering attacks and lost mobile devices.
• Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments. An organization should “conduct ongoing monitoring of the security of [the] organization’s networks, information, and systems.” Where it is not possible to directly monitor the cloud provider’s operations, the organization will need to assess its confidence in the provider’s security based on third-party audits or on other evidence the provider can offer about the effectiveness of its security controls. “Ultimately, the organization is accountable for the choice of public cloud and the security and privacy of the outsourced service.”

The guidelines are the latest effort from NIST to provide direction to federal agencies on the use of cloud computing services.  The Obama Administration’s Federal Cloud Computing Strategy, released in February 2011, set a goal “to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.” The strategy gives NIST a “central role” in developing cloud-computing standards, in cooperation with the other agencies, the private sector and international bodies. In November, NIST released a draft roadmap for federal agencies looking to implement cloud technology, and previously NIST had published the government’s definition of cloud computing.

Diebold is developing ATMs that will both store data remotely and run software from the cloud.  Diebold describes the system they are developing as “virtualized” ATMs, and their CTO stated that they believe that no other ATM manufacturer has yet deployed fully cloud-based ATMs.  Despite physical and software security measures, ATMs are unusually vulnerable both because they are by necessity publicly accessible and because the data the financial data they process is especially valuable for fraud and identity theft.  Of course, ATMs also store money, and as InformationWeek reports, thieves in some countries have stolen entire ATMs, raising the risk that they will access not only the cash contained in the device but also any locally-stored data.

Given the unusual risks, it is perhaps not surprising that Diebold is developing cloud-based ATMs.  In particular, Diebold’s move highlights the risks involved in local computing and storage where the storing computers are readily accessible or contain especially valuable data.  Companies facing such circumstances or others that render local storage risky may contemplate a shift toward cloud computing, but in doing so should be sure to account for security in choosing a cloud service provider or developing their own cloud systems, in order to avoid simply replacing old risks with new ones.

The roadmap is composed of three volumes: Volume I establishes priorities for implementation and provides a general understanding and overview of the background, purpose, and next steps for the U.S. government’s cloud computing initiatives.  Volume II is a technical reference guide for people actively working on cloud computing initiatives, while volume III is intended for policymakers who are implementing cloud computing solutions.  Volume I identifies ten requirements that must be satisfied in order for cloud computing initiatives to be implemented, including international interoperability, portability, and security standards; defined government regulatory requirements, technology gaps, and solutions; and defined and implemented reliability design goals.

• A recent General Services Administration (“GSA”) cloud computing procurement solicitation attempted to address data security concerns by limiting the foreign countries where vendors’ servers could be located, but this requirement was rejected on October 17 as unduly restrictive.  Noting that the GSA had failed to explain its basis for differentiating between acceptable and unacceptable locations, the Government Accountability Office (“GAO”) recommended that the solicitation be revised to reflect the agency’s actual needs. 
• On October 18, Sen. Daniel Akaka (D-HI) introduced the Privacy Act Modernization for the Information Age Act of 2011 to strengthen privacy protections for government records.  Among other things, the bill would create a federal chief privacy officer position, update penalties for violating the Privacy Act, and establish a centralized website for information about records maintained by individual agencies. 

This initiative follows decisions by other European DPAs, earlier this year, to reject the use of cloud services by public authorities because of security risks. In February 2011, The Danish DPA rejected the Municipality of Odense's planned use of Google's cloud computing services within schools. More recently, on September 29, 2011, the German federal and state DPAs issued a resolution on cloud computing and compliance with data protection law. In their statement, they urge cloud service customers to use cloud services only if they are in a position to fulfil their obligations as data controllers and have verified that the appropriate data security requirements are in place.

• Obtain a search warrant before compelling a service provider to disclose a user’s private communications or documents stored online;
• Obtain a search warrant before tracking the location of a cell phone or other mobile communications device;
• Obtain a court order based on demonstrating relevance to an authorized criminal investigation, before obtaining transactional data in real time about when and with whom an individual communicates using e-mail, instant messaging, text messaging, the telephone, or any other communications technology.
• Obtain a court order based on demonstrating relevance to an authorized criminal investigation, before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect.

Most law enforcement, industry, and consumer advocates would concede that ECPA, which was passed before the Internet was widely available, is outdated.  Efforts to modernize the bill have been made repeatedly, particularly in 1998 and 2000.  ECPA sets inconsistent and increasingly irrational standards over the life of electronic content.  For example, access to an email may depend on whether it is stored by the service provider or on a local computer, and whether it is opened by its recipient.  An electronic document may be protected by the Fourth Amendment when stored locally, but potentially available to law enforcement without a warrant if stored in the cloud. 

But differences in views with respect to how the law should be updated have complicated the legislative process.  The Department of Justice (DOJ), concerned that lawmakers may revise ECPA in a way that hinders prosecutors in expediently obtaining digital data to assist in investigations, supports only clarifications in the law that would reflect the DOJ’s interpretation of the current law.  However, Senators Wyden and Kirk, along with Representative Jason Chaffetz (R-Utah) in the House) have introduced legislation consistent with the Digital Due Process Coalition’s goals.  A similar bill was introduced by Senate Judiciary Chairman Patrick Leahy (D-Vt.) earlier this year.  Senator Leahy noted today during a floor speech that he is aiming to mark up the bill “before the end of the calendar year."

Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data.  In this regard, one of the principal privacy-based concerns raised in connection with US cloud-based services is that the use of such services will afford the US government greater access to the enterprise customer’s data, including in particular under the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001” (also known as the USA PATRIOT Act or Patriot Act).  However, this concern—which has been prevalent in connection with EU enterprises’ and government’s use of cloud services—is often based on a misunderstanding of the Patriot Act and the law governing government access to data both in the United States and abroad.

Contrary to many popular descriptions of it, the Patriot Act was not itself a vehicle for the US government to access user data, but rather a compilation of amendments to pre-existing federal statutes.  The amendments, for example, authorized the US government to apply to terrorism matters certain investigative tools that it previously was authorized to use to fight organized crime; enhanced the US government’s authorities to investigate foreign intelligence surveillance activity to encompass activities of terrorist organizations and other clandestine intelligence activities directed at the US;  and expanded authorities to combat international money laundering and financing of terrorism. 

Thus, the Patriot Act did not create the underlying authorities for the US government to access online data.  Rather, those authorities already existed in various criminal statutes and procedures, and they remain subject to the protections of existing law and the US judicial system.  

The Patriot Act also did not create or extend the jurisdictional reach of the United States.  Long before the Patriot Act was enacted, US courts held that a company with a presence in the United States was obligated to respond to a valid demand for information from the US government – regardless of the location of that information – so long as the company retained “possession, custody or control” of the data.   This legal principle, which is not dissimilar to the approach followed by some EU Member States (whose rules permit law enforcement to exercise jurisdiction over data that is “accessible” in-country), has long required companies that have contacts with or a presence in the US to comply with lawful US government requests for information — including EU companies and their data held in the EU.

Another misconception is that an EU enterprise’s use of US-based cloud services will impair the enterprise’s ability to comply with the EU Data Protection Directive.  If the US-based provider certifies and complies with the EU-US Safe Harbor Agreement and makes appropriate contractual commitments as mandated by the Directive to the EU enterprise, the EU enterprise would be in essentially the same position, from a compliance perspective, as if it stored data in-house.

We have addressed these and other items related to whether and how the use of cloud services implicates the USA PATRIOT Act and compliance with the EU Data Protection Directive further in the question and answer document found here. 

Please click here to view the Japanese translation.

To some customers of computing storage, processing and online services, the “cloud” seems no different from the traditional information technology services they have used for years.  Amazon’s cloud computing outage last week, and the associated downtime and data loss suffered by a number of Internet web sites, highlights how public cloud computing services are different – and how the contracts for those services are different, too.  Here are just three ways that typical cloud contracts may not be adequate to protect a customer’s interests in the cloud.

No Quality of Service Commitment.  Cloud computing is becoming a commoditized service, provided like a public utility.  Contracts for public cloud services are often presented to customers as non-negotiable, take-it-or-leave-it agreements.  For many customers, the cost benefits of cloud services may seem to outweigh the legal costs associated with negotiating a specific service agreement.  But typically, cloud service contracts include no commitments regarding quality of service, uptime, security, or other key factors that customers have come to expect from traditional IT providers.  In the case of an outage, then, customers may have no contractual recourse against the cloud provider, even for catastrophic data loss.

No Security and Back-Up Services.  Most IT contracts include detailed provisions, with an allocation of responsibility, for data protection and data back-up and disaster recovery.  Not so in most cloud computing contracts.  In the cloud, the customer is usually ultimately responsible for basic security, such as encryption, to protect critical data.  Yet cloud customers may not realize that certain services they use are in the cloud, and that the data provided in these services is unprotected.  Similarly, customers do not necessarily get commitments from cloud providers on data back up to protect critical information and systems in the event of a network outage or other service failure.  The cloud may be an easy resource for customers who need to provide their own redundancy – so a customer can use one service provider one as a primary service, and one for data back-up.  (Of course, this only works if one service provider is not simply reselling cloud services provided by the other – due diligence is important.)  But in general, each customer is ultimately responsible for protecting its own critical data.  It cannot blindly assume the cloud provider is securing, or protecting, its data.

No Audit Rights.  The cloud, and its inherent efficiencies for data storage and processing, makes any audit to evaluate and verify system operations difficult.  The cloud allocates spare processing and data capacity to wherever it is needed, whenever it is needed.  This elasticity creates the impression that computing resources are infinite, and infinitely available.  But customers will not know at any particular time where its data is actually physically located.  Certainly, this creates regulatory risk of which any customer using the cloud to store and process sensitive data (personally identifiable information, credit card information, health information) must be aware.  But separately, the very benefits of the cloud make it difficult for customers to examine whether the service they have purchased is really working the way it ought to be working.

At a minimum, last week’s Amazon outage should encourage cloud customers to reexamine the commercial terms on which they purchase cloud services, and to rethink what terms they can live with in the cloud.

One issue that frequently comes up is whether cloud computing is really new or different.  That depends on how you look at it.  As a legal matter, the model itself is not that different.  You can view it as another form of outsourcing, which is hardly new.  Or, you can draw the analogy to per-seat software licensing for enterprises, which is also not new.  What is new and different, however, is both the elasticity (the use of cloud can be scaled up or down with ease) and the volume of data that it can involve -- and it’s really that volume that makes the subject so interesting and that raises many of the questions most often discussed in connection with cloud computing. 

Another question that frequently comes up is how companies should approach using the cloud and addressing the complex jurisdictional issues that can arise as data freely crosses borders.  These are hard issues with no silver bullet solutions.  But the questions underscore the importance of approaching the issue holistically and taking a principled approach to the cloud.   The first order of business should be to take a look internally and ask whether your organization has a clear, principled, and coherent way for addressing these myriad issues -- privacy, security, responding to law enforcement requests -- in the use of cloud computing services.  For example, on the issue of law enforcement requests (for those businesses that receive them), businesses will be far better off if they take the time, really examine their practices, and develop principles and guidelines for how they will deal with requests globally.

There is another potential benefit to taking such a principled approach on privacy and security issues, too.  It is quite possible that the business “winners” in the cloud will be those that offer the best products and services and compete on things that matter to customers, including security and privacy.  Customers care about how their data will be protected.  For users to make informed evaluations and decisions, however, they need to have some baseline information – which requires some degree of transparency around privacy practices, at least a general description around security, and information on where the data will be stored.  The most successful businesses are likely to be those that are best able to engage with customers and communicate their core principles, values, and practices.

The Epsilon data breach illustrates some of the security challenges when dealing with cloud computing environments.  Although there are security risks associated with any outsourcing solution, the potential effect of a breach is magnified in a multi-tenant cloud.  Only 2% of Epsilon’s estimated 2,500 clients were affected by the attack, and that still amounted to millions of exposed records.  According to one estimate, the total number of affected individuals could be as high as 100 million. 

Dave Frankland of Forrester Research observes that this incident may cause companies to question whether a multi-tenant deployment model is the best way to process customer data, given that a single breach can give a perpetrator access to a wealth of data. 

• The U.S. Secret Service is reportedly investigating the breach, as is the Australian Federal Privacy Commissioner.  Sen. Richard Blumenthal (D-CT) has asked U.S. Attorney General Eric Holder to investigate as well. 
• Sen. Al Franken (D-MN), chairman of the Senate Subcommittee on Privacy, Technology and the Law, told Politico that he would be keeping an eye on the situation.  “Most of the people affected by the Epsilon breach had never heard of that company before this week,” Franken said in a statement. “We need to give Americans more awareness about who has their information and greater ability to protect it.”
• On the House side, Reps. Mary Bono Mack (R-CA) and G.K. Butterfield (D-NC) sent Epsilon’s parent company a list of questions regarding the incident and the firm’s response.  Said Ken Johnson, one of Rep. Bono Mack’s senior advisers, “There’s a very good chance we will hold a hearing to try and find out what went wrong and what needs to be done to better protect American consumers.”   

My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners. 

The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations.  As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider. 

The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance.  In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider.  IT contracts also need to require that the provider comply with the customer’s policies on FIPPs. 

One aspect of the DOC green paper that I like is the idea of a safe harbor for companies that do implement FTC-approved codes of conduct.  Perhaps one of these codes of conduct could be a set of baseline principles for contracts with IT service providers.  Creating an optional, but enforceable and standard set of principles on privacy and security would create some new efficiencies in contract negotiations.  It is unrealistic to create a one-size-fits-all set of security standards and mechanisms, as IT contracts are so diverse and cover so many different types of environments.  But a code of conduct could create some baselines for IT contracts.  For example, basic principles could include a requirement for reasonable security measures, a prohibition on any use of customer data beyond what is necessary for service delivery and a right to conduct reasonable audits and assessments or a right to receive regular shared audit reports conducted by an independent third party. 

The safe harbor protection would offer the “carrot” necessary to encourage the market to adopt these as standard principles and dispense with some of the threshold quibbling as to whether it is appropriate for the contract to include such terms.  Such a code of conduct would directly support consumer privacy, because companies can only provide assurances to consumers regarding privacy and security if they have sufficient control over the consumers’ data, including control over the data when it is in the hands of third parties such as IT service providers.  Even if no new legislation materializes as a result of the FTC and DOC documents, it is clear that companies simply cannot take a passive approach to these issues in relation to IT contracts. 

In my next post I provide observations on some changes to consider for form contracts based on  the FTC report’s commentary on the PII vs non-PII distinction and re-indentification of data. 

The report acknowledges that cloud computing has the potential to offer public administrations substantial benefits and improvements over current IT provisioning, such as increased availability and reliability, stronger security and better value.  However, the report recommends private and community clouds over public clouds, and ultimately urges European governments to adopt a staged approach in integrating cloud computing into their operations.

Speaking at a Commission conference on the Directive, Malmström strongly defended the necessity of the law.  “[D]ata retention is here to stay, and for good reasons,” she said.  “Access to telecommunications data are, at least in some cases, the only way of detecting and prosecuting serious crime.”

However, speaking at the same conference, European Data Protection Supervisor Peter Hustinx sharply criticized the Directive.  “[R]etaining communication and location data of all persons in the EU, whenever they use the telephone or the internet, constitutes a huge interference with the right to privacy of all citizens,” he said.  “The Directive is without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”

Hustnix said that under European law retention of traffic data must be proportionate and “strictly necessary,” criteria that the Directive does not appear to meet.  He also noted that the Directive has failed to harmonize Member State rules in this area, one of its key purposes.

“The evaluation we are now waiting for is the moment of truth for the Data Retention Directive,” Hustinx said.  “Evidence is required that it really constitutes a necessary and proportionate measure.  Without such evidence, the Directive should be withdrawn or replaced by an instrument which does meet the requirements of necessity and proportionality.” 

While repeal of the Data Retention Directive is very unlikely, the statements of Malmström and Hustinx suggest that the review of the Data Retention Directive will be contentious, with data protection advocates pushing to significantly narrow the Directive while law enforcement authorities argue for its importance as a crime-fighting tool.