Courtesy of Thames Valley Business Magazine February 2012

The start of a new year is an opportunity to reflect on possible developments over the next year.  The legal environment of the technology sector is unlikely to see any drastic changes in the next twelve months and we expect the issues below to form the basis of much of the discussions in the next year.  Hopefully, we will see many Thames Valley firms exploiting the commercial opportunities these issues throw up.

Software Development:
A 2011 judgment from the European Court is likely to give food for thought to software developers who assumed that user interfaces in computer programs cannot be protected by copyright, thereby reducing the cost of developing applications able to link with other, copyright-protected applications. The Advocate General’s opinion in SAS v WPL suggests that there may be elements or expressions of a computer program other than object code or source code (traditionally regarded as protectable by copyright) which can also be protected, provided they form a substantial portion of the source program.

ISP and intermediaries:
The injunction on BT in the Newzbin2 case showed that courts are willing to force ISPs to put reasonable measures in place to prevent access to websites which contain copyright-infringing material. The judgment in Scarlet v SABAM also shows that ISPs are unlikely to be asked to put in place blanket measures that affect all of their users. Neither judgment clarifies the cost implications of these measures, and intermediaries will be keeping an eye out for further developments in this space.

Data Protection:
Early this year, the European Commission will publish its proposals to reform data protection law in the EU. From the draft published in late 2011, we know that some of the changes will make it easier for businesses to comply with data protection law, while others will give data subjects greater rights in relation to their personal data, as well as impose a higher monetary penalty for serious breaches. The balance struck will be vital for those businesses at the frontline of data protection, e.g. those active in developing behavioural advertising applications.

Cloud Computing:
An increasingly mature technology, this is likely to see greater use by small and medium sized businesses and individuals – especially in relation to online storage of music and other data (subject to the relevant copyright licences). However, important questions such as compliance with data protection law (in particular, transfer of data outside the EU) and data portability will continue to be of relevance, with smaller businesses and individuals unlikely to have the bargaining power to negotiate material changes in a supplier’s terms of business.

Apart from the specific issues above, the current economic climate will continue to force technology businesses to get the most out of their technology and intellectual property assets and their clients to get the most out of any money spent on new technology. Appropriate licensing and purchase strategies, with an element of flexibility, will continue to be at the core of legal work in this sector.

Rustam Roy

Senior Solicitor, Technology
T: 0118 957 0180
E: rroy@pitmans.com

Pitmans hosted an evening seminar on 1 February, sponsored by Prolinx, a specialist IT security solutions provider, at which delegates were stimulated by a panel of experts who highlighted some of the current threats and challenges posed by cyber risk.

The keynote presentation was made by Professor Sadie Creese, Professor of Cybersecurity at the University of Oxford. Professor Creese kicked off with the scale of the challenge facing today’s society, highlighting that by 2020 there will be 31 billion connected devices and 50 trillion gigabytes of data created. This, in turn, will result in an increasingly vast ‘attack surface’ which presents those seeking to protect cyber assets with an enormous challenge. Professor Creese, amongst other things, pointed out the scarcity of meaningful metrics in relation to data security as well as the importance of preparing to ‘respond and recover’. Current research makes clear that much needs to be done to develop invaluable analytics to measure security, and that, above all, the inability to attribute an identity to hackers or intruders remains a perennial vulnerability.

Philip James, a Partner who leads Pitmans’ Data Privacy & Information Law team, explained that the World Economic Forum’s recent Risk Report now lists cyber threats as one of the top 5 risks threatening society in terms of likelihood. Philip highlighted the risks this poses to the current intellectual property enforcement regime: in the absence of identifying culprits, it remains difficult to take criminal action against those responsible, and all that will be left will be a dispute between the victim and its suppliers as to who is to blame. In addition, investors and companies will be increasingly reluctant to invest in R&D if valuable intangible assets cannot be protected from extraction. Philip also summarised the EU’s recent draft Data Protection Regulation, which seeks to introduce a much stricter penalty regime for serious breaches of data security (with fines calculated as a percentage of global turnover) and a concept of accountability, so that data controllers are encouraged to take responsibility for the protection of personal data.

Simon Milner, Head of Cyber Risk at JLT Speciality Limited, then provided a realistic explanation of the insurance landscape and the solutions available to customers on today’s insurance market. Simon picked up on some of the themes touched on by previous speakers, including the need to develop better analytics to assist risk grading and assessment. In particular, it was clear that many in industry were not necessarily aware of the variety of products currently available in this space, e.g. to cover reputation management, legal costs and re-constitution of lost data.

Finally, Nick Baskett, Chairman of Matta Consulting, a penetration testing and vulnerability assessment consultancy, provided an invaluable insight into the gaps and strengths in existing data security systems, including:

• an amusing, if scary, exposé on how effective intrusion detection systems can be when they are not correctly implemented; and
• how a software house subsequently discovered (after passing on the opportunity to carry out a security audit on a number of previous occasions) that a trojan was residing in its primary code repository.

Nick then stressed the distinction, when carrying out a forensic investigation following an incident, between cases where it is necessary to collect evidence and those where it is not (and the related difference in cost).

A copy of the WEF Global Risks Report is available here.

Following the session, McAfee have also released their 2012 Threats Predictions – click here for further details.

For further discussion of this seminar or other issues, please contact:

Pitmans’ Data Privacy & Information Law team

Pitmans’ Cyber Risk Management team

Philip James
Partner, Head of Data Privacy & Cyber Risk Management
T: +44 (0) 207 634 4655
E: pjames@pitmans.com

This article was published by Workbooks.com

Philip James, Partner, and Carolyn Butler, Solicitor at Pitmans LLP examine some of the legal issues you should consider when moving to cloud computing and selecting a vendor.

1. Know the flight plan (negotiation and contract)

Carefully review the terms on which you are intending to contract with your cloud provider. Is the contract open to negotiation or are you expected to contract on the cloud provider’s standard terms? If the former, consider your specific requirements, and ensure your contract:

• adequately reflects your requirements in unambiguous language in a layout that’s easy to follow (in other words, don’t bury your specifications across numerous schedules);
• clearly delineates the roles and responsibilities of both the cloud provider and your organisation; and
• has quantifiable metrics or KPIs to verify the performance of your cloud provider.

If the latter, review the terms carefully to ensure, firstly, that they are fair and that there are no unpleasant surprises lurking and, secondly, that they cover everything you need them to. If not, seek to vary the standard terms with your cloud provider accordingly.

Look at the extent of the remedies available under the contract. The contract will probably contain limitations of liability, so if you are intending to outsource critical internal infrastructure, check whether those limitations adequately reflect the allocation of liability to your cloud provider.

• What limitation should apply?
• Are there risks for which liability should or should not be excluded? E.g. does the supplier exclude liability for loss of data? (This is not much good if you are outsourcing your CRM database!)

In some cases, damages for breach of contract may not be a sufficient remedy if things go wrong, and you may wish to set out alternative, more appropriate remedies under the contract. Other key issues to look out for in your contract are explored in more detail below. In all cases, always seek specific legal advice if you are unsure about the effect of any element of your contract.

Before negotiating a contract with a cloud provider, the European Network and Information Security Agency’s Information Assurance Framework for Cloud Computing, which sets out questions that an organisation should ask a cloud provider, is essential reading¹.

2. First class, business class or economy class? (service levels)

Service levels need to be agreed upfront, and should be expressed in the service-level agreement in terms that are both clear and measurable, including maximum periods of downtime, the relative importance to the business of different elements of the service and processes for remedying defaults. While many businesses look to cloud providers as part of their business continuity strategy, it is also necessary to consider what would happen if the cloud provider’s operations become disrupted. How does your cloud provider manage its response to incidents such as natural disasters or security breaches to ensure disruption is kept to a minimum?

Before you sign up, ask your cloud provider about any extra costs and charges, work out which of these are relevant to your business and budget accordingly. You should also ensure your future as well as your present needs are taken into account: find out how quickly and by how much your cloud provider can scale up the services it provides, and, if you plan to expand your business abroad, whether your provider has the capabilities to meet your needs in other jurisdictions.

It is important that the ramifications of failing to meet the agreed service levels are clearly set out (often a service credits mechanism is used) and that the parties agree a process of escalating remedies in the event that problems supplementary to the agreed remedial mechanisms arise. The resolution of disputes can be a costly and time-consuming exercise, and it is in the interests of both parties to have workable and effective escalation processes in place to ensure problems are worked out amicably, the business relationship is preserved and any disruption is kept to a minimum.

3. Security checkpoints (security and data protection)

It is essential to verify with your cloud provider what responsibilities for security lie within the remit of your organisation and which are their responsibility.

While your cloud provider may be unable to give you precise details about the security measures it has in place (since a detailed disclosure of the systems in use could impair their integrity), a high-level description of those measures should be given, for example: the extent to which data encryption is used, whether anomaly detection systems are applied, the protocols in place to deal with the theft of user credentials and the physical security used to protect the locations where data is stored. Your cloud provider should also be able to tell you whether it meets any of the existing web standards² and give you details of the security features on offer for users, such as user authentication and authorisation/administration controls. Find out whether your cloud provider offers any guarantees that customer resources are fully isolated from one another, and to what degree data, metadata or other traces of use by your organisation are erased before machines are reallocated. You should request sufficient information to allow you to make a sensible judgement about the adequacy of the security measures offered by your cloud provider, and whether additional measures are required and need to be agreed in your contract.

Further, find out whether your cloud provider intends to outsource or subcontract any of the operations that it is contracted to supply to you and, if so, who those third parties are, where they are based, what procedures are used to verify and monitor the quality of the services they provide, and the security controls in place to protect your data. For instance, it is not much use having contractual protections in your agreement with your provider if the ‘subbie’ to whom the service is sub-contracted is not subject to the same terms agreed with your supplier (you may also not have conducted due diligence in respect of that subbie).

4. Final destination (location)

Just as importantly, find out where your cloud provider will physically hold your data. Your data should be stored in a jurisdiction where an acceptable level of protection is mandated by law. Data protection standards vary from one jurisdiction to another and, although efforts are being made to harmonise the requirements across the EU as a whole, outside of the EU they may be non-existent. Nevertheless, if you are a business based in the UK, and the data in question is being processed in the context of that business, the full extent of the UK rules will most likely apply.

Further, if you are intending to store personal data in the cloud, such as HR records, take note that the transfer of personal data to a country or territory outside of the EEA is prohibited, unless equivalent protection in that country or territory is assured (and in this respect, if it is to be stored outside the EEA, seek specific legal advice on this issue as there are a number of compliance requirements which may need to be dealt with). Where this is concerned, it is always easier from a data privacy compliance perspective to engage a supplier whose data centre is located in the UK or Europe than enter into an arrangement with a supplier whose servers are in the US or China (or worse still, in a virtual data centre i.e. you don’t know where it is stored!).

Note also that, where HR data is concerned, it is also likely to contain sensitive personal data. As such, there are a number of more stringent restrictions as to how this type of data may be processed, and specific consents may need to be obtained from the data subjects (i.e. the persons to whom such personal data relates). Ideally, find a cloud provider based in your jurisdiction that can provide assurances that data (and at the bare minimum, personal data) will not be transferred outside of the EEA.

It is important to ensure your contract with your cloud provider clearly states the choice of territorial jurisdiction (that is, the country in which any dispute in relation to the contract will be heard) and the choice of law that the courts will apply in determining any dispute. Ideally, this should be a jurisdiction in which your organisation operates. If a dispute arises, and the choice of law and jurisdiction has not been specified, under EU law a defendant may be sued where they live, or where the contractual obligation was performed. The applicable law, however, will be the law with the closest connection to your contract. It is easy to see how this can create problems in a cloud computing environment, where there are cloud providers all over the globe eager for your business and where your data could potentially be stored anywhere in the world, so explicitly state in the contract what’s intended.

5. Take a moment to find the nearest exit (transitioning)

Although it may feel like a remote prospect, before you enter into a cloud contract it is necessary to anticipate how you intend to exit those arrangements. Care should be taken to ensure the portability of your data, including your metadata. Review your contract to determine what events could trigger a right to terminate the agreement by either you or your cloud provider. Ask what procedures are in place to export your data (in an orderly fashion) if you change cloud providers or in the event that the agreement is terminated. Find out whether those procedures are regularly tested to ensure that they work.

Also, if there is a specific format in which you expect to receive your ported data, you should try to specify that (to the extent that is possible) in your contract with your supplier. Please note: there may be additional costs associated with ensuring your data is in a format which is compatible with your systems. The ownership of intellectual property (IP) can be a particularly contentious issue in the cloud environment. Examine the IP provisions in the agreement with your cloud provider to determine how data ownership is dealt with, and whether those provisions are acceptable to you. IP is a technical area of law; if in doubt, always seek specific legal advice to ensure you are adequately protected.

Once you have moved your data, you will no doubt be seeking assurances from your cloud provider that all traces of your data will be deleted as soon as possible. So, before you commit to a particular cloud provider, find out whether this is a realistic prospect: it may take a number of weeks for your data to be deleted if it is stored in more than one place (for example, if it is copied on to back-up tapes), and it may be impossible to destroy your data completely if your cloud provider allows you to share disk space with other customers. If that’s not good enough, give your cloud provider the opportunity to put satisfactory processes in place for you.

For further information in relation to the issues raised by this note, please contact:

Philip James
Partner
pjames@pitmans.com
+44 (0) 207 634 4655

Carolyn Butler
Solicitor
cbutler@pitmans.com
+44 (0) 118 957 0234

¹ http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/?searchterm=assurance framework

² Such as ISO27001 (http://www.27001-online.com/), which implements OECD (Organisation for Economic Cooperation and Development) principles governing security of information and network systems, and the SAS70 auditing standard (http://sas70.com/)

PLEASE NOTE: This note has been prepared to provide general guidance on the benefits as well as some of the risks associated with cloud computing. As such, it should not be relied on. Always seek specific legal advice in relation to your specific circumstances in question.

Courtesy of Data Protection Law & Policy – May 2011

Last November, the EU Commission set out its aims to modernise the 1995 EU Data Protection Directive in a November 2010 Communication. Philip James, Partner at Pitmans, reviews some of the responses to the Commissioner’s consultation in relation to a particular conundrum facing the Commission – data portability.

This long-overdue overhaul of the existing data protection framework is intended to address some of the key challenges facing current data privacy regulation, namely: the collection and use of personal data via new technologies, harmonisation and simplification of notification throughout the EU, and globalisation and cross-border data flows.

The purpose is, on the one hand, to reinforce an individual’s right to privacy and, on the other, to harmonise and simplify data privacy regulation. The Commission has indicated that the revised framework may include a possible EU-wide notification process, involving a central EU Information Commissioner.
 
A key part of this harmonisation process will depend upon the establishment of precedents, template data processing agreements and fair processing notices. In addition, organisations will be required to incorporate Privacy Impact Assessments (PIA) and Privacy by Design (PbD) into new technologies from inception through to implementation and day-to-day operation, rather than immediately prior to launch. In short, privacy is to be embedded into the development of business and technology from the word go.

A Refresher of the Review

Key objectives of the modernised data privacy strategy are to:

- Strengthen individuals’ rights and clarify what types of information will fall into the definition of ‘personal data’, such as user profile information.

- Increase transparency for data subjects, for example, by introducing mandatory personal data breach notification.

- Create new responsibilities for data controllers by making the appointment of an independent Data Protection Officer mandatory.

- Place a duty on data controllers to carry out PIA where appropriate, and promote the use of Privacy Enhancing Technologies (PET) and the PbD model of system design.

- Enhance individuals’ control over their data, including the so-called ‘right to be forgotten’, and empower users with a right to port their personal information, otherwise known as data portability.

- Raise and finance public awareness and promote the application of approved ‘privacy seals’ for organisations which meet certain minimum privacy standards.

- Ensure informed and free consent (and, in so doing, provide pre-approved data privacy notices on EU standard forms).

- Harmonise the conditions for processing sensitive data and review the categories of information which may be classed as sensitive.

- Make remedies and sanctions more effective and promote an active infringement policy.

- Clarify and simplify the rules for international data transfers.

- Encourage self-regulatory initiatives.

Data Portability

Cloud providers and social network providers will need to pay particular attention to the proposed right for users to port their personal information to an alternative provider, as well as their right to erase their digital footprints, pursuant to their right to be forgotten. It may not have gone unnoticed that Google has recently launched a range of Chrome laptops, in conjunction with Acer and Samsung, which provide users with a suite of solely cloud-based applications, i.e. just the bare bones on the machine itself; applications aren’t installed locally but accessed remotely. The service is a direct challenge to Microsoft’s enterprise offering. What is clear is that cloud-based computing isn’t going away anytime soon.

The right for consumers to port their data to a new provider will also be of specific concern to social networks, whose servers continue to brim over with user-generated content.

In theory, the right for users to require providers to transfer their data to a new provider should promote cloud shopping. This, in turn, will promote greater competition between providers. One of the most effective weapons customers have in their armoury is to switch providers. Permitting users to transfer their personal portfolios of friends, photos and documents to an alternative supplier offering greater control and security will be a powerful means of promoting privacy. This is an ideal that should be pursued.

Data Liberation

Notably, Google is supporting this initiative by means of its Data Liberation campaign. This is to be welcomed, although it remains uncertain whether the genuine motive is to relieve its competitors of their data buckets, rather than liberate its customers’ own data. This will come as no surprise, given the continuing data and PR battle between the digital woolly mammoths, Facebook and Google.

In practice, the story is somewhat different. There are some significant hurdles to a truly liberal customer data migration policy. The Commission asked organisations and interested sector groups to respond to its consultation in relation to the Directive review by 15 January 2011. There is a wealth of feedback and, after reviewing some select responses, the following were of particular interest.

Microsoft’s response to the Commissioner’s consultation is particularly helpful on this issue. In recognising the brand value of winning customers’ trust, the report starts with ‘Microsoft’s success depends on users having confidence in our ability to responsibly manage and protect their data’ and continues the theme in Section C (Enhancing control over one’s own data): ‘An essential element of a user’s control over that data is the ability to retrieve that data in a simple and cost-efficient way… Microsoft strives to build capabilities into those services to give the user that control’.

Practical Challenges

However, at the same time, the response outlines the practical and commercial realities that may inhibit data portability:
 
- Any right must draw a distinction between a user’s own data and underlying applications or related metadata or stats generated by use of the service.

- The right should be limited to data held by the provider.

- Any data transferred will depend on the format of the data and APIs (application programming interfaces) in question. Whilst there are industry standard formats and APIs, few service providers store data in the preferred format for data exchange.

- In addition, the richer the data format, the harder it may be to transfer data to a new provider. The more raw the data, the easier the transfer.

In short, there are significant technical challenges, and users cannot have it both ways: have a specialised, slick user interface, then expect to be able to click a button and transfer their whole data suitcase to a new data ‘hotel’.

The risks of data portability cannot be overstated. Nokia’s response points out that the risks of failing to correctly identify the user who is requesting the data transfer are significant (page 10). One recommendation is to ensure that only ‘identified individuals’ can exercise their rights. In addition, there may be some benefit to limiting the frequency with which a user can exercise this right.

Promoting a Privacy Market

Cloud customers often marry in haste and repent at their leisure. In other words, unless users are provided with clear information about what will happen to their data at the end of the relationship (call it a ‘data pre-nup’ if you will), privacy is likely to suffer. In reality, a limited number of data oligarchs are likely to retain market control over customers’ data, based on first mover advantage, rather than necessarily providing the most effective platform for maintaining their customers’ privacy. Facilitating data portability will in itself generate healthy competition in relation to privacy enhancing technologies and empower customers with control over their data. Comparisons can be drawn with the mobile network market and the ability of customers to switch provider. For a long time, there was great resistance, which was eventually overcome.

Industry Standards

Requiring providers to allow competitors access to their technology to produce compatible exchange interfaces and promoting common, standard industry data exchange formats (where reasonably practical) should assist users in migrating to a new provider. However, as ever, where there are associated costs of porting data, such costs should be reasonable and users should be informed of what these costs are in advance of ‘moving in’.

What Questions Should I Ask?

Google has succinctly distilled the questions a user should ask before signing up to a cloud service, in its Data Liberation site, as:

- Can I get my data out at all?

- How much is it going to cost to get my data out?

- How much of my time is it going to take to get my data out?

These are questions both consumers and businesses should be asking before they embrace the economically attractive cloud-based services on offer. It may come as no surprise that many cloud services offer low introductory fees, whilst the costs to switch to a new provider in the future may be astronomical.

Directive or Regulation?

The Commission will propose legislation this year. It should be borne in mind that the option remains open to the Commission to introduce new legislation in the form of a Regulation, rather than as a Directive. The upshot of this is that the law would be directly applicable, and there may be a genuine opportunity for the Commission to achieve greater harmonisation within the EU.

Philip James
Media & Entertainment Partner
+44 (0)207 634 4655
pjames@pitmanssk.com