Every one of the eleven presenters at a May 11 Practising Law Institute seminar program entitled “Cloud Computing 2012: Cut Through the Fluff and Tackle the Critical Stuff” recognized privacy and data security as critical issues faced by cloud computing customers and service providers alike. Opening the program with an introduction to cloud computing, program co-chair Janine Anthony Bowen, a partner at Jack Attorneys and Advisors (Atlanta), characterized privacy and data security as risks that must be recognized and managed by those seeking the cost savings, scalability and other benefits that cloud computing can offer. Her co-presenter, Rachel Beth Evans, Senior Legal Counsel at Accenture (San Francisco), included privacy and data security among the primary areas on which prospective cloud computing customers should pursue due diligence inquiries with respect to their own needs, based not only on the types of data they propose to put into the cloud but also service provider policies and practices.
Hogan Lovells partner Chris Wolf (Washington, DC) surveyed the panoply of laws and regulations with which cloud computing customers and, in many cases, service providers must comply. He also offered attendees a preview of a Hogan Lovells White Paper that surveys the rights of national governments in ten jurisdictions to access data in the cloud. The complete White Paper will be published on this blog on May 23. Audrey Roh, Senior Attorney with the U.S. Department of Housing and Urban Development (Washington, DC), who surveyed cloud computing initiatives by U.S. government agencies, highlighted “information security, cybersecurity and privacy” as challenges in government cloud computing contracts. Her co-presenter, Jason Silverman, a partner at McKenna, Long and Aldridge (Washington, DC), directed attention to compliance with export regulations in connection of movement of data to the cloud and discussed “deemed exports” that can occur even when service providers do not send data outside the country.
Megan Herzler, Assistant General Counsel and Director of Data Privacy at Xcel Energy (Minneapolis, MN), and Boris Segalis, a partner at InfoLawGroup (New York City), offered practical guidance for managing privacy and data security risks in cloud computing transactions beginning with RFPs and service provider due diligence and continuing through the life of a cloud computing contract. Their thought-provoking recommendations included the importance of making preparations for the eventuality of a data security breach and having in place contractors who can assist with responses such as breach notification, credit monitoring and call center support for affected persons. Hogan Lovells partner Philip Porter (Northern Virginia), a program co-chair, and H. Ward Classen, Deputy General Counsel of Computer Sciences Corporation (Hanover, MD), engaged in a mock negotiation of a hypothetical cloud computing contract, which included defining privacy and data security obligations and remedies for breach of those obligations. The program concluded with a dialogue by Jeremy Feinberg, Statewide Special Counsel for Ethics for the New York State office of Court Administration, and Maura Grossman, a partner at Wachtell, Lipton, Rosen & Katz, on obligations of lawyers to their clients when the lawyers move client data to the cloud. At the forefront of these obligations is the use of reasonable care in selecting service providers and in exploring the service providers’ policies and procedures for maintaining the confidentiality and security of client data.
While the program explored a broad range of issues that must be addressed and risks that must be managed in cloud computing transactions, the presenters made it clear that privacy and data security issues are in the forefront. Practising Law Institute will sponsor a similar program in San Francisco and by webcast on June 11.