7.4. Contract issues

Security conditions 1/7

Challenge

Challenge: signing a contract for e-services in the cloud

  • many non-standard problems arise from cloud technology itself
  • very risky from the legal point of view, not only as a technical security risk

Empty promises

  • "reasonable security for your data"
    • open to considerable interpretation and argument, reasonable = low cost for the vendor
  • "industry security standard"
    • what standard? the vendors are likely to indicate irrelevant standards standards often describe the solutions that have already been broken cloud technology is developing so fast that the standards are likely to describe outdated technology (to process of issuing a standard takes a couple of years!)
  • "state-of-the-art security solutions"
    • effectively: this is an excuse for installing insecure solutions (there is nothing better)
    • getting rid of responsibility (we did everything possible, this is you that has taken the risk!)

Security conditions - recommendations 2/7

Necessary elements of a contract

  • "reasonable security for your data"
    • contract must be based on a formal document formalizing the values protected, risk analysis and conditions sufficient to protect the values according to the risks
    • Common Criteria documents may apply   link to CC  
  • "industry security standard"
    • a standard is a double edge sword - it may prohibit some secure solutions. Use standards mainly for ensuring compatibility.
  • "state-of-the-art security solutions"
    • instead of an obligation stating properties of the system at some moment, the service provider should be responsible for any security breaches whenever a flaw becomes known

Third party security control 3/7

Security audits and certification

  • independent security control should be part of the contract
    • no control and cost optimization \( \Rightarrow \) security flaws
  • obligations regarding audits and certification serve as an alibi for the decision makers signing a contract
    • however, if the control procedures cannot be technically effective, the decision makers can be accused anyway (cf. KK Art. 266.1, KK Art. 18.3)

Runtime security events 4/7

What to do with security relevant events?

  • state in the contract that this is the service provider's problem?
    • No. From the legal point of view this can be treated as gross negligence
  • whom to report to? only the end users?
    • recommendation: the obligation to inform every potential victim should be the vendor's responsibility
  see similar obligations in the personal data protection overview

e-discovery 5/7

Non-standard access to data

  • the contract describes the services needed now. Is that enough?
    • NO. The user may be trapped in a solution that does not allow any extension for future needs. But how to predict future needs? The future is unpredictable!
  • Can anything help to achieve flexibility?
    • Yes: as much information as possible about the internal organization and architecture of the vendor's solution. White-box architectures bring more hope than black-box ones.

Free tools for e-discovery

limited resources

Data location 6/7

Requirements for data location

  • cloud technology does not explicitly determine data location, so should we care?
    • YES. There are many legal obligations in diverse regulations, e.g. on personal data and its export abroad (see the personal data protection subsection)
  • criminal law: crimes against information protection

Contract 7/7

Responsibility for the end-users

  • due to cloud specifics the users are less controlled and may behave maliciously or just witlessly, especially where security is concerned
  • who will be responsible for your employees or customers?
  • providers may try to write some statements into the contract instead of installing technical solutions that prevent or minimize the consequences
  • does the contract oblige you to inform the cloud provider about security incidents/problems and inappropriate actions of end users?

Unauthorized use, inappropriate use

in the case of a public cloud you might be affected by the actions of other cloud systems and their users

  • the service provider may try to limit his responsibility for the actions of other customers
  • ... instead of strictly separating their access possibilities

Interrupting service

Is the provider allowed to stop the service temporarily for important reasons such as security problems?

Terminating service

You have to be prepared for:

  • the cloud provider going out of business
  • termination of the contract for business reasons

\( \Rightarrow \) the contract should contain obligations for the intermediate period and for continuity, or a shadow cloud at another provider kept as a backup copy

Jurisdiction

Which country's law applies? It is easy to be trapped if the contract refers to the legal system of a third country.
Problems:

  • continental versus common law
  • differences between EU countries (despite harmonization of legal rules)

EU Expert group

The Expert Group on Cloud Computing Contracts was set up in 2013 by the European Commission.

  • The Expert Group was established to assist the Commission in identifying safe and fair contract terms and conditions for cloud computing services for consumers and small firms.
    The group shall take account of existing best market practices in terms and conditions in cloud computing contracts and the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The project "Cloud Computing – nowe technologie w ofercie dydaktycznej Politechniki Wrocławskiej" (UDA.POKL.04.03.00-00-135/12) is implemented within the Human Capital Operational Programme, Priority IV: Higher education and science, Measure 4.3: Strengthening the didactic potential of universities in key areas in the context of the Europe 2020 Strategy goals, co-financed by the European Social Fund and the state budget.