
IT Law Notes- 4/24

I) Cyber security
• Different than information security
  o Information Security = protecting the information itself
  o Cyber Security = how to protect the systems (like the internet), which might make the information available
• Not a ton of law out there regarding cyber security, but government is paying attention to cybersecurity:
  o A) How secure are federal systems from attack?
  o B) How secure are critical infrastructures? They are not under the control of government, but they greatly affect society’s ability to do things
    ▪ Ex. All financial transactions rely on the internet nowadays
• Blockchain complicates cyber security
  o What is blockchain?
    ▪ A secure, verifiable way to make sure transactions happen (an electronic transaction control)
    ▪ Uses encryption
    ▪ Ensures that transactions can happen independently of human interaction
    ▪ Facilitates electronic contracting in the legal world
    ▪ Prevalent in the financial world
    ▪ Both sides know that the triggering event for a certain transaction has happened
      • Blockchain gives us a permanent record that a contingency was met and that we moved on to the next part of the transaction

II) Cloud
• 3 categories of the services that are available through the cloud:
  o 1) IaaS - infrastructure as a service
    ▪ You don’t have to go out and buy a bunch of hardware; servers take up a lot of space
    ▪ Can use the servers run by Amazon
      • You can store your information on these servers without ever having to buy any servers
  o 2) PaaS - platform as a service
    ▪ Ex. application/service like PayPal
      • PayPal is hosted elsewhere (payment platform)
  o 3) SaaS - software as a service
    ▪ Software as a service
    ▪ Ex. Office 365
• Everything you would have had locally can be stored somewhere else now
• Poses some concerns for cybersecurity
  o Ability to use the information (availability/integrity of info is in hands of service provider)
• Legal issues that come up with cloud
  o 1) Privacy and security
    ▪ Cloud provider counts as a business associate (BA) under HIPAA
      • What constitutes disclosure? Does handing off of the health information to the cloud count?
        o Yes if no BA agreement
        o What if the information is encrypted and the server doesn’t have the key?
          ▪ Still counts as disclosure
    ▪ Implementing reasonable security measures
      • How do you know the cloud vendor is capable of implementing such measures?
        o Contractually, the risk may still lie on the discloser who owns the information
        o You need to do your diligence when choosing a cloud provider
    ▪ What if there is sensitive info on the cloud, how will we know if there has been a breach?
      • Do they have a duty to disclose to you that they had a security incident?
        o It depends on what’s in the contract
        o Who should pay for the notification?
        o Who should notify the state attorney general?
  o 2) IP Infringement
    ▪ Patents: the server in the cloud may either have components that infringe a patent, or the service itself may violate someone else’s patent
      • If the cloud creates an infringement, your computer is using the cloud, and engaging the infringing service could be infringement itself
    ▪ Copyright infringement possible if the server in the cloud infringes someone’s software code
    ▪ Use of IP rights
      • Pay attention to the contract
        o Ex. Grant of license that says the cloud vendor can do X with your information
      • Be careful to define the scope of the license
        o “You can use my info for this purpose and this purpose, but solely for the purpose of providing this service to me or my customers”
    ▪ Does your software license allow you to load it onto a cloud in hands of third party?
      • No privity between software provider and cloud provider
  o 3) Where is the data located physically?
    ▪ International: can US subpoena data that is stored overseas?
      • Is the data subject to retrieval?
    ▪ State jurisdictional issues
      • Ex. UCITA law in MD and VA
        o Very possible that VA state law can get attached because your data is just sitting there
  o 4) What happens when the relationship with cloud is severed?
    ▪ Depends on contract
    ▪ Negotiate for provision that information will be deleted (delete vs. secure delete)
      • Need to actually overwrite and destroy the information
