I) Cyber security
Different than information security
o Information Security = protecting the information itself
o Cyber Security = how to protect the systems (like the
internet) that might make the information available
Not a ton of law out there regarding cyber security, but
government is paying attention to cybersecurity:
o A) How secure are federal systems from attack?
o B) How secure are critical infrastructures? They are not
under the control of government, but they greatly affect
society’s ability to do things
Ex. All financial transactions rely on the internet
nowadays
Blockchain complicates cyber security
o What is blockchain?
A secure verifiable way to make sure transactions
happen (an electronic transaction control)
Uses encryption
Ensures that transactions can happen
independently of human interaction
Facilitates electronic contracting in the legal
world
Prevalent in the financial world
Both sides know that the triggering event for a
certain transaction has happened
Blockchain gives us a permanent record
that a contingency was met and that we
moved on to the next part of the
transaction
II) Cloud
3 categories of the services that are available through the
cloud:
o 1) IaaS- infrastructure as a service
You don’t have to go out and buy a bunch of
hardware- servers take up a lot of space
Can use the servers run by Amazon
You can store your information on these
servers without ever having to buy any
servers
o 2) PaaS- platform as a service
Ex. application/service like PayPal
PayPal is hosted elsewhere (payment
platform)
o 3) SaaS- software as a service
Software as a service
Ex. Office 365
Everything you would have had locally can be stored
somewhere else now
Poses some concerns for cybersecurity
o Ability to use the information (availability/integrity of
info is in hands of service provider)
Legal issues that come up with cloud
o 1) Privacy and security
Cloud provider counts as BA under HIPAA
What constitutes disclosure? Does handing
off of the health information to the cloud
count?
Yes if no BA agreement
What if the information is encrypted
and the server doesn’t have the key?
o Still counts as disclosure
Implementing reasonable security measures
How do you know the cloud vendor is
capable of implementing such measures?
Contractually, the risk may still lie with
the discloser who owns the
information
You need to do your diligence when
choosing a cloud provider
What if there is sensitive info on the cloud- how
will we know if there has been a breach?
Do they have a duty to disclose to you that
they had a security incident?
It depends on what’s in the contract
Who should pay for the notification?
Who should notify the state attorney
general?
o 2) IP Infringement
Patents: the server in the cloud may either have
components that infringe a patent, or the service
itself may violate someone else’s patent
If the cloud creates an infringement, your
computer is using the cloud, and engaging
the infringing service could be infringement
itself
Copyright infringement possible if the server in
the cloud infringes someone’s software code
Use of IP rights
Pay attention to the contract
Ex. Grant of license that says the
cloud vendor can do X with your
information
Be careful to define the scope of the license
“You can use my info for this purpose
and this purpose, but solely for the
purpose of providing this service to
me or my customers”
Does your software license allow you to load it
onto a cloud in hands of third party?
No privity between software provider and
cloud provider
o 3) Where is the data located physically?
International: can US subpoena data that is
stored overseas?
Is the data subject to retrieval?
State jurisdictional issues
Ex. UCITA law in MD and VA
Very possible that VA state law can
get attached because your data is just
sitting there
o 4) What happens when the relationship with cloud is
severed?
Depends on contract
Negotiate for provision that information will be
deleted (delete vs. secure delete)
Need to actually overwrite and destroy the
information