CLOUD COMPUTING AND COMPLIANCE WITH KEY CONSUMER PROTECTION LAWS AND REGULATIONS

Alysa Z. Hutnik, Partner [1]
Kelley Drye & Warren LLP
3050 K Street, NW, Washington, DC
FEBRUARY

This briefing provides an overview of key consumer protection legal considerations for cloud computing service providers, including an overview of applicable cloud computing terminology, general consumer protection obligations, best practices to limit third-party liability risks, consumer privacy and data security requirements, and guidance for responding to requests for customer data.

RELEVANT CLOUD COMPUTING BACKGROUND

I. THE CLOUD COMPUTING VALUE PROPOSITION

Cloud computing provides a means by which companies can avoid acquiring and maintaining computer equipment and software. Cloud computing allows computer technology to be easily accessed as a service over the Internet or via a private network from any location, so that computer technology, software programs, and data can be available when and where the user needs them. Specific elements of the cloud computing value proposition include the following:

- The customer only pays for as much technology capacity as it needs. For computer processing, a company using cloud computing can avoid the capital expenditure and the ongoing expense of maintaining the computer infrastructure. The same concept applies to the software application, allowing the company to avoid the upfront license fee;
- Flexible pricing on a pay-for-use basis is a big piece of the value proposition, along with the rapid increase and decrease of usage with minimal involvement by the service provider. Rather than buying and maintaining server capacity and operating systems or paying upfront licensing fees, an enterprise can acquire that same capability from a cloud provider, access it over the Internet, and pay a pre-defined price for the service.

II. DEFINITIONS

The term "cloud computing" is used in a variety of contexts within the information technology industry. The Commerce Department's National Institute of Standards and Technology (NIST) has attempted to provide structure to the cloud computing industry by defining the three basic types of service models for cloud computing as follows: [2]

- Cloud Infrastructure as a Service (IaaS) involves the provisioning of fundamental computer resources (e.g., processing, storage, networks);
- Cloud Software as a Service (also known as Software As a Service or "SaaS") involves access to a provider's software applications running on a cloud infrastructure; and
- Cloud Platform as a Service (PaaS) involves the capability to deploy onto the cloud infrastructure applications created by the user with provider-supported programming languages and tools.

In addition, NIST describes the following four models for deployment of the cloud infrastructure: [3]

- Private clouds maintain all the technology components, servers, and software for a single organization. The solution may be managed by the user or a third party but is provided for the benefit of only one organization. The customer makes better use of its current assets; for example, not every laptop has to be loaded with the software and have the data stored on it. These private clouds are increasingly being deployed within larger enterprises.
- A public cloud, such as salesforce.com, Amazon's cloud offering, or Google's Gmail, is available to anyone or to large industry groups and in either case is owned by the provider of the service. This deployment model offers the greatest potential flexibility and savings but also involves granting the service provider substantial control over the enterprise's technology capabilities. Many large enterprises are using this deployment for discrete services and are evaluating ways to further use the model.
- The service models may be deployed using a community cloud, which NIST defines as cloud infrastructure shared by several organizations that supports a specific community with shared concerns, such as the mission of the organizations or security, privacy, policy, or regulatory compliance.
- Hybrid clouds consist of a combination of two or more of the three preceding models.

III. RATIONALE FOR EVOLVING CONSUMER PROTECTION LAWS AND REGULATIONS TO ADDRESS CLOUD COMPUTING

Traditional, or pre-cloud, computer networking environments were defined by the following characteristics:

- Point-to-Point Transfers: data transfers were discrete, scheduled, and occasional, and relied upon proprietary transfer protocols and specialized communications lines
- Non-networked: the use of centralized databases and segmented customer files

Cloud computing has introduced a new paradigm in the storage and flow of consumer data that is defined by the following characteristics: [4]

- The scale of data flows, individually and in the aggregate, has increased massively
- Data flows are now multi-directional
- Processing involved in data flows has expanded to include highly complex and process-oriented steps implemented within systems of networks
- Oversight over data flows has evolved into a model of collaboration and resource commitments

COMPLIANCE WITH CONSUMER PROTECTION LAWS & REGULATIONS

I. GENERAL CONSUMER PROTECTION CONSIDERATIONS FOR CLOUD COMPUTING PROVIDERS

A. Negotiations Relating to Legal Compliance

Negotiations between the cloud service provider and its potential customer should include discussions on compliance with applicable laws and regulations. The cloud service provider should be willing to contractually agree that it is complying with laws generally applicable to its business. Similarly, the client will need to provide assurances that it will remain in compliance with laws applicable to its business upon commencement of the cloud computing offering. As with traditional outsourcing and software licensing arrangements, addressing compliance with changes in laws over time may be challenging depending on the laws applicable to the delivery and receipt of the cloud computing services. Providers of cloud services tailored for specific regulated industries may agree to monitor and modify their offerings to address changes in laws over time. In any event, a regulated customer will need to conclude that it can maintain its compliance with laws and will need to develop a reasonable plan for migrating off the cloud computing platform if necessary to comply with changes in laws that are not addressed by the provider's offering.

B. Enforcement of Consumer Protection Laws and Regulations

With respect to consumer protection legal obligations, much of the enforcement authority for applicable laws and regulations resides with the U.S. Federal Trade Commission ("FTC") and the state attorneys general.

1. FTC Authority

Section 5 of the FTC Act prohibits unfair or deceptive acts or practices. [5] Through policy statements, the FTC has provided its interpretation of unfair or deceptive business practices. A deceptive act or practice is based on three core elements: (a) a representation, omission or practice, (b) about a material fact, (c) that is likely to mislead a consumer acting reasonably under the circumstances. [6] For a cloud service provider, a deceptive act or practice could relate to information that the provider gives to clients explaining how it will handle and safeguard the clients' data.

  o Example Deceptive Practices: U.S. v. Path, Inc. (2013) [7]
    In January 2013, the FTC announced a settlement with social networking app developer Path, Inc. over charges that it deceived its users, in violation of Section 5, by collecting personal information from their mobile device address books without their knowledge and consent. According to the FTC's Complaint, Path automatically, and without users' consent, collected and stored available names, addresses, phone numbers, addresses, dates of birth, and Facebook and Twitter usernames contained in a user's address book.

An unfair act or practice is also based on three core elements: (a) an act or practice that causes substantial injury to consumers, (b) which consumers cannot reasonably avoid, and (c) which is not offset by benefits to consumers or competition. [8] In the cloud computing context, an unfair practice could relate to the cloud provider's failure to take reasonable measures to protect the consumer data maintained within its cloud.

  o Example Unfair Practices: In re Vision I Properties, LLC (d/b/a CartManager Int'l.) (2005) [9]
    CartManager licensed online shopping cart software to retailers and provided a hosted online service to thousands of small online retail merchants. According to the FTC, some merchants who used CartManager's software stated in their privacy policies provided to customers that they did not sell, trade, or lend customer information. Nevertheless, CartManager allegedly collected and rented the personal information of nearly one million consumers who shopped at merchant sites. The FTC claimed that CartManager did not adequately inform consumers or merchants that it would collect and rent this information and that it acted knowing that renting the information was contrary to merchants' privacy practices. The FTC claimed that CartManager's actions constituted unfair acts or practices in violation of Section 5.

Violations of Section 5 of the FTC Act can present significant legal, reputational, and compliance risks for cloud service providers. A determination about whether a particular act or practice may be construed as unfair or deceptive will depend on an analysis of the facts and circumstances. Although individual violations or inbound complaints may appear isolated, they may, when considered in the context of additional information, including other violations or complaints, raise concerns about unfair or deceptive acts or practices.

2. State Attorneys General

Most states have enacted consumer protection laws that prohibit unlawful, unfair or fraudulent business acts or practices. [10] State Attorneys General have broad authority to enforce these laws to protect the residents of their states. In addition, many state statutes expressly provide that their consumer protection laws are to be construed in a manner consistent with the FTC Act and its interpretations by the FTC. [11]

II. THIRD-PARTY LIABILITY FOR CLOUD SERVICE PROVIDERS

Cloud service providers can inadvertently expose themselves to third-party liability issues by overlooking red flags relating to the business practices of their customers. The FTC continues to take aggressive action in imposing liability on companies that handle consumer data and that partner with entities that engage in fraud or other unlawful practices. The FTC's Bureau of Consumer Protection, for example, has increased its focus on third-party liability as a policy issue. The FTC's determination of liability is based on whether a party "knew, or should have known" [12] or "consciously avoided knowing" [13] that it was assisting or facilitating the fraudulent activities of a client or partner.

Under the "knew or should have known" standard, entities have some duty to investigate their clients' potentially fraudulent business practices. [14] In contrast, the "conscious avoidance" standard may be met if there is evidence that the entity knew or deliberately ignored the fraudulent conduct. [15] Under both standards, the FTC will consider whether clear warning signs were ignored, intentionally or unintentionally, and whether the company failed to enforce its own procedures designed to identify and mitigate a client's fraud. For example, SaaS providers that operate a legitimate software product that, nevertheless, can be used for fraudulent purposes would be at risk for regulator scrutiny depending on the level of visibility that the provider has into its clients' businesses or its ability to monitor clients' use of its software.

A. Risk Factors for Third-Party Liability

The following elements represent potential risk factors that could expose the cloud service provider to potential liability for the conduct of its clients:

- Lack of Due Diligence: A client's initial application information (or missing information), or materials submitted by potential clients during the initial negotiations for service, may provide early warning signs of unfair or deceptive behavior. The FTC expects a certain level of due diligence to identify such warning signs using screening procedures that can include collecting background information on the potential client, checking references, and verifying the intended use of the cloud service.
- The Client's Business Model: Certain businesses and industries (e.g., mortgage relief services, telemarketing, government grant services, credit card promotions) automatically attract increased scrutiny from regulators based on their potential for fraud. Regulators have stated that even a client's company name may present some evidence of fraudulent intent. Cloud providers that target services to high-risk industries should conduct reasonable due diligence into their clients' business practices.
- Complaints: Complaints about unauthorized activity (for a SaaS provider, this could be complaints directly relating to the client's use of your hosted software) may originate from customers, law enforcement, the Better Business Bureau, and even employees. The FTC will evaluate the number of complaints as well as the handling of and response to such complaints.
- Support of and Visibility into Clients' Business Activities: The extent to which the cloud provider can view and access its client's data or provide hands-on services that assist with the client's business activities will be one factor that regulators will consider when assessing whether the cloud service provider was aware that a client was engaging in illegal business practices.

B. Examples of Third-Party Liability Enforcement Activity

- FTC v. YourMoneyAccess, LLC (2010) [16] (Financial Services Industry):
  o The FTC, along with the attorneys general of seven states, alleged that Your Money Access, LLC ("YMA"), a payment processor, violated Section 5 of the FTC Act by unfairly processing debit transactions to consumers' bank accounts, and violated the Telemarketing Sales Rule ("TSR") by assisting sellers or telemarketers that it knew, or consciously avoided knowing, were violating the TSR.
  o YMA allegedly accepted clients whose applications contained signs of deceptive activity (no physical address), including sales scripts with statements that were highly likely to be false. The FTC's Complaint further alleged that YMA closely monitored its merchant clients' return rates, yet continued to process payments despite 20 to 80 percent of transactions being returned or reversed.

- FTC v. InterBill (2009) [17] (Financial Services Industry):
  o The FTC alleged that InterBill, a payment processor, violated Section 5 of the FTC Act by unfairly processing debit transactions to consumers' bank accounts on behalf of Pharmacycards, a fraudulent provider of discount pharmacy cards.
  o Prior to working with Pharmacycards, InterBill allegedly failed to follow its own new-client procedures, which included collecting adequate background information, checking merchant references, and verifying a physical address. The FTC further alleged that InterBill failed to obtain proof that consumers had authorized debits to their accounts, and knew or should have known of unauthorized transactions based on a return or cancellation rate of 70 percent, along with complaints from consumers and banks. In June 2009, a federal court ordered InterBill to cease its illegal practices and pay $1.7 million in consumer redress.

- U.S. v. Ebersole (2012) [18] (Telemarketing):
  o The FTC alleged that Voice Marketing, Inc., a hosted telemarketing software provider, assisted and facilitated companies engaged in unauthorized telemarketing in violation of the Telemarketing Sales Rule. According to the FTC, Voice Marketing provided substantial assistance to clients by giving them access to computers, telecommunications services, and dialing software available online that the telemarketer clients used to place millions of phone calls with prerecorded messages that contained sales solicitations.

- FTC v. Global Marketing Group (2007) [19] (Financial Services and Telemarketing):
  o According to the FTC, Global Marketing Group ("GMG") processed payments on behalf of clients whose sales scripts clearly indicated that the clients intended to violate the Telemarketing Sales Rule and industry rules that prohibit the processing of electronic banking transactions for outbound telemarketers.
  o The FTC claimed that GMG's support and assistance included drafting and reviewing sales scripts, fielding customer complaints, and payment processing and order fulfillment services, all of which were conducted prior to performing any due diligence into its clients' business practices.

C. Best Practices to Minimize Potential Third-Party Liability Scrutiny

- Know your clients and business partners, and implement procedures to conduct reasonable due diligence for evaluating potential new clients or partners;
- Turning a blind eye won't absolve your company of responsibility. You may be held liable if you knew or should have known, or deliberately ignored, that a client is engaging in deceptive practices. If there is an indication that a client may be engaging in illegal activity through the use of the cloud service, failing to investigate is not a good business strategy.
- Red flag evidence of a client's or partner's questionable conduct already may be in your files. Establish procedures for regularly reviewing client corresp

Notes

1. Special thanks goes to Matthew Sullivan, an associate at Kelley Drye & Warren LLP, who coauthored this publication.
2. NIST, The NIST Definition of Cloud Computing (Sept. 2011), available at
3. Id.
4. Presentation, Emerging Law and Policy Issues in Cloud Computing - Managing Global Data Privacy in the Cloud (Mar. 19, 2010), Professor Paul Schwartz, Berkeley Law, University of California, available at
5. U.S.C. 45.
6. FTC Policy Statement on Deception (1983), appended to Cliffdale Assocs., 103 F.T.C. 110, 174 (1984).
7. U.S. v. Path, Inc., No. C (N.D. Cal. Complaint Filed Jan. 31, 2013), available at
8. FTC Policy Statement on Unfairness, reprinted in Int'l Harvester Co., 104 F.T.C. 949, 1070 (1984).
9. In re Vision I Properties, No. C-4135 (Final Consent Apr. 26, 2005), Complaint available at
10. See, e.g., Cal. Bus. & Prof. Code et seq., et seq.
11. See Md. Code, Com. Law
12. See, e.g., U.S. v. ACB Sales & Serv., 590 F. Supp. 561, 575 n.11 (D. Ariz. 1984) ("5(m) of the FTC Act requires that the defendant or his agent have some knowledge, actual or constructive, of the requirements of the [rule] such that defendant know or should have known that the conduct was unlawful.").
13. See, e.g., Telemarketing Sales Rule, 16 C.F.R (b) ("Assisting and facilitating: It is a deceptive telemarketing act or practice and a violation of this Rule for a person to provide substantial assistance or support to any seller or telemarketer when that person knows or consciously avoids knowing that the seller or telemarketer is engaged in any act or practice that violates 310.3(a), (c), or (d), or of this Rule.").
14. See Telemarketing Sales Rule, 60 Fed. Reg (Aug. 23, 1995), n. 103, citing to Citicorp Credit Services, Inc., FTC Dkt No. C-3413 (Consent Order, Feb. 4, 1993) (In finding that Citigroup knew or should have known about its clients' fraudulent activities, the FTC stated that "[t]he final consent order imposes a duty on Citigroup Credit Services to investigate merchants with high chargeback rates, and to terminate them if they are found to be engaging in fraudulent, deceptive or unfair practices.").
15. See 68 Fed. Reg. 4580, 4612 (Jan. 29, 2003).
16. FTC v. YourMoneyAccess, LLC, No (E.D. Pa. Complaint Filed Dec. 6, 2007), available at
17. FTC v. InterBill, Ltd., No. 2:06-cv (D. Nev. Complaint Filed Dec. 26, 2006), available at
18. U.S. v. Ebersole, No. 3:12-cv LRH-VPC (D.C. Nev. Filed Feb. 23, 2012).