Legal Issues, Contracts and Electronic Discovery

Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
>> Welcome back. In this module we're going to talk about legal issues, contracts, and electronic discovery. Specifically, we're going to take a look at the legal considerations for data in the Cloud. We'll talk about the contracts with Cloud service providers in a bit more detail. We're going to talk about electronic discovery, which is a major part of modern day litigation. The material in this module is not going to give you a law degree, nor will it make you an expert. We will talk about legal implications to the degree that you need to understand them for the CCSK exam, but by no means will this be a replacement for true legal counsel.

Keep in mind that laws and regulations affecting the Cloud change frequently. Different regions and jurisdictions change at different paces. Some of the regulations discussed may have changed even between the time of recording this and when you're actually watching this. As it turns out, I'm recording it during the shelter in place of COVID-19. In the United States, there's a lot of talk about how to deal with that, and how to track immunity and vaccines, and so forth. That's also brought up a real need for more details around a federal level privacy law within the United States. At the time of recording this, there is no federal level for those laws. Just that alone is a great example of why this stuff is moving fast.

In the remainder of this video, we're going to talk about data privacy basics. Specifically, I'm going to introduce you to data privacy concepts and terminology. Privacy laws define numerous obligations, such as confidentiality and security obligations, that a custodian or a controller provider must abide by. The EU and the US have regulations, and they break down those specific roles that are involved in data and processing data. We're going to go through the roles. They're often called by different names in different regions and different privacy regulations. The nuances in legal definitions and details of those may vary. But here's a summary of those roles, at least at a level of detail good enough to get you through the exam.

We start with the data controller. This is the entity, typically a company, that has the primary relationship with the consumer. Sometimes this is called the data custodian as well. Then you have the data subject. This is the consumer itself: the individual or the person that the data pertains to, also referred to as the end-user. Then finally, we have the data processor. This is the third party entrusted by the data controller to process the data, also referred to as the provider.

Knowing the three major roles when we're looking at data, let's talk about some common themes in privacy law throughout the globe. These privacy laws really aren't new. They've been built over years, and are really now being adjusted to clarify, because of the specific impacts that technology has. We really want to increase the rigor of enforcement of these privacy laws because of the power that technology brings, for example, big data, big data mining, how you can quickly and easily track millions of data points, millions of individuals, with modern technology. These are things that you really couldn't do back in the late '60s and '70s. But frankly, a lot of the privacy principles in these laws were established in the Fair Information Act of the late '60s and '70s, and they are ultimately intended to protect the individuals.

The responsibilities of the different roles we discussed in the previous slide, the controller, the subject, the processor: they have certain obligations under the different laws. The specifics will vary by individual regulation. But overall, here are some of the obligations. The data controller is required to ensure the data processor safeguards data, and can be held liable. The data controllers themselves can be held liable if they are giving data to a data processor and that data processor is not doing what they're supposed to be doing: they're not safeguarding the data, or they are misusing the data. In the last module, we talked about Facebook and Cambridge Analytica. In this case, Facebook was for the most part the data controller, and Cambridge Analytica was the data processor. As we saw in that example, the data controller, Facebook, was indeed held liable for the way that the data processor, Cambridge Analytica, decided to use the information that Facebook had.

Continuing on, the data subject must consent to the data controller's collection and use intentions. You have to tell the consumer, here's what I'm going to use your data for. You have to be clear, concise, and specific. You can't then at a later point decide to use that data for additional things without obtaining additional consents from those individuals. Data controllers and processors must adopt security measures to ensure protection of an individual's privacy. This can include things like anonymization: taking general data, specific names of individuals, social security numbers, physical addresses, and scrubbing them out for different purposes to provide additional analysis.

It does happen that there are data breaches, and so a lot of these laws actually require that those data breaches be reported by the data controller to certain entities. Some laws require that the data subjects themselves be made aware of it. Some laws require that government agencies in specific regions be made aware of the data breaches. Again, the specific regulation is going to dictate who you need to report it to. Just understand that, if something goes wrong, there is a legal obligation to let somebody else know outside of your own organization. Don't try to cover up the data breach like Uber did in late 2019.

Cloud really breaks a lot of geographic boundaries. It's not always clear where the servers and services being used are physically running. But the data itself is often bound to geographical boundaries. If you're going to transfer data across the borders of two different regions, two different countries, let's say Europe and the United States, or let's say outside of China, it is often the case that there are laws in different countries that disallow the data transfer if you're taking it from one country which has very strict data laws and you're moving it into a region or an area that has less protection and less stringency around how that data is managed. It really makes sense; they don't want it to get out of their hands and go into an area where the data is less protected, because there's a reason that that particular region decided to have regulations that are really protecting that data.

This last point really piggybacks on the transfer, in that there are situations where they say no, you actually cannot transfer. In fact, we need to make sure that the data itself physically resides within the physical territory. As we'll see later in our overview of the different regional laws, Russia is very strict about this, and so is China. Even though there are common themes that we just discussed, it really does come down to specific regulations.

How do you determine which particular privacy laws are applicable to your situation, your company, and your use of the Cloud? Well, here are some questions that will impact the answer to that. First and foremost, where's your business located? What is the country, the region, the state that it is headquartered in, that it resides in? Then where is the Cloud provider themselves located, where are their headquarters? Where's the data subject located? The people that you're collecting the data around, where are they physically located? Also, where are their citizenships? In a world where we have a lot of individuals with dual citizenships, and even multiple citizenships, this can be a very tricky question to look at. Then finally, where is the provider's physical equipment? We have major Cloud providers, Amazon Web Services, Microsoft Azure, and Google. But they have physical data center locations all across the globe, and that's going to impact where you store the data, and the data about which data subjects can reside in these different regions.

When you operate across multiple regions and can transact with users throughout the globe, you need to ensure compliance with the applicable regulations. If you're a Cloud provider, this means you make sure your different locations meet requirements, and you identify the controls you have to address the different privacy regimes. As a Cloud user, you need to understand what the provider will and will not be doing for you, so you know the gaps that you need to fill. This all dovetails nicely with the shared responsibilities model we've hit on so many times in this course. Just keep in mind, the Cloud user will be ultimately accountable for adhering to the regulations.

In the coming lessons, we will provide an overview of different laws and regional regulations. But for this video, we covered data privacy terminology: data controller, data processor, data subject. What are those? We talked about common themes in data privacy laws. Then we also reviewed key questions and factors that are going to influence which data privacy laws are applicable to your scenario.