ITECH Law Annual Conference (2012)
In my post from 5/5 I wrote about my experience at the Digital Hollywood (DH) and ITECH Law conferences last week. This post, which borrows from my 5/5 post, focuses exclusively on #ITechLaw_DC (http://www.itechlaw.org/washington2012/index.shtml).
ITech Law Association (formerly the Computer Law Association) holds its annual conference in May, usually in close proximity to INTA. The last 2 conferences have been in San Francisco (2011) and Boston (2010). While I moderated a panel on IT Contracting last year, this year I attended simply as an observer. I was again pleased with the topics, each of which had an international dimension and ranged from cloud computing, information security and data privacy to open source hardware to a program on how technology (e-filing, videoconferencing, etc.) has streamlined litigation in Brazil (where apparently last year there were 100 million lawsuits for 200 million inhabitants).
Cloud seemed to elicit a number of reactions. To be sure, there was some Cloud fatigue. If you trace Cloud back to SaaS and to ASPs, arguably we as practitioners have been doing Cloud deals since at least 2000. To be sure, the technologies (e.g., virtualization, web services, etc.) have changed, but the deals (structurally) may not be terribly different. Of course, in reviewing a cloud services agreement, technologies used by the vendor need to be considered, so by definition the analysis today cannot be the analysis of 12 years ago. A good example is web services, which allow the aggregation of data from multiple sources in a common repository (e.g., Cloud-based CRM). As a technology attorney, I need to understand where the data is coming from, if the Cloud vendor has or needs an API license to access the data, whether the data source owns or has a sufficiently broad license to the data, including distribution rights, etc.
Others (including me) seemed to take the view that while the Cloud may not be that novel, it continues to present a number of interesting and highly complex issues, such as conflict of laws, information security, and data privacy. Plus, in “Cloud” we finally have a common term, given the progeny of hosted, on-demand, Internet or Web-based, SaaS, ASP, etc.
Many are aware of the tension between the EU Data Privacy Directive and the U.S. Patriot Act; I assume the conflict is being resolved at a fairly high level. Fewer seem to be aware of the fact that the Patriot Act is not unusual, and that other governments may access data in connection with a terrorism, espionage or, more broadly, criminal investigation without the data subject’s knowledge, or that requests from the FBI, etc. are likely being routed through the equivalent agencies in EU member countries before being presented to the U.S.-based data processor. Presumably, if you live in the EU, you’re more uncomfortable with U.S. authorities accessing such data than your own government’s authorities. Just a guess.
Use of the Cloud in highly regulated industries (e.g., financial services or healthcare) continues to present many interesting questions. For example, is a Cloud services provider that hosts PHI (even if encrypted) a business associate, under HIPAA, and thus now (under the OMB Final Rules) obligated to implement the HIPAA Security Rule? While the “conduit” theory has some appeal, it should be of little comfort to the customer, as ultimately a judge would need to decide whether the vendor is in fact a business associate. And, in the end, labeling or not labeling a Cloud services provider a business associate should have no effect on the determination, though it would still be preferable (if you’re the customer) to have the vendor either sign a business associate agreement or incorporate as many salient terms of that document into the cloud services agreement. Here’s the link to the new rules: http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201110&RIN=0945-AA03
A noteworthy comment was made during one of the Cloud presentations that as practitioners we may be treating Cloud as a monolith. That is, we’re taking a “one-size-fits-all” approach to our analysis and not distinguishing among the various service models (SaaS, PaaS and IaaS) in terms of security, etc. Perhaps the best example is security in IaaS (infrastructure as a service), i.e., storage, where, at least in theory, because the customer is at the bottom of the stack, it has the greatest control over the deployment, and the vendor requirements should be less stringent as a result.
Do not expect a comprehensive federal privacy law anytime soon. Global harmonization is virtually impossible, though, as mentioned, and I’m surprised I had not thought of it in this way, 900 million people have already agreed to a common privacy framework (Facebook). The prospects for a comprehensive federal cybersecurity law are actually rather good, even despite the current political environment.
There was also limited discussion of Big Data. More on that later.
Of course, it was not all business. A banquet was hosted at the Institute of Peace (pictured below) on Thursday night, and there were a number of opportunities to meet other attendees.
The next ITech Law annual meeting is in Scottsdale, in May 2013. If you’re a technology attorney, I encourage you to attend.