Welcome back, Jeff Frick here from SiliconANGLE's theCUBE. We're at Percona Live 2014, at Santa Clara Convention Center in the heart of Silicon Valley. We're here for our second day of wall-to-wall coverage, here at Percona Live covering everything that is MySQL. So, we are proud to announce our next guest here in the Cube, Keith Molesdale, partner from Whiteford, Taylor, and Preston. Welcome to the Cube.

Thanks for having me.

So, we get all kinds of people in the Cube. We get big tech executives. We get practitioners. We had analysts on earlier. We get other press people. But I have to say, we don't get a lot of lawyers in the Cube. So, this should be fun and interesting. So, I don't know if you guys are hiding out or you don't like to come on the Cube.

I wonder if there's a reason I don't know that I shouldn't be here.

Well, let's jump into it. So, your specialty is cybersecurity.

Yes.

Obviously, a very hot topic. There's breaches in the news all the time. With the incredible movement in the cloud, right? There's always issues that come up with data security. And in fact, one of the major knocks, at least historically, maybe not so much anymore with Amazon Web Services is, is it enterprise ready? Is it enterprise grade? Then there's the whole international thing and points of presence and German data law versus U.S. data law. So, there's a whole lot of stuff. So, you must be really busy and business must be good.

Absolutely, for sure.

Let's talk about some of the real hot button issues, both the obvious ones that you deal with on a day-to-day basis and then maybe get into some of the lesser known or more arcane areas that you deal with with your clients.

Well, the biggest hot button issue for us is that most people don't understand what their obligations are.
The bigger companies, the public companies, the mid-sized companies understand what their obligations are and are working hard to comply with applicable law and protect data, but it's the smaller companies or the non-profits, the trade associations who really don't know what their obligations are. So, there's a lot of, I'd say the biggest hot button is helping people understand what they need to do and how critical the issue is from a liability perspective to protect their company or their association.

So, we hear about the breaches, the high-profile breaches, the Target breaches, et cetera. So, what are some of those really big obligations at just a high level? Because we don't really hear about the repercussions per se except maybe they give everybody 10% off on a Saturday. What are some of the real significant things that people need to be thinking of in terms of the repercussions of the right policy?

Well, the Target breach is a great example. I think I just read an article today which, it's an estimate, of course, but I think they were estimating that the liability to Target and its vendors could be as high as $18 billion.

$18 billion with a B.

$18 billion with a B. So, of course, it's an extraordinary example because I think there were 70 million people whose PII was affected and I think 40 million credit cards. But if you dive down into figuring out where those numbers come from, in the case of a breach, you've got an immediate issue where you've got to figure out what's wrong, what happened. And so there's a huge expense in hiring forensic investigators, rolling up your sleeves and figuring out how to fix that. That can cost hundreds of thousands of dollars, especially for a company as large as Target. There's reputational damage. You know, what happens to my brand? What happens to my customers? How angry are they? Are they going to stop buying things on my website?
There's, of course, hiring lawyers, which is my favorite part, but hiring lawyers, of course, is expensive.

Not anything to really laugh about for a customer who's been hit.

But they really have to dive down and figure out what are my legal obligations. The biggest obligation, if PII's been stolen, is notifying affected individuals. But in the U.S., there's this complex patchwork of laws, both federal and state, which don't really sync very well. So unless you're in a highly regulated industry where it's clear what laws apply to you, like HIPAA in healthcare, or Gramm-Leach-Bliley in financial services, there's this really complex patchwork of laws that need to be complied with. And it gets even more complex if you've got customers and servers overseas, et cetera. So figuring out just what that notice duty is can be a very complicated matter.

And then you complicate it further with this whole notion of basically shared infrastructure, whether it's an Amazon cloud or some other public cloud that you're on. You've got open source components throughout the infrastructure stack. So how does open source play, as well as you're using a third party provider for your infrastructure?

Right, that's a great question. There's several laws, for example, Massachusetts has the strictest state law for data security. And basically what it says is that if you outsource data security, you're responsible for making sure that all of your obligations flow down to your vendor. So you can't just hire someone like AWS and say, oh, great, I'm fine. You really have to do what you do with any vendor. You've got to do due diligence and make sure they actually have the infrastructure in place and are going to abide by the obligations that apply to you. So if you're a healthcare related institution and you're engaging AWS, you've got to make sure that they're HIPAA compliant and have them sign a BAA agreement.
And then that's kind of in a way easy on the front end because it's just due diligence, taking your time, figuring out things to make sure they're right. But it gets even more complicated on the back end. If there's a breach, the breach is happening at a place remote to you which you don't control. Someone else controls that infrastructure. And they actually, for their own security reasons, don't want to give you close access to it. So it can be a bit tense in the event of a breach.

So how has the concept of place changed in the world that we live in today? Because you say Massachusetts has this different set of laws than they have in Connecticut, right next door. But especially in these cloud environments, there's a lot of replication. I mean, these computers put bits and pieces of stuff all over the place, which is part of their value proposition and part of why they can offer better uptime and better service and this and that. Where is the data if the data is everywhere in the cloud? How does the law deal with that?

Yeah, well the law is struggling to deal with all of these issues because the law almost always lags behind technology. So this is a struggle for everyone. But the question is a great one because when you hire somebody and some third-party infrastructure, some cloud vendor, they're going to virtualize your data. That's, like you say, where the value proposition comes from. So the data is being spread over servers, God knows where. So one of the first issues that we talk to clients about when they're hiring a cloud vendor is find out exactly which servers are in play. If the answer is, well, it could be any servers.

Yeah, well they're on a server somewhere.

That's probably not a great answer, especially if you, for example, happen to be in a business where you are subject to export control laws or ITAR, so if you're a government contractor, that's not a very good answer.
So you really have to dive down and figure out where the data is to figure out what laws will apply.

So let's talk about, I mean, we could go for a long time. Let's talk about end user license agreements. One is how much can companies basically push off some of that responsibility in the EULA? And two, does anybody really think that anyone actually ever reads those things before they click on the accept? I mean, we kind of joke and I'm sure if it's an agreement between IBM and GM, their lawyers are looking at it. But for a whole lot of people, especially if you're buying services in small bits from a service provider like an AWS, I mean, I can go in and spin up an instance, load some data, run an app, it's pretty simple. What's kind of the current state of EULAs in terms of the teeth that they carry and the ability for people to either push off some of that data or, when it comes to the court a lot, you clicked on the yes. Where does that go?

Well, EULAs are interesting in the consumer context where you're mentioning it because the consumer has almost no leverage. It's really, usually some consumer doesn't have a choice. They feel like they have to have this service or good and no matter where they go in the market, they're facing another EULA which probably says the same thing. So that's, it's almost impossible for a consumer really to negotiate those terms. But there are some advocates on the side of the consumer. So there are unfair and deceptive trade practice laws at the state level and also the federal level. And so the enforcement agencies, the FTC at the federal level, they really come in and make efforts to make sure that there's at least compliance across the board in the EULAs. So the FTC has brought actions against some of the big players in the industry where they didn't believe that the vendor was acting above board.

Okay, and what triggers that action? Some case, somebody gets wronged somehow and they bring it up?

I think that's right.
Normally the enforcement agencies don't bring an action just because of one instance. It's usually a matter of repeated instances over and over again. So they're usually quite fair and try to inform the vendor and say, please change this behavior, we think it's wrong, and they give them many chances. But there becomes a tipping point where the federal agency or the state agency actually takes action.

Okay, so again, I could go forever on here. So another kind of interesting thing that's happening today is an exchange of value between a service and your data instead of a service and your money. And that isn't necessarily always clearly laid out. But if I download some free app and I click on my EULA and I start using it, for most of those companies, the value that they derive from the data that I put in exceeds the cost of the delivery. So it's really a different economic ball. I'm not paying them money, but I'm paying a value that they can exploit other ways. I presume a lot of times, again, that's not necessarily clearly stated. And you said, you know, you guys have a privacy practice as well. Does that start tripping into privacy concerns when I'm not, I don't think most people really have figured that out, that they're not giving it to you for free for fun. They're actually extracting more value from your data than it costs them to deliver that service.

You're exactly right. And I think 99.9% of the consumers, certainly on the consumer side, haven't really thought it through. They just think it's great that I got this service and I can use it whenever I want and then get angry when it gets taken away. So there's a real lack of connection between the value they get and what they're giving up for it. But I think people are really starting to wise up on this issue.
And I think that's starting to change and that's why I think there's more pressure at the federal level in the US to change laws and why overseas, for example, in Europe, the laws are already stronger because the consumer advocates there have really pushed changes in the laws, and actually Europe's really led in this issue from a privacy perspective.

Has it been more on the European side from the consumers and consumer advocates, or is it more from the government, or is it government as an agent for the consumer advocacy?

I think it's the latter. I think it's government as an agent for the consumers, and actually Europe's been quite aggressive in the privacy area for probably 14 or 15 years, since around 2000, and has really led and been on the cutting edge of privacy issues.

And do you see a collision course with, again, the increasing adoption of infrastructure as a service as it continues to grow and expand? Everyone we've had on here today basically says, no, your infrastructure should be like ADP. Most people don't have a core competency in managing infrastructure, which, oh, by the way, happens to contain data. And then you add the fact that apparently Google Mail never deletes a mail, ever. It's easier for them just to keep them than to delete them. So it just seems like it's going to get more and more complicated. Probably good for you, good for business.

Well, I think you're right. We're on a collision course. And I think unfortunately for most people, this is good business for me because I think things are going to get worse before they get better. Between the US and the EU for many years there has been a safe harbor that was negotiated between the State Department and the Europeans. And I think that was fine 10 or 15 years ago where there really wasn't as much international transfer of data and there certainly wasn't as much hacking and there wasn't as much value in data sets.
But now these data sets as we know are massive and there's huge amounts of value and huge amounts of risk. And so I think the policies in the US are definitely on a collision course with the European policies in this regard.

Interesting. So one of my favorite lines I like to pull up was Scott McNealy years ago, right? Years ago, I don't even know how long. Should look it up, look it up like in the radio. Look it up, guys. When he said there is no privacy, right? Get over it. And this goes back way before cloud, way before we were all packing, you know, these things all over the place. So where do you see kind of the evolution of privacy given the fact that in some instances there isn't a lot. In another instance, everybody's willing to give up a lot of personal information for the value benefit. You know, my Google Maps knows where I am. It helps me find the closest Starbucks. I'm not really thinking about the fact that I'm telling everybody where I am. Even if I don't have Google Maps turned on, this phone knows where I am all the time anyway. So how's the kind of concept of privacy evolving, and also with kind of the younger generation that are used to this world versus the older generation maybe who are, you know, more close to the vest on everything. Do you see the laws changing? Do you see the reactions changing?

I see a combination. I think Orson Welles really got it right. I mean, our privacy is diminishing day by day and you're exactly right. It's an issue of age, generation, and also culture. So I think, for example, if you were to go to parts of Africa there wouldn't be a real sense of privacy, or parts of Asia, unlike here where we've traditionally had a stronger sense of privacy. And for my generation, certainly I feel, you know, my peers feel like our privacy is diminishing, but my daughters, who are a bit younger than me obviously, you know, don't feel it the same way that we do.
Right, when you're 10 and nine and eight you just have fun on the internet and you don't think about the consequences.

But I think it's kind of the obligation of our generation to help the younger generations protect what we've had and enjoyed. I think it's going to get worse before it gets better, but interestingly, there are lots of privacy and data security laws being passed all over the world, even in very small countries, even in China. So I think they're just-

They just dress things off if they don't like it. They just go out to the edge and just cut the wire, right?

I mean, the law is there. It doesn't mean it's enforced, but it's there.

So it's there in concept anyway. So why are you here? What brings you to a place like Percona Live?

Well, I've been a licensing attorney for a long, long time and several of my clients are here. So I'm here to connect with those clients and also to meet new people.

Good, and then last question, kind of open source. Open source continues to gain momentum. You know, MySQL is one of the older open source projects, but we're going to a ton of open source shows that keep popping up all over the place. From a legal perspective, how has open source and the growth of open source changed the game? And you know, it's interesting, we've had a few companies on here that will have some portion of their business that's the open source piece and some portion of the business that's their commercial closed source piece.

Like a dual licensing model.

Like a dual licensing model. That's got to make things a little bit complicated. So how has the growth of open source impacted your world and the advice you're giving to clients?

Immensely, you know, I can remember first talking to a group about 14 years ago on open source, a bunch of lawyers, and none of them had ever heard of open source.
Fast forward to today and everyone's heard about open source, and commercial software companies of all stripes, even those who really don't per se distribute open source and aren't in the open source ecosystem. At least they don't think they are. You know, when you peel back the layers, you find they are really extensive users of open source and may not even know it, which could actually cause them problems because they may not be compliant with the open source licenses. So it's really changed licensing immensely in the last 15 years.

That's great. Well, Keith, thanks for coming on. Keith's not feeling too well, a little bit under the weather, so I appreciate you suffering through with us here. So Keith Molesdale, partner, Whiteford, Taylor and Preston, one of the rare lawyers we've had on theCUBE, excited to have him on. I could keep going on the legal ramifications of all this stuff. It continues to lag, you know, the cutting edge DevOps culture and push out code and go, go, go, go, go. And that will always be the case, and that's probably not always a bad thing. So we'll be right back to Percona Live with our next guest after this short break.