Cloud Computing in Australia: Separating Hype from Reality

Craig Subocz, BE (Hons), LLB, LLM, Grad. Cert. in Entrepreneurship & Innovation

Senior Associate

7 May 2014


DESCRIPTION

The growth of cloud computing in Australia has been exponential and analysts forecast that cloud computing will dominate the Australian IT landscape within the next decade. It has a reputation for delivering economies of scale, reducing overheads and driving increased efficiencies within organisations. However, the reality is that, like any IT procurement, implementing a cloud computing solution for your business still requires careful planning, effective project management, robust contracts and sound oversight. Russell Kennedy Lawyers delve into the risks and rewards of adopting Cloud Computing in Australia.


Disclaimer

The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the presenter directly.

Agenda

• The use of cloud computing in Australia

• The risks of cloud computing

• Risk minimisation strategy


Cloud Computing in Australia

Source: 2012 CCH Technology Survey (US)


Risks

Security

Confidentiality and privacy

Intellectual property

Service availability and service levels

Disaster recovery and business continuity

Termination, insolvency and transition-out


Risks - Security

• Secure access to data

• Customer access

• Provider access

• Secure data transfer

• Identity management

• Architecture security


Risks - Confidentiality

• A key risk magnified if your provider has access to your data

• Essential to manage the risk of inadvertent disclosure of your confidential information

• Contractual provisions protecting confidentiality of your information assist

• Issue of proof may be difficult


Risks - Privacy

• New privacy laws from 12 March 2014

• Private entities with annual turnover exceeding $3 million bound by the Privacy Act and the Australian Privacy Principles

• APP 8 deals with cross-border disclosure of personal information (NB: not use of personal information offshore)


Risks - Privacy

• APP 8 – two choices

• APP 8.1: Before disclosure, reasonable steps to ensure recipient does not breach APPs

• Due diligence on provider pre-contract

• Contract provisions

• APP 8.2: Several options

• Reasonable belief about overseas laws

• Individuals consent to disclosure

• Disclosure authorised or required by law


Risks - Privacy

• Victorian government agencies still bound by Information Privacy Act 2000 (Vic) and IPP 9.

• Can transfer information about an individual to someone outside Victoria only if:

• Reasonable belief about the law binding the recipient

• The individual consents

• Transfer is necessary for the performance of a contract between you and the individual

• Transfer is necessary for the performance of a contract between you and a 3rd party for the benefit of the individual

Risks - Privacy

How can an entity use a cloud provider based outside Australia?

• Informed consent of individuals: how practical?

• Reasonable belief about the laws binding the provider: what happens if location(s) of provider’s data centre(s) change?

• Capacity to contract with provider: how strong is your bargaining position?


Risks - Privacy

• Other APPs (IPPs) are also relevant.

• APP 10 – quality of personal information

• APP 11 – security of personal information

• APP 12 – access to personal information

• APP 13 – correction of personal information

• But consider all the Privacy Principles


Risks – Intellectual Property

• Service, not software, provided

• Sufficient IP rights needed

• Different considerations apply depending on context

• Public cloud versus private cloud


Risks – Service Levels

• What service levels are appropriate?

• What is the risk to your business if the cloud service fails to meet the service levels?

• Reputational risk

• Legal risk (including contract breach)

• What rights and remedies do you have if provider fails a service level?


Risks – Disaster Recovery

• You trust your provider to keep your data safe

• This trust is earned through assessing how a provider will react to a disaster event

• Assess whether trusting your critical systems to cloud is worth the risk

• What contingencies do you have to mitigate against a disaster event affecting your business?

• Weigh this against the benefits of moving to cloud


Risks – Termination & Transition-Out

• Nothing lasts forever

• What procedures are in place to transition out from your engagement?

• What assistance will the provider give?

• At what cost?

• Who pays?

• Effect of provider’s insolvency

• What happens to your data at the end of the engagement?


Risk Mitigation Strategies

Minimising legal risks

Pre-contract

During contract

Post-contract

Risk Mitigation Strategies

Pre-engagement

• Why cloud?

• Due diligence (including evaluation)

• Vendor selection


Pre-Engagement

Why move to the cloud?

Identify a clear business need

Why is this model the preferred delivery model?


Risk Mitigation Strategies – Pre-Engagement

Plan for the following risks:

• Security breaches

• Misuse/unauthorised disclosure of confidential information or personal information

• Adequate IP rights secured

• Clear service levels and remedies for service level non-compliance

• Clear means for a “graceful exit”


During Engagement

• Non-compliance with privacy laws (APP 1)

• Physical locations of data centres – which laws apply?

• Is the provider bound to hand over personal information to foreign governments?

• Transfers between data centres (APP 8/IPP 9)

• Right to be notified if provider seeks to transfer your data to a new centre

• Notification of breaches (APP 11/IPP 4)

• Responsibility for conducting investigations into breaches


During Engagement

• Seek information on service level compliance

• Regular written reports

• Dashboard software

• Independent audits keep provider honest

• Customer remedies for non-compliance with service levels

• Are service rebates your only remedy?

• Need flexibility regarding serious or repeated breaches


During Engagement

• What happens if a disaster event occurs and the data needs to be restored?

• Ensuring clear lines of responsibility and communication

• Disaster recovery and business continuity plan to be provided before contract starts

• Plan to be updated, maintained and tested during contract term.

• Verification that the plan is functional essential to maintaining your trust in the provider


Post-Engagement

• Data transfer post expiry or termination

• Immediate transfer as a provision in the contract

• Transfer to the customer directly or to new provider

• When the cloud provider becomes insolvent

• Customer may deal with a liquidator

• Different priorities to the cloud provider

• Understand rights of controller under Corporations Act to dispose of assets


Post-Engagement

• Survival of key obligations

• Privacy

• Confidentiality

• Customer should ensure that provider no longer holds customer’s data following the contract

• Possible conflict with data protection laws in data centre locations


Please Contact

Craig Subocz

Senior Associate

(03) 9609 1646


rk.com.au

Questions