Page 1

Cloud Computing & IT in the Boardroom

Legal Issues

Brendon Noney, Partner
26 April 2012

Page 2

Outline

• What legal contracts and provisions should be put in place for IT

• Liability issues and insurance

• Privacy obligations and protecting data – key legislation and its application

Page 3

Cloud Computing – What is it?

Source: The Future of Cloud Computing, Opportunities for European Cloud Computing Beyond 2010, Lutz Schubert

Page 4

Cloud Computing – It is...

• A form of outsourcing but more complex than standard outsourcing

• Traditionally was software services on infrastructure managed by IT providers

• Over the past 5 to 10 years, wholesale provision of infrastructure, software and platforms housed in large data centres, where a provider or reseller sells services built on those platforms to public or private sector clients

Page 5

Cloud Computing – It is...

• Many definitions – complicated, technical or lengthy

• Preferred definition is that of the American information technology research and advisory company, Gartner (slightly modified):

“A style of computing where scalable and elastic IT capabilities are provided as a service to multiple customers using Internet technologies.” – Daryl Plummer, Gartner Blog Network

http://blogs.gartner.com/daryl_plummer/2009/01/27/experts-define-cloud-computing-can-we-get-a-little-definition-in-our-definitions/

Page 6

Key concepts from Gartner definition

• Services

˗ Delivery of services – results, not components
˗ Implementation is not a significant consideration – provided the result of the implementation can be measured as a service (e.g. ITIL v3 2011 – used to demonstrate compliance and to measure improvement)
˗ Therefore, associated service levels are needed
˗ Payment for the services is based on use of the service, not on the assets used to provide the service

Page 7

Key concepts from Gartner definition

• Scalability and elasticity

˗ Reduced cost due to economies of scale
˗ Flexibility of services – upscale or downscale according to need – e.g. a special project
˗ Add users with little disruption to the business
˗ Low barriers to entry
˗ Avoidance of heavy up-front capex on in-house IT infrastructure

Page 8

Key concepts from Gartner definition

• Internet technologies are used

˗ Ubiquitous network access

• Leverage of resources

˗ Services are shared and provided to many external customers
˗ Increases economies of scale
˗ Has the ability to reduce a business' carbon footprint via the use of modern, greener technology and reduced energy costs

Page 9

Contracts and legal provisions

• Many ICT contracts that an enterprise may use in business

• Examples:

˗ software licensing/software development
˗ web development and maintenance
˗ hardware installation and acceptance, and systems integration
˗ subcontracting and consultancy
˗ outsourcing
˗ data warehousing
˗ managed services
˗ cloud services and computing
˗ the list goes on...

Page 10

Contracts and legal provisions

• Cloud computing and related agreements

˗ No standard best practice
˗ No one size fits all
˗ Wide variety of cloud services available to enterprises (e.g. all the services that make up IaaS, PaaS and SaaS, as well as VoIP services)

• What terms and conditions are necessary in such agreements?

• Terms tend to differ according to the context of the deployment

Page 11

Deployments

• Public cloud – terms can be generic and provide little scope for negotiation – compare large enterprise/government vs SME

• Private cloud – most scope for negotiating terms, and drafting can be bespoke as the cloud offering is designed specifically for a single enterprise's needs – again compare large enterprise/government vs SME

• Community cloud – some commonality of interest between users, so the terms are somewhat rigid in order to suit everyone

• Hybrid cloud – scope for negotiating terms depends on how the two or more clouds are provided or bound together

Page 12

Categories of terms and conditions

• Broadly – 4 main categories:

• Terms of service – usually the commercial terms in a "paid for" service; includes:

˗ Jurisdiction and applicable law
˗ Dispute resolution
˗ Variation and amendment
˗ Intellectual property rights
˗ Transition-in and transition-out arrangements
˗ Warranties and limitation of liability

Page 13

Categories of terms and conditions

• Service level agreements

˗ level of service a user may expect
˗ compensation where the service fails (usually service credits)

• Acceptable use policies

˗ prohibited uses of cloud services

• Privacy policies

˗ use and protection of personal information held on behalf of the user

Page 14

Form

• Forms of agreement

˗ All categories of terms in the one document, or
˗ A general terms of service document with the service level agreement, privacy policy and acceptable use policy annexed

• Balance of power

˗ Tends to be favourable to the provider
˗ Reluctance to negotiate, but providers will do so if the deal is large enough

Page 15

Liability issues

• Provider professional indemnity insurance

˗ Sufficient cover of risks (incl. breach of privacy)
˗ Clause that permits inspection of the policy during the contract

• Business insurances

˗ Business interruption
˗ Loss of profits

• Business-specific compliance

˗ APRA outsourcing guidelines

Page 16

Liability issues

• Negotiate indemnities

˗ Have the provider indemnify for loss – loss of profits, business interruption – rare

• Careful attention

˗ Most providers offer poor service guarantees and limited financial redress on failure of the service (e.g. service credits)
˗ Watch get-out and exclusion of liability clauses
˗ Check privacy policies carefully

• Reputation

˗ Downtime in a cloud service provided by a third party will impact on your enterprise's reputation

Page 17

Privacy

• Privacy generally

˗ Lack of consistency in laws across foreign jurisdictions

• Legislation – relevant to the private sector

˗ Privacy Act 1988 (Cth)
˗ National Privacy Principles – in particular NPP 4 (data security) and NPP 9 (transborder data flows)
˗ Draft Australian Privacy Principles – APP 8 – cross-border disclosures

• Data sovereignty

˗ Foreign laws
˗ USA Patriot Act – provider not permitted to advise the customer
˗ Computer Misuse Act (Singapore) – police access to and inspection of a computer at any time; with the consent of the Public Prosecutor, can require release of the information needed to decrypt data

Page 18

Privacy

• Regulatory restrictions

˗ APRA – an authorised financial services institution must:
  ˗ notify APRA of any transfer of data offshore
  ˗ demonstrate that appropriate risk management procedures are in place
  ˗ secure guarantees in contracts to permit APRA access and site visits

Page 19

Example checklist for terms

• Performance

˗ Service level agreements – meaningful service guarantees
˗ Flexibility of services
˗ Disaster recovery and business continuity
˗ Uptime and response times
˗ Utilisation of the latest technology
˗ Subcontractors
˗ Change in control
˗ Unilateral change of terms
˗ Transition-in arrangements

Page 20

Example checklist for terms

• Integrity and protection of data

˗ Audit of the provider
˗ Confidentiality and privacy
˗ Security and harmful code
˗ Transborder data flows/disclosures and foreign laws
˗ Control of export of the data
˗ Deal with the effect of the Personal Property Securities Act 2009 (Cth) (data on a third party's equipment over which security interests may have been created)

Page 21

Example checklist for terms

• Liability

˗ Provider's unilateral change of terms
˗ Limitations on liability
˗ Indemnities
˗ Legal requirements and standards for managing records
˗ Intellectual property ownership and use
˗ Compensation for misuse or loss of data
˗ Publicity

Page 22

Example checklist for terms

• Jurisdictional matters

˗ Choice of law – U.S. providers – U.S. law (USA Patriot Act)

• Dispute resolution

˗ Pre-court procedures – e.g. mediation
˗ Injunctive relief

Page 23

Example checklist for terms

• Termination

˗ Default by either party
˗ Provider's right to terminate
˗ Terminating events – insolvency of the provider?
˗ Convenience – e.g. how much notice
˗ Payment of early termination fees
˗ Transition-out arrangements
˗ Data and migration – in what form, and is it useful?
˗ Extra costs – paying for transition assistance is preferable to having no assistance

Page 24

Example – basic cloud deployment

Page 25

Final notes – act wisely

• Conduct thorough due diligence

˗ Cost/benefit analysis
˗ Identify the data to go to the cloud and the requirements for its protection and privacy (sensitive business intelligence/confidential information)
˗ Legal and compliance obligations
˗ On the vendors being considered:
  ˗ where is the data housed – Australia or elsewhere?
  ˗ how are the services provided – to the ITIL v3 2011 standard?
  ˗ who provides the services – multiple parties in the cloud stack?
  ˗ any certifications to ISO standards – e.g. ISO/IEC 27001:2005
  ˗ they are, in practical effect, becoming a unit of your business
  ˗ what is their viability, reputation and service quality?
˗ Consider internal processes and controls, and review them

Page 26

Final notes – act wisely

• Serious legal and contractual issues

˗ If not properly addressed, catastrophic consequences
˗ Mission-critical software and data at stake

• Don't assume

˗ that the contract adequately gives protection
˗ or that it is not negotiable

Page 27

Final notes – act wisely

• Be aware of providers

˗ that will not agree to your 'must have' terms (is the service you want in the cloud too critical to put there?)
˗ that are overly keen and agree to anything (the penalty for failing on the service is inconsequential – it is less costly to fail than to deliver the service)

Page 28

Questions?

Page 29

About the presenter

Brendon Noney
Partner – Corporate
T: +61 2 8248 [email protected]

Brendon advises local and international clients on legal issues relating to ICT, including cloud computing, contractual arrangements with data centres, contracts relating to the establishment and delivery of cloud computing services including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), cross-border data flow and disclosure issues, privacy, intellectual property relating to ICT, licensing, software development and maintenance contracts, and website development and maintenance agreements.

Thomsons Lawyers is a fully integrated national law firm, with 400+ partners, lawyers and staff across offices in Sydney, Melbourne, Brisbane and Adelaide. Thomsons is one of Australia’s top 15 law firms by size.