Cloud computing: 'Everything you always wanted to know (but were afraid to ask)'
DESCRIPTION
This workshop was held at Legal Business Day on 8 September 2011.
Across the globe organisations are contending with this latest technology panacea - cloud computing. The multijurisdictional nature of the internet - which cares not for geographical boundaries - creates a variety of challenges and opportunities for businesses, regardless of the country in which they are based, and these are transferable to any industry in the private or public sector.
What key considerations should your organisation be aware of? In this workshop we share our opinions on how to handle the legal challenges surrounding cloud computing, such as data protection and security, the importance of getting the contract right, and the current lack of consistent, international legal protection.
TRANSCRIPT
Cloud computing:
Joris Willems
Kristof de Vulder
Arend Lagemaat
This presentation is available at
legalbusinessday.nl
'Everything you always wanted to know (…but were afraid to ask)'
08-09-2011 DLA Piper - Legal Business Day 2011 - Cloud computing 3
Agenda
Cloud computing - What is it?
(Contracting) issues in the cloud
Security
Cloud Computing - Definition
'Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet)'.
wikipedia.org
Cloud Computing - Numbers
49% / 45%
1 in 4
80%
Cloud Computing - Rationale
Need to increase flexibility
Avoid technology lock-in
Refresh the technical landscape
Save money
Switch capex to opex
Improve performance
Cloud Computing - Types of…
Cloud Computing - Examples
Choosing a Cloud Provider
Typically customers will pay attention to:
Quality of service
Vendor’s history of incidents
Vendor’s incident response policy
Financial stability of cloud service provider
Adequacy of security policies
But also contract terms!
Bridging the gap
Typical customer positions (e.g. bank, telco, public body, large retail):
Wide rights to seek redress and high limit of liability
Unlikely to give indemnities
Vetted personnel
Flexibility
Regulatory 'must haves'
Analysis of cloud provider terms shows that the delta is (potentially) enormous!
Discuss, negotiate and agree a middle ground?
Create an overlay?
Typical positions of Cloud Provider
Limited Cloud Provider obligations
Limit on liability
Changes and vendor lock-in
Data protection
Suspension and termination clauses
Service Level Agreement
Applicable law and jurisdiction
Security and compliance risks
Limited Cloud Provider obligations
Warranty from cloud provider
Compliance with service described by documentation
AS IS
Back-up obligation
Reasonable efforts
Lessons learned from past incidents: You may need a backup for your cloud provider’s backup!
Limit on liability
Reverse warranties
Damages
Consequential damages waiver
Limited to payments during a period
Limited to direct loss
Potential Exceptions
IP Rights
Gross negligence/willful misconduct
Changes and vendor lock-in
Unilateral changes during the contract term
Check reduction in services performance
Notice
Period of notice
Period of advance notice for discontinued services
Watch for other methods of modification
Revision of definition of “services”
Revision of SLA
Transition to third party provider
Exit obligations
Data Protection
Where is my data?
Data protection regime: European Data Protection Directive
Data controller
Data processor
Data controller must choose appropriate data processors and must seek adequate contractual protection from them
Transfer of personal data outside of EU
Suspension and Termination
Suspension of access to the service
Termination of cloud computing contract by the supplier
notice period
exit obligations
de facto termination resulting from supplier being out of business
Termination of cloud computing contract by the customer
Service Level Agreement
Is an SLA part of the cloud computing contract?
Service levels
description of service levels
measurement / reporting
service credits / penalties
Applicable Law and Jurisdiction
Applicable law
Laws based on which the cloud computing contract will be construed
Impact on the scope of rights and obligations under the contract
Jurisdiction
The competent court that will settle any dispute
Impact on enforcement of cloud computing contract
Security - Some Quotes
"I think there is a lot of myth and scaremongering around data in the cloud as we speak"
Bill McCluggage, UK Cabinet Office
"Everybody loves talking about cloud computing, but everybody is scared to do it"
Marco Kerschen, Polo Ralph Lauren
"We can only enjoy the full benefit of Cloud computing if we can address the very real privacy and security concerns that come along with storing sensitive personal data information in databases and software scattered around the Internet"
Office of the Information and Privacy Commissioner of Ontario
Security - Some Considerations
Assessing provider
type of cloud services
criticality of the data
location of the service
Certification
SAS 70 II, ISO 27001/2, FISMA
not the answer, but an indication
Standard bodies
78+ industry groups
Cloud Security Alliance (widest participation users & vendors)
How DLA Piper can help you
We have drafted cloud terms for vendors, telcos and users in a variety of industries (pharma, financial services, public sector)
We have solved complex cross-border data transfer issues
We have commissioned and written insightful research.
Contact
Joris Willems
E: [email protected]
T: 020 5419 992
Kristof de Vulder
E: [email protected]
T: +32 2 500 1520
Arend Lagemaat
E: [email protected]
T: 020 5419 819
legalbusinessday.nl
Tweet about Legal Business Day: #LBD11 #dlapiper