Cloud computing: 'Everything you always wanted to know (but were afraid to ask)'

Upload: dla-piper-nederland-nv

Post on 28-Nov-2014


DESCRIPTION

This workshop was held at Legal Business Day on 8 September 2011. Across the globe organisations are contending with this latest technology panacea - cloud computing. The multijurisdictional nature of the internet - which cares not for geographical boundaries - creates a variety of challenges and opportunities for businesses, regardless of the country in which they are based and are transferable to any industry in the private or public sector. What key considerations should your organisation be aware of? In this workshop we share our opinions on how to handle the legal challenges surrounding cloud computing such as data protection and security, the importance of getting the contract right and on the current lack of consistent, international legal protection.

TRANSCRIPT

Page 1: Cloud computing: 'Everything you always wanted to know (but were afraid to ask)'
Cloud computing: 'Everything you always wanted to know (…but were afraid to ask)'

Joris Willems

Kristof de Vulder

Arend Lagemaat

This presentation is available at legalbusinessday.nl

08-09-2011 DLA Piper - Legal Business Day 2011 - Cloud computing

Agenda

Cloud computing - What is it?

(Contracting) issues in the cloud

Security

Cloud Computing - Definition

'Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet)'.

wikipedia.org

Cloud Computing - Numbers

49% / 45%

1 in 4

80%

Cloud Computing - Rationale

Need to increase flexibility

Avoid technology lock-in

Refresh the technical landscape

Save money

Switch capex to opex

Improve performance

Cloud Computing - Types of…

Cloud Computing - Examples

Choosing a Cloud Provider

Typically customers will pay attention to:

Quality of service

Vendor’s history of incidents

Vendor’s incident response policy

Financial stability of cloud service provider

Adequacy of security policies

But also contract terms!

Bridging the gap

Typical customer positions (e.g. bank, telco, public body, large retail):

Wide rights to seek redress and high limit of liability

Unlikely to give indemnities

Vetted personnel

Flexibility

Regulatory 'must haves'

Analysis of cloud provider terms shows that the delta is (potentially) enormous!

Discuss, negotiate and agree a middle ground?

Create an overlay?

Typical positions of Cloud Provider

Limited Cloud Provider obligations

Limit on liability

Changes and vendor lock-in

Data protection

Suspension and termination clauses

Service Level Agreement

Applicable law and jurisdiction

Security and compliance risks

Limited Cloud Provider obligations

Warranty from cloud provider

Compliance with service described by documentation

AS IS

Back-up obligation

Reasonable efforts

Lessons learned from past incidents: You may need a backup for your cloud provider’s backup!

Limit on liability

Reverse warranties

Damages

Consequential damages waiver

Limited to payments during a period

Limited to direct loss

Potential Exceptions

IP Rights

Gross negligence/willful misconduct

Changes and vendor lock-in

Unilateral changes during the contract term

Check reduction in services performance

Notice

Period of notice

Period of advance notice for discontinued services

Watch for other methods of modification

Revision of definition of “services”

Revision of SLA

Transition to third party provider

Exit obligations

Data Protection

Where is my data?

Data protection regime: European Data Protection Directive

Data controller

Data processor

Data controller must choose appropriate data processors and must seek adequate contractual protection from them

Transfer of personal data outside of EU

Suspension and Termination

Suspension of access to the service

Termination of cloud computing contract by the supplier

notice period

exit obligations

de facto termination resulting from supplier being out of business

Termination of cloud computing contract by the customer

Service Level Agreement

Is a SLA part of the cloud computing contract?

Service levels

description of service levels

measurement / reporting

service credits / penalties

Applicable Law and Jurisdiction

Applicable law

Laws based on which the cloud computing contract will be construed

Impact on the scope of rights and obligations under the contract

Jurisdiction

The competent court that will settle any dispute

Impact on enforcement of cloud computing contract

Security - Some Quotes

"I think there is a lot of myth and scaremongering around data in the cloud as we speak"

Bill McCluggage, UK Cabinet Office

"Everybody loves talking about cloud computing, but everybody is scared to do it"

Marco Kerschen, Polo Ralph Lauren

"We can only enjoy the full benefit of Cloud computing if we can address the very real privacy and security concerns that come along with storing sensitive personal data information in databases and software scattered around the Internet"

Office of the Information and Privacy Commissioner of Ontario

Security - Some Considerations

Assessing provider

type of cloud services

criticality of the data

location of the service

Certification

SAS 70 II, ISO 27001/2, FISMA

not the answer, but an indication

Standard bodies

78+ industry groups

Cloud Security Alliance (widest participation users & vendors)

How DLA Piper can help you

We have drafted cloud terms for vendors, telcos and users in a variety of industries (pharma, financial services, public sector)

We have solved complex cross-border data transfer issues

We have commissioned and written insightful research.

Contact

Joris Willems
E: [email protected]
T: 020 5419 992

Kristof de Vulder
E: [email protected]
T: +32 2 500 1520

Arend Lagemaat
E: [email protected]
T: 020 5419 819

legalbusinessday.nl

Tweet along about Legal Business Day: #LBD11 #dlapiper