cloud computing: managing the legal...


Post on 02-May-2018


Presenting a live 90‐minute webinar with interactive Q&A

Cloud Computing: Managing the Legal Risks

Mitigating Liabilities in Outsourcing Virtual Storage and Applications

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

TUESDAY, MARCH 29, 2011

Today’s faculty features:

Janine Anthony Bowen, Partner, Jack Attorneys & Advisors, Atlanta

Daniel A. Masur, Partner, Mayer Brown, Washington, D.C.

Lora L. Fong, Managing Counsel, Salesforce.com, Inc., New York

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

Continuing Education Credits FOR LIVE EVENT ONLY

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• Close the notification box

• In the chat box, type (1) your company name and (2) the number of attendees at your location

• Click the blue icon beside the box to send

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-888-450-9970 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Cloud Computing: Managing the Legal Risks

Primer and Risk Mitigation

Janine Anthony Bowen, Esq., CIPP
jbowen@jack‐law.com
(678) 823‐6611
March 29, 2011

©2011 Jack Attorneys & Advisors. All Rights Reserved

Agenda

• Brief Overview of Cloud Computing

• Later… Minimizing & Mitigating Legal Risk

Cloud Computing: Plain English Definition

• From the User’s Perspective

– Data processing and storage, application development, and software hosting over the Internet instead of on a personal computer or over a business’ network

– Available on an ‘on demand’ basis

– Location of information stored ‘in the Cloud’ is potentially unknown at any given point in time

– Relatively inexpensive

National Institute of Standards & Technology’s Definition

• Cloud computing is a model for enabling convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

NIST Definition (cont)

• Essential Characteristics
– On‐demand self‐service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured Service

• Deployment Models
– Private Cloud
– Community Cloud
– Public Cloud
– Hybrid Cloud

Three Service Models

SaaS (Software as a Service)
The consumer uses the provider’s applications running on a cloud infrastructure. (e.g. Google Apps)

PaaS (Platform as a Service)
The consumer has control over the deployed applications and possibly application hosting environment configurations. (e.g. Force.com)

IaaS (Infrastructure as a Service)
The consumer is able to deploy and run arbitrary software. (e.g. Amazon EC3)

Virtual Server

Multi‐tenant

[Figure: company users (ABC, XYZ, Acme, Atlas, Top-Notch, Small Biz) connect over an Internet connection to their purchasing, inventory, logistics and payroll applications, which run as multiple tenants on a virtual server with hypervisor and operating system.]

Contracting for Cloud Computing Services — Key Considerations

March 29, 2011
Dan Masur
Partner
202 263 3329
[email protected]

Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. The Mayer Brown Practices are known as Mayer Brown JSM in Asia. “Mayer Brown” and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

Top Secret

The Real Value of Cloud Computing!

Contracting for Cloud Computing Services

The Road to the Cloud!

Breadth of Cloud-Based Offerings

“Nice to have” business tools

Routine, non‐sensitive data

Limited scope of business use

Mission critical applications

Regulated or business sensitive data

Enterprise‐wide use

Each end of the spectrum presents different legal and contractual challenges, options and trade‐offs

Cloud Customers Must Make Informed Tradeoffs

• There is no standard contract “form” that will work for each situation

– Traditional outsourcing and software licensing terms may be useful, but cannot be inflexibly applied to cloud computing

• More robust contractual protection may or may not be the correct answer — it depends

• Prospective cloud customers must take into account

– Criticality of the software, data and services in question

– Unique issues associated with cloud computing

– Availability and pricing of various alternatives

• For “nice‐to‐have” business tools or routine data, a low cost solution may outweigh contractual protections

• Requiring robust contractual protections may increase the price and eliminate certain providers altogether

Key Issues in Cloud Computing

“…more than 75 percent of senior business leaders believe that safety, security and privacy are top potential risks of cloud computing.”

Brad Smith, GC, Microsoft

Issues with Cloud Computing: Privacy and Security — the Elephant in the Room

• Data transfer issues (EU and similar jurisdictions)
• Data location issues
• Location of users accessing data
• Movement and storage of data
• Use of subcontractors
• Use of multiple platforms
• Lack of transparency and control
• Data breach issues
• Data destruction issues
• Ability to impose security and privacy requirements

Issues with Cloud Computing: Privacy and Security — US

• Gramm‐Leach‐Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Fair Credit Reporting Act/FACT Act
• Federal Trade Commission Act (FTCA)
• ID Theft Red Flags
• State Privacy Security Laws (Breach Notification — 46 States and Encryption (MA and NV), use of SSN’s, etc.)
• Industry Standards (PCI)
• Litigation and enforcement cases

Issues with Cloud Computing: Privacy and Security — US

• General security of personal information laws (e.g., Arkansas, California, Indiana, Maryland, Massachusetts, Nevada, Rhode Island, Texas and Utah).

• Standard: reasonable security procedures and practices appropriate to the nature of the information.

• Massachusetts regulations far exceed most other laws and regs.
– Create duty to protect and have detailed system requirements
– Require a written security program
– Requires that companies oversee service providers by selecting providers who are capable of maintaining appropriate security measures consistent with the MA regs
– Requires that service provider contracts require them to implement and maintain appropriate security measures
– Requires encryption of personal information across public networks, wireless networks and portable devices (laptops, hard drives, etc.)

Issues with Cloud Computing: Privacy and Security — Non-US

In EEA and other jurisdictions where data protection and data transfer regulation is strict, cloud computing challenges and issues increase

Issues with Cloud Computing: Privacy and Security — Non-US

• Transfers of personal data out of EU are highly regulated.

• Even viewing data outside of EU is a transfer.

• Very few countries are approved for data transfers (Norway, Liechtenstein, Iceland, Switzerland, Argentina, Canada, Isle of Man, Jersey, Guernsey, Faeroe Islands).

• EU approved clauses (controller to processor) are the most common means of transferring data between companies and service providers.

•EU recently updated the clauses to require that processors obtain prior written consent of controllers before using sub‐processors. 

Other Critical Contracting Issues for Cloud Customers

Regulatory and Compliance Challenges

• Auditability
• Lack of transparency and control
• Subcontracting and flow down of provisions
• Export control issues
• Electronic discovery issues
• Record retention issues

Other Key Issues and Challenges

• Service levels
• Disaster recovery and business continuity
• Intellectual property issues
• Change management issues
• Exit rights
• Financial stability of providers/due diligence

Cloud Computing: So now what? Can we even do this?

Contracting for Cloud Computing: YES!

•Keep your eye on

– Criticality of the software, data and services

– Unique issues associated with cloud computing

– Availability and pricing of various alternatives

• Look to traditional outsourcing contracts and software and data use agreements as a good starting point

Cloud Computing Case Study: Los Angeles – CSC/Google Contract

• Establish and maintain robust information security program
• Clearly defined data ownership
• Private cloud for sensitive data
• Mandatory data encryption
• Data storage only in U.S.
• Data access limited to U.S. citizens with high‐level security clearances
• Notice of data/security requests and breaches
• Service Levels, with meaningful penalties
• E‐Discovery functionality

Case Study: Los Angeles – CSC/Google Contract, cont’d

• Mandatory subcontractor flow down
• Broad audit rights. Including annual SAS 70 audit at provider expense
• Disaster recovery – data/service restoration within 4 hours
• Broad indemnification obligation, with unlimited liability for certain breaches
• Clearly defined exit rights, including retention and delivery of data at no charge

Source: “The City of Los Angeles Steps into the Cloud,” Randy Gainer

Questions?


Minimizing and Mitigating Risks

• Agenda

– Considerations in Vendor Selection

– Contracting Models

– Impact of Industry Standards

Why not just rely on the contract? Who you are drives what you can expect

• Cloud users should clearly understand what they are getting and getting into:

– Generally speaking, only the largest implementations get negotiated contract terms

– No negotiation likely in most cases – risk mitigation analysis should establish ‘business level’ comfort

• Where negotiation is possible, risk mitigation should drive negotiation of key provisions

But first, how’s cloud computing different?

•Geography – Data in the cloud can be anywhere; multiple copies can be in multiple locations

• The potential for brokering capacity exists, this is ‘surge computing’

• In current state of play cloud providers assume virtually no liability – all risk resides with the user

•Difficult for a user to know where liability rests, even if it were properly assigned

• The nature of the potential legal issue depends on where a user plugs into the cloud 

• Virtually complete loss of control by data owner (who holds it and where is it?)

• Relatively inexpensive OPEX instead of CAPEX

Quick List of Potential Mitigation Considerations

• Functionality of solution
• Pricing
• Uptime
• Response time
• Quality of service
• Data Security/Privacy
• Backup and disaster recovery
• Integration with existing systems
• Data access
• Customer service/support

Adapted from “Evaluating SaaS Solutions: A Checklist for Small and Mid‐sized Enterprises”
http://www.saugatech.com/thoughtleadership/TL_October2009_Eval_SAP.pdf

Some Areas of Concern

•Service quality/SLAs/Availability

• Disaster recovery

• Provider competence

• Provider Viability

Mitigation Considerations: SLAs

• Control‐oriented
– System availability
– System response time
– Fail‐over for disaster recovery

• Operations‐oriented
– Data retrieval
– Data integrity
– Transition assistance

• Business‐oriented
– Error resolution time
– Timeliness re: professional services around cloud solutions

Mitigation Considerations: Disaster Recovery

• How are backup systems architected?
– Complete redundancy? Multiple redundancies? Duplicate systems? Real‐time backup?

• Where are backup systems located geographically?

• Are third party backup systems utilized (partially/totally)?

• How long would a catastrophic event at a data center affect system availability?

• Concerns for physical assets based on geography

Mitigation Considerations: Competence Issues

• Provider track record of success?
• Views of commentators/bloggers
• Is the pricing right for the breadth of offering?
• Perceived level of sophistication of the vendor (e.g. over the phone, email)
– Knowledge of industry
– Knowledge of the business
• If vendor is an early stage company, who is supporting it financially?
• Does the site look sophisticated or sophomoric?
• Are there integration partners?

Mitigation Considerations: Viability of the Cloud Provider

• Viability matters. Why? A cloud user makes an investment when choosing cloud provider. For example:
– Integrating cloud services into business processes
– Migrating data from its environment

• Lack of standardization makes moving to a new cloud provider difficult

• What happens to a cloud user’s data in the event of:
– Bankruptcy
– M&A
– Escrow

Cloud Contracting Preliminaries: Cloud vs. Outsourcing vs. ASP

| | Cloud Computing | Outsourcing | ASP |
|---|---|---|---|
| Location of Service/Data | unknown | known | known |
| Owner of Technology | provider | company | provider |
| Contract | non‐negotiable | highly negotiated | negotiated |
| Contract Risk | company | provider | shared |
| Scalability | Yes | No | Maybe |

Cloud Contracting Models: License vs. Service Agreement

| | License Agreement | Service Agreement | Necessary in Cloud |
|---|---|---|---|
| License Grant | Yes. | No. | No. No physical transfer of SW. |
| IP Infringement Protection | Yes. | No. | No. No physical transfer of SW. |
| Ownership Protection | Yes. | Yes. | Yes. Use of cloud does not translate into ownership transfer. |

Cloud Contracting Models: Online Agreement vs. Standard Contract

| | Online Agreement | Standard Contract |
|---|---|---|
| Negotiable | No. | Yes, generally. |
| Limits Placed on Provider’s Liability | Yes. Very little or no liability to provider. | Yes. Risk shared by provider and user. |
| Risk in the Event of Problems | Borne by user. | Borne by party responsible. |

Cloud Contracting Models: Terms of Use & Privacy Policy

• The Privacy Policy and Terms of Use specify the privacy protections in place as well as the terms under which the services are offered

• Mini Case Study – Google’s Terms and Privacy Policy

– User grants content license – Google can modify the content to deliver the service

– User’s use of services is ‘as is’ and ‘as available’

– No liability for user’s damages, including for deletion, corruption, or failure to store a user’s data

– Effect on a Gmail user is one consideration, but what about a Google Apps (PaaS) user?


Impact of Industry Standards

• What standards applicable to cloud computing exist?

– Payment Card Industry Data Security Standards
• A set of requirements for enhancement of payment account data security

– ISO 27000 Series Standards
• An information security standard that provides best practices for those implementing an information security management system

– Open Cloud Manifesto
• Basic premise is that cloud computing should be open like other technologies (e.g. use open source technologies) to enhance ability: (a) for a user to transfer to a new provider, (b) for companies to work together, and (c) to speed and ease integration

Take Aways

• Be thoughtful about which parts of your business are cloud‐worthy. All business processes are not suitable.

• Have a plan to deal with mistakes that will happen in the cloud (business, technology, legal). What level of risk can you tolerate?

• Work with your key internal and external advisors to think through your cloud strategy. A cross‐functional strategy is in order.

Q&A

Contact Me

• Janine Anthony Bowen, Esq., CIPP
jbowen@jack‐law.com
www.visualcv.com/jdabowen
www.linkedin.com/in/jdabowen

• 678‐823‐6611

• Twitter ‐ @cloudlawyer

• www.jack‐law.com

JACK Attorneys & Advisors: Technology/IP Law & the Business of Technology ‐ Quite Simply, We Get It.

©2010 J.A. Bowen. All Rights Reserved

Contracting in the Cloud

Lora L. Fong, Esq.
Managing [email protected]

March 29, 2011

Copyright 2010 salesforce.com, inc

Disclaimer

My views are my own, and generally (but not always) reflect those of salesforce.com - the leader in enterprise cloud computing

Sales Cloud™
The world’s #1 sales application.

Service Cloud™
The future of customer service.

Chatter - Collaboration Cloud
Collaboration apps and platform. Work with colleagues—real time.

Force.com - Custom Cloud 2
The leading cloud platform for custom application development

Agenda

– Technology model

– Key legal issues and contracting strategies

Technology Model

Ten Year Computing Cycles
10x more users with each cycle

2000s Mobile Cloud Computing
1990s Desktop Cloud Computing
1980s Client/server Computing
1970s Mini Computing
1960s Mainframe Computing

Next Generation Devices Changing How We Access the Internet

[Chart: Device Shipments by category: Tablets, Smartphones, Mobile PCs, Desktop]

Source: Gartner Research; Smartphone, Tablet, and PC Forecast, December, 2010.

Social Networking Surpasses Email

[Chart: Email Users vs. Social Networking Users]

Source: Comscore, 2010

Fundamental Shift in Cloud Computing

Easy . Fast . Low Cost Social . Mobile . Open


What’s in the Cloud?

Traditionally Managed On-Premise

– Servers

– OS

– Application software

– Development environment

– Upgrade/Maintenance

– Security

– Backup

– Disaster Recovery/BCP

NIST Definition of Cloud Computing (Authors: Peter Mell and Tim Grance, Version 15, 10-7-09)

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

NIST Definition of Cloud Computing (Authors: Peter Mell and Tim Grance, Version 15, 10-7-09)

Five Essential Characteristics

1. On-Demand Self-Service: Consumer provisions computing capabilities without provider intervention

2. Broad Network Access: Accessible via standard mechanisms promoting use by various “client” platforms (smart phones, pdas, tablets, laptops)

3. Resource Pooling: Provider resources pooled using multi-tenant model to serve multiple consumers.

4. Rapid Elasticity: scale up, scale down

5. Measured Elasticity: control and optimization with metrics on resource consumption/allocation

NIST Definition – 3 Service Models (Authors: Peter Mell and Tim Grance, Version 15, 10-7-09)

Software as a Service (SaaS)
– Provider’s applications, infrastructure
– Accessible via client devices over web browser interface
– Consumer doesn’t manage or control infrastructure
– Consumer may have configurable application settings (e.g. user permissions)

Platform as a Service (PaaS)
– Consumer created or acquired applications
– Use of programming languages & tools supported by cloud provider
– Consumer control over deployed applications
– Provider managed infrastructure

Infrastructure as a Service (IaaS)
– Consumer capability to provision processing resources
– Provider controls underlying cloud infrastructure
– Consumer able to deploy arbitrary software (OS, Apps)

NIST Definition - 4 Deployment Models (Authors: Peter Mell and Tim Grance, Version 15, 10-7-09)

1. Private Cloud – operated by a single organization

2. Community Cloud – shared by multiple organizations

3. Public Cloud – available to general public

4. Hybrid Cloud – two or more distinct clouds bound together

NIST Definition of Cloud Computing (Authors: Peter Mell and Tim Grance, Version 15, 10-7-09)

Three Features of “Mature” SaaS Applications

Scalability
– 1 to N users

Multi-Tenancy
– One code base supporting multiple logical instances

Metadata driven Configurability
– Users configure via metadata vs. application code changes

Multi-Tenancy Makes Public Cloud Computing Possible

[Figure: Single-Tenant (On-Premise or Hosted), with a Dedicated App Stack for Each Application, compared with Multi-Tenant, with One Single Stack for All Applications]

Metadata: How Multi-Tenant Services Deliver a Unique Experience to Every Customer

[Figure: 90,000+ Customers; 11 Million+ Customizations; 100+ M Integration Calls / Day; Salesforce Apps, ISV Apps (850+) and Custom Apps (100k+) layered on Metadata]

31+ major upgrades
Customizations, Integrations and apps run on the latest release automatically

Cloud Computing Liberates the Consumer from IT Burdens

...By using cloud services, the Federal Government will gain access to powerful technology resources faster and at lower costs. This frees us to focus on mission-critical tasks instead of purchasing, configuring, and maintaining redundant infrastructure. The Obama Administration is committed to leveraging the power of cloud computing to help close the technology gap and deliver for the American people.

Vivek Kundra, the U.S. government’s first Chief Information Officer.
http://www.whitehouse.gov/blog/2010/05/13/moving-cloud (emphasis added)

Shifting the Burden to the Cloud

Application and Platform
– Development
– Maintenance
– Functional Enhancements

Infrastructure
– Hardware resource acquisition, management
– Economies of scale
• (e.g. salesforce.com supports approximately 83,000 customers currently on only 1,500 Dell PCs, plus an additional 1,500 for redundancy/Disaster Recovery etc.).

Faster Rollouts and Innovation

Faster implementation of applications

Faster Vendor Innovation

Flexibility and scalability to serve companies of all sizes (1 – X users)

Code base developed, maintained, enhanced by the provider

• Upgrades tested and deployed
• Security
• Audit history tracking
• Tuning
• Backups
• Disaster Recovery

The Cloud Serves Companies of Every Size

ENTERPRISE

MID-MARKET

SMALL BUSINESS


Subscription Model

Fixed # of Users / Period / Product

For customer
– Minimal up-front investment
– Flexibility

For vendor
– Financial predictability
– Cash flow

Pricing – Provider may discount for greater commitment

Contracting in the Cloud

Legal Issues – No Software License if Outside Customer’s Firewall

Inside customer’s firewall
– Licensing model
– Software license seeks to avoid first sale doctrine (allows purchaser to sell or give away a copy of a copyrighted work once lawfully obtained)

Outside customer’s firewall
– No copies distributed in cloud computing, therefore no software license needed
– Cloud computing is a “service” that is “provided” or “made available” to customer (SaaS, PaaS, IaaS)

Legal Issues - Maintenance & Support

On premises model typically requires customer to purchase maintenance or support in addition to software license

Multi-tenancy model may or may not include
– Functional enhancements, upgrades
– Fixes, patches
– User support

Legal Issues – Data Privacy & Security

Best Practices

– Transparency:
• explain their information handling practices
• disclose the performance and reliability of their services

– Use Limitation.
• Provider disclaims ownership rights in customer data
• Use customer data only as their customers instruct them or to fulfill their contractual or legal obligations.

– Disclosure.
• Provider discloses customer data only if and to the extent legally required, and provides affected customers prior notice of any such compelled disclosure if permitted.

Data Privacy & Security Best Practices (cont.)

– Security Management System.
• Provider maintains robust security management system that is based on an internationally accepted security framework (e.g. ISO 27001)

– Customer Security Features.
• Customers have configurable security features to implement in their usage of the cloud computing services

– Data Location.
• Provider should tell customers the countries in which customer data is hosted

Data Privacy & Security Best Practices (cont.)

Breach Notification.
– Provider should notify customers of known security breaches that affect the confidentiality or security of the customer data.

Audit.
– Provider should use third-party auditors to ensure compliance with its security management system.

Data Portability.
– Provider should make available to customers their data in an industry-standard, downloadable format.

Legal Issues – Liability Considerations

For cloud computing vendor, risk of data security breach outstrips all others

Multi-tenancy enables single incident to affect thousands of customers, changing risk calculus

Critical to think through worst-case scenarios, and re-think as company grows and evolves
– Types of harm
– Damages available
– Settlement values
– Insurance coverage

Legal Issues – Limitation of Liability

Cloud computing provider must decide what it is willing to sustain in worst-case scenario, and draft contracts accordingly

Will provider pay damages/settlements arising from 3d party claims, e.g. security breach/data loss fines/credit monitoring fees

Typically, provider will not cover consequential damages (i.e., customer’s lost profits) resulting from security breach

Legal Issues – Third-Party Applications

Trend: cloud computing platforms allowing applications from multiple sources to integrate and share data

Assure consent to sharing of data

Legal Issues - Indemnification

In most technology contracts, key indemnity agreed to by provider
– IP infringement

In cloud computing, customer inputs content into provider’s systems
– Provider doesn’t control, or often even see, customer content, but hosts it

Legal Issues – Indemnification - CDA

Does Communications Decency Act § 230 protect provider?

– “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

– CDA § 230 "creates a federal immunity to any cause of action that would make service providers liable for information originating with a third-party user of the service…. [L]awsuits seeking to hold a service liable for its exercise of a publisher’s traditional editorial functions – such as deciding whether to publish, withdraw, postpone or alter content – are barred.” Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997), cert. denied, 524 U.S. 937 (1998)

Doesn’t apply to IP infringement claims or claims outside U.S.

Legal Issues - Indemnification

Cloud computing provider should indemnify customer for IP claims based on technology or content provided by vendor

Customer should indemnify cloud computing vendor for:
– IP claims based on content submitted by users
– Claims that storage, processing, display of content violates any law or third-party right (especially privacy)

Legal Issues – Reliability & Availability

Service Levels
– Multi-tenancy motivates provider to deliver high availability
– If service unavailable for one, almost certainly unavailable for many or all
– Effect on business will usually impose much greater discipline on vendor than contractual remedies

Trend is toward transparency

Legal Issues – Data Ownership, Access & Destruction

Explicit provisions as to who owns the data

Assurances as to ability to access data
– During the contract term
– After termination
– In a format that is usable

Obligation to destroy the data
– After termination
– At any time if necessary (tricky multi-tenancy issues)

Legal Issues – Source Code Escrow

Escrow Agreements - Common in enterprise software license agreement where vendor ceases to support software

Makes sense in behind-the-customer-firewall model

Doesn’t make sense in multi-tenant model
– Much more practical for customer to take its content and load it in alternative service

Legal Issues – Other Customer Obligations

Self-Service – administrative function is customer role

Access to data – permissions, profiles, record or field level controls

Password security, no sharing of passwords

Responsibility for accuracy, quality, integrity and legality of customer’s content and means by which it acquired content

Use service in accordance with applicable laws

Not use service to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights

Lora L. Fong, Esq.
Managing Counsel
salesforce.com, inc.