SlideShare una empresa de Scribd logo

The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30

T
This account is closed

The document discusses key considerations for contracting cloud services. It notes that cloud contracts replace on-premises infrastructure agreements and outlines important clauses like data security, service level agreements, auditing rights, and ensuring access to data if the provider exits. The document also recommends due diligence on provider security practices and insurance to cover risks from outages or breaches at third-party providers. Overall it provides guidance on structuring contracts to maintain control over data and set clear performance standards when transitioning IT services to cloud models.

Derecho
1 de 23
Descargar para leer sin conexión
The Cloud Computing Contract Playbook - Contracting for Cloud Services September 30, 2015 Paul Armitage*, Partner * Law Corporation
2 The Cloud is Everywhere The cloud is everywhere and for anything • SaaS (applications) • Customer accesses and uses cloud provider’s applications running on cloud provider’s infrastructure (e.g., Salesforce.com) • PaaS (platform) • Customer deploys and controls own (developed/licensed) applications running on cloud provider’s infrastructure (e.g., IBM Smartcloud, and also Salesforce.com!) • IaaS (infrastructure) • Customer deploys and controls applications, operating systems, storage, and networking components running on cloud provider’s infrastructure (e.g., AWS)
The Cloud is Everywhere Expanding use of the cloud – from consumer to the enterprise • The cloud is no longer just for free or low-cost consumer offerings • Mission critical functions: finance, billing, database storage, networks • Regulated industries (e.g., financial institutions, healthcare) 3
The Irresistible Force of the Cloud • Significant cost reductions • Lower total cost of ownership: no servers or licenses to be bought – just pay as you go • Cheaper to implement, customize and configure • No upgrade fees for ongoing maintenance to stay current with latest versions of the software and operating systems • Cost certainty • Predictable fees based on metrics (e.g., per user, log-in, record, device) • Renewal pricing: PRACTICAL TIP - contractually ensure cost certainty on renewal! 4
The Irresistible Force of the Cloud • Speed of delivery • Greatly reduces time required to implement, customize and configure the solution, and to train users • Scalable and elastic (metered, on-demand service) • Increased connectivity and solution mobility (accessible anywhere and by any Internet enabled device) • Can allow an organization to achieve security standards which are difficult or expensive to achieve in-house (e.g., diversity or disaster recovery requirements) 5
What’s Different about Contracting for Cloud Computing? “Cloud” solution • No on-premises installation at customer • Customer gets a subscription to access and use someone else’s solution, on someone else’s computer, hosted somewhere else, all done via the internet – the “cloud” • In lieu of an in-house IT department where you can structure your computing environment and know first-hand what security safeguards are in place, you now have… a contract with your cloud provider 6
Storing Personal Information in the Cloud • Storing personal information in the cloud is generally speaking permitted, so long as: • Socio-economic and legal environment of the hosting jurisdiction, and sensitivity of the information are taken into consideration • Individuals are provided with notice of the cloud storage, and that while their information is stored outside Canada it may be accessed by foreign courts, law enforcement and security authorities • The cloud provider is contractually required to safeguard the personal information against unauthorized use, access, collection, disclosure, copying modification, and destruction, having regard to the sensitivity of the information, and providing a comparable level of protection to (a) if processed in-house, and (b) as is legally required in Canada 7
Storing Personal Information in the Cloud • Additional Alberta requirements • Alberta Personal Information Protection Act: • An organization must have policies about its use of “service providers” (includes contractors and affiliates) outside of Canada to process personal information, including as to (a) which countries, and (b) the purposes of processing, and must make its policies available on request • An organization must, before or at the time of collecting or transferring the information outside Canada, notify the individual of (a) how to obtain information about the organization’s policies on use of service providers outside of Canada, and (b) the contact information of the person at the organization who is able to answer questions about those policies 8
Storing Personal Information in the Cloud • Exceptions: • B.C. public bodies - FOIPPA, s. 30.1 • Personal information in the custody or control of a public body must be stored in Canada and accessed only in Canada, unless one of the following applies: (a) individual consent, (b) allowed under FOIPPA (including by ministerial order), or (c) in connection with payments to or by a public body • Limited exceptions for cloud-based email solutions and social media • Similar restrictions exist for Nova Scotia public bodies 9
Know Your Cloud Provider • Due diligence on cloud provider • Review financial statements / regulatory filings (SEC 10K) • Financial performance (look for positive growth) and self- disclosure of risks by cloud provider • Data security measures – look for (and include in the contract) the following types of protections: • Physical, e.g. restricted access to data centres • Organizational, e.g. security clearances, background checks, privacy and security policies, training • Technological, e.g. (a) firewall, (b) encryption (consider three data states for encryption: (1) at rest, (2) in transit, (3) in process), (c) identity and access management (password protection), (d) patch management and network maintenance, (e) secure data deletion, (f) intrusion monitoring, (g) virus filters 10
Know Your Cloud Provider • ISO 27001 standard for information security systems • Certification to demonstrate industry-minimum cyber security measures have been adopted 11
Know Your Cloud Provider • ISO 27018 standard for protection of personally identifiable information (PII) in the cloud • Requires cloud provider to (among other things): • Only process PII in accordance with the customer’s instructions • Only process PII for marketing or advertising purposes with the customer’s express consent • Disclose to the customer the identity of subcontractors and locations where PII is processed • Ensure that personnel who have access to PII enter into confidentiality agreements and receive appropriate training • Assist the customer in complying with notification obligations in the event of a security breach 12
Know Your Cloud Provider • PCI DSS (Payment Card Interface – Data Security Standard) for (1) payment card processing, (2) securing cardholder data (e.g., storage or encryption), (3) cardholder data environment (e.g., infrastructure, data centres), (4) application development with access to cardholder information / data environment • Standards for cardholder data security and consistent data security measures 13
Crucial Clause: Data Security Clause • Elements of a data security clause • Data remains owned and under the control of the organization while in the cloud provider’s possession • Cloud provider must only use the data for the purpose of performing its services • Cloud provider must provide notice of any data breach • Cloud provider must provide notice of any lawful access where legally permitted • Continued access to data is assured (restrict cloud provider’s ability to cut-off or suspend access, e.g., for non-payment) • Disaster recovery/business continuity plan to provide access to data under adverse conditions • Continued access to data for a period after subscription ends to allow for transitioning to another provider or service repatriation • Return of data on termination (specify cost and a format you can use) 14
Heart of the Deal: Specifications and Service Levels • Specifications define what the cloud solution is supposed to do • A lot of cloud providers’ contracts don’t say anything about what the solution does! • Incorporate specifications / software components and guard against future changes removing functionality • Service levels set minimum performance standards for the cloud solution. Examples: • 99.999% uptime – but what’s “uptime”? • Need to include the concept that “uptime available minutes” are those when the services are operating to specifications, or without errors • Speed to perform a function • Support call response • Recovery time objectives 15
Audit • Right to audit cloud provider by client (and by client’s regulators if applicable) • Third party auditors to ensure compliance with cloud provider’s security program • Type of audit: SSAE 16 (US), CSAE 3416 (Canada), ISAE 3402 (International) • Type of report: • SOC 1: controls over financial reporting • SOC 2: controls related to security, availability, processing integrity, confidentiality, and privacy for a specific customer – “restricted report” • SOC 3: same as SOC 2, but for general release (i.e., all customers) • Frequency of report: Type I (point in time) vs. Type II (over period of time) 16
Bringing Territory Back The cloud is typically thought of as not tied to territory, but consider: • Statutory prohibitions (e.g., FOIPPA, s. 30.1) • Sectoral laws requirements (e.g., Bank Act) • Your own policies and contracts – have you committed to persons that their data won’t be stored outside of Canada? • Which laws you must comply with – are they also binding on the cloud provider? • Specify in the contract what laws must be complied with, e.g., Canadian laws for personal information protection • Insurance – territorial limits on coverage 17
Bringing Territory Back • Export controls – four areas of concern: • US-origin technology (including technical data) • Controlled technology: encryption, dual-use (civilian), military, nuclear • Cloud provider or user is located in sanctioned countries • Designated persons subject to economic sanctions 18
Insurance Issues Gaps in traditional policies - general liability and E&O do not cover: • Business interruption due to your cloud provider suffering an outage as a result of computer or network security failure • Indemnification for security breach notification costs (including credit monitoring) • Defence and indemnification for regulatory action due to a breach of privacy laws • Liability for disclosure of electronic data, confidential information, and personal information • Liability for economic harm suffered by others due to failure of your computer or network security 19
Insurance Issues • Cyber security & privacy liability insurance may be used to fill-in these gaps. Conditions of coverage: • Maintain same or better level of security as when coverage was taken-out (may include audit of your and your cloud provider’s systems and security) • Compliance with legal regulations • Notice of claims – therefore, must contractually require cloud provider to provide notice of security breach • There must have been a security failure (e.g., poor planning or unforeseen usage levels are not covered) 20
Insurance Issues • Cyber security & privacy liability insurance – yours or your cloud provider’s? • Will your cloud provider’s coverage be there to protect you? • Cost of security breach based on number of records compromised: 100,000 records - $8.6m* (if the cloud provider has a 1,000 customers, that’s a $8.6b loss!) * Marsh, “Cyber & Privacy Liability” • Cloud provider business model is usually about reducing costs – providers therefore may have low insurance, high deductibles, and resist naming customers as additional insureds • Your insurance: covers data compromised in the hands of a cloud provider (with insurer subrogation against cloud provider) 21
What Happens if your Cloud Provider Goes Out of Business? • Third party cloud continuity solutions – the new software escrow • Short term (e.g., 30 - 90 days) solution to keep your cloud provider’s service running while you transition to a new provider or repatriate the service • Two main variations: • Basic: escrow company contracts with cloud provider’s IaaS hosting provider to allow escrow company to keep the solution “up” if cloud provider goes out of business • More advanced: escrow company runs a mirrored solution in its own environment that can be cut-to as a fail-over if cloud provider goes out of business (or just goes down – also a diversity service) • May be coupled with traditional source code escrow 22
Thank You montréal  ottawa  toronto  hamilton  waterloo region  calgary vancouver  beijing  moscow  london Paul Armitage Tel: 604-891-2779 Email: paul.armitage@gowlings.com

Recomendados

The Cloud Computing Contract Playbook: Contracting for Cloud Services
The Cloud Computing Contract Playbook: Contracting for Cloud ServicesThe Cloud Computing Contract Playbook: Contracting for Cloud Services
The Cloud Computing Contract Playbook: Contracting for Cloud Services
This account is closed
 
Cloud Computing & IT in the Boardroom
Cloud Computing & IT in the BoardroomCloud Computing & IT in the Boardroom
Cloud Computing & IT in the Boardroom
Brendon Noney
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Cloud computing : legal , privacy and contract issues
Cloud computing : legal , privacy and contract issuesCloud computing : legal , privacy and contract issues
Cloud computing : legal , privacy and contract issues
Lilian Edwards
 
Legal Framework for Cloud Computing Cebit May 31 2011 Sydney
Legal Framework for Cloud Computing Cebit May 31 2011 SydneyLegal Framework for Cloud Computing Cebit May 31 2011 Sydney
Legal Framework for Cloud Computing Cebit May 31 2011 Sydney
anthonywong
 
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
Brian Miller, Solicitor
 
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated
wdsnead
 
GDPR - 5 Months On!
GDPR - 5 Months On!GDPR - 5 Months On!
GDPR - 5 Months On!
BrightPay Payroll and Auto Enrolment Software
 

Recomendados

The Cloud Computing Contract Playbook: Contracting for Cloud Services
The Cloud Computing Contract Playbook: Contracting for Cloud ServicesThe Cloud Computing Contract Playbook: Contracting for Cloud Services
The Cloud Computing Contract Playbook: Contracting for Cloud Services
This account is closed
 
Cloud Computing & IT in the Boardroom
Cloud Computing & IT in the BoardroomCloud Computing & IT in the Boardroom
Cloud Computing & IT in the Boardroom
Brendon Noney
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Cloud computing : legal , privacy and contract issues
Cloud computing : legal , privacy and contract issuesCloud computing : legal , privacy and contract issues
Cloud computing : legal , privacy and contract issues
Lilian Edwards
 
Legal Framework for Cloud Computing Cebit May 31 2011 Sydney
Legal Framework for Cloud Computing Cebit May 31 2011 SydneyLegal Framework for Cloud Computing Cebit May 31 2011 Sydney
Legal Framework for Cloud Computing Cebit May 31 2011 Sydney
anthonywong
 
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bo...
Brian Miller, Solicitor
 
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated
wdsnead
 
GDPR - 5 Months On!
GDPR - 5 Months On!GDPR - 5 Months On!
GDPR - 5 Months On!
BrightPay Payroll and Auto Enrolment Software
 
Cloud Computing Legal Issues
Cloud Computing Legal IssuesCloud Computing Legal Issues
Cloud Computing Legal Issues
Ikuo Takahashi
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
TrustArc
 
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to ComplyCanada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
This account is closed
 
Legal Issues for Innovators & Inventors (Series: Intellectual Property 201)
Legal Issues for Innovators & Inventors (Series: Intellectual Property 201)Legal Issues for Innovators & Inventors (Series: Intellectual Property 201)
Legal Issues for Innovators & Inventors (Series: Intellectual Property 201)
Financial Poise
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
Safe Harbor Webinar
Safe Harbor WebinarSafe Harbor Webinar
Safe Harbor Webinar
Ethisphere
 
Cloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
Cloud Computing: Legal Issues and Safety Risks by Brian Miller SolicitorCloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
Cloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
Brian Miller, Solicitor
 
5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You
TrustArc
 
Building Consumer Trust through Individual Rights / DSAR Management
Building Consumer Trust through Individual Rights / DSAR ManagementBuilding Consumer Trust through Individual Rights / DSAR Management
Building Consumer Trust through Individual Rights / DSAR Management
TrustArc
 
GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for development
Tomppa Järvinen
 
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
AltheimPrivacy
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
Craig Clark ITIL, CIS LI,EU GDPR P
 
Contracting in the Cloud by Tammy Bortz
Contracting in the Cloud by Tammy BortzContracting in the Cloud by Tammy Bortz
Contracting in the Cloud by Tammy Bortz
itnewsafrica
 
Post US Election Privacy Updates & Implications
Post US Election Privacy Updates & ImplicationsPost US Election Privacy Updates & Implications
Post US Election Privacy Updates & Implications
TrustArc
 
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
TrustArc
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
Risks and Benefits of Cloud Computing
Risks and Benefits of Cloud ComputingRisks and Benefits of Cloud Computing
Risks and Benefits of Cloud Computing
DLA Piper (Canada) LLP
 
093049ov4.pptx
093049ov4.pptx093049ov4.pptx
093049ov4.pptx
NguyenNM
 
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
Livingstone Advisory
 
Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014
Lisa Abe-Oldenburg, B.Comm., JD.
 
Cloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best PracticesCloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best Practices
lisaabe
 
Cloud security
Cloud securityCloud security
Cloud security
Adeel Javaid
 

Más contenido relacionado

La actualidad más candente

How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
TrustArc
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You
TrustArc
 
Building Consumer Trust through Individual Rights / DSAR Management
Building Consumer Trust through Individual Rights / DSAR ManagementBuilding Consumer Trust through Individual Rights / DSAR Management
Building Consumer Trust through Individual Rights / DSAR Management
TrustArc
 
Contracting in the Cloud by Tammy Bortz
Contracting in the Cloud by Tammy BortzContracting in the Cloud by Tammy Bortz
Contracting in the Cloud by Tammy Bortz
itnewsafrica
 
Post US Election Privacy Updates & Implications
Post US Election Privacy Updates & ImplicationsPost US Election Privacy Updates & Implications
Post US Election Privacy Updates & Implications
TrustArc
 
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
TrustArc
 

La actualidad más candente (16)

Cloud Computing Legal Issues
Cloud Computing Legal IssuesCloud Computing Legal Issues
Cloud Computing Legal Issues
 
How to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
 
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to ComplyCanada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
 
Legal Issues for Innovators & Inventors (Series: Intellectual Property 201)
Legal Issues for Innovators & Inventors (Series: Intellectual Property 201)Legal Issues for Innovators & Inventors (Series: Intellectual Property 201)
Legal Issues for Innovators & Inventors (Series: Intellectual Property 201)
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
Safe Harbor Webinar
Safe Harbor WebinarSafe Harbor Webinar
Safe Harbor Webinar
 
Cloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
Cloud Computing: Legal Issues and Safety Risks by Brian Miller SolicitorCloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
Cloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
 
5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You
 
Building Consumer Trust through Individual Rights / DSAR Management
Building Consumer Trust through Individual Rights / DSAR ManagementBuilding Consumer Trust through Individual Rights / DSAR Management
Building Consumer Trust through Individual Rights / DSAR Management
 
GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for development
 
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
 
Contracting in the Cloud by Tammy Bortz
Contracting in the Cloud by Tammy BortzContracting in the Cloud by Tammy Bortz
Contracting in the Cloud by Tammy Bortz
 
Post US Election Privacy Updates & Implications
Post US Election Privacy Updates & ImplicationsPost US Election Privacy Updates & Implications
Post US Election Privacy Updates & Implications
 
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 

Similar a The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30

UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
Livingstone Advisory
 
Securing Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud by Spyders & NetskopeSecuring Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud by Spyders & Netskope
Ahmad Abdalla
 
Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade
Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of TradeSecuring Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade
Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade
Lisa Abe-Oldenburg, B.Comm., JD.
 
IT Equipment and Services Agreements: Contractual Pitfalls and How to Avoid Them
IT Equipment and Services Agreements: Contractual Pitfalls and How to Avoid ThemIT Equipment and Services Agreements: Contractual Pitfalls and How to Avoid Them
IT Equipment and Services Agreements: Contractual Pitfalls and How to Avoid Them
Meyers Nave
 
Cloud Computing in Business and facts
Cloud Computing in Business and factsCloud Computing in Business and facts
Cloud Computing in Business and facts
Arun Ganesh
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
Kresimir Popovic
 

Similar a The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30 (20)

Risks and Benefits of Cloud Computing
Risks and Benefits of Cloud ComputingRisks and Benefits of Cloud Computing
Risks and Benefits of Cloud Computing
 
093049ov4.pptx
093049ov4.pptx093049ov4.pptx
093049ov4.pptx
 
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
 
Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014
 
Cloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best PracticesCloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best Practices
 
Cloud security
Cloud securityCloud security
Cloud security
 
Securing Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud by Spyders & NetskopeSecuring Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud by Spyders & Netskope
 
Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade
Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of TradeSecuring Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade
Securing Apps and Data in the Cloud - July 23 2014 Toronto Board of Trade
 
SLALOM Project Legal Webinar Introduction 20151019 Legal Aspects
SLALOM Project Legal Webinar Introduction 20151019 Legal AspectsSLALOM Project Legal Webinar Introduction 20151019 Legal Aspects
SLALOM Project Legal Webinar Introduction 20151019 Legal Aspects
 
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
 
Cloud Security.ppt
Cloud Security.pptCloud Security.ppt
Cloud Security.ppt
 
Cloud security issues and concerns
Cloud security issues and concernsCloud security issues and concerns
Cloud security issues and concerns
 
Cyril Bartolo: European Users’ recommendations for the success of Public Clou...
Cyril Bartolo: European Users’ recommendations for the success of Public Clou...Cyril Bartolo: European Users’ recommendations for the success of Public Clou...
Cyril Bartolo: European Users’ recommendations for the success of Public Clou...
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Cloud computing and its security issues
Cloud computing and its security issuesCloud computing and its security issues
Cloud computing and its security issues
 
IT Equipment and Services Agreements: Contractual Pitfalls and How to Avoid Them
IT Equipment and Services Agreements: Contractual Pitfalls and How to Avoid ThemIT Equipment and Services Agreements: Contractual Pitfalls and How to Avoid Them
IT Equipment and Services Agreements: Contractual Pitfalls and How to Avoid Them
 
Cloud Computing in Business and facts
Cloud Computing in Business and factsCloud Computing in Business and facts
Cloud Computing in Business and facts
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011
 
Cloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from realityCloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from reality
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 

Más de This account is closed

Trans-Pacific Partnership Treaty & Intellectual Property
Trans-Pacific Partnership Treaty & Intellectual PropertyTrans-Pacific Partnership Treaty & Intellectual Property
Trans-Pacific Partnership Treaty & Intellectual Property
This account is closed
 
Cross-Border M&A: Canada is Open for Business
Cross-Border M&A: Canada is Open for BusinessCross-Border M&A: Canada is Open for Business
Cross-Border M&A: Canada is Open for Business
This account is closed
 
Directors and fficers duties van law-1662964-v1
Directors and fficers duties van law-1662964-v1Directors and fficers duties van law-1662964-v1
Directors and fficers duties van law-1662964-v1
This account is closed
 

Más de This account is closed (20)

Brands, Trademarks, and Advertising
Brands, Trademarks, and AdvertisingBrands, Trademarks, and Advertising
Brands, Trademarks, and Advertising
 
Le gestion de crise : considérations juridiques et pratiques pour traverser l...
Le gestion de crise : considérations juridiques et pratiques pour traverser l...Le gestion de crise : considérations juridiques et pratiques pour traverser l...
Le gestion de crise : considérations juridiques et pratiques pour traverser l...
 
CPD Professionalism Program for General Counsel
CPD Professionalism Program for General CounselCPD Professionalism Program for General Counsel
CPD Professionalism Program for General Counsel
 
Financing nuclear projects — A. Abdel Aziz
Financing nuclear projects — A. Abdel AzizFinancing nuclear projects — A. Abdel Aziz
Financing nuclear projects — A. Abdel Aziz
 
Nuclear Supply Chain Symposium - Canadian Contracting Models
Nuclear Supply Chain Symposium - Canadian Contracting ModelsNuclear Supply Chain Symposium - Canadian Contracting Models
Nuclear Supply Chain Symposium - Canadian Contracting Models
 
Trans-Pacific Partnership Treaty & Intellectual Property
Trans-Pacific Partnership Treaty & Intellectual PropertyTrans-Pacific Partnership Treaty & Intellectual Property
Trans-Pacific Partnership Treaty & Intellectual Property
 
Life Sciences Licensing — Trends and Issues
Life Sciences Licensing — Trends and IssuesLife Sciences Licensing — Trends and Issues
Life Sciences Licensing — Trends and Issues
 
Legal issues associated with project management and consulting
Legal issues associated with project management and consultingLegal issues associated with project management and consulting
Legal issues associated with project management and consulting
 
Cross-Border M&A: Canada is Open for Business
Cross-Border M&A: Canada is Open for BusinessCross-Border M&A: Canada is Open for Business
Cross-Border M&A: Canada is Open for Business
 
PLSAs, SEPs and PAEs: The Antitrust/IP Acronyms You Should Know and Understand
PLSAs, SEPs and PAEs: The Antitrust/IP Acronyms You Should Know and UnderstandPLSAs, SEPs and PAEs: The Antitrust/IP Acronyms You Should Know and Understand
PLSAs, SEPs and PAEs: The Antitrust/IP Acronyms You Should Know and Understand
 
IP ownership for R&D companies: Cautionary tales and best practices
IP ownership for R&D companies: Cautionary tales and best practicesIP ownership for R&D companies: Cautionary tales and best practices
IP ownership for R&D companies: Cautionary tales and best practices
 
Manufacturing Success Seminar - April 29, 2015
Manufacturing Success Seminar - April 29, 2015Manufacturing Success Seminar - April 29, 2015
Manufacturing Success Seminar - April 29, 2015
 
Employment and Labour Law Seminar - May 5, 2015
Employment and Labour Law Seminar - May 5, 2015Employment and Labour Law Seminar - May 5, 2015
Employment and Labour Law Seminar - May 5, 2015
 
Employment and Labour Law Seminar - May 6, 2015
Employment and Labour Law Seminar - May 6, 2015Employment and Labour Law Seminar - May 6, 2015
Employment and Labour Law Seminar - May 6, 2015
 
Social Media and the Workplace: Navigating in a New World
Social Media and the Workplace: Navigating in a New WorldSocial Media and the Workplace: Navigating in a New World
Social Media and the Workplace: Navigating in a New World
 
Top 10 Developments in Employment, Labour & Human Rights Law
Top 10 Developments in Employment, Labour & Human Rights LawTop 10 Developments in Employment, Labour & Human Rights Law
Top 10 Developments in Employment, Labour & Human Rights Law
 
Disability Accommodation in the Workplace
Disability Accommodation in the WorkplaceDisability Accommodation in the Workplace
Disability Accommodation in the Workplace
 
Enforceability of Termination Provisions
Enforceability of Termination ProvisionsEnforceability of Termination Provisions
Enforceability of Termination Provisions
 
Employment & Labour Law Panel Discussion - April 29th, 2015
Employment & Labour Law Panel Discussion - April 29th, 2015Employment & Labour Law Panel Discussion - April 29th, 2015
Employment & Labour Law Panel Discussion - April 29th, 2015
 
Directors and fficers duties van law-1662964-v1
Directors and fficers duties van law-1662964-v1Directors and fficers duties van law-1662964-v1
Directors and fficers duties van law-1662964-v1
 

Último

一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
Airst S
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
F La
 
一比一原版(UWA毕业证书)西澳大学毕业证如何办理
一比一原版(UWA毕业证书)西澳大学毕业证如何办理一比一原版(UWA毕业证书)西澳大学毕业证如何办理
一比一原版(UWA毕业证书)西澳大学毕业证如何办理
bd2c5966a56d
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
ss
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
Airst S
 
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
Fir La
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
e9733fc35af6
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
CssSpamx
 
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
irst
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
bd2c5966a56d
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
irst
 

Último (20)

It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy NovicesIt’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
 
Chambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&AChambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&A
 
一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
 
Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargaining
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 
Who is Spencer McDaniel? And Does He Actually Exist?
Who is Spencer McDaniel? And Does He Actually Exist?Who is Spencer McDaniel? And Does He Actually Exist?
Who is Spencer McDaniel? And Does He Actually Exist?
 
一比一原版(UWA毕业证书)西澳大学毕业证如何办理
一比一原版(UWA毕业证书)西澳大学毕业证如何办理一比一原版(UWA毕业证书)西澳大学毕业证如何办理
一比一原版(UWA毕业证书)西澳大学毕业证如何办理
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
 
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
 
5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf
 
Reason Behind the Success of Law Firms in India
Reason Behind the Success of Law Firms in IndiaReason Behind the Success of Law Firms in India
Reason Behind the Success of Law Firms in India
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
 
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYA SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 

The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30

  • 1. The Cloud Computing Contract Playbook - Contracting for Cloud Services September 30, 2015 Paul Armitage*, Partner * Law Corporation
  • 2. 2 The Cloud is Everywhere The cloud is everywhere and for anything • SaaS (applications) • Customer accesses and uses cloud provider’s applications running on cloud provider’s infrastructure (e.g., Salesforce.com) • PaaS (platform) • Customer deploys and controls own (developed/licensed) applications running on cloud provider’s infrastructure (e.g., IBM Smartcloud, and also Salesforce.com!) • IaaS (infrastructure) • Customer deploys and controls applications, operating systems, storage, and networking components running on cloud provider’s infrastructure (e.g., AWS)
  • 3. The Cloud is Everywhere Expanding use of the cloud – from consumer to the enterprise • The cloud is no longer just for free or low-cost consumer offerings • Mission critical functions: finance, billing, database storage, networks • Regulated industries (e.g., financial institutions, healthcare) 3
  • 4. The Irresistible Force of the Cloud • Significant cost reductions • Lower total cost of ownership: no servers or licenses to be bought – just pay as you go • Cheaper to implement, customize and configure • No upgrade fees for ongoing maintenance to stay current with latest versions of the software and operating systems • Cost certainty • Predictable fees based on metrics (e.g., per user, log-in, record, device) • Renewal pricing: PRACTICAL TIP - contractually ensure cost certainty on renewal! 4
  • 5. The Irresistible Force of the Cloud • Speed of delivery • Greatly reduces time required to implement, customize and configure the solution, and to train users • Scalable and elastic (metered, on-demand service) • Increased connectivity and solution mobility (accessible anywhere and by any Internet enabled device) • Can allow an organization to achieve security standards which are difficult or expensive to achieve in-house (e.g., diversity or disaster recovery requirements) 5
  • 6. What’s Different about Contracting for Cloud Computing? “Cloud” solution • No on-premises installation at customer • Customer gets a subscription to access and use someone else’s solution, on someone else’s computer, hosted somewhere else, all done via the internet – the “cloud” • In lieu of an in-house IT department where you can structure your computing environment and know first-hand what security safeguards are in place, you now have… a contract with your cloud provider 6
  • 7. Storing Personal Information in the Cloud • Storing personal information in the cloud is generally speaking permitted, so long as: • Socio-economic and legal environment of the hosting jurisdiction, and sensitivity of the information are taken into consideration • Individuals are provided with notice of the cloud storage, and that while their information is stored outside Canada it may be accessed by foreign courts, law enforcement and security authorities • The cloud provider is contractually required to safeguard the personal information against unauthorized use, access, collection, disclosure, copying modification, and destruction, having regard to the sensitivity of the information, and providing a comparable level of protection to (a) if processed in-house, and (b) as is legally required in Canada 7
  • 8. Storing Personal Information in the Cloud • Additional Alberta requirements • Alberta Personal Information Protection Act: • An organization must have policies about its use of “service providers” (includes contractors and affiliates) outside of Canada to process personal information, including as to (a) which countries, and (b) the purposes of processing, and must make its policies available on request • An organization must, before or at the time of collecting or transferring the information outside Canada, notify the individual of (a) how to obtain information about the organization’s policies on use of service providers outside of Canada, and (b) the contact information of the person at the organization who is able to answer questions about those policies 8
  • 9. Storing Personal Information in the Cloud • Exceptions: • B.C. public bodies - FOIPPA, s. 30.1 • Personal information in the custody or control of a public body must be stored in Canada and accessed only in Canada, unless one of the following applies: (a) individual consent, (b) allowed under FOIPPA (including by ministerial order), or (c) in connection with payments to or by a public body • Limited exceptions for cloud-based email solutions and social media • Similar restrictions exist for Nova Scotia public bodies 9
  • 10. Know Your Cloud Provider • Due diligence on cloud provider • Review financial statements / regulatory filings (SEC 10K) • Financial performance (look for positive growth) and self- disclosure of risks by cloud provider • Data security measures – look for (and include in the contract) the following types of protections: • Physical, e.g. restricted access to data centres • Organizational, e.g. security clearances, background checks, privacy and security policies, training • Technological, e.g. (a) firewall, (b) encryption (consider three data states for encryption: (1) at rest, (2) in transit, (3) in process), (c) identity and access management (password protection), (d) patch management and network maintenance, (e) secure data deletion, (f) intrusion monitoring, (g) virus filters 10
  • 11. Know Your Cloud Provider • ISO 27001 standard for information security systems • Certification to demonstrate industry-minimum cyber security measures have been adopted 11
  • 12. Know Your Cloud Provider • ISO 27018 standard for protection of personally identifiable information (PII) in the cloud • Requires cloud provider to (among other things): • Only process PII in accordance with the customer’s instructions • Only process PII for marketing or advertising purposes with the customer’s express consent • Disclose to the customer the identity of subcontractors and locations where PII is processed • Ensure that personnel who have access to PII enter into confidentiality agreements and receive appropriate training • Assist the customer in complying with notification obligations in the event of a security breach 12
  • 13. Know Your Cloud Provider • PCI DSS (Payment Card Interface – Data Security Standard) for (1) payment card processing, (2) securing cardholder data (e.g., storage or encryption), (3) cardholder data environment (e.g., infrastructure, data centres), (4) application development with access to cardholder information / data environment • Standards for cardholder data security and consistent data security measures 13
  • 14. Crucial Clause: Data Security Clause • Elements of a data security clause • Data remains owned and under the control of the organization while in the cloud provider’s possession • Cloud provider must only use the data for the purpose of performing its services • Cloud provider must provide notice of any data breach • Cloud provider must provide notice of any lawful access where legally permitted • Continued access to data is assured (restrict cloud provider’s ability to cut-off or suspend access, e.g., for non-payment) • Disaster recovery/business continuity plan to provide access to data under adverse conditions • Continued access to data for a period after subscription ends to allow for transitioning to another provider or service repatriation • Return of data on termination (specify cost and a format you can use) 14
  • 15. Heart of the Deal: Specifications and Service Levels • Specifications define what the cloud solution is supposed to do • A lot of cloud providers’ contracts don’t say anything about what the solution does! • Incorporate specifications / software components and guard against future changes removing functionality • Service levels set minimum performance standards for the cloud solution. Examples: • 99.999% uptime – but what’s “uptime”? • Need to include the concept that “uptime available minutes” are those when the services are operating to specifications, or without errors • Speed to perform a function • Support call response • Recovery time objectives 15
  • 16. Audit • Right to audit cloud provider by client (and by client’s regulators if applicable) • Third party auditors to ensure compliance with cloud provider’s security program • Type of audit: SSAE 16 (US), CSAE 3416 (Canada), ISAE 3402 (International) • Type of report: • SOC 1: controls over financial reporting • SOC 2: controls related to security, availability, processing integrity, confidentiality, and privacy for a specific customer – “restricted report” • SOC 3: same as SOC 2, but for general release (i.e., all customers) • Frequency of report: Type I (point in time) vs. Type II (over period of time) 16
  • 17. Bringing Territory Back The cloud is typically thought of as not tied to territory, but consider: • Statutory prohibitions (e.g., FOIPPA, s. 30.1) • Sectoral laws requirements (e.g., Bank Act) • Your own policies and contracts – have you committed to persons that their data won’t be stored outside of Canada? • Which laws you must comply with – are they also binding on the cloud provider? • Specify in the contract what laws must be complied with, e.g., Canadian laws for personal information protection • Insurance – territorial limits on coverage 17
  • 18. Bringing Territory Back • Export controls – four areas of concern: • US-origin technology (including technical data) • Controlled technology: encryption, dual-use (civilian), military, nuclear • Cloud provider or user is located in sanctioned countries • Designated persons subject to economic sanctions 18
  • 19. Insurance Issues Gaps in traditional policies - general liability and E&O do not cover: • Business interruption due to your cloud provider suffering an outage as a result of computer or network security failure • Indemnification for security breach notification costs (including credit monitoring) • Defence and indemnification for regulatory action due to a breach of privacy laws • Liability for disclosure of electronic data, confidential information, and personal information • Liability for economic harm suffered by others due to failure of your computer or network security 19
  • 20. Insurance Issues • Cyber security & privacy liability insurance may be used to fill-in these gaps. Conditions of coverage: • Maintain same or better level of security as when coverage was taken-out (may include audit of your and your cloud provider’s systems and security) • Compliance with legal regulations • Notice of claims – therefore, must contractually require cloud provider to provide notice of security breach • There must have been a security failure (e.g., poor planning or unforeseen usage levels are not covered) 20
  • 21. Insurance Issues • Cyber security & privacy liability insurance – yours or your cloud provider’s? • Will your cloud provider’s coverage be there to protect you? • Cost of security breach based on number of records compromised: 100,000 records - $8.6m* (if the cloud provider has a 1,000 customers, that’s a $8.6b loss!) * Marsh, “Cyber & Privacy Liability” • Cloud provider business model is usually about reducing costs – providers therefore may have low insurance, high deductibles, and resist naming customers as additional insureds • Your insurance: covers data compromised in the hands of a cloud provider (with insurer subrogation against cloud provider) 21
  • 22. What Happens if your Cloud Provider Goes Out of Business? • Third party cloud continuity solutions – the new software escrow • Short term (e.g., 30 - 90 days) solution to keep your cloud provider’s service running while you transition to a new provider or repatriate the service • Two main variations: • Basic: escrow company contracts with cloud provider’s IaaS hosting provider to allow escrow company to keep the solution “up” if cloud provider goes out of business • More advanced: escrow company runs a mirrored solution in its own environment that can be cut-to as a fail-over if cloud provider goes out of business (or just goes down – also a diversity service) • May be coupled with traditional source code escrow 22
  • 23. Thank You montréal  ottawa  toronto  hamilton  waterloo region  calgary vancouver  beijing  moscow  london Paul Armitage Tel: 604-891-2779 Email: paul.armitage@gowlings.com