Cloud computing: 'Everything you always wanted to know (but were afraid to ask)'



This workshop was held at Legal Business Day on 8 September 2011.
Across the globe organisations are contending with this latest technology panacea - cloud computing. The multijurisdictional nature of the internet - which cares not for geographical boundaries - creates a variety of challenges and opportunities for businesses, regardless of the country in which they are based, and these are transferable to any industry in the private or public sector.
What key considerations should your organisation be aware of? In this workshop we share our opinions on how to handle the legal challenges surrounding cloud computing such as data protection and security, the importance of getting the contract right and on the current lack of consistent, international legal protection.

Published in: Business, Technology
1 Comment
  • Very nice slideshow, I’ve seen some of this information from and it helped a lot. Hopefully others will find it useful. You can never know enough about the cloud and their associated contracts.


  1. 2. Cloud computing: 'Everything you always wanted to know (…but were afraid to ask)'
     Joris Willems, Kristof de Vulder, Arend Lagemaat
     This presentation is available at
  2. 3. Agenda
     • Cloud computing - What is it?
     • (Contracting) issues in the cloud
     • Security
  3. 4. Cloud Computing - Definition
     • 'Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet)'.
  4. 5. Cloud Computing - Numbers
     • 49% / 45%
     • 1 in 4
     • 80%
  5. 6. Cloud Computing - Rationale
     • Need to increase flexibility
     • Avoid technology lock-in
     • Refresh the technical landscape
     • Save money
     • Switch capex to opex
     • Improve performance
  6. 7. Cloud Computing - Types of…
  7. 8. Cloud Computing - Examples
  8. 9. Choosing a Cloud Provider
     • Typically customers will pay attention to:
         • Quality of service
             • Vendor’s history of incidents
             • Vendor’s incident response policy
         • Financial stability of cloud service provider
         • Adequacy of security policies
         • But also contract terms!
  9. 10. Bridging the gap
     • Typical customer positions (e.g. bank, telco, public body, large retail):
         • Wide rights to seek redress and high limit of liability
         • Unlikely to give indemnities
         • Vetted personnel
         • Flexibility
         • Regulatory 'must have's'
     • Analysis of cloud provider terms shows that the delta is (potentially) enormous!
         • Discuss, negotiate and agree a middle ground?
         • Create an overlay?
  10. 11. Typical positions of Cloud Provider
     • Limited Cloud Provider obligations
     • Limit on liability
     • Changes and vendor lock-in
     • Data protection
     • Suspension and termination clauses
     • Service Level Agreement
     • Applicable law and jurisdiction
     • Security and compliance risks
  11. 12. Limited Cloud Provider obligations
     • Warranty from cloud provider
         • Compliance with service described by documentation
         • AS IS
         • Back-up obligation
         • Reasonable efforts
     • Lessons learned on past incidents:
         • You may need a backup for your cloud provider’s backup!
  12. 13. Limit on liability
     • Reverse warranties
     • Damages
         • Consequential damages waiver
         • Limited to payments during a period
         • Limited to direct loss
         • Potential Exceptions
             • IP Rights
             • Gross negligence/willful misconduct
  13. 14. Changes and vendor lock-in
     • Unilateral changes during the contract term
         • Check reduction in services performance
             • Notice
             • Period of notice
             • Period of advance notice for discontinued services
         • Watch for other methods of modification
             • Revision of definition of “services”
             • Revision of SLA
     • Transition to third party provider
         • Exit obligations
  14. 15. Data Protection
     • Where is my data?
     • Data protection regime: European Data Protection Directive
     • Data controller
     • Data processor
     • Data controller must choose appropriate data processors and must seek adequate contractual protection from them
     • Transfer of personal data outside of EU
  15. 16. Suspension and Termination
     • Suspension of access to the service
     • Termination of cloud computing contract by the supplier
         • notice period
         • exit obligations
         • de facto termination resulting from supplier being out of business
     • Termination of cloud computing contract by the customer
  16. 17. Service Level Agreement
     • Is a SLA part of the cloud computing contract?
     • Service levels
         • description of service levels
         • measurement / reporting
         • service credits / penalties
  17. 18. Applicable Law and Jurisdiction
     • Applicable law
         • Laws based on which the cloud computing contract will be construed
         • Impact on the scope of rights and obligations under the contract
     • Jurisdiction
         • The competent court that will settle any dispute
         • Impact on enforcement of cloud computing contract
  18. 19. Security - Some Quotes
     • "I think there is a lot of myth and scaremongering around data in the cloud as we speak" Bill McCluggage, UK Cabinet Office
     • "Everybody loves talking about cloud computing, but everybody is scared to do it" Marco Kerschen, Polo Ralph Lauren
     • "We can only enjoy the full benefit of Cloud computing if we can address the very real privacy and security concerns that come along with storing sensitive personal data information in databases and software scattered around the Internet" Office of the Information and Privacy Commissioner of Ontario
  19. 20. Security - Some Considerations
     • Assessing provider
         • type of cloud services
         • criticality of the data
         • location of the service
     • Certification
         • SAS 70 II, ISO 27001/2, FISMA
         • not the answer, but an indication
     • Standard bodies
         • 78+ industry groups
         • Cloud Security Alliance (widest participation users & vendors)
  20. 21. How DLA Piper can help you
     • We have drafted cloud terms for vendors, telcos and users in a variety of industries (pharma, financial services, public sector)
     • We have solved complex cross-border data transfer issues
     • We have commissioned and written insightful research.
  21. 22. Contact
     • Joris Willems E: T: 020 5419 992
     • Kristof de Vulder E: T: +32 2 500 1520
     • Arend Lagemaat E: T: 020 5419 819
  22. 23. Tweet along about Legal Business Day: #LBD11 #dlapiper