Sookman law society_6_min_business_law


Current Issues in Negotiating IT Contracts – Challenges of Cloud Computing

Published in: Technology, Business

  1. McCarthy Tétrault Advance™
     Building Capabilities for Growth
     The Six-Minute Business Lawyer 2013, The Law Society of Upper Canada, June 6, 2013
     Current Issues in Negotiating IT Contracts – Challenges of Cloud Computing
     Barry B. Sookman
     Direct Line: (416) 601-7949
     E-Mail:
     June 6, 2012
     McCarthy Tétrault LLP / / 12519801
  2. What is cloud computing?
     The US National Institute of Standards and Technology (NIST) Definition of Cloud Computing:
     “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
  3. Service Models
     NIST Cloud Computing Reference Architecture
     - SaaS: The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.
     - PaaS: The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
     - IaaS: The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
     ICS Solutions Azure Advantage
  4. Deployment Models
     Sam Johnston, cloud infrastructure operated solely for an organization.
     - Community: cloud infrastructure shared by several organizations and supports specific community with shared concerns.
     - Public: cloud infrastructure made available to general public or large industry group.
     - Hybrid: cloud infrastructure comprised of two or more clouds that remain unique entities but have data or application portability.
     Note: Public clouds are more problematic from compliance perspectives.
  5. Cloud Suppliers
     Cloud Technology Spectrum, Gravitant, 2012, http://blog.gravitant.com20120727cloud-technology-spectrum
  6. SaaS Ecosystem is Expanding
     Top PaaS, SaaS and IaaS Cloud Companies by CloudTimes, Cloud Times, 2011
  7. SaaS Deployment is Mainstream
     The Growing Importance of SaaS as an Application Deployment Model, Aberdeen Group, 2013
  8. OSFI Feb 29, 2012: New technology-based outsourcing arrangements
     - “Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks.
     - As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on i) confidentiality, security and separation of property, ii) contingency planning, iii) location of records, iv) access and audit rights, v) subcontracting, and vi) monitoring the material outsourcing arrangements.
     - OSFI considers the management of outsourcing risks important to ensuring that FRFIs continue to be managed prudently and OSFI will be monitoring this issue as part of its ongoing supervisory work.” (emphasis added)
  9. PIPEDA
     - Organizations are accountable for personal information under their control.
     - PIPEDA Sch., Principle 4.1.3 requires organizations to use contractual or other means to provide a “comparable level of protection” while the information is being processed.
     - OPC Guidelines: “Comparable level of protection” means that the third party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protection must be the same across the board but it does mean that they should be generally equivalent, p. 4.
  10. Can Data be Transferred Outside of Canada for Cloud Computing
     OPC, Report on the 2010 OPC's Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing
     - PIPEDA is largely modeled on the principles outlined in the OECD Guidelines, and is intended to balance an individual's right to privacy with the need of an organization to collect, use or disclose that information for an appropriate purpose. We have long stated that we believe that privacy does not hinder innovation and economic progress. The organization-to-organization approach that underscores PIPEDA supports transborder flows and data protection by holding organizations to account for their personal information protection practices. Information is accessible to authorities regardless of where it resides. As noted in our Guidelines, we do, however, maintain our view that a careful risk assessment needs to be undertaken prior to any arrangement that involves the outsourcing of personal data to other organizations that operate globally, and that this assessment should consider the legal requirements of the jurisdiction in which the third-party processor operates, as well as some of the political, economic and social conditions, and any additional risk factors, in that jurisdiction.
  11. Potential Problems
     Major areas of focus:
     - Privacy and data protection/location of data/cross border issues
     - Information security/data integrity issues
     - Compliance, e.g. OSFI B-10, audit
     - Dependence on service provider in increasingly complex environments, e.g., service interruptions, SLA/availability, controls, change management
     - Access to data/lock-in
     - One-sided, provider-friendly T&Cs including limits of liability
     - Ownership and protection of IP and trade secrets
     - Electronic discovery obligations
  12. Contract for services
     - W Kwon Hon et al, Negotiating Cloud Contracts – Looking at Clouds from Both Sides Now, Queen Mary School of Law
     - “Despite any perception that providers' standard terms are non-negotiable, cloud contracts can be, and have been, negotiated by customers such as financial institutions… This paper concludes that there are indeed signs of change.
     - Based on our research, users consider that providers' standard contract terms or offerings do not sufficiently accommodate customer needs in various respects. The top six types of terms most negotiated, according to our sources, were as follows, with the third and fourth issues ranking roughly equally in importance (depending on type of user/service):
       1. exclusion or limitation of liability and remedies, particularly regarding data integrity and disaster recovery;
       2. service levels, including availability;
       3. security and privacy, particularly regulatory issues under the EU Data Protection Directive ('DPD');
       4. lock-in and exit, including term, termination rights and return of data on exit;
       5. providers' ability to change service features unilaterally and
       6. intellectual property rights (IPRs).”
     - Contracts frequently permit service providers to unilaterally amend terms.
  13. QUESTIONS?
  14. Offices
     - VANCOUVER: Suite 1300, 777 Dunsmuir Street, P.O. Box 10424, Pacific Centre, Vancouver BC V7Y 1K2. Tel: 604-643-7100, Fax: 604-643-7900, Toll-Free: 1-877-244-7711
     - CALGARY: Suite 3300, 421 7th Avenue SW, Calgary AB T2P 4K9. Tel: 403-260-3500, Fax: 403-260-3501, Toll-Free: 1-877-244-7711
     - TORONTO: Box 48, Suite 5300, Toronto Dominion Bank Tower, Toronto ON M5K 1E6. Tel: 416-362-1812, Fax: 416-868-0673, Toll-Free: 1-877-244-7711
     - MONTRÉAL: Suite 2500, 1000 De La Gauchetière Street West, Montréal QC H3B 0A2. Tel: 514-397-4100, Fax: 514-875-6246, Toll-Free: 1-877-244-7711
     - QUÉBEC: Le Complexe St-Amable, 1150, rue de Claire-Fontaine, 7e étage, Québec QC G1R 5G4. Tel: 418-521-3000, Fax: 418-521-3099, Toll-Free: 1-877-244-7711
     - UNITED KINGDOM & EUROPE: 125 Old Broad Street, 26th Floor, London EC2N 1AR, UNITED KINGDOM. Tel: +44 (0)20 7489 5700, Fax: +44 (0)20 7489 5777