• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Contracting in the Cloud by Tammy Bortz

Contracting in the Cloud by Tammy Bortz






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds


Upload Details

Uploaded via

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Contracting in the Cloud by Tammy Bortz Contracting in the Cloud by Tammy Bortz Presentation Transcript

    • CONTRACTING IN THE CLOUD Tammy BortzDirector, Werksmans Attorneys
    • OVERVIEW Regulatory developments Key Legal Issues (not exhaustive) The Contract Due Diligence Data Privacy and Cross Border Data Transfer Security Redundancy/outages/service levels Liability Termination 2
    • Regulatory Developments South Africa: currently no legislation, guidelines, codes of conduct in place specifically to regulate cloud services and cloud service providers – hindrance to use of cloud services. Internationally: major call for cloud computing to be legislated so as to protect providers and customers. Numerous organizations have proposed guidelines, codes of practice and regulations around cloud computing. 3
    • International Developments  Cloud Industry Forum (www.cloudindustryforum.org) –  industry body. Members must comply with the Code of Practice (Code officially launched 1 Nov 2010). Code requires vendors to provide transparency about their capabilities and accountability for services provided to enable end users to make informed choices  European Network and Information Security Agency: Issue paper “Cloud Computing: benefits, risks and recommendations for information security” (www.enisa.europa.eu/ )  Microsoft: Cloud Computing Advancement Act  Cloud Security Alliance: non-profit organization promotes the use of best practice for providing security assurance within Cloud Computing. 4
    • Contract and Due Diligence May not always be possible to negotiate a contract with the cloud provider, especially with a public cloud. Mostly will have to accept the providers standard terms and conditions, privacy and security policies Thus, need to understand your legal risks in using cloud services and how to mitigate. First step is a thorough assessment of the various cloud providers, including a careful review of their terms and conditions, their security and data privacy policies, service levels, disaster recovery policies and termination policies. 10
    •   Privacy Major concern especially where customer is using the cloud service for business critical/customer facing services and transfers sensitive and personal data to the cloud Traditional outsourcing - vendor can be required to segregate servers and impose its security requirements on the service provider but not so with cloud computing – accept what the vendor offers Some jurisdictions have legislation which imposes obligations on data processors regarding protection of personal information the most well known being the UK Data Protection Act. Cloud providers in the UK would have to comply with this and this gives some degree of comfort that personal data held in a cloud situate in the UK will be kept private. Other jurisdictions, most notably (until very recently) the USA does not have such legislation and hence cloud customer cannot be guaranteed legislative protection. Would have to look carefully at providers terms and conditions. 7
    • Protection of Personal Information Bill (“PPI”) Status: Not yet in force, date for promulgation has yet to be announced  Object: to protect a third party’s personal information in instances where such personal information is in the hands of a third party. Imposes obligations on such third party as to how such data must be treated when in its possession or under its control. Impact on cloud computing: any South African company that wishes to transfer personal data to an offshore cloud provider will need to ensure either that such provider agrees to be bound by relevant provisions of the PPI alternatively, if not possible, must carefully read privacy terms and conditions to establish if same meet RSA PPI requirements. 8
    • Security Customer must audit security policies and processes - need to understand logical and physical security policies, both for data in motion and whilst in transmission. Policy: comprehensive physical security and logical (application) security (such as password, encryption, roles and permissions etc) applied by the provider - must be such that it will adequately maintain the security and integrity of data held in the cloud. Ask: has the cloud provider experienced any security breaches. If yes, full details of such breaches to be provided i.e circumstances of the breach and how many/what records were compromised. 13
    • PPI and SecuritySecurity SafeguardsS.18: Security Measures to be Taken by Responsible Parties on Integrity of PI (“Responsible party” - public or private body which, alone or in conjunction with others, determines the purpose of and means for processing personal information - usually cloud customer). S.19: Information Processed by Operator or Person Acting Under Authority (“Operator” - person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that person - usually cloud provider). S.20: Security Measures Regarding Information Processed by Operator
    • Cross Border Data Transfer Two components –  Can personal data be transferred outside South Africa  Can personal data be returned to South Africa Transfer out  Common law: may require consent of data owner  PPI: place restrictions on cross border data transfer (Section 74 of the PPI) Transfer in Will need to consider laws of particular jurisdiction in which the data is held Proposed New EU Regulations (EU Data Protection Directive): Regulations apply to any data subject in the EU irrespective of where the data controller or its equipment is situate – i.e, even if data controller in South Africa processes PI of data subject who is located in the EU, the proposed new regulations will apply USA Consumer Data Privacy framework 15
    • Back up / redundancy/outages Unavailability of the cloud will affect customers business continuity and have adverse impact on customers business especially where customer facing services are in the cloud How to mitigate: engage multiple services providers? This could become unwieldy and introduces problems of interoperability between providers Review the providers back up and redundancy policy and request notice of changes to BCP policy with right to terminate if not happy with the policy Service levels: may be little room to negotiate - response and recovery time? 12
    • Liability What, if any, are assumed by the cloud provider? Consider back to back exclusion with your customers/users Clark Street Wine and Spirits v. Emporos Systems Corporation: cloud computing/loss of data case –  court awarded damages for liability for gross negligence and recklessness  Court: in view of the great damage to customers and business that breaches of computer system may cause, cloud provider should take special precautions to protect these systems
    • Termination/Migration How easy will it be to change providers? Issues to consider –  Does the provider have an exit strategy and does it offer any termination assistance?  Can the cloud provider easily and quickly locate, isolate and extract data on termination?  How is data returned/recovered. These is currently no standard data formats or procedures for data portability thus this should be agreed alternatively understood upfront? 14
    • THANK YOU Nothing in this presentation should be construed as formal legaladvice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses.© 2011 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.