Cloud Computing - a legal view from Bird & Bird


Published in: Technology

  1. Cloud Computing – Barry Jennings, 12th March 2013
  2. Overview
     ● Striking the right balance – negotiating cloud contracts
     ● Taking a positive approach to data protection in the cloud
     ● Keeping the rights to your data & IP – licensing issues
     ● Staying flexible – the commercial/contractual lock-in issues to avoid
     ● Concluding thoughts
  3. Striking the right balance – reviewing cloud contracts
     © Bird & Bird LLP 2010
  4. Key Legal and Commercial Issues
     ● Commercial and legal risk analysis – contract and service issues
     ● Incorporation within or replacement of outsourcing arrangements
     ● TUPE transfers – is there a continuing activity?
     ● Jurisdiction & governing law issues
     ● Content & IP issues – what licences are required?
     ● Regulatory compliance – data protection, interception & communications regulations, financial services regulations
  5. Risk Allocation under Contract
     ● Cloud computing agreements represent an arbitrage of risk, cost and control.
     ● Change one aspect and the other aspects – usually cost – will need to change in response.
     ● With most public cloud services, this balance is determined by suppliers as part of their service development and market positioning.
     ● The process of seeking to negotiate drives up costs so customers and suppliers should be conscious of when this is sensible and when it isn’t.
     ● Contract review becomes part of the service evaluation rather than a matter for negotiation and it needs to be fed in to the procurement process at an early stage.
  6. Reviewing Cloud Services Agreements
     Implementation
     ● Configuration assistance (£)
     ● Acceptance Process
     ● Migration from legacy systems
     ● Integration with other systems (£)
     ● Training (£)
     ● Migration in - Data Protection Compliance
     Service
     ● Availability and performance service levels (£)
     ● Service credits (£)
     ● Scaling – storage, users (£)
     ● Support (£)
     ● Back-up and data recovery (£)
     ● Data Protection & Security
     Exit / Transition
     ● Notice provisions and termination rights
     ● Data portability
     ● Configuration information
     ● Transition support (£)
     ● Escrow (£)
     ● Migration out - Data Protection Compliance
     ● Audit rights
     (£) – service element that may attract additional charges – vary between vendors
  7. Taking a positive approach to data protection in the cloud
  8. Data Protection, IT Security & Cybercrime
     ● Information assurance is critical in cloud computing and yet the regulatory and standards framework is still catching up with the technology.
     ● Risk-based assessments are again key in this area – see ICO Guidance.
     ● The regulatory regimes are still jurisdictional in nature – making transitions to the cloud incredibly complex.
  9. Technical Concerns
     ● Multi-tenancy in cloud environments is enabled by virtualisation.
     ● There are questions over the security of virtual versus physical segregation.
     ● Deployment via the cloud means data escapes the corporate firewall.
     ● Encryption of data passing across the internet is crucial.
     ● Data migration (in and out) is a difficult undertaking even where open formats are agreed.
  10. Location, Location, Location
     ● Ability to move data gives vendors flexibility and scalability.
     ● Cloud vendors may wish to move data to maintain physical hardware.
     ● Data protection regulation tends to emphasise location of data and consider data transfer to be processing requiring consent.
     ● Where IT systems are globalised, is systemic security and information governance more important than location?
     ● Jurisdiction may have rules that enforce authority access to data or court systems that make it more difficult to enforce judgments to release data.
  11. Flexibility and Mobility
     ● Cloud computing enables access outside of the office and on mobile devices.
     ● This has led to BYOD – where employees want access to corporate systems from their own computers, tablets and smart phones.
     ● There are questions over the security of some of these devices, particularly where shared with partners and children – increase in two factor authentication.
     ● Deployment of data and applications outside of the corporate firewall can be more expensive and harder to control.
     ● However, if enterprises impose too much control, most employees can easily find alternative ways of circumventing controls (e.g. sending documents to personal email).
  12. People Issues
     ● Fairly well-recognised that most serious data security breaches result from inadvertent or deliberate acts of employees or contractors.
     ● Certain cloud deployments (e.g. thin client virtual desktops) increase security by centralising control.
     ● Disgruntled employees are a key risk area.
     ● Password management, locking computers when not in use, physical security are governance rather than technical issues.
  13. Staying flexible – the commercial/contractual lock-in issues to avoid
  14. Lock-in Issues
     ● Are minimum terms acceptable? Purist v commercial view.
     ● Technical barriers to data extracts.
     ● High charges for data extracts.
     ● Lack of standards.
     ● Termination for convenience charges.
     ● User resistance to change.
  15. Concluding thoughts
  16. Cloud contracts will reflect the fact that cloud services are multi-tenancy – the customer has to accept more risk and less control (not negotiable in many cases)
  17. Many of the benefits of cloud computing come from the way the services are used – proper risk appraisal and strong demand management
  18. Cloud services are like cars – lots of different types that you can configure but building one especially for you could be very expensive (or dangerous)
  19. Thank you
     Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated businesses.