Cloud Computing - a legal view from Bird & Bird


Published in: Technology

  1. Cloud Computing (Barry Jennings, 12th March 2013)
  2. Overview
     ● Striking the right balance – negotiating cloud contracts
     ● Taking a positive approach to data protection in the cloud
     ● Keeping the rights to your data & IP – licensing issues
     ● Staying flexible – the commercial/contractual lock-in issues to avoid
     ● Concluding thoughts
  3. Striking the right balance – reviewing cloud contracts
     © Bird & Bird LLP 2010
  4. Key Legal and Commercial Issues
     ● Commercial and legal risk analysis – contract and service issues
     ● Incorporation within or replacement of outsourcing arrangements
     ● TUPE transfers – is there a continuing activity?
     ● Jurisdiction & governing law issues
     ● Content & IP issues – what licences are required?
     ● Regulatory compliance – data protection, interception & communications regulations, financial services regulations
  5. Risk Allocation under Contract
     ● Cloud computing agreements represent an arbitrage of risk, cost and control.
     ● Change one aspect and the other aspects – usually cost – will need to change in response.
     ● With most public cloud services, this balance is determined by suppliers as part of their service development and market positioning.
     ● The process of seeking to negotiate drives up costs so customers and suppliers should be conscious of when this is sensible and when it isn’t.
     ● Contract review becomes part of the service evaluation rather than a matter for negotiation and it needs to be fed in to the procurement process at an early stage.
  6. Reviewing Cloud Services Agreements
     Implementation
     ● Configuration assistance (£)
     ● Acceptance Process
     ● Migration from legacy systems
     ● Integration with other systems (£)
     ● Training (£)
     ● Migration in - Data Protection Compliance
     Service
     ● Availability and performance service levels (£)
     ● Service credits (£)
     ● Scaling – storage, users (£)
     ● Support (£)
     ● Back-up and data recovery (£)
     ● Data Protection & Security
     Exit / Transition
     ● Notice provisions and termination rights
     ● Data portability
     ● Configuration information
     ● Transition support (£)
     ● Escrow (£)
     ● Migration out - Data Protection Compliance
     ● Audit rights
     (£) – service element that may attract additional charges – vary between vendors
  7. Taking a positive approach to data protection in the cloud
  8. Data Protection, IT Security & Cybercrime
     ● Information assurance is critical in cloud computing and yet the regulatory and standards framework is still catching up with the technology.
     ● Risk-based assessments are again key in this area – see ICO Guidance.
     ● The regulatory regimes are still jurisdictional in nature – making transitions to the cloud incredibly complex.
  9. Technical Concerns
     ● Multi-tenancy in cloud environments is enabled by virtualisation.
     ● There are questions over the security of virtual versus physical segregation.
     ● Deployment via the cloud means data escapes the corporate firewall.
     ● Encryption of data passing across the internet is crucial.
     ● Data migration (in and out) is a difficult undertaking even where open formats are agreed.
  10. Location, Location, Location
     ● Ability to move data gives vendors flexibility and scalability.
     ● Cloud vendors may wish to move data to maintain physical hardware.
     ● Data protection regulation tends to emphasise location of data and consider data transfer to be processing requiring consent.
     ● Where IT systems are globalised is systemic security and information governance more important than location?
     ● Jurisdiction may have rules that enforce authority access to data or court systems that make it more difficult to enforce judgments to release data.
  11. Flexibility and Mobility
     ● Cloud computing enables access outside of the office and on mobile devices.
     ● This has led to BYOD – where employees want access to corporate systems from their own computers, tablets and smart phones.
     ● There are questions over the security of some of these devices, particularly where shared with partners and children – increase in two factor authentication.
     ● Deployment of data and applications outside of the corporate firewall can be more expensive and harder to control.
     ● However, if enterprises impose too much control, most employees can easily find alternative ways of circumventing controls (e.g. sending documents to personal email).
  12. People Issues
     ● Fairly well-recognised that most serious data security breaches result from inadvertent or deliberate acts of employees or contractors.
     ● Certain cloud deployments (e.g. thin client virtual desktops) increase security by centralising control.
     ● Disgruntled employees are a key risk area.
     ● Password management, locking computers when not in use, physical security are governance rather than technical issues.
  13. Staying flexible – the commercial/contractual lock-in issues to avoid
  14. Lock-in Issues
     ● Are minimum terms acceptable? Purist v commercial view.
     ● Technical barriers to data extracts.
     ● High charges for data extracts.
     ● Lack of standards.
     ● Termination for convenience charges.
     ● User resistance to change.
  15. Concluding thoughts
  16. Cloud contracts will reflect the fact that cloud services are multi-tenancy – the customer has to accept more risk and less control (not negotiable in many cases)
  17. Many of the benefits of cloud computing come from the way the services are used – proper risk appraisal and strong demand management
  18. Cloud services are like cars – lots of different types that you can configure but building one especially for you could be very expensive (or dangerous)
  19. Thank you
     Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated businesses.