Misa cloud computing workshop lhm final
1. Lou Milrad B.A., LL.B.
Lawyer
MilradLaw
Cloud Computing –
Moving Forward
March 26th, 2013
Burlington Convention Centre
2. This presentation illustrates a sampling of issues relating to
cloud service contracts while also providing discussion
insights on such issues, and is intended to be merely
illustrative, rather than conclusive, of the complexity of those
issues.
The model under discussion assumes that your Municipality
will be negotiating a cloud services contract and that the
expectation is that some sensitive and private data will be
stored on cloud-based data servers belonging to either the
cloud provider or to a business partner of that provider. In
addition, your Municipality is in the final stages of launching a
BYOD (Bring Your Own Device) policy.
3. In shifting away from the traditional infrastructure approach of
separately (or in combination) purchasing hardware, software and
services to a complete services solution (SaaS, IaaS, PaaS, MaaS,
etc.), there is a critical need to focus on
IT contracting strategy, and
Associated contract terms & conditions
Legal issues have become somewhat more complex
Many are traditional (e.g. IT outsourcing and similar managed
services arrangements), but many are new and unique to or
exacerbated by migration to the cloud.
4. Typically governed by total $$$ to be spent coupled
with supplier target market and industry standard
practices.
Try to avoid web-based terms and conditions
approach – exception may only be in “free” services
However, “free” might change to “paid for” services
model if volume or usage thresholds are exceeded
Cautions -
Automatic term renewals
Incorporation of web-terms into negotiated
contracts
5. Clou
Web-based vs. negotiated terms
Governing Law
Data Availability and Term and Renewals
Additionally referenced terms & unilateral amendments, Statements of Work (SOW’s), & Service level agreements (SLA’s)
Intellectual property rights (IPR)
Confidential information (Confidentiality) and Trade Secrets
Privacy
Force majeure
Geographic Location of Data Servers
Third party access
Indemnification & insurance suspension & Termination
Suppliers’ compliance requirements
Grounds for Contract Termination
Liability of Damages due to a Service Interruption
Having an Exit Strategy
Grounds for Contract Termination
Data retention upon contract termination
6. Boilerplate examples for discussion
Contract Structure
Governing Law
Term and Renewals
Data Availability and Ownership
Intellectual Property Rights (IPR)
Confidential Information
Privacy
Force Majeure
AND
Data Availability and Ownership
7. Terms and Conditions
Full of legalese
Once signed, becomes the governing terms and
conditions
Amending Agreement to change terms
Schedules
Specifications
Pricing and Payment, etc.
Statements of Work (SOW’s)
Service Level Agreements (SLA’s)
8. What law governs performance under the contract terms?
Complex legal regulatory environment surrounding cloud computing
that both customers and providers need to consider.
e.g. Privacy statutes
Provision is typically found in the Boilerplate section of the contract (i.e.
towards the end of the T’s & C’s)
Typically, vendor’s form contract (a good place to start and build on)
will specify that it is governed by the law of the vendor’s home
province/state, and
grant the courts of that province/state exclusive jurisdiction over
any disputes arising out of the contract
9. 3 Key aspects – Applicable law & jurisdiction/location
Contract interpretation
Location for Hearing(s)/Trial(s)
Resolution through mediation & arbitration
Options
Mutual agreement on these items
Leave unresolved and open for later argument and resolution
(if needed)
10. Vendor form contracts typically
Renew automatically for additional terms unless proper prior
notice is given
Not really a major concern in the context of “free” services, but
could be problematic under a “pay for services” automatic
renewal contract where the customer has not tracked the
advance notice of “intention not to renew” date… and it
slips by
Auto renewal avoids the need to renegotiate the contract,
but…
Consideration for negotiating “termination for convenience”
provisions
Avoid additionally referenced terms & unilateral amendments -
11. Provide the vendor with the unilateral right to make
modifications to its services – a negotiated
compromise might be something like:
“Vendor may make commercially reasonable
modifications to the Service, provided that they do
not materially diminish the nature, scope, or quality
of the Service.”
12. Prerequisite for consideration:
Understanding of the system architecture
e.g. - How and in what format it keeps your data
Tools that are available to you to access your data
Covering off on e-discovery needs that may arise
Remain mindful of compliance with enterprise-wide policies (existing &
under consideration/development) - AUP, MDM, BYOD, etc.
13. Additional Requirements
Redundancy and backup
Disaster recovery
No vendor lock-in
Exit strategies as required
Protection of all designated confidential information and other intellectual property
rights
Confirmation that the vendor does not acquire and may not claim any security
interest in your data.
Where does Open Data fit in?
14. IP categories include
Copyrights, Trademarks, Trade secrets (Confidential Information), Data
IP Assets & Treatment under
Canadian laws
Laws of other countries
Infringement – what remedies?
Third party access – is vendor intending to grant some privileged third parties access to
your Municipality's stored data?
Who is that to be?
What is approval and authorization procedure?
Is there to be a confidential disclosure agreement and what form is it to take?
Protecting “personal information” and IPR
15. Defining Characteristics of Confidential Information: Typically includes intangible assets (and
associated materials) such as trade secrets, designs, processes, programs, procedures, third party
information, developments, disclosed under terms of a software license or services agreement
Examples might include nonpublic and financial contract terms with other suppliers, and
categories set out under MFIPPA
Negotiated cloud contracts will typically define and spell out the restrictions and remedies for
unauthorized disclosure or other violation – Web-based terms are less likely to address the question, although
it may be included under Intellectual Property Rights language
Breach of Confidentiality: Legal obligation of employees to respect the organization’s intangible
assets, business and trade secrets etc. and maintain their confidentiality both during and after term of
employment
Confidentiality & Non-Disclosure Agreements (NDA’s) might precede contract negotiation, and in
any event, negotiated contracts will contain associated obligations and restrictions regarding
confidentiality
Key consideration: Notwithstanding vendor’s adherence to best practices, what happens if the data
center gets hacked? Is there a remedy, and if so, what is it to be?
16. Canada has two federal privacy laws
the Privacy Act and the Personal Information Protection and Electronic Documents Act. …
Every province and territory has privacy legislation governing the collection, use and disclosure of
personal information held by government agencies – Office of The Privacy Commissioner of Canada
Ontario’s
MFIPPA - the Municipal Freedom of Information and Protection of Privacy Act, &
PHIPA - the Personal Health Information Protection Act
Onus on Municipalities and their suppliers to protect “personal information” from disclosure
Challenge to be considered - the trusteeship by the Municipality of personal information coupled with
possible access, handling and disclosure of personal information of others stored on external cloud
servers.
BYOD and Cloud access - Makings of a perfect storm with the convergence on one device of both
personal and corporate data and providing access to cloud based data and databases – therefore, a
critical need to have an enforceable BYOD policy in place.
17. Others
Our systems are vulnerable to damage or interruption
from earthquakes, terrorist attacks, floods, fires, power
loss, telecommunications failures, computer viruses,
computer denial of service attacks, or other attempts to
harm our systems.
18. Thank You
Lou Milrad
IT Lawyer
Milrad Law Office
lou@milrad.ca
647.982.7890
www.milradlaw.ca