310 likes | 399 Views
Legal Update Paul Jones & Helen Mulligan 7 February 2013. LMN IT Directors' Forum. Legal Update: Overview. Five burning data protection issues Helen Mulligan, Associate Cloud Contracting: Transition from Tower to Cloud Paul Jones, Partner. Five Burning Data Protection Issues.
E N D
Legal Update Paul Jones & Helen Mulligan 7 February 2013 LMN IT Directors' Forum
Legal Update: Overview • Five burning data protection issues • Helen Mulligan, Associate • Cloud Contracting: Transition from Tower to Cloud • Paul Jones, Partner
Five Burning Data Protection Issues Five things IT Directors in HE and FE institutions need to know: • Data security: lessons from recent enforcement action • Complying with the new rules on cookies • Email marketing: a new ICO approach? • The new EU Data Protection Regulation • DP compliance in the cloud
Five Burning DP Issues (1): Data Security Main legal requirements: • Appropriate “technical and organisational” security measures… • ….against loss, misuse or damage to personal data • Written contracts with “data processors” (and due diligence) • ICO fines of up to £500,000 for serious breaches • Some lessons from recent enforcement action…
Five Burning DP Issues (1): Data Security • Guard against "malicious" attacks • Prompt remedial action • Secure destruction of data • Watch your "data processors" • Not-for-profits not immune
Five Burning DP Issues (2): Cookies Main legal requirements: • Clear and comprehensive information about cookies in use • NEW: Active, informed consent from users • (Narrow) exemption for “strictly necessary” cookies • Enforcement: all cookies created equal? • Ways of getting consent: pop-ups?
Five Burning DP Issues (3): Direct Marketing The legal requirements: • No unsolicited “direct marketing”… • …By electronic means… • …Without “consent” • Fining regime extended (April 2011) • An ICO crack-down? • Reducing risk
Five Burning DP Issues (4): New DP Regulation • In force 2015? • Will replace the current Data Protection Act 1998 • Key changes: a much tougher compliance landscape • Things to think about now? • Long term contracts • “Privacy by design” • Have your say?
Five Burning DP Issues: The Cloud Two key DP issues: • Data “Export”: No transfer of personal data outside the EEA without “adequate protection” • Model clauses? • Safe Harbor? • Self-assessment of adequacy? • Data Security: risk assessments/contracts? • Recent ICO guidance: a practical approach? • Non-DP legal issues…
QUESTIONS? Helen Mulligan Associate helen.mulligan@farrer.co.uk 020 3375 7196
Cloud Contracting • Why is cloud computing such a hot topic? • Trends in cloud contracting • What are the key legal issues when contracting for the cloud? • Key practical challenges • Cloud contracting strategy
Why is cloud computing such a hot topic? • Essentially about online, scalable IT resources on demand • Key enabling technologies are: virtualisation + large server farms + high-bandwidth + low-cost connectivity • Cloud computing may facilitate: • Highly flexible and very rapid outsourcing • Reduced costs and conversion of capex to opex • Simplified hardware and software maintenance • More efficient delivery of public sector services
Cloud stacks and hidden layers [SIMPLIFIED!] From: http://csrc.nist.gov/groups/cloud-computing-v26.ppt
Different types of cloud [SIMPLIFIED!] "The Outside World" Community Private Public Hybrid IaaS SaaS PaaS
Can you negotiate cloud contracts? • Although not generally advertised, major cloud vendors often go off piste if a deal merits it in terms of value or strategic importance • One-off contracts are usually confidential but some public sector contracts have been published, eg CSC / Google / City of LA • The QMUL Cloud Legal Project recently conducted detailed, off-the-record, interviews with cloud suppliers, customers and advisors; as well as making various FOI requests • From an analysis of the research data, six issues emerged as subject to the heaviest negotiation, or as deal breakers…
[Legal] Trends in Cloud Contracting "Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now" – Hon, Millard & Walden (2012) Top 6 issues in negotiated cloud contracts: • Exclusion / limitation of liability • Service Levels • Security & Privacy • Lock-in & Exit • Unilateral Changes • Intellectual Property Rights A detailed report on the research is available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2055199
1. Liability • Standard = broad exclusion / limitation of provider's liability • Difficult to negotiate • Sometimes liability is negotiated… • For defined types of losses, with caps (eg, 100%, 125%, 150% fees) • Liability for breach of confidentiality / privacy / data protection • Integrators may be more willing to accept liability • Consider "Plan B" eg, backup to own servers / another cloud
2. Service Levels • SLs = Function of price: but often high anyway • Lack of standards to measure / compare • For mission-critical / real-time applications users may insist on higher availability, more notice of planned downtime, etc • Remedies for breach of SLAs • Usually restricted to service credits • Monetary rebates sometimes available • More negotiable than service levels
3. Security & Privacy • Key concerns: • Who is responsible for security and to what standard? • Pre-contract penetration testing? • Audit - including roles of providers and third parties • Security breaches - monitoring / informing users / termination events • Most negotiated privacy and data protection terms • Data location • Confidentiality / access / disclosure • Data processor agreements / clauses • Role of sub-providers – identities and locations / control over appointment and operations may matter
4. Lock-in & Exit • Initial minimum term • 3 years typical • Automatic renewal / roll-over common (but negotiable) • Basic services may be on demand / monthly rolling • Exit strategy – termination on notice, insolvency etc • Data retention (during term and post-termination) • Data deletion (how / when) • Dependence on proprietary service; data / metadata formats
5. Unilateral Changes • SaaScommodity services • May be no choice • User concerns are mainly notice + termination rights • Changes to privacy policies are common • Iaas / Paas: practical issues • Users may have to update application code • For core services consider consent / longer notice period
6. Intellectual Property Rights • Clarification may be sought re: • Ownership / licensing of user or integrator-developed Iaas / PaaS applications (including post-termination) • Customisations, user-contributed improvements • Whether cloud service pricing includes application licences • Third party applications – licences • Included with service, or user's own licence if 'portable' • Licensing basis, eg annually in advance / monthly per user • IP Indemnity?
Are cloud services really so different? • Yes, but: • Scalability • Virtualization • No initial investment • These characteristics entail additional legal challenges: • Which law?Which jurisdiction? • Security and data protection • Access to and deletion of data • Contract term and termination • Supplier attitudes to contract provisions • Key Objectives • Understand risks and benefits • Control the risks without breaking the delivery model
The "Holy Trinity" • Cloud based services are not so different from "traditional" services – so do not ignore the "Holy Trinity": • Service Descriptions • Service Levels • Charges • Key = understanding extent that you can influence/negotiate what is to be provided, which in turn may dictate the extent to which you are in a private/semi-private cloud
1. Service Descriptions • Key = understanding what you will actually be getting from the cloud-based services • Issues to address: • scope of functionality provided • extent of any possible customisation / customer specific functions • performance / scalability issues (given reliance on internet connections, shared platforms, etc) • clear link through to the service level regime • what happens upon exit re: scope of transition assistance, return of data (and in which format, etc)
2. Service Level Agreement • Not just WHAT you get, but TO WHAT LEVEL of quality/availability, etc do you get it • Even more important in the cloud context, owing to combination of enhanced reliance and reduced control • Common SLs: • Availability (usually the key one in the Cloud) • Time to respond • Time to fix/provide workaround • Issues to watch for: • hours of measurement • exceptions re "short term" outages • monthly/quarterly measurement periods • remedies…?
3. Charges • Paid-for services as opposed to "free to air"…? • No single model but some common examples • Subscription charge • akin to a licence fee, but with potential advantage of avoiding larger, one off licence fee • incorporates traditional licence/support elements • Per transaction/unitary charge • popular "utility" style model • link to audit and/or automated calculation provisions
Practical Challenges of cloud contracting • Track record / size of service providers • Business Continuity issues (eg, provider insolvency) • Growth in reliance / difficulties in transition • Preservation of access to / use of data • Change of service provider or in-sourcing at the end of term • Negotiability of contract terms • Service provider positions (eg, on liability clauses)
Cloud Contracting Strategy • Identifying what can / cannot be entrusted to the cloud • Selecting minimum / "must have" requirements in each case • Differentiating between public and private cloud possibilities (and all points in between) • Deciding between: • negotiating on basis of service provider's own terms • developing own template for cloud based services • middle ground of an "addendum" or "overlay" (example = approach of UK Government) • Running a "pilot" project
Due diligence checklist • Is the infrastructure multi-layered and, if so, in what way? • Where will your data be processed (inc. storage / replication)? • Who controls the critical infrastructure (and from where)? • How easily can third parties get access to your data? • What happens if the cloud provider / their provider goes bust? • How easily could you move your data to another cloud service (or back to your own systems); and how long would it take? • How confident are you that you could regain control of your data without leaving behind copies and / or key metadata? • Is the contract ok (inc. TOS, T&C, SLA, Privacy Policy, AUP etc)?
QUESTIONS Paul Jones Partner paul.jones@farrer.co.uk 020 3375 7254