
(1)

© 2011 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP

Evolving Technology Issues: Cloud Computing

(2)

Cloud Computing

♦ Does compliance with applicable laws fall to the user or to the service supplier?

♦ What to consider before entering agreement

♦ Which laws and regulations/standards are challenging for cloud computing

♦ Assessing the cloud provider’s

♦ Mitigating cloud provider shortcomings

(3)

Definition:

♦ NIST Definition

♦ Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction …

♦ Essential Characteristics

On-demand self-service. Broad network access. Resource pooling. Rapid elasticity. Measured Service.

(4)

It's Easy:

♦ Vendor T&C’s


Vendor Terms of Service Types of Accounts Consent to Access Your Files Files and Folders Your Public Folder Your Shared Folder Your Responsibilities Privacy

Account Security Your Use of the Services Vendor Property and Feedback General Prohibitions

• false or misleading;

• defamatory;

• privacy;

• obscene, pornographic, or offensive;

• (v) promotes bigotry, racism, hatred or harm against any individual or group;

• (vi) infringes another's rights, including any intellectual property rights; or

• (vii) violates, or encourages any conduct that would violate, any applicable law or regulation or would give rise to civil liability;

• Access, tamper with, or use non-public areas

• Attempt to probe, scan …;

• Attempt to access or search the Site, Content, Files or Services with any engine, software, tool, agent, device or mechanism other than the software and/or search agents provided by Vendor or other generally available third-party web browsers (such as Microsoft Internet Explorer or Mozilla Firefox), including but not limited to browser automation tools;

• Send unsolicited email,

• Forge any TCP/IP packet header;

• Attempt to decipher, decompile, disassemble or reverse engineer;

• Interfere with, or attempt to interfere with, the access of any user

• Impersonate or misrepresent your affiliation with any person or entity.

Digital Millennium Copyright Act Compliance

(5)

Definition:

♦ Service Models

♦ IaaS

♦ Facility Management

♦ Hardware

♦ PaaS

♦ Development Platform

♦ SaaS

♦ ASP

♦ Mixed

♦ Overlap with Outsourcing

♦ Facility Management ♦ Hardware

(6)

Definition:

♦ Deployment Model

♦ Private Cloud

♦ Community Cloud

♦ ABA Wikis

♦ Public Cloud

♦ Google

♦ Amazon

♦ Hybrid

♦ Frequently mixed

♦ Important to understand who you are dealing

(7)

Responsibility For Compliance?

♦ Does compliance with applicable laws fall to the user or to the service supplier?

(8)

What to consider when your data crosses borders

Privacy / Security Law Existing Policies

ITAR

(9)

Challenging Laws / Regulations / Standards

♦ Privacy Standards

♦ Whose Policies Apply

♦ Vendor Practices vs. Customer Practices

♦ Gramm-Leach-Bliley

♦ HIPAA

♦ Bank Regulations

♦ Sarbanes Oxley

♦ SLAs

(10)

Assessing the cloud provider’s compliance situation

♦ Pre-assessment (honeymoon)

♦ Evaluate Leverage

♦ Evaluate Data

♦ Evaluate Mission Criticality

♦ Evaluate Type of Cloud

♦ Plan for Non-contractual remedies

(11)

Mitigating cloud provider shortcomings

♦ Back-to-Back Obligations

♦ Insurance

♦ Non-contractual Remedies

♦ Contractual Remedies

♦ Be Aware of “Boilerplate”

♦ Limitations

♦ Remedies

♦ Choice of Law

(12)

Red Flags:

♦ Criticality of Service

♦ Sensitivity of Data

♦ Reputation of Provider

♦ SAS 70 Audits

♦ Boilerplate Terms

♦ User Experience

♦ SLAs

(13)

Key Clauses:

♦ SLA

♦ Changes to Service

♦ IP and Data Ownership

♦ Limitations of Liability

♦ Privacy and Security

♦ Litigation

(14)

Key Clauses: SLAs

♦ Availability

♦ Up Time

♦ Break Fix

♦ Response Time

♦ Level of Effort

♦ “Vendor will fix within 2 hours”

or

♦ “Vendor will use commercially reasonable efforts to fix within 2 hours”

(15)

Key Clauses: SLAs

♦ Uptime Measurement

♦ Monthly

♦ Monthly 99% = 7 hours

♦ Yearly

♦ 99% - 87 hours

♦ Permitted Downtime

♦ Sunday 2:00 a.m. – regular maintenance window

♦ Is “Emergency Maintenance” part of Permitted downtime?

♦ How Good is the Reporting?

(16)

Key Clauses: SLAs

♦ How Measured

♦ Force Majeure

♦ Reasonable Disaster Plan

♦ Third Party Acts

♦ Customer Acts, Equipment, Software

(17)

Key Clauses: SLAs

♦ Remedies

♦ Credits

♦ Incentive

♦ Stick and Carrot

♦ Exclusive?

♦ Must Request

♦ Fail to meet in 2 consecutive months

♦ Fail to meet in any 4 months in a rolling 12 month period

(18)
(19)

Key Clauses: Changes to Service

♦ “Improvement” or “Reduction”

♦ Sufficient Notice

♦ Right to Terminate?

♦ Requirement to buy new equipment/software to remain compatible?

♦ How Notified?

♦ Email

♦ Posted Notice online in Service Description

♦ Writing (unusual)

♦ Fee Increases – How much notice?

(20)

Key Clauses: IP and Data Ownership

♦ Customer Owns

♦ Customer Data

♦ Customer Provided Software

♦ Notice when Data accessed, given to law enforcement

♦ Vendor Owns

♦ Vendor Software

♦ Tools

♦ Use of Aggregated Data

♦ How Aggregated is it?

♦ How is Data Used?

♦ Service not really License

♦ Subscription

(21)

Key Clauses: Limitation Liability Cap

♦ Extensive Disclaimers

♦ Frequently Disclaim “Direct”

♦ Low Cap

♦ 1 month fees, to 12 month fees

♦ Insurance as a Proxy

(22)

Key Clauses: Privacy and Security

♦ Whose Policies Apply

♦ Both?

♦ Do they Mesh

♦ Who has your Data

♦ SAS 70

♦ Watch out for check-box approach

♦ Understand criteria against which tested

(23)

Key Clauses: Litigation Hold, Subpoena,

♦ Can an Effective Litigation Hold be Implemented

♦ Whose Cost

♦ Pre-negotiate Rates

♦ Notice of Subpoena

♦ NSA

(24)

Key Clauses: Termination

♦ Vendor Suspension/Termination

♦ Payment

♦ Dispute

♦ DDOS attack, viruses

♦ High Volume

♦ Illegal Activity

♦ Client Termination

♦ Convenience – not usual or for termination fee

♦ Absolute Right to Recover Data

♦ Conversion Tools, data maps?

♦ Termination Assistance?

(25)

Questions?

♦ Michael P. Bennett

♦ Edwards Wildman Palmer LLP

225 West Wacker Drive Chicago, IL 60606-1229 Tel: (312)201-2679 Fax: (312) 416-4597

Email: [email protected]
