Fresh Thinking in an Established World
3Kites Consulting/Kemp IT Law Breakfast Seminar
Law Firms and the Cloud: Balancing Benefits and Risks
London, 10 September 2014
Contracting for the Cloud: getting the Legals right
Richard Kemp

Contracting for the Cloud – getting the Legals right
areas of focus today:
- approach to Cloud contracts
- general Cloud contract issues
- regulatory Cloud contract issues for law firms
- other contractual issues that the Cloud raises

Approach to Cloud contracts
- structured approach to Cloud procurement
  • internal business case and approvals
  • statement of requirements
  • running a structured procurement/preferred bidder process
- internal risk and compliance report
  • weigh all the business factors
  • firm disaster recovery/business continuity arrangements?
  • ability/time required to switch to an alternative?
  • regulatory compliance
- pre-contract supplier due diligence
  • technical, financial, commercial, legal

General Cloud contracts issues (1):
- supplier stability
  • do your credit searches (<3 months old)
  • take customer references
  • what resources/sub-contractors does the supplier depend on?
  • what are the supplier’s own disaster recovery/business continuity arrangements?
  • verify in writing supplier’s security, etc. policies and procedures
- customer/service dependence
- impact of different kinds of outage
  • ensure ability to operate contract requirements on security, passwords, etc.

General Cloud contracts issues (2):
- data
  • supplier commitments to return customer data during and after contract?
  • in what form will the data be returned?
  • how long from customer request to data return?
  • can customer easily use the data in the form in which it’s returned?
  • at termination, does the supplier’s data return obligation operate independently of the reason for termination?
  • keep copy of latest data onsite/with another supplier (e.g. Mimecast and email?) to reduce dependence?

General Cloud contracts issues (3):
- lifecycle contract issues
  • service levels/credits
  • liability/risk regime
  • who bears Internet/comms risk?
  • support
  • duration/renewal/notice
  • pricing increases/changes
  • test business continuity/DR at least annually
  • contract change process
  • unilateral variation of terms
  • jurisdiction & governing law
- exit/disengagement management/plan
  • prepare the plan in first 6 months of arrangement – update annually

Regulatory Cloud contract issues for law firms (1):
- outsourcing
  • moving to a Cloud platform is likely to constitute outsourcing of legal activities or of operational functions that are critical to the delivery of any legal activities
  • within O(7.10) of the SRA Code of Conduct
- SRA
  • contractual arrangements “must enable SRA or its agent to obtain information from, inspect records of, or enter premises of the Cloud provider regarding outsourced activities or functions”
  • outsourcing must not adversely affect compliance with, or SRA monitoring of compliance with, Handbook obligations
  • outsourcing must not alter obligations to clients
  • outsourcing must not cause breach of SRA authorisation requirements

Regulatory Cloud contract issues for law firms (2):
- data protection
  • Cloud provider will normally be a data processor for DPA purposes – but NB when it could be a data controller
  • will data ever be exported from the EU?
  • ensure contract adequately reflects positions of parties in DP terms
  • tie back into firm’s data protection policies, procedures, notices and terms
- law enforcement access to data
  • generated more heat than light (Patriot Act, Snowden, Microsoft Dublin data centre (Aug 2014))
  • cannot exclude possibility in certain circumstances of lawful access by home or overseas law enforcement or intelligence agencies
  • selection criterion for Cloud provider?
  • a bit like the AMLR terms that go into firms’ engagement letters?

Other contractual issues that the Cloud raises
- Multiple Cloud suppliers
  • ensure consistency of approach, etc.
- Client engagement terms
  • include a new term around Cloud use if relevant?
  • vary current terms where key firm IT/service component going into the Cloud?
  • NB where client’s own business is regulated – e.g. FCA – or where client requires vendors (incl. law firms) to comply with policies (e.g. IS, encryption, data, audit, etc.)
- Supplier Terms of Service/Acceptable Use Policy
  • if different from supplier service agreement
- Internal firm policies and procedures
  • IT acceptable use
  • communications with clients

Law Firm Cloud resources & materials
  • The Law Society: Cloud computing (April 2014)
  • SRA: Spiders in the web: the risk of online crime to legal business (Mar 2014)
  • SRA: Silver Linings: cloud computing, law firms and risk (Nov 2013)
  • ICO: Guidance on the use of cloud computing (Oct 2012)
  • NIST (US): Cloud computing – features, benefits, risks & recommendations for secure, efficient implementations (June 2012)
  • The Law Society: Data protection, Information security, Business continuity (Oct 2011)

Thank you
Questions?
Richard Kemp, richard.kemp@kempitlaw.com, 020 3011 1667