
LMN IT Directors' Forum


Presentation Transcript


  1. Legal Update – Paul Jones & Helen Mulligan, 7 February 2013, LMN IT Directors' Forum

  2. Legal Update: Overview
     • Five burning data protection issues
       • Helen Mulligan, Associate
     • Cloud Contracting: Transition from Tower to Cloud
       • Paul Jones, Partner

  3. Five Burning Data Protection Issues
     Five things IT Directors in HE and FE institutions need to know:
     • Data security: lessons from recent enforcement action
     • Complying with the new rules on cookies
     • Email marketing: a new ICO approach?
     • The new EU Data Protection Regulation
     • DP compliance in the cloud

  4. Five Burning DP Issues (1): Data Security
     Main legal requirements:
     • Appropriate “technical and organisational” security measures against loss, misuse or damage to personal data
     • Written contracts with “data processors” (and due diligence)
     • ICO fines of up to £500,000 for serious breaches
     • Some lessons from recent enforcement action…

  5. Five Burning DP Issues (1): Data Security
     • Guard against "malicious" attacks
     • Prompt remedial action
     • Secure destruction of data
     • Watch your "data processors"
     • Not-for-profits not immune

  6. Five Burning DP Issues (2): Cookies
     Main legal requirements:
     • Clear and comprehensive information about cookies in use
     • NEW: Active, informed consent from users
     • (Narrow) exemption for “strictly necessary” cookies
     • Enforcement: all cookies created equal?
     • Ways of getting consent: pop-ups?

  7. Five Burning DP Issues (3): Direct Marketing
     The legal requirements:
     • No unsolicited “direct marketing” by electronic means without “consent”
     • Fining regime extended (April 2011)
     • An ICO crack-down?
     • Reducing risk

  8. Five Burning DP Issues (4): New DP Regulation
     • In force 2015?
     • Will replace the current Data Protection Act 1998
     • Key changes: a much tougher compliance landscape
     • Things to think about now?
       • Long term contracts
       • “Privacy by design”
     • Have your say?

  9. Five Burning DP Issues: The Cloud
     Two key DP issues:
     • Data “Export”: No transfer of personal data outside the EEA without “adequate protection”
       • Model clauses?
       • Safe Harbor?
       • Self-assessment of adequacy?
     • Data Security: risk assessments/contracts?
       • Recent ICO guidance: a practical approach?
     • Non-DP legal issues…

  10. QUESTIONS? – Helen Mulligan, Associate, helen.mulligan@farrer.co.uk, 020 3375 7196

  11. Cloud Contracting
     • Why is cloud computing such a hot topic?
     • Trends in cloud contracting
     • What are the key legal issues when contracting for the cloud?
     • Key practical challenges
     • Cloud contracting strategy

  12. Why is cloud computing such a hot topic?
     • Essentially about online, scalable IT resources on demand
     • Key enabling technologies are: virtualisation + large server farms + high-bandwidth + low-cost connectivity
     • Cloud computing may facilitate:
       • Highly flexible and very rapid outsourcing
       • Reduced costs and conversion of capex to opex
       • Simplified hardware and software maintenance
       • More efficient delivery of public sector services

  13. Cloud stacks and hidden layers [SIMPLIFIED!] (diagram) From: http://csrc.nist.gov/groups/cloud-computing-v26.ppt

  14. Different types of cloud [SIMPLIFIED!] (diagram labels: "The Outside World"; Community / Private / Public / Hybrid; IaaS / SaaS / PaaS)

  15. Can you negotiate cloud contracts?
     • Although not generally advertised, major cloud vendors often go off piste if a deal merits it in terms of value or strategic importance
     • One-off contracts are usually confidential but some public sector contracts have been published, eg CSC / Google / City of LA
     • The QMUL Cloud Legal Project recently conducted detailed, off-the-record interviews with cloud suppliers, customers and advisors, as well as making various FOI requests
     • From an analysis of the research data, six issues emerged as subject to the heaviest negotiation, or as deal breakers…

  16. [Legal] Trends in Cloud Contracting
     "Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now" – Hon, Millard & Walden (2012)
     Top 6 issues in negotiated cloud contracts:
     • Exclusion / limitation of liability
     • Service Levels
     • Security & Privacy
     • Lock-in & Exit
     • Unilateral Changes
     • Intellectual Property Rights
     A detailed report on the research is available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2055199

  17. 1. Liability
     • Standard = broad exclusion / limitation of provider's liability
     • Difficult to negotiate
     • Sometimes liability is negotiated…
       • For defined types of losses, with caps (eg, 100%, 125%, 150% fees)
       • Liability for breach of confidentiality / privacy / data protection
     • Integrators may be more willing to accept liability
     • Consider "Plan B", eg backup to own servers / another cloud

  18. 2. Service Levels
     • SLs = function of price: but often high anyway
     • Lack of standards to measure / compare
     • For mission-critical / real-time applications users may insist on higher availability, more notice of planned downtime, etc
     • Remedies for breach of SLAs
       • Usually restricted to service credits
       • Monetary rebates sometimes available
       • More negotiable than service levels

  19. 3. Security & Privacy
     • Key concerns:
       • Who is responsible for security and to what standard?
       • Pre-contract penetration testing?
       • Audit – including roles of providers and third parties
       • Security breaches – monitoring / informing users / termination events
     • Most negotiated privacy and data protection terms:
       • Data location
       • Confidentiality / access / disclosure
       • Data processor agreements / clauses
       • Role of sub-providers – identities and locations / control over appointment and operations may matter

  20. 4. Lock-in & Exit
     • Initial minimum term
       • 3 years typical
       • Automatic renewal / roll-over common (but negotiable)
       • Basic services may be on demand / monthly rolling
     • Exit strategy – termination on notice, insolvency etc
     • Data retention (during term and post-termination)
     • Data deletion (how / when)
     • Dependence on proprietary service; data / metadata formats

  21. 5. Unilateral Changes
     • SaaS commodity services
       • May be no choice
       • User concerns are mainly notice + termination rights
       • Changes to privacy policies are common
     • IaaS / PaaS: practical issues
       • Users may have to update application code
       • For core services consider consent / longer notice period

  22. 6. Intellectual Property Rights
     • Clarification may be sought re:
       • Ownership / licensing of user or integrator-developed IaaS / PaaS applications (including post-termination)
       • Customisations, user-contributed improvements
       • Whether cloud service pricing includes application licences
     • Third party applications – licences
       • Included with service, or user's own licence if 'portable'
       • Licensing basis, eg annually in advance / monthly per user
     • IP indemnity?

  23. Are cloud services really so different?
     • Yes, but:
       • Scalability
       • Virtualization
       • No initial investment
     • These characteristics entail additional legal challenges:
       • Which law? Which jurisdiction?
       • Security and data protection
       • Access to and deletion of data
       • Contract term and termination
       • Supplier attitudes to contract provisions
     • Key objectives
       • Understand risks and benefits
       • Control the risks without breaking the delivery model

  24. The "Holy Trinity"
     • Cloud based services are not so different from "traditional" services – so do not ignore the "Holy Trinity":
       • Service Descriptions
       • Service Levels
       • Charges
     • Key = understanding the extent to which you can influence/negotiate what is to be provided, which in turn may dictate the extent to which you are in a private/semi-private cloud

  25. 1. Service Descriptions
     • Key = understanding what you will actually be getting from the cloud-based services
     • Issues to address:
       • scope of functionality provided
       • extent of any possible customisation / customer specific functions
       • performance / scalability issues (given reliance on internet connections, shared platforms, etc)
       • clear link through to the service level regime
       • what happens upon exit re: scope of transition assistance, return of data (and in which format, etc)

  26. 2. Service Level Agreement
     • Not just WHAT you get, but TO WHAT LEVEL of quality/availability, etc do you get it
     • Even more important in the cloud context, owing to the combination of enhanced reliance and reduced control
     • Common SLs:
       • Availability (usually the key one in the Cloud)
       • Time to respond
       • Time to fix/provide workaround
     • Issues to watch for:
       • hours of measurement
       • exceptions re "short term" outages
       • monthly/quarterly measurement periods
       • remedies…?

  27. 3. Charges
     • Paid-for services as opposed to "free to air"…?
     • No single model but some common examples:
       • Subscription charge
         • akin to a licence fee, but with the potential advantage of avoiding a larger, one-off licence fee
         • incorporates traditional licence/support elements
       • Per transaction/unitary charge
         • popular "utility" style model
         • link to audit and/or automated calculation provisions

  28. Practical Challenges of cloud contracting
     • Track record / size of service providers
     • Business continuity issues (eg, provider insolvency)
     • Growth in reliance / difficulties in transition
       • Preservation of access to / use of data
       • Change of service provider or in-sourcing at the end of term
     • Negotiability of contract terms
       • Service provider positions (eg, on liability clauses)

  29. Cloud Contracting Strategy
     • Identifying what can / cannot be entrusted to the cloud
     • Selecting minimum / "must have" requirements in each case
     • Differentiating between public and private cloud possibilities (and all points in between)
     • Deciding between:
       • negotiating on the basis of the service provider's own terms
       • developing own template for cloud based services
       • middle ground of an "addendum" or "overlay" (example = approach of UK Government)
     • Running a "pilot" project

  30. Due diligence checklist
     • Is the infrastructure multi-layered and, if so, in what way?
     • Where will your data be processed (inc. storage / replication)?
     • Who controls the critical infrastructure (and from where)?
     • How easily can third parties get access to your data?
     • What happens if the cloud provider / their provider goes bust?
     • How easily could you move your data to another cloud service (or back to your own systems), and how long would it take?
     • How confident are you that you could regain control of your data without leaving behind copies and / or key metadata?
     • Is the contract ok (inc. TOS, T&C, SLA, Privacy Policy, AUP etc)?

  31. QUESTIONS – Paul Jones, Partner, paul.jones@farrer.co.uk, 020 3375 7254
