Legal Challenges in Contracting for Cloud Services Lou Milrad B.A., LL.B. Lawyer MilradLaw Cloud Computing – Moving Forward March 26th, 2013 Burlington Convention Centre

Legal Challenges in Contracting for Cloud Services

Lou Milrad B.A., LL.B.

Lawyer

MilradLaw

Cloud Computing – Moving Forward

March 26th, 2013

Burlington Convention Centre

This presentation illustrates a sampling of issues relating to cloud service contracts while also providing discussion insights, and is intended to be illustrative, rather than conclusive, of the complexity of certain issues.

The model under discussion assumes that your Municipality will be negotiating one or more cloud services contract(s) and that the expectation is that some sensitive and private data will be stored on cloud-based data servers belonging either to the cloud provider, or to a business partner of that provider. In addition, your Municipality is in the final stages of launching a BYOD (Bring Your Own Device) policy.

Contracting for Cloud Services

In shifting away from the traditional infrastructure approach of separately (or in combination) purchasing hardware, software and services to complete services solution(s) (SaaS, IaaS, PaaS, MaaS, etc.), there is a critical need to focus on

IT contracting strategy, and

Associated contract terms & conditions

Legal issues have become somewhat more complex

Many are traditional (e.g. IT outsourcing and similar managed services arrangements), but many are new and unique to or exacerbated by migration to the cloud.

Dilemma - DATA and data server(s) location(s)

Web-based (ClickMe) vs. Negotiated Terms

Typically governed by total $$$ to be spent coupled with supplier target market and industry standard practices.

Try to avoid web-based terms and conditions approach – exception may only be in “free” services

However, “free” might change to “paid for” services model if volume or usage thresholds are exceeded

Cautions -

Automatic term renewals

Incorporation of web-terms into negotiated contracts

Brief Overview of Cloud Contracting Issues

Web-based vs. negotiated terms

Governing Law

Data Availability and Term and Renewals

Additionally referenced terms & unilateral amendments, Statements of Work (SOW’s), & Service level agreements (SLA’s)

Intellectual property rights (IPR)

Confidential information (Confidentiality) and Trade Secrets

Privacy

Force majeure

Geographic Location of Data Servers

Third party access

Indemnification & insurance

Suspension & Termination

Suppliers’ compliance requirements

Grounds for Contract Termination

Liability of Damages due to a Service Interruption

Having an Exit Strategy

Data retention upon contract termination

Cloud Contracting & Variations on Traditional “Boilerplate” Terms

Boilerplate examples for discussion

Contract Structure

Governing Law

Term and Renewals

Data Availability and Ownership

Intellectual Property Rights (IPR)

Confidential Information

Privacy

Force Majeure

AND

Data Availability and Ownership

Contract Structure

Terms and Conditions

Full of legalese

Once signed, become the governing terms and conditions

Amending Agreement required to change terms

Schedules

Specifications

Pricing and Payment, etc.

Statements of Work (SOW’s)

Service Level Agreements (SLA’s)

Governing Law

What law governs performance under the contract terms?

Complex legal regulatory environment surrounding cloud computing that both customers and providers need to consider.

e.g. Privacy statutes

Provision is typically found in the boilerplate section of the contract (i.e. - towards the end of the T’s & C’s)

Typically, vendor’s form contract

• Good place to start and build on

Typically will specify that it is governed by the law of the vendor’s home province/state, and

grant the courts of that province/state exclusive jurisdiction over any disputes arising out of the contract

Governing Law (Cont’d)

3 Key aspects – Applicable law & Jurisdiction and Location governing resolution of

Contract interpretation

Hearing(s) & Trial(s)

Mediation & Arbitration

Options

Mutual agreement on these items

Leave unresolved and open for later argument and resolution (if needed)

Term and Renewals

Vendor form contracts typically

Renew automatically for additional terms unless proper prior notice is given

Not really a major concern in the context of “free” services, but could be problematic under a “pay for services” automatic renewal contract, particularly where the customer has not tracked the advance notice of “intention not to renew” date… and it slips by

Auto renewal avoids the need to renegotiate the contract, but…

Consideration for negotiating “termination for convenience” provisions

Avoid additionally referenced terms & unilateral amendments - (e.g. Incorporation by reference of additional terms and policies posted to the vendor’s website)

Term and Renewals (Cont’d)

Issue - Provides the vendor with the unilateral right to make modifications to its services – a negotiated compromise might be something like:

“Vendor may make commercially reasonable modifications to the Service, provided that they do not materially diminish the nature, scope, or quality of the Service.”

Data Availability and Ownership

Prerequisite for consideration:

Understanding of the system architecture

e.g. - How and in what format it keeps your data

Tools that are available to you to access your data

Covering off on e-discovery needs that may arise

Remain mindful of compliance with enterprise-wide policies (existing & under consideration/development) - AUP, MDM, BYOD, etc.

Data Availability and Ownership (Cont’d)

Additional Requirements

Redundancy and backup

Disaster recovery

No vendor lock-in

Exit strategies as required

Protection of all designated confidential information and other intellectual property rights

Confirmation that the vendor does not acquire and may not claim any security interest in your data.

Where does Open Data fit in?

Intellectual Property Rights (IPR)

IP categories include

Copyrights, Trademarks, Trade secrets (Confidential Information), Data

IP Assets & Treatment under

Canadian laws

Laws of other countries

Infringement – what remedies?

Third party access – is the vendor intending to grant some privileged third parties access to your Municipality's stored data?

Who is that to be?

What is approval and authorization procedure?

Is there to be a confidential disclosure agreement and what form is it to take?

Protecting “personal information” and IPR

Confidential Information

How broadly or narrowly will it be defined in the Contract?

Defining Characteristics of Confidential Information: Typically includes intangible assets (and associated materials) such as trade secrets, designs, processes, programs, procedures, third party Information, developments, disclosed under terms of a software license or services agreement

Examples might include nonpublic and financial contract terms with other suppliers, and categories set out under MFIPPA & PHIPA

Negotiated cloud contracts will typically define and spell out the restrictions and remedies for unauthorized disclosure or other violation – Web-based terms are less likely to address the question, although it may be included under Intellectual Property Rights language

Breach of Confidentiality: Legal obligation of employees to respect the organization’s intangible assets, business and trade secrets etc. and maintain their confidentiality both during and after term of employment

Confidentiality & Non-Disclosure Agreements (NDA’s) might precede contract negotiation, and in any event, negotiated contracts will contain associated obligations and restrictions regarding confidentiality

Key consideration: Notwithstanding the vendor’s adherence to best practices, what happens if the data center gets hacked? Is there a remedy, and if so, what is it to be?

Privacy

Canada has two federal privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act. …

Every province and territory has privacy legislation governing the collection, use and disclosure of personal information held by government agencies – Office of The Privacy Commissioner of Canada

Ontario’s MFIPPA (Municipal Freedom of Information and Protection of Privacy Act) & PHIPA (the Personal Health Information Protection Act)

Onus on Municipalities and their suppliers to protect “personal information” from disclosure

Challenge to be considered - the trusteeship by the Municipality of personal information coupled with possible access, handling and disclosure of personal information of others stored on external cloud servers.

BYOD and Cloud access - Makings of a perfect storm with the convergence on one device of both personal and corporate data and providing access to cloud based data and databases – therefore, a critical need to have an enforceable BYOD policy in place.

Force majeure

Others

Our systems are vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems.

Thank You

Lou Milrad

IT Lawyer

Milrad Law Office

647.982.7890

www.milradlaw.ca

And now…