
The Cloud Computing Contract Playbook - Contracting for Cloud Services

June 23, 2015

Paul Armitage*, Partner
* Law Corporation

Doc #1761319

The Cloud is Everywhere

The cloud is everywhere and for anything

• SaaS (applications)
  • Customer accesses and uses cloud provider’s applications running on cloud provider’s infrastructure (e.g., Salesforce.com)

• PaaS (platform)
  • Customer deploys and controls own (developed/licensed) applications running on cloud provider’s infrastructure (e.g., IBM Smartcloud, and also Salesforce.com!)

• IaaS (infrastructure)
  • Customer deploys and controls applications, operating systems, storage, and networking components running on cloud provider’s infrastructure (e.g., AWS)


The Cloud is Everywhere

Expanding use of the cloud – from consumer to the enterprise

• The cloud is no longer just for free or low-cost consumer offerings

• Mission critical functions: finance, billing, database storage, networks

• Regulated industries (e.g., financial institutions, healthcare)

The Irresistible Force of the Cloud

• Significant cost reductions
  • Lower total cost of ownership: no servers or licenses to be bought – just pay as you go
  • Cheaper to implement, customize and configure
  • No upgrade fees for ongoing maintenance to stay current with latest versions of the software and operating systems

• Cost certainty
  • Predictable fees based on metrics (e.g., per user, log-in, record, device)
  • Renewal pricing: TIP - contractually ensure cost certainty on renewal!

The Irresistible Force of the Cloud

• Speed of delivery
  • Greatly reduces time required to implement, customize and configure the solution, and to train users

• Scalable and elastic (metered, on-demand service)

• Increased connectivity and solution mobility (accessible anywhere and by any Internet enabled device)

• Can allow an organization to achieve security standards which are difficult or expensive to achieve in-house (e.g., diversity or disaster recovery requirements)


We’re Moving Everything to the Cloud - Not so Fast!

• OSFI, Guideline B-10: requires (among other things) federally-regulated financial institutions (FRFIs) to impose standards on the service provider in the areas of: (1) confidentiality, (2) security, (3) data segregation

• OSFI, February 29, 2012 Memorandum: “New technology-based outsourcing arrangements”

“Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks.

As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services.”


We’re Moving Everything to the Cloud - Not so Fast!

• B.C. Privacy Commissioner, June 2012: “Cloud Computing Guidelines for Public Bodies”

“Public bodies must consider s. 30.1 of FIPPA when making decisions about whether to store personal information in the cloud. With limited exceptions as set out in FIPPA, personal information, including information in computer logs and on backup tapes or drives cannot be stored or accessed outside of Canada.”

What’s Different about Contracting for Cloud Computing?

• “Cloud” solution
  • No on-premises installation at customer
  • No license to the solution
  • Instead, customer gets a subscription to access and use someone else’s solution, on someone else’s computer, hosted somewhere else, i.e., in the cloud

• In lieu of an in-house IT department where you can structure your computing environment and know first-hand what security safeguards are in place, you now have… a contract with your cloud provider

Storing Personal Information in the Cloud

• Storing personal information in the cloud is generally speaking permitted, so long as:
  • Socio-economic and legal environment of the hosting jurisdiction, and sensitivity of the information are taken into consideration
  • Individuals are provided with notice of the cloud storage, and that while their information is stored outside Canada it may be accessed by foreign courts, law enforcement and security authorities
  • The cloud provider is contractually required to safeguard the personal information against unauthorized use, access, collection, disclosure, copying, modification, and destruction, having regard to the sensitivity of the information, and providing a comparable level of protection to (a) if processed in-house, and (b) as is legally required in Canada

Storing Personal Information in the Cloud

• Additional Alberta requirements
  • Alberta Personal Information Protection Act:
    • An organization must have policies about its use of “service providers” (includes contractors and affiliates) outside of Canada to process personal information, including as to (a) which countries, and (b) the purposes of processing, and must make its policies available on request
    • An organization must, before or at the time of collecting or transferring the information outside Canada, notify the individual of (a) how to obtain information about the organization’s policies on use of service providers outside of Canada, and (b) the contact information of the person at the organization who is able to answer questions about those policies

Storing Personal Information in the Cloud

• Exceptions:
  • B.C. public bodies - FIPPA, s. 30.1
    • Personal information in the custody or control of a public body must be stored in Canada and accessed only in Canada, unless one of the following applies: (a) individual consent, (b) allowed under FIPPA (including by ministerial order), or (c) in connection with payments to or by a public body
  • Similar restrictions exist for Nova Scotia public bodies

Know Your Cloud Provider

• Due diligence on cloud provider
  • Review financial statements / regulatory filings (SEC 10K)
  • Financial performance (look for positive growth) and self-disclosure of risks by cloud provider
  • Data security measures – look for (and include in the contract) the following types of protections:
    • Physical, e.g. restricted access to data centres
    • Organizational, e.g. security clearances, background checks, privacy and security policies, training
    • Technological, e.g. (a) firewall, (b) encryption (consider three data states for encryption: (1) at rest, (2) in transit, (3) in process), (c) identity and access management (password protection), (d) patch management and network maintenance, (e) secure data deletion, (f) intrusion monitoring, (g) virus filters

Know Your Cloud Provider

• ISO 27001 standard for information security systems
  • Certification to demonstrate industry-minimum cyber security measures have been adopted

Know Your Cloud Provider

• ISO 27018 standard for protection of personally identifiable information (PII) in the cloud
  • Requires cloud provider to (among other things):
    • Only process PII in accordance with the customer’s instructions
    • Only process PII for marketing or advertising purposes with the customer’s express consent
    • Disclose to the customer the identity of subcontractors and locations where PII is processed
    • Ensure that personnel who have access to PII enter into confidentiality agreements and receive appropriate training
    • Assist the customer in complying with notification obligations in the event of a security breach

Know Your Cloud Provider

• PCI DSS (Payment Card Interface – Data Security Standard) for (1) payment card processing, (2) securing cardholder data (e.g., storage or encryption), (3) cardholder data environment (e.g., infrastructure, data centres), (4) application development with access to cardholder information / data environment
  • Standards for cardholder data security and consistent data security measures

Data Security Clause

• Elements of a data security clause
  • Data remains owned and under the control of the organization while in the cloud provider’s possession
  • Cloud provider must only use the data for the purpose of performing its services
  • Cloud provider must provide notice of any data breach
  • Cloud provider must provide notice of any lawful access where legally permitted
  • Continued access to data is assured (restrict cloud provider’s ability to cut off or suspend access, e.g., for non-payment)
  • Disaster recovery/business continuity plan to provide access to data under adverse conditions
  • Continued access to data for a period after subscription ends to allow for transitioning to another provider or service repatriation
  • Return of data on termination (specify cost and a format you can use)

Specifications and Service Levels

• Specifications define what the cloud solution is supposed to do
  • A lot of cloud providers’ contracts don’t say anything about what the solution does!
  • Incorporate specifications and guard against future changes

• Service levels set minimum performance standards for the cloud solution. Examples:
  • 99.999% uptime – but what’s “uptime”?
  • Time to perform a function
  • Support call response
  • Recovery time objectives
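The “but what’s uptime?” question above is the whole negotiation in miniature. The following Python script is an added example written for this transcript, not code from the presentation or the firm: it takes one constructed outage history for a single month and scores it under two contract definitions of uptime, one that excludes scheduled maintenance and ignores partial degradation (the kind a provider’s standard terms tend to use) and one that counts both. The outage dates, the two definitions, and the `UptimeDefinition` helper are all assumptions made for illustration. It also prints the downtime budget that a given percentage actually leaves over a month versus a year, which is where “five nines” stops looking like a marketing number.

```python
"""Added example (not part of the original slides): how the contract's
definition of "uptime" decides whether one and the same outage history
meets a service level. All outage data below is constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Outage:
    start: datetime
    end: datetime
    planned: bool = False    # fell inside a scheduled maintenance window
    degraded: bool = False   # service was slow/partial rather than fully down


@dataclass
class UptimeDefinition:
    """Hypothetical helper: the knobs a cloud contract often leaves undefined."""
    exclude_planned: bool    # does scheduled maintenance count as downtime?
    count_degraded: bool     # does partial degradation count as downtime?
    period: timedelta        # measurement window the percentage is taken over


def downtime_seconds(outages, period_start, period_end, definition):
    """Sum outage time inside the measurement window under the given definition."""
    total = 0.0
    for o in outages:
        if o.planned and definition.exclude_planned:
            continue
        if o.degraded and not definition.count_degraded:
            continue
        # Clip each outage to the measurement window before counting it,
        # so an incident that straddles month-end is only partly charged here.
        start = max(o.start, period_start)
        end = min(o.end, period_end)
        if end > start:
            total += (end - start).total_seconds()
    return total


def availability(outages, period_start, period_end, definition):
    """Fraction of the window the service counted as 'up' under this definition."""
    window = (period_end - period_start).total_seconds()
    return 1.0 - downtime_seconds(outages, period_start, period_end, definition) / window


def allowed_downtime(target, period):
    """Downtime budget implied by a target (e.g. 0.99999) over a window."""
    return timedelta(seconds=(1.0 - target) * period.total_seconds())


# Constructed outage history for one calendar month (March 2015, 31 days).
MARCH_START = datetime(2015, 3, 1)
APRIL_START = datetime(2015, 4, 1)
OUTAGES = [
    Outage(datetime(2015, 3, 8, 2), datetime(2015, 3, 8, 4), planned=True),        # 2 h maintenance
    Outage(datetime(2015, 3, 15, 10), datetime(2015, 3, 15, 10, 30)),              # 30 min hard outage
    Outage(datetime(2015, 3, 22, 14), datetime(2015, 3, 22, 16), degraded=True),   # 2 h degraded

]

# Two definitions of "uptime" applied to the same month.
PROVIDER_FRIENDLY = UptimeDefinition(exclude_planned=True, count_degraded=False,
                                     period=APRIL_START - MARCH_START)
CUSTOMER_FRIENDLY = UptimeDefinition(exclude_planned=False, count_degraded=True,
                                     period=APRIL_START - MARCH_START)


def meets_target(target, definition):
    """True if the constructed month satisfies `target` under `definition`."""
    return availability(OUTAGES, MARCH_START, APRIL_START, definition) >= target


if __name__ == "__main__":
    for name, d in (("provider-friendly", PROVIDER_FRIENDLY),
                    ("customer-friendly", CUSTOMER_FRIENDLY)):
        a = availability(OUTAGES, MARCH_START, APRIL_START, d)
        print(f"{name}: {a:.5%} uptime -> meets 99.9%? {meets_target(0.999, d)}")
    for target in (0.999, 0.9999, 0.99999):
        print(f"{target:.3%}: budget {allowed_downtime(target, timedelta(days=31))} "
              f"per 31-day month, {allowed_downtime(target, timedelta(days=365))} per year")
```

Under the provider-friendly definition the month scores about 99.93% and passes a 99.9% service level; under the customer-friendly one the identical month scores about 99.40% and fails. Neither comes anywhere near 99.999%, whose budget is under 27 seconds for the month. When reviewing an SLA, pin down all three knobs in the contract text: whether maintenance windows are excluded (and how much notice they need), whether degraded service counts, and the measurement period over which the percentage is computed.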

Audit

• Right to audit cloud provider by client (and by client’s regulators if applicable)

• Third party auditors to ensure compliance with cloud provider’s security program
  • SSAE 16 (Type I or Type II)


Bringing Territory Back

The cloud is typically not tied to territory, but consider:

• Statutory prohibitions (e.g., FIPPA, s. 30.1)

• Sectoral laws requirements (e.g., Bank Act)

• Your own policies and contracts – have you committed to persons that their data won’t be stored outside of Canada?

• Which laws you must comply with – are they also binding on the cloud provider?

• Specify in the contract what laws must be complied with, e.g., Canadian laws for personal information protection

• Insurance – territorial limits on coverage


Bringing Territory Back

• Export controls – four areas of concern:

• US-origin technology (including technical data)

• Controlled technology: encryption, dual-use (civilian), military, nuclear

• Cloud provider or user is located in sanctioned countries

• Designated persons subject to economic sanctions


Insurance Issues

Gaps in traditional policies - general liability and E&O do not cover:

• Business interruption due to your cloud provider suffering an outage as a result of computer or network security failure

• Indemnification for security breach notification costs (including credit monitoring)

• Defence and indemnification for regulatory action due to a breach of privacy laws

• Liability for disclosure of electronic data, confidential information, and personal information

• Liability for economic harm suffered by others due to failure of your computer or network security


Insurance Issues

• Cyber security & privacy liability insurance may be used to fill-in these gaps. Conditions of coverage:

• Maintain same or better level of security as when coverage was taken-out (may include audit of your and your cloud provider’s systems and security)

• Compliance with legal regulations

• Notice of claims – therefore, must contractually require cloud provider to provide notice of security breach

• There must have been a security failure (e.g., poor planning or unforeseen usage levels are not covered)


Insurance Issues

• Cyber security & privacy liability insurance – yours or your cloud provider’s?

• Will your cloud provider’s coverage be there to protect you?

• Cost of security breach based on number of records compromised: 100,000 records - $8.6m* (if the cloud provider has a 1,000 customers, that’s a $8.6b loss!)

* Marsh, “Cyber & Privacy Liability”

• Cloud provider business model is usually about reducing costs – providers therefore may have low insurance, high deductibles, and resist naming customers as additional insureds

• Your insurance: covers data compromised in the hands of a cloud provider (with insurer subrogation against cloud provider)

What Happens if your Cloud Provider Goes Out of Business?

• Third party cloud continuity solutions – the new software escrow

• Short term (e.g., 30 - 90 days) solution to keep your cloud provider’s service running while you transition to a new provider or repatriate the service

• Two main variations:
  • Basic: escrow company contracts with cloud provider’s IaaS hosting provider to allow escrow company to keep the solution “up” if cloud provider goes out of business
  • More advanced: escrow company runs a mirrored solution in its own environment that can be cut to as a fail-over if cloud provider goes out of business (or just goes down – also a diversity service)

• May be coupled with traditional source code escrow

Thank You

montréal · ottawa · toronto · hamilton · waterloo region · calgary · vancouver · beijing · moscow · london

Paul Armitage
Tel: 604-891-2779
Email: [email protected]

Doc # 1761319