Legal Framework for Cloud Computing
CeBIT, May 31 2011, Sydney

Anthony Wong MACS CP, President, Australian Computer Society; Chief Executive, AGW Consulting

Uploaded by anthonywong, posted 20-May-2015


Page 2: Cloud Computing

• Potential to transform the way we live, work and interact
• Shapes the ICT sector and the way enterprises provide and use IT services
• Helps to level the playing field by minimising up-front investment in technology
• Changes business agility through “pay-as-you-use” for access to bandwidth and technology functionality

Page 3: Examples of Cloud Computing

[Figure: examples of cloud computing. Source: NBN Co]

Page 4: Reasons for adopting cloud computing

• Outsource services to cloud suppliers
• Ability to scale up and down when required
• Reduction of internal technical support constraints
• Outsource technical management
• Provide more options and flexibility
• Deployment and adoption of new technologies
• Access to special expertise
• Desire to reduce costs

Page 5: Legal framework of Cloud Computing

Cloud computing, as a new sourcing and delivery model, shares many common legal issues with existing delivery models, but poses new legal challenges:

• Legal compliance issues
• Service levels and performance
• Cross-border issues
• Data protection, rights and usage
• Privacy and security
• Termination and transition

Page 6: Legal compliance issues

There is no ‘Law of Cyberspace’ for the Internet; however, in Australia there are a number of specific laws that apply:

• Electronic Transactions Acts
• Archives Act, FOI Act
• Copyright Amendment (Digital Agenda) Act 2000 (Cth) - intellectual property
• Privacy Act 1988 & Privacy Amendment (Private Sector) Act 2000 (Cth)
• Cybercrime Act 2001 (Cth)
• Spam Act 2003
• Telecommunications (Interception) Act 1979 (Cth)

Page 7: Legal compliance issues

Legal requirements for organisations to consider:

• Have you reviewed your corporate governance and industry regulation requirements?
• Are you able to comply with mandatory disclosures and financial reporting?
• Are there special standards and compliance requirements for your industry?
• Can you comply with data retention requirements and eDiscovery requests during litigation?

The burden is on you to understand your compliance obligations.

Page 8: Legal compliance issues

Example of a regulated industry:

• Financial services companies must first notify the Australian Prudential Regulatory Authority (APRA) of offshore data transfers
• Financial services companies must demonstrate appropriate risk management and governance procedures where there is potential to compromise:
  - a financial institution’s ability to continue operations and meet core obligations following a loss of cloud computing services
  - confidentiality and integrity of sensitive (e.g. customer) data/information
  - compliance with legislative and prudential requirements

Page 9: Legal compliance issues

Data and Records Preservation & Retention

• Ensure the supplier’s data retention and destruction policies comply with your requirements
• Your requirements depend upon the nature of the activities and the regulatory environment in which your organisation operates, and on the kinds of documents your organisation holds
• No single record retention requirement will be the same for each organisation
• It has been asserted that over 450 separate Acts of Parliament in Australia contain provisions dealing with the retention of records
• Courts are not likely to be understanding because your data is in the Cloud

Page 10: Legal compliance issues

Search and seizure at a data centre: what is the process in response to a legal request/search for information?

• FBI agents seized a multi-tenant server from a data centre to gather evidence in an ongoing investigation
• Unintended consequence of disrupting the continuity of other businesses whose data and information were hosted on the same server

*“Since the FBI seized its computer equipment earlier today, Liquid Motors has been unable to operate its business.”

*Networkworld, April 22, 2009

Page 11: Service levels and performance

Some considerations for SLAs:

• Cloud computing is dependent on the Internet; any disruption will interrupt services
• Validate cloud services against your objectives and understand how the services are provided
• Many traditional software licensing and outsourcing contractual considerations come into play
• Cloud models often rely on multiple third-party providers or subcontractors
• How important are the locations of servers? Can the provider change server locations without any notice?

Page 12: Service levels and performance

Factors to consider as a customer:

• Review the agreement (including standard form) and the provider’s terms of service
• Consider the range of services provided/required against the service levels critical to your business
• Be prepared to drive SLAs up (or down) to meet your needs
• Ask for performance guarantees (if critical)
• Include the right to audit the provider’s operational and financial viability
• Check the responsibilities of any sub-providers
• Ensure that your provider remains legally responsible for its obligations, notwithstanding sub-providers

Page 13: Service levels and performance

• Most standard agreements contain a ‘force majeure’ clause that relieves the affected party of its obligations when disaster occurs: is that acceptable for your requirements?
• Who is responsible for continuity of service when there are multiple players and integrated transactional systems based in different geographical regions?
• How long can you function without the contracted cloud services?
• Develop a detailed Business Continuity Plan:
  a) Consider the events most likely to occur in your business
  b) Know which disasters your supplier can cope with
  c) Depending on (b), you might consider a ‘Plan B’

Page 14: Cross-border issues

• In a dispute or conflict situation, which country’s court system will settle the dispute?
• The location of servers could trigger local laws even when neither the cloud provider nor the customer is present in that locality
• Local laws may override contractual agreements between cloud providers and customers
• The location of servers may not be apparent from the provider’s terms of service
• Consider the situation where data may be stored in multiple locations (countries) at the same time
• When do conflicts of laws occur?

Page 15: Cross-border issues

• Data stored in the U.S. is subject to U.S. law, for example the US Patriot Act: the US government’s authority extends to compelling disclosure of records held by cloud providers
• The Mutual Assistance Treaty between the US and Australia allows the respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances

Page 16: Cross-border issues

• Jurisdiction is dependent on the sovereignty of a government
• The concept of jurisdiction evolved in relation to geographical boundaries or territories
• Premise that each state or country has absolute power to control persons and things located within its boundaries or territories
• The Internet challenges these territorially based principles
• The law in regard to jurisdiction in cyberspace is unsettled

Page 17: Cross Border Jurisdiction Issues

Consider a case scenario (figure: a customer and user on one side, a server breached and compromised on the other):

• Identifying the location of the offence/breach
• Identifying the location where the harm resulted (e.g. the victim’s location or the computer’s location)
• Deciding which sovereign nation and court should have jurisdiction over the dispute

Page 18: Cross-border issues

In order for a court to adjudicate a case, the court must have authority over:

• the subject matter in dispute (subject matter jurisdiction); and
• the parties before the court (personal jurisdiction)

Page 19: Data protection, rights and usage

It is critical for organisations to understand how their data will be stored, used, managed and protected:

• Consider issues of ownership of information and intellectual property created using cloud technology
• Specify and define your “data” (including metadata) and your ownership rights
• Consider what happens when your supplier “goes belly up”
• Otherwise, consider making payments to your supplier for the return of data and materials which “you thought you owned”

Page 20: Data protection, rights and usage

Monetisation of data assets: is this the new currency of the future?

Customer participation and information/data are valuable assets, for example:

• Recent sale of Skype (400+ million users) for $8.5 billion
• Doubling of LinkedIn’s (100+ million members) share price
• Successful business models including Facebook and other social media companies

Page 21: Privacy and security

• Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud
• Management must maintain assurance that the security of the cloud service provider is adequate for their purpose
• Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure”

Page 22: Privacy and security

Regulatory landscape in Australia:

• Legislation, e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth)
• Equitable and common law duties regarding confidential information
• State privacy legislation (State laws) and health privacy laws
• Security and Information Management Standards and Practices
• Other Codes of Conduct, Industry Standards and Guidelines

Page 23: Privacy and security

Not all types of cloud services raise the same privacy and confidentiality risks:

• Review your supplier’s security policies and procedures: do they meet your requirements? Evaluate the risks
• Risks vary with the terms of service and privacy policy established by your provider
• Can your cloud provider change the terms and policies at will?
• Do you have to comply with privacy legislation restricting the processing and transfer of data offshore?
• Should your agreement restrict services and data storage to agreed locations? What are the rights of the supplier to operate in other locations?
• Define the scope of your confidential information, which will vary depending on the nature of your business

Page 24: Trans-Border Data Privacy

• Different levels of data privacy laws worldwide challenge trans-border data flow across countries
• Lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive
• Privacy Act 1988 National Privacy Principle (NPP) 9 (Transborder Data Flows) regulates transfers of personal information by an organisation to an offshore location, permitting such transfers if:
  - the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles
  - the individual consents to the transfer
  - the transfer is necessary for the performance of the contract between the individual and the organisation, or for the benefit of the individual

Page 25: Privacy and security

Things to consider:

• Whose privacy policy will apply at different stages of the data transfer?
• What security mechanisms are in place to manage data transfers between parties?
• What are the consequences of security and privacy breaches?
• How will you know if there is a breach?
• Is your cloud service provider required to provide assistance in the investigation of security breaches?
• Is there an audit trail for data?

Page 26: Privacy and security

Privacy Reform: the Privacy Act 1988 is being modernised to strengthen Australia’s privacy protection

• 2008: ALRC report released, For Your Information: Australian Privacy Law and Practice
• 2009: Government released its position on 197 of the ALRC’s recommendations, including:
  - develop a single set of National Privacy Principles
  - strengthen and clarify the Privacy Commissioner’s powers and functions
• 2010: exposure draft of the new Privacy Act was released by the Government

Page 27: Termination and transition

• What assistance services do you need to change over to a new provider? Consider the payment required for transition services
• The current architecture of cloud systems and the lack of standards may hamper cloud interoperability and transition services; make compatibility and interoperability an issue
• Seek clarity on limitations of liability in contracts, including exclusions of indirect, special and consequential loss and direct losses, and disclaimers and warranties

Page 28: Conclusion

• There is no one size fits all for cloud computing; laws are unsettled
• Not all cloud services are created equal, and not all cloud services should be subject to the same terms
• Few legal precedents regarding liability in the cloud
• Undertake due diligence, as you need to fully understand the risks associated with cloud computing, and adopt a risk-mitigation approach to cloud adoption
• Service agreements need to specify those areas the cloud provider is responsible for
• Read the fine print of the cloud computing agreement carefully
• Specify locations for data storage and processing; know the governing law of the cloud computing agreement

Page 29: Conclusion

• Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and your sophistication are likely to grow
• You need to clarify with your cloud service provider matters pertaining to ownership of data stored at your provider’s facilities and responsibilities in relation to security and service availability
• The cloud computing industry needs to adopt more transparent and clearer policies and practices, so users can better gauge their risk comfort level
• For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate

Page 30: Thank You

“A global approach is the only way to deal with the Internet”
Francis Gurry, Head of the World Intellectual Property Organisation (WIPO)

... and so for Cloud Computing…

Source: "IP's new role in the knowledge economy", Asia Today International, April/May 2011

[email protected]
www.linkedin.com/in/wonganthony

This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only ones worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views in this presentation are those of the author and not of the ACS.