the cloud computing contract playbook - contracting for cloud services, sept. 30
TRANSCRIPT
The Cloud Computing
Contract Playbook -
Contracting for Cloud Services
September 30, 2015
Paul Armitage*, Partner * Law Corporation
2
The Cloud is Everywhere
The cloud is everywhere and for anything
• SaaS (applications)
• Customer accesses and uses cloud provider’s applications
running on cloud provider’s infrastructure (e.g., Salesforce.com)
• PaaS (platform)
• Customer deploys and controls own (developed/licensed)
applications running on cloud provider’s infrastructure (e.g., IBM
Smartcloud, and also Salesforce.com!)
• IaaS (infrastructure)
• Customer deploys and controls applications, operating systems,
storage, and networking components running on cloud provider’s
infrastructure (e.g., AWS)
The Cloud is Everywhere
Expanding use of the cloud – from consumer to the
enterprise
• The cloud is no longer just for free or low-cost consumer offerings
• Mission critical functions: finance, billing, database storage,
networks
• Regulated industries (e.g., financial institutions, healthcare)
3
The Irresistible Force of the Cloud
• Significant cost reductions
• Lower total cost of ownership: no servers or licenses to be bought
– just pay as you go
• Cheaper to implement, customize and configure
• No upgrade fees for ongoing maintenance to stay current with
latest versions of the software and operating systems
• Cost certainty
• Predictable fees based on metrics (e.g., per user, log-in, record,
device)
• Renewal pricing: PRACTICAL TIP - contractually ensure cost
certainty on renewal!
4
The Irresistible Force of the Cloud
• Speed of delivery
• Greatly reduces time required to implement, customize and
configure the solution, and to train users
• Scalable and elastic (metered, on-demand service)
• Increased connectivity and solution mobility (accessible
anywhere and by any Internet enabled device)
• Can allow an organization to achieve security standards
which are difficult or expensive to achieve in-house (e.g.,
diversity or disaster recovery requirements)
5
What’s Different about Contracting for Cloud Computing?
“Cloud” solution
• No on-premises installation at customer
• Customer gets a subscription to access and use someone else’s
solution, on someone else’s computer, hosted somewhere else,
all done via the internet – the “cloud”
• In lieu of an in-house IT department where you can structure your
computing environment and know first-hand what security
safeguards are in place, you now have… a contract with your
cloud provider
6
Storing Personal Information in the Cloud
• Storing personal information in the cloud is generally
speaking permitted, so long as:
• Socio-economic and legal environment of the hosting jurisdiction,
and sensitivity of the information are taken into consideration
• Individuals are provided with notice of the cloud storage, and that
while their information is stored outside Canada it may be
accessed by foreign courts, law enforcement and security
authorities
• The cloud provider is contractually required to safeguard the
personal information against unauthorized use, access, collection,
disclosure, copying modification, and destruction, having regard to
the sensitivity of the information, and providing a comparable level
of protection to (a) if processed in-house, and (b) as is legally
required in Canada
7
Storing Personal Information in the Cloud
• Additional Alberta requirements
• Alberta Personal Information Protection Act:
• An organization must have policies about its use of “service
providers” (includes contractors and affiliates) outside of
Canada to process personal information, including as to (a)
which countries, and (b) the purposes of processing, and must
make its policies available on request
• An organization must, before or at the time of collecting or
transferring the information outside Canada, notify the
individual of (a) how to obtain information about the
organization’s policies on use of service providers outside of
Canada, and (b) the contact information of the person at the
organization who is able to answer questions about those
policies
8
Storing Personal Information in the Cloud
• Exceptions:
• B.C. public bodies - FOIPPA, s. 30.1
• Personal information in the custody or control of a public body
must be stored in Canada and accessed only in Canada,
unless one of the following applies: (a) individual consent, (b)
allowed under FOIPPA (including by ministerial order), or (c) in
connection with payments to or by a public body
• Limited exceptions for cloud-based email solutions and social
media
• Similar restrictions exist for Nova Scotia public bodies
9
Know Your Cloud Provider
• Due diligence on cloud provider
• Review financial statements / regulatory filings (SEC 10K)
• Financial performance (look for positive growth) and self-
disclosure of risks by cloud provider
• Data security measures – look for (and include in the contract) the
following types of protections:
• Physical, e.g. restricted access to data centres
• Organizational, e.g. security clearances, background checks,
privacy and security policies, training
• Technological, e.g. (a) firewall, (b) encryption (consider three
data states for encryption: (1) at rest, (2) in transit, (3) in
process), (c) identity and access management (password
protection), (d) patch management and network maintenance,
(e) secure data deletion, (f) intrusion monitoring, (g) virus filters
10
Know Your Cloud Provider
• ISO 27001 standard for information security systems
• Certification to demonstrate industry-minimum cyber security
measures have been adopted
11
Know Your Cloud Provider
• ISO 27018 standard for protection of personally
identifiable information (PII) in the cloud
• Requires cloud provider to (among other things):
• Only process PII in accordance with the customer’s
instructions
• Only process PII for marketing or advertising purposes with the
customer’s express consent
• Disclose to the customer the identity of subcontractors and
locations where PII is processed
• Ensure that personnel who have access to PII enter into
confidentiality agreements and receive appropriate training
• Assist the customer in complying with notification obligations in
the event of a security breach
12
Know Your Cloud Provider
• PCI DSS (Payment Card Interface – Data Security
Standard) for (1) payment card processing, (2) securing
cardholder data (e.g., storage or encryption), (3)
cardholder data environment (e.g., infrastructure, data
centres), (4) application development with access to
cardholder information / data environment
• Standards for cardholder data security and consistent data
security measures
13
Crucial Clause: Data Security Clause
• Elements of a data security clause
• Data remains owned and under the control of the organization
while in the cloud provider’s possession
• Cloud provider must only use the data for the purpose of
performing its services
• Cloud provider must provide notice of any data breach
• Cloud provider must provide notice of any lawful access where
legally permitted
• Continued access to data is assured (restrict cloud provider’s
ability to cut-off or suspend access, e.g., for non-payment)
• Disaster recovery/business continuity plan to provide access to
data under adverse conditions
• Continued access to data for a period after subscription ends to
allow for transitioning to another provider or service repatriation
• Return of data on termination (specify cost and a format you can
use)
14
Heart of the Deal: Specifications and Service Levels
• Specifications define what the cloud solution is supposed
to do
• A lot of cloud providers’ contracts don’t say anything about what
the solution does!
• Incorporate specifications / software components and guard
against future changes removing functionality
• Service levels set minimum performance standards for
the cloud solution. Examples:
• 99.999% uptime – but what’s “uptime”?
• Need to include the concept that “uptime available minutes” are those
when the services are operating to specifications, or without errors
• Speed to perform a function
• Support call response
• Recovery time objectives
15
Audit
• Right to audit cloud provider by client (and by client’s
regulators if applicable)
• Third party auditors to ensure compliance with cloud
provider’s security program
• Type of audit: SSAE 16 (US), CSAE 3416 (Canada), ISAE 3402
(International)
• Type of report:
• SOC 1: controls over financial reporting
• SOC 2: controls related to security, availability, processing integrity,
confidentiality, and privacy for a specific customer – “restricted report”
• SOC 3: same as SOC 2, but for general release (i.e., all customers)
• Frequency of report: Type I (point in time) vs. Type II (over period of time)
16
Bringing Territory Back
The cloud is typically thought of as not tied to territory, but
consider:
• Statutory prohibitions (e.g., FOIPPA, s. 30.1)
• Sectoral laws requirements (e.g., Bank Act)
• Your own policies and contracts – have you committed to persons
that their data won’t be stored outside of Canada?
• Which laws you must comply with – are they also binding on the
cloud provider?
• Specify in the contract what laws must be complied with, e.g.,
Canadian laws for personal information protection
• Insurance – territorial limits on coverage
17
Bringing Territory Back
• Export controls – four areas of concern:
• US-origin technology (including technical data)
• Controlled technology: encryption, dual-use (civilian), military,
nuclear
• Cloud provider or user is located in sanctioned countries
• Designated persons subject to economic sanctions
18
Insurance Issues
Gaps in traditional policies - general liability and E&O do
not cover:
• Business interruption due to your cloud provider suffering an
outage as a result of computer or network security failure
• Indemnification for security breach notification costs (including
credit monitoring)
• Defence and indemnification for regulatory action due to a breach
of privacy laws
• Liability for disclosure of electronic data, confidential information,
and personal information
• Liability for economic harm suffered by others due to failure of
your computer or network security
19
Insurance Issues
• Cyber security & privacy liability insurance may be used
to fill-in these gaps. Conditions of coverage:
• Maintain same or better level of security as when coverage was
taken-out (may include audit of your and your cloud provider’s
systems and security)
• Compliance with legal regulations
• Notice of claims – therefore, must contractually require cloud
provider to provide notice of security breach
• There must have been a security failure (e.g., poor planning or
unforeseen usage levels are not covered)
20
Insurance Issues
• Cyber security & privacy liability insurance – yours or
your cloud provider’s?
• Will your cloud provider’s coverage be there to protect you?
• Cost of security breach based on number of records
compromised: 100,000 records - $8.6m* (if the cloud provider
has a 1,000 customers, that’s a $8.6b loss!)
* Marsh, “Cyber & Privacy Liability”
• Cloud provider business model is usually about reducing costs
– providers therefore may have low insurance, high
deductibles, and resist naming customers as additional
insureds
• Your insurance: covers data compromised in the hands of a cloud
provider (with insurer subrogation against cloud provider)
21
What Happens if your Cloud Provider
Goes Out of Business?
• Third party cloud continuity solutions – the new software
escrow
• Short term (e.g., 30 - 90 days) solution to keep your
cloud provider’s service running while you transition to a
new provider or repatriate the service
• Two main variations:
• Basic: escrow company contracts with cloud provider’s IaaS
hosting provider to allow escrow company to keep the solution
“up” if cloud provider goes out of business
• More advanced: escrow company runs a mirrored solution in its
own environment that can be cut-to as a fail-over if cloud provider
goes out of business (or just goes down – also a diversity service)
• May be coupled with traditional source code escrow
22
Thank You
montréal ottawa toronto hamilton waterloo region calgary vancouver beijing moscow london
Paul Armitage
Tel: 604-891-2779
Email: [email protected]