Lou Milrad B.A., LL.B.
Lawyer
MilradLaw
Cloud Computing –
Moving Forward
March 26th, 2013
Burlington Convention Centre
This presentation illustrates a sampling of issues relating to
cloud service contracts while also providing discussion
insights on such issues and is intended to be merely
illustrative, rather than conclusive, of the complexity of those
issues.
The model under discussion assumes that your Municipality
will be negotiating a cloud services contract and that the
expectation is that some sensitive and private data will be
stored on cloud-based data servers belonging to either the
cloud provider or to a business partner of that provider. In
addition, your Municipality is in the final stages of launching a
BYOD (Bring Your Own Device) policy.
• In shifting away from the traditional infrastructure approach of
separately (or in combination) purchasing hardware, software and
services to a complete services solution (SaaS, IaaS, PaaS, MaaS,
etc.), there is a critical need to focus on
  • IT contracting strategy, and
  • Associated contract terms & conditions
• Legal issues have become somewhat more complex
  • Many are traditional (e.g. IT outsourcing and similar managed
  services arrangements), but many are new and unique to or
  exacerbated by migration to the cloud.
• Typically governed by total $$$ to be spent coupled
with supplier target market and industry standard
practices.
• Try to avoid web-based terms and conditions
approach – exception may only be in “free” services
• However, “free” might change to “paid for” services
model if volume or usage thresholds are exceeded
• Cautions -
  • Automatic term renewals
  • Incorporation of web-terms into negotiated
  contracts
Clou
• Web-based vs. negotiated terms
• Governing Law
• Data Availability and Term and Renewals
• Additionally referenced terms & unilateral amendments, Statements of Work (SOW’s), & Service level agreements (SLA’s)
• Intellectual property rights (IPR)
• Confidential information (Confidentiality) and Trade Secrets
• Privacy
• Force majeure
• Geographic Location of Data Servers
• Third party access
• Indemnification & insurance suspension & Termination
• Suppliers’ compliance requirements
• Grounds for Contract Termination
• Liability of Damages due to a Service Interruption
• Having an Exit Strategy
• Grounds for Contract Termination
• Data retention upon contract termination
Boilerplate examples for discussion
• Contract Structure
• Governing Law
• Term and Renewals
• Data Availability and Ownership
• Intellectual Property Rights (IPR)
• Confidential Information
• Privacy
• Force Majeure
AND
• Data Availability and Ownership
Terms and Conditions
Full of legalese
Once signed, becomes the governing terms and
conditions
Amending Agreement to change terms
Schedules
Specifications
Pricing and Payment, etc.
Statements of Work (SOW’s)
Service Level Agreements (SLA’s)
• What law governs performance under the contract terms?
• Complex legal regulatory environment surrounding cloud computing
that both customers and providers need to consider.
  • e.g. Privacy statutes
• Provision is typically found in the Boilerplate section of the contract (i.e.
towards the end of the T’s & C’s)
• Typically, vendor’s form contract
  • Good place to start and build on
  • will specify that it is governed by the law of the vendor’s home
  province/state, and
  • grant the courts of that province/state exclusive jurisdiction over
  any disputes arising out of the contract
• 3 Key aspects – Applicable law & jurisdiction/location
  • Contract interpretation
  • Location for Hearing(s)/Trial(s)
  • Resolution through mediation & arbitration
• Options
  • Mutual agreement on these items
  • Leave unresolved and open for later argument and resolution
  (if needed)
• Vendor form contracts typically
  • Renew automatically for additional terms unless proper prior
  notice is given
  • Not really a major concern in the context of “free” services, but
  could be problematic under a “pay for services” automatic
  renewal contract where the customer has not tracked the
  advance notice of “intention not to renew” date… and it
  slips by
• Auto renewal avoids the need to renegotiate the contract,
but…
• Consideration for negotiating “termination for convenience”
provisions
• Avoid additionally referenced terms & unilateral amendments -
• Provide the vendor with the unilateral right to make
modifications to its services – a negotiated
compromise might be something like:
  • “Vendor may make commercially reasonable
  modifications to the Service, provided that they do
  not materially diminish the nature, scope, or quality
  of the Service.”
• Prerequisite for consideration:
  • Understanding of the system architecture
    • e.g. how and in what format it keeps your data
  • Tools that are available to you to access your data
  • Covering off on e-discovery needs that may arise
• Remain mindful of compliance with enterprise-wide policies (existing &
under consideration/development) - AUP, MDM, BYOD, etc.
• Additional Requirements
• Redundancy and backup
• Disaster recovery
• No vendor lock-in
• Exit strategies as required
• Protection of all designated confidential information and other intellectual property
rights
• Confirmation that the vendor does not acquire and may not claim any security
interest in your data.
• Where does Open Data fit in?
• IP categories include
  • Copyrights, Trademarks, Trade secrets (Confidential Information), Data
• IP Assets & Treatment under
  • Canadian laws
  • Laws of other countries
• Infringement – what remedies?
• Third party access – is vendor intending to grant some privileged third parties access to
your Municipality's stored data?
  • Who is that to be?
  • What is the approval and authorization procedure?
  • Is there to be a confidential disclosure agreement and what form is it to take?
• Protecting “personal information” and IPR
• Defining Characteristics of Confidential Information: Typically includes intangible assets (and
associated materials) such as trade secrets, designs, processes, programs, procedures, third party
information, developments, disclosed under terms of a software license or services agreement
• Examples might include nonpublic and financial contract terms with other suppliers, and
categories set out under MFIPPA
• Negotiated cloud contracts will typically define and spell out the restrictions and remedies for
unauthorized disclosure or other violation – Web-based terms are less likely to address the question, although
it may be included under Intellectual Property Rights language
• Breach of Confidentiality: Legal obligation of employees to respect the organization’s intangible
assets, business and trade secrets etc. and maintain their confidentiality both during and after term of
employment
• Confidentiality & Non-Disclosure Agreements (NDA’s) might precede contract negotiation, and in
any event, negotiated contracts will contain associated obligations and restrictions regarding
confidentiality
• Key consideration: Notwithstanding vendor’s adherence to best practices, what happens if the data
center gets hacked? Is there a remedy, and if so, what is it to be?
• Canada has two federal privacy laws
  • the Privacy Act and the Personal Information Protection and Electronic Documents Act. …
• Every province and territory has privacy legislation governing the collection, use and disclosure of
personal information held by government agencies – Office of The Privacy Commissioner of Canada
• Ontario’s
  • MFIPPA - the Municipal Freedom of Information and Protection of Privacy Act, &
  • PHIPA - the Personal Health Information Protection Act
• Onus on Municipalities and their suppliers to protect “personal information” from disclosure
• Challenge to be considered - the trusteeship by the Municipality of personal information coupled with
possible access, handling and disclosure of personal information of others stored on external cloud
servers.
• BYOD and Cloud access - Makings of a perfect storm with the convergence on one device of both
personal and corporate data and providing access to cloud based data and databases – therefore, a
critical need to have an enforceable BYOD policy in place.
Others
Our systems are vulnerable to damage or interruption
from earthquakes, terrorist attacks, floods, fires, power
loss, telecommunications failures, computer viruses,
computer denial of service attacks, or other attempts to
harm our systems.
Thank You
Lou Milrad
IT Lawyer
Milrad Law Office
lou@milrad.ca
647.982.7890
www.milradlaw.ca
Misa cloud computing workshop   lhm final
