Cloud Computing: Overcoming the Legal and Regulatory Challenges. November

Transcription

1 Cloud Computing: Overcoming the Legal and Regulatory Challenges November 2011

2 2 Cloud Computing: Overcoming the Legal and Regulatory Challenges November 2011 Cloud Computing Overcoming the Legal and Regulatory Challenges Security A need to keep your data secure, particularly where it includes number one concern by those considering implementation service provision is increasingly geographically diverse heightens the concern. Legislation and guidance which relates when using a third party to store or process your data. Examples include: in the UK HIPAA, U.S. Export Administration Regulations, Gramm- Leach-Bliley, and trade secrets laws in the U.S. as amended in May 2011 Prudential Standards which regulate outsourcing activities which relate to material business activities, business Australian banks Some legislation or standards may have an impact on a company s ability to engage with cloud service providers. customer and the cloud service provider s data centres. Is cloud security worse? Security risks associated with potential data security weaknesses are potentially heightened in a cloud computing As with any outsourcing arrangement, where a third party is hosting your data you may not know about, or be in as strong a position to contain, a data leak. Additionally, issues with...or better? However, as best practices evolve, many now believe that Allen & Overy LLP 2012

3 3 issues, cloud service providers are increasingly agreeing to Some products, such as Ciphercloud, now claim to provide security and compliance solutions. Cloud services may provide increased security through: and back-up capabilities superior to those a customer might regular back-ups. where the data will be located and associated physical and whether your existing support and maintenance capacity is how you can you get your data back how long is it Check what the contract says they can be negotiated is also a key point to understand eg what compensation and remedies are available in the event guarantees as to the technical and organisational security sub-processors are involved. As we will see, cloud service have the contractual protection can also be problematic. Put governance structures in place Robust governance procedures should also be agreed to control and oversee the policies, procedures, and standards appropriate service levels and obligations. Conduct audits with relevant standards may complement your due diligence. As with traditional outsourcing arrangements, you could As an ongoing measure, a general contractual right to concerns over other customers data security due to the would a shared delivery centre providing outsourced your security needs, or alternatively to decide that no cloud data is particularly sensitive.

4 Cloud Computing: Overcoming the Legal and Regulatory Challenges November 2011 Data Protection and Cross-Border Data Transfers outside the EEA except in limited circumstances, such as to Similar restrictions exist, or are soon to be introduced, in a while having no over-arching data protection law, does have third-party service providers, data exporters have relied either data will be processed. Some cloud service providers are trying to address the Harbor scheme. while continuing to protect personal data. Allen & Overy LLP 2012

5 Control and categorisation cloud model may cause particular tensions with regard to service provider. processed, they will act as data controllers rather than responsibilities may help to avoid disputes as to liability and under data protection laws) on the basis that they are services to the customer and solely in accordance with its instructions cloud service provider. For example, under the controllerprocessor model clauses, a service provider acting as data importer must comply with onerous provisions in order to enter into sub-contracts on the same terms as the model How do I mitigate these risks? be appropriately placed in the cloud. Sensitive personal data not suitable unless the security and contractual protections protection laws. Customers should also consider putting in place technical measures that are appropriate to the sending it to the cloud service provider and obtaining regular physical back-ups. Intellectual Property Rights In negotiating contracts with service providers, customers inherent IP concepts underlying the cloud service. Cloud Issues that may arise include: Customer s content: being asked to give an IP indemnity A customer needs to ensure it has all the rights it needs to upload, store, process, organise, and use its content third parties) on a hosted basis. A cloud service provider states laws as to whether an intermediary service provider

6 Cloud Computing: Overcoming the Legal and Regulatory Challenges November 2011 customer s data, the cloud service provider may create new intellectual property, such as copyright and database rights. set out who owns it. A customer should consider whether it customers should not view cloud services as an all or computing resources), or even certain business critical Interoperability and Portability should consider the ease with which they can switch to a service arrangements. Customers should use their leverage prior to signing a deal to out plan should contain timing commitments within which One thing to remember is that however robust the transition- circumstances where the customer does not have a direct contractual relationship with the service provider. Applicable Law and Jurisdiction However, while many global customers will be used to dealing with the risks associated with working across located at any one time. Allen & Overy LLP 2012

7 data held by U.S. providers and U.S. nationals in and outside your obligations to comply. For entities operating in highly public procurement tenders because they cannot guarantee government s data. data protection legislation, you may need to choose which you must comply with the U.S. government s demands and which includes obligations to limit the manner in which data is disclosed by the cloud provider and to agree such disclosure. authority, or practical ability to obtain the documents A customer in the U.S. should check that its cloud provider should also be clear about deletion policies, and when these must be suspended. Finally, it may be worth negotiating the cloud, companies should check that they can continue to comply with routine discovery obligations. EU laws and harmonisation many areas at a European level, this legislation is not always implemented in the same way by member states. when the controller is established in the EU member state, but also that European legislation applies even though the processing

8 8 Cloud Computing: Overcoming the Legal and Regulatory Challenges November 2011 Other Contractual Issues Cloud computing is still a relatively immature technology and service providers are generally reluctant to negotiate their standard terms and conditions, even when dealing with large heavily negotiated outsourcing contract, where you are being provided dedicated services, is not realistic determine whether to pass through vendor driven exclusions comply with applicable laws and regulations which may mean increases and enterprise customers enter the cloud market. As we have seen, cloud providers are starting to appreciate the tension and in a more competitive market have more recently concerns such as security and data protection. Customers their operational and governance concerns. Recent research Queen Mary University in London last year conducted an continuing to monitor the terms analysed to see whether the position is changing. Gartner has recently produced a report which outlines its changeable URL link in many cloud contracts. negotiating cloud contracts Service levels should be clear and deal with availability and service uptime guarantees that meet your business needs Seek a to protect against vendor alternatives in the market Liability clauses Liability provisions should be consistent with market Restrict price increases employment legislation where in the UK and the Employment Act in Singapore) Allen & Overy LLP 2012

9 termination rights and seek a to avoid vendor lock-in Avoid exclusive clauses where they are not network operator can you cancel your cloud service whilst retaining your underlying network service? Conclusion Cloud computing is not new. However, due to the global For organisations considering a move into the cloud, restraints which may prevent a move to the cloud?

10 10 Cloud Computing: Overcoming the Legal and Regulatory Challenges November 2011 Your Allen & Overy contacts HERALD JONGEN FILIP VAN ELSEN Partner Corporate Netherlands Amsterdam JIM FORD Partner Corporate, Intellectual Property Belgium Antwerp PAUL KELLER Partner Corporate London Partner Litigation USA New York WILL MCAULIFFE AHMED BALADI Partner Corporate Hong Kong Partner Corporate France Paris Allen & Overy LLP 2012

11 11 TOM DE CORDIER CHARLOTTE MULLARKEY Counsel Corporate, Intellectual Property Belgium Brussels CATHERINE MANLEY Senior PSL Corporate London CONNELL O NEILL Associate Corporate, Intellectual Property NIGEL PARKER Senior Lawyer Corporate Australia Sydney JAMES BARABAS Senior Associate Corporate London Associate Litigation USA New York

12 FOR MORE INFORMATION, PLEASE CONTACT: London Allen & Overy LLP London United Kingdom GLOBAL PRESENCE Allen & Overy is an international legal practice with approximately 4,750 staff, including some 480 partners, working in 39 offices worldwide. Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi Amsterdam Antwerp Athens (representative office) Bangkok Beijing Belfast Bratislava Brussels Bucharest (associated office) Budapest Casablanca Doha Dubai Düsseldorf Frankfurt Hamburg Hong Kong Jakarta (associated office) London Luxembourg Madrid Mannheim Milan Moscow Munich New York Paris Perth Prague Riyadh (associated office) Rome São Paulo Shanghai Singapore Sydney Tokyo Warsaw Washington, D.C. Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP s affiliated undertakings. Allen & Overy LLP 2012 I CS1111_CDD-730_