Tech Law Summit Recap – Navigating the Cloud: Tips & Tricks
Cloud computing is fast emerging as an efficient, low-cost alternative to more traditional information technology (IT) solutions. It enables a business to outsource its IT requirements to a specialist service provider that can deliver the required services more efficiently and cost-effectively, leaving the business free to focus on its core competencies. However, cloud computing also comes with legal and business risks that need to be managed. The most frequently cited issues with this model concern security, confidentiality and performance, as well as data location, access and retention.
At McCarthy Tétrault’s Toronto Technology Law Summit, partners George Takach, Matthew Peters, John Boscariol, and salesforce.com’s Shanti Ariker discussed customers’ concerns with cloud computing and provided some tips on how to successfully navigate the cloud:
- Understand the offerings – Cloud computing runs the gamut from "public" models (i.e., infrastructure shared with the general public) to "private" models (i.e., dedicated infrastructure). There are also hybrid models, such as partially shared clouds. The risks of the cloud are more or less a function of the degree to which the infrastructure is abstracted and shared. There are also different service models to consider:
- infrastructure as a service (IaaS) – virtual servers that are available on demand
- platform as a service (PaaS) – development platforms that allow third parties to build and run their own applications
- software as a service (SaaS) – web-based replacements for desktop applications (like salesforce.com)
- Assess your situation – What services are you looking to buy? Where are you in the service model stack? What’s the size of your buy? The answers to these questions will impact your ability to negotiate terms and conditions with cloud providers. If you are considering a standard offering in a multi-tenant environment, you may not be able to negotiate terms. In that case, you need to determine whether you can live with what you get.
- Dip your toe – To get comfortable with the cloud model, try a proof of concept with non-core functions. Mission-critical applications or applications involving highly sensitive data are probably not the best place to start.
- Know your regulatory requirements – What statutes and regulations do you need to comply with? This will depend in part on where you operate your business and what type of data you collect. If personal information about your customers will be hosted or processed in a country other than Canada, Canadian privacy law imposes notification and other obligations that must be met before their data is moved to a foreign country. And in BC, public bodies are generally prohibited from storing personal information, or allowing it to be accessed, outside Canada, which rules out US-hosted services. (To read a more detailed analysis of cloud computing and privacy issues, see our related post on this topic.) For financial institutions, there are additional requirements prescribed by OSFI.
- Drill down on location – While the cloud is premised on taking geography out of the equation, geography is still an important issue for export controls and economic sanctions. You can trigger violations if your data passes through, or is accessed in, certain countries. Your cloud provider may not be able to tell you which data centre your data will reside in, but it may be able to tell you in which countries or regions your data will - or will not - be located. Further, if your data or software is controlled, permits will be required for any transfers from Canada. Careful screening of the locations and entities involved is required, as failure to comply with export controls and economic sanctions can result in significant financial and reputational costs.
- Check for compliance – Check which certifications the provider holds (e.g., ISO 27001) and whether it has been audited by third-party assessors (e.g., a SAS 70 report). Bear in mind that an audit report describes the controls the provider chose to have tested, which is not the same as a certification that those controls meet your security needs; read the scope of what was actually tested. Also, understand how the cloud provider measures compliance with its own security obligations and whether that approach will meet your requirements.
- Think short-term – George noted that there is expected to be a huge investment in cloud R&D over the next 12-24 months and Matthew predicted that terms will likely become more standardized over time. In the circumstances, now may not be the time to lock into a long-term contract.
- Watch for carve-outs – Cloud providers will take on obligations under the agreement to perform at certain service levels (such as uptime), but those obligations are much less meaningful if numerous caveats and exclusions are attached to them. Likewise, it is important to review the intellectual property indemnification provisions to ensure they are appropriate.
- Plan your exit – Review the termination, transition and business continuity provisions in the service agreement before you sign, and create a plan for the termination of the cloud service (as George said: "contemplate the divorce before the marriage"). Among the items that customers need to consider are:
- How long will information uploaded into the cloud stay in the cloud after the agreement terminates? Is that enough time for you to successfully transition your data to another provider?
- What are the termination charges and data ownership provisions and are they appropriate?
- In what format will your data be returned to you, and will that format work for your organization?