Tech Summit 2013 Recap - Innovation in Cloud
At McCarthy Tétrault’s 3rd Annual Technology Law Summit, moderator Barry Sookman and panelists John LeBlanc of Scotiabank and David Crane of McCarthy Tétrault led a discussion on procuring and contracting for cloud-based services. Top takeaway tips from the session include:
Cloud is Everywhere: Be cognisant that software and services that use the cloud may be in use in your organization without your legal team’s knowledge – including employee teams using collaboration or information tools (like dropbox or box.net) for small projects or one-off uses that haven’t gone through a typical procurement process (or legal review). Another example is the use of ancillary product features, like a backup function, or an intelligent personal assistant on a smart phone or tablet (which may send queries or tasks to the service provider’s server for processing, and in some cases storage).
Third Party Assurance Reports: Customers can obtain some comfort with respect to a service provider’s internal controls by getting a third party assurance report. In a separate blog post, David Crane explains what to ask for when requesting a Canadian Standard on Assurance Engagement report (“CSAE report”). Also consider asking for more specialized reports (like Payment Card Industry Data Security Standard (PCI DSS) certification) for services to which they are applicable. However, obtaining a third party assurance report would not necessarily replace the role of an audit right.
You should also keep in mind that many standards are not “cloud” specific and so, in some cases, supplemental control testing may be appropriate. A number of industry associations and standards bodies are working on cloud specific standards and guidelines (from both a security and an interoperability perspective), but for now no clear industry-wide standard has emerged.
Finally, remember to make it clear, where appropriate, that internal control audit (and other audit) obligations extend to applicable subcontractors of the cloud service provider.
Location of Data: The technical architecture, along with the business model, of many cloud services can make it difficult to precisely limit, or know, the location of your data. For some customers, and some data, this is acceptable and worthwhile in order to take advantage of other benefits. For others, it presents a risk that needs to be mitigated. For others still, it may be a barrier that prevents them from being able to use the service.
For example, financial institutions engaging in a material outsourcing subject to the OSFI Guidelines B-10 may need a solution that allows them to know the location of their data.
Where a service provider will be handling personal information, customers need to make sure that requirements under PIPEDA, and its provincial equivalents, are met. One recommendation to ensure compliance, or to mitigate the risk of falling afoul of privacy legislation, is to put in place contractually with your service provider a level of security protection generally equivalent to the level of protection the information would receive if it had not been transferred. Appropriate consents will also need to be obtained from the individuals whose personal information is being handled. Further prohibitions exist in certain provinces (such as British Columbia) on public sector actors where personal information may be handled outside of Canada.
Continuity During the Term: In many cases, where a cloud service is provided as a shared service, it may be unrealistic for a single customer to receive custom business continuity or disaster recovery planning in respect of the service. However, customers should still require the service provider to have appropriate plans in place, to provide a summary of the plans (at an appropriate level of detail), and, in many cases, to commit to testing these plans. It is not enough for the provider to tell you these plans are in place; these obligations should actually be reflected in the contract.
Continuity After the Term: Some standard cloud service contracts only provide a short window after termination or expiration of the contract for you to obtain a copy of your data (and in some cases no right is expressly provided at all!). It is important to address these deficiencies in the contract so that you always have an acceptable level of access to your data. You should also consider addressing the format in which the data will be returned/made available and, where appropriate, the provision of transition services.
[For more cloud computing takeaways, see this blog written about the cloud computing panel from the 2012 Tech Summit.]