Contracting in the Cloud by Tammy Bortz
1. CONTRACTING IN THE CLOUD
Tammy Bortz
Director, Werksmans Attorneys
2. OVERVIEW
Regulatory developments
Key Legal Issues (not exhaustive)
The Contract
Due Diligence
Data Privacy and Cross Border Data Transfer
Security
Redundancy/outages/service levels
Liability
Termination
3. Regulatory Developments
South Africa: currently no legislation, guidelines or codes of conduct are in
place specifically to regulate cloud services and cloud service providers; this is a
hindrance to the use of cloud services.
Internationally: major call for cloud computing to be legislated so as to
protect providers and customers.
Numerous organizations have proposed guidelines, codes of practice and
regulations around cloud computing.
4. International Developments
Cloud Industry Forum (www.cloudindustryforum.org):
industry body. Members must comply with the Code of
Practice (Code officially launched 1 Nov 2010). The Code requires
vendors to provide transparency about their capabilities and
accountability for the services provided, to enable end users to
make informed choices.
European Network and Information Security Agency:
issue paper “Cloud Computing: benefits, risks and
recommendations for information security” (www.enisa.europa.eu/)
Microsoft: Cloud Computing Advancement Act
Cloud Security Alliance: non-profit organization that promotes
the use of best practice for providing security assurance
within cloud computing.
6. Contract and Due Diligence
It may not always be possible to negotiate a contract with the
cloud provider, especially with a public cloud. Mostly the customer will have
to accept the provider's standard terms and conditions, privacy
and security policies.
Thus, the customer needs to understand its legal risks in using cloud
services and how to mitigate them.
The first step is a thorough assessment of the various cloud
providers, including a careful review of their terms and
conditions, their security and data privacy policies, service
levels, disaster recovery policies and termination policies.
7. Privacy
Major concern, especially where the customer is using the cloud service for business
critical/customer facing services and transfers sensitive and personal data to the
cloud.
Traditional outsourcing: the customer can require the vendor to segregate servers and can impose
its own security requirements on the service provider; not so with cloud computing, where the customer must
accept what the vendor offers.
Some jurisdictions have legislation which imposes obligations on data processors
regarding protection of personal information, the most well known being the UK
Data Protection Act.
Cloud providers in the UK would have to comply with this, and this gives some
degree of comfort that personal data held in a cloud situated in the UK will be kept
private.
Other jurisdictions, most notably (until very recently) the USA, do not have such
legislation and hence the cloud customer cannot be guaranteed legislative protection.
The customer would have to look carefully at the provider's terms and conditions.
8. Protection of Personal Information Bill (“PPI”)
Status: not yet in force; the date for promulgation has yet to be
announced.
Object: to protect a third party's personal information in instances
where such personal information is in the hands of another party.
Imposes obligations on that party as to how such data must be
treated when in its possession or under its control.
Impact on cloud computing: any South African company that wishes
to transfer personal data to an offshore cloud provider will need to
ensure either that such provider agrees to be bound by the relevant
provisions of the PPI or, if that is not possible, must carefully read the
privacy terms and conditions to establish whether they meet the RSA PPI
requirements.
9. Security
The customer must audit security policies and processes: it needs to
understand the logical and physical security policies, both for data in
motion and whilst in transmission.
Policy: the comprehensive physical security and logical (application)
security (such as passwords, encryption, roles and permissions, etc.)
applied by the provider must be such that it will adequately
maintain the security and integrity of data held in the cloud.
Ask: has the cloud provider experienced any security breaches? If
yes, full details of such breaches are to be provided, i.e. the circumstances
of the breach and how many/what records were compromised.
10. PPI and Security
Security Safeguards
S.18: Security Measures to be Taken by Responsible Parties on
Integrity of PI (“Responsible party”: a public or private body
which, alone or in conjunction with others, determines the
purpose of and means for processing personal information;
usually the cloud customer).
S.19: Information Processed by Operator or Person Acting
Under Authority (“Operator”: a person who processes personal
information for a responsible party in terms of a contract or
mandate, without coming under the direct authority of that
party; usually the cloud provider).
S.20: Security Measures Regarding Information Processed by
Operator
11. Cross Border Data Transfer
Two components:
Can personal data be transferred outside South Africa?
Can personal data be returned to South Africa?
Transfer out
Common law: may require the consent of the data owner
PPI: places restrictions on cross border data transfer (Section 74 of the PPI)
Transfer in
Will need to consider the laws of the particular jurisdiction in which the data is held
Proposed New EU Regulations (EU Data Protection Directive): the Regulations
apply to any data subject in the EU irrespective of where the data controller
or its equipment is situated; i.e., even if a data controller in South Africa
processes PI of a data subject who is located in the EU, the proposed new
regulations will apply
USA Consumer Data Privacy framework
12. Backup/redundancy/outages
Unavailability of the cloud will affect the customer's business continuity and
have an adverse impact on the customer's business, especially where customer
facing services are in the cloud.
How to mitigate: engage multiple service providers? This could
become unwieldy and introduces problems of interoperability between
providers.
Review the provider's backup and redundancy policy and request
notice of changes to the BCP policy, with a right to terminate if not happy
with the policy.
Service levels: there may be little room to negotiate; what are the response and
recovery times?
13. Liability
What liabilities, if any, are assumed by the cloud provider?
Consider a back to back exclusion with your customers/users.
Clark Street Wine and Spirits v. Emporos Systems Corporation: cloud
computing/loss of data case;
the court awarded damages for liability for gross negligence and recklessness.
Court: in view of the great damage to customers and business that
breaches of a computer system may cause, a cloud provider should take
special precautions to protect these systems.
14. Termination/Migration
How easy will it be to change providers?
Issues to consider:
Does the provider have an exit strategy and does it offer any
termination assistance?
Can the cloud provider easily and quickly locate, isolate and
extract data on termination?
How is data returned/recovered? There are currently no standard
data formats or procedures for data portability, so this should
be agreed, or at least understood, upfront.