CONTRACTING IN THE CLOUD

Tammy Bortz
Director, Werksmans Attorneys

OVERVIEW

• Regulatory developments
• Key Legal Issues (not exhaustive)
    - The Contract
    - Due Diligence
    - Data Privacy and Cross Border Data Transfer
    - Security
    - Redundancy/outages/service levels
    - Liability
    - Termination




Regulatory Developments

• South Africa: currently no legislation, guidelines, codes of conduct in place specifically to regulate cloud services and cloud service providers – hindrance to use of cloud services.
• Internationally: major call for cloud computing to be legislated so as to protect providers and customers.
• Numerous organizations have proposed guidelines, codes of practice and regulations around cloud computing.




International Developments

• Cloud Industry Forum (www.cloudindustryforum.org) – industry body. Members must comply with the Code of Practice (Code officially launched 1 Nov 2010). Code requires vendors to provide transparency about their capabilities and accountability for services provided to enable end users to make informed choices.
• European Network and Information Security Agency: Issue paper “Cloud Computing: benefits, risks and recommendations for information security” (www.enisa.europa.eu/)
• Microsoft: Cloud Computing Advancement Act
• Cloud Security Alliance: non-profit organization promotes the use of best practice for providing security assurance within Cloud Computing.



KEY LEGAL ISSUES (NOT EXHAUSTIVE)

Contract and Due Diligence

• May not always be possible to negotiate a contract with the cloud provider, especially with a public cloud. Mostly will have to accept the provider's standard terms and conditions, privacy and security policies.
• Thus, need to understand your legal risks in using cloud services and how to mitigate them.
• First step is a thorough assessment of the various cloud providers, including a careful review of their terms and conditions, their security and data privacy policies, service levels, disaster recovery policies and termination policies.




Privacy

• Major concern, especially where the customer is using the cloud service for business critical/customer facing services and transfers sensitive and personal data to the cloud.
• Traditional outsourcing - vendor can be required to segregate servers and impose its security requirements on the service provider, but not so with cloud computing – accept what the vendor offers.
• Some jurisdictions have legislation which imposes obligations on data processors regarding protection of personal information, the most well known being the UK Data Protection Act.
• Cloud providers in the UK would have to comply with this, and this gives some degree of comfort that personal data held in a cloud situate in the UK will be kept private.
• Other jurisdictions, most notably (until very recently) the USA, do not have such legislation and hence the cloud customer cannot be guaranteed legislative protection. Would have to look carefully at the provider's terms and conditions.




Protection of Personal Information Bill (“PPI”)

• Status: Not yet in force, date for promulgation has yet to be announced.
• Object: to protect a third party’s personal information in instances where such personal information is in the hands of a third party. Imposes obligations on such third party as to how such data must be treated when in its possession or under its control.
• Impact on cloud computing: any South African company that wishes to transfer personal data to an offshore cloud provider will need to ensure either that such provider agrees to be bound by relevant provisions of the PPI or, alternatively, if that is not possible, must carefully read the privacy terms and conditions to establish if same meet RSA PPI requirements.




Security

• Customer must audit security policies and processes - need to understand logical and physical security policies, both for data in motion and whilst in transmission.
• Policy: comprehensive physical security and logical (application) security (such as password, encryption, roles and permissions etc.) applied by the provider - must be such that it will adequately maintain the security and integrity of data held in the cloud.
• Ask: has the cloud provider experienced any security breaches? If yes, full details of such breaches to be provided, i.e. circumstances of the breach and how many/what records were compromised.




PPI and Security

Security Safeguards

• S.18: Security Measures to be Taken by Responsible Parties on Integrity of PI (“Responsible party” - public or private body which, alone or in conjunction with others, determines the purpose of and means for processing personal information - usually cloud customer).
• S.19: Information Processed by Operator or Person Acting Under Authority (“Operator” - person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that person - usually cloud provider).
• S.20: Security Measures Regarding Information Processed by Operator

Cross Border Data Transfer

• Two components –
    - Can personal data be transferred outside South Africa?
    - Can personal data be returned to South Africa?
• Transfer out
    - Common law: may require consent of data owner
    - PPI: places restrictions on cross border data transfer (Section 74 of the PPI)
• Transfer in
    - Will need to consider laws of the particular jurisdiction in which the data is held
    - Proposed New EU Regulations (EU Data Protection Directive): Regulations apply to any data subject in the EU irrespective of where the data controller or its equipment is situate – i.e., even if a data controller in South Africa processes PI of a data subject who is located in the EU, the proposed new regulations will apply
    - USA Consumer Data Privacy framework




Back up / redundancy / outages

• Unavailability of the cloud will affect the customer's business continuity and have an adverse impact on the customer's business, especially where customer facing services are in the cloud.
• How to mitigate: engage multiple service providers? This could become unwieldy and introduces problems of interoperability between providers.
• Review the provider's backup and redundancy policy and request notice of changes to BCP policy, with right to terminate if not happy with the policy.
• Service levels: may be little room to negotiate - response and recovery time?




Liability

• What liabilities, if any, are assumed by the cloud provider?
• Consider back to back exclusion with your customers/users
• Clark Street Wine and Spirits v. Emporos Systems Corporation: cloud computing/loss of data case –
    - Court awarded damages for liability for gross negligence and recklessness
    - Court: in view of the great damage to customers and business that breaches of computer systems may cause, cloud provider should take special precautions to protect these systems

Termination/Migration

• How easy will it be to change providers?
• Issues to consider –
    - Does the provider have an exit strategy and does it offer any termination assistance?
    - Can the cloud provider easily and quickly locate, isolate and extract data on termination?
    - How is data returned/recovered? There are currently no standard data formats or procedures for data portability, thus this should be agreed or, alternatively, understood upfront.




THANK YOU

Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses.

© 2011 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.

Contenu connexe

Tendances

Perspec sys knowledge_series__solving_privacy_residency_and_security
Perspec sys knowledge_series__solving_privacy_residency_and_securityPerspec sys knowledge_series__solving_privacy_residency_and_security
Perspec sys knowledge_series__solving_privacy_residency_and_security
Accenture
 
Sector Focus; Information Technology; Issue 1 February 2010
Sector Focus; Information Technology; Issue 1   February 2010Sector Focus; Information Technology; Issue 1   February 2010
Sector Focus; Information Technology; Issue 1 February 2010
kapil_arora
 
Anti-circumvention and ISP liability provisions in Free Trade Agreements.
Anti-circumvention and ISP liability provisions in Free Trade Agreements.Anti-circumvention and ISP liability provisions in Free Trade Agreements.
Anti-circumvention and ISP liability provisions in Free Trade Agreements.
blogzilla
 
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
Jon Polenberg
 
Ict Compliance @ Gartner (August 2005)
Ict Compliance @ Gartner (August 2005)Ict Compliance @ Gartner (August 2005)
Ict Compliance @ Gartner (August 2005)
Lance Michalson
 

Tendances (20)

Perspec sys knowledge_series__solving_privacy_residency_and_security
Perspec sys knowledge_series__solving_privacy_residency_and_securityPerspec sys knowledge_series__solving_privacy_residency_and_security
Perspec sys knowledge_series__solving_privacy_residency_and_security
 
Cloud Computing & IT in the Boardroom
Cloud Computing & IT in the BoardroomCloud Computing & IT in the Boardroom
Cloud Computing & IT in the Boardroom
 
BYOD: Advice for Employers and Employees
BYOD: Advice for Employers and EmployeesBYOD: Advice for Employers and Employees
BYOD: Advice for Employers and Employees
 
Cloud Computing Legal for Pennsylvania Bar Association
Cloud Computing Legal for Pennsylvania Bar AssociationCloud Computing Legal for Pennsylvania Bar Association
Cloud Computing Legal for Pennsylvania Bar Association
 
Sector Focus; Information Technology; Issue 1 February 2010
Sector Focus; Information Technology; Issue 1   February 2010Sector Focus; Information Technology; Issue 1   February 2010
Sector Focus; Information Technology; Issue 1 February 2010
 
Cloud
CloudCloud
Cloud
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And Key
 
Security And Legal In The Cloud Ats V2
Security And Legal In The Cloud Ats V2Security And Legal In The Cloud Ats V2
Security And Legal In The Cloud Ats V2
 
Anti-circumvention and ISP liability provisions in Free Trade Agreements.
Anti-circumvention and ISP liability provisions in Free Trade Agreements.Anti-circumvention and ISP liability provisions in Free Trade Agreements.
Anti-circumvention and ISP liability provisions in Free Trade Agreements.
 
On ramp hipaa-omnibus-presentation
On ramp hipaa-omnibus-presentationOn ramp hipaa-omnibus-presentation
On ramp hipaa-omnibus-presentation
 
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
 
Cyber
Cyber Cyber
Cyber
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data Privacy
 
The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30
The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30
The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30
 
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy LawKMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
 
"Everything as a Service" Contracts - Presentation
"Everything as a Service" Contracts  - Presentation "Everything as a Service" Contracts  - Presentation
"Everything as a Service" Contracts - Presentation
 
Morningstar Law Group CLE 2016 © Morningstar Law Group
Morningstar Law Group CLE 2016 © Morningstar Law Group Morningstar Law Group CLE 2016 © Morningstar Law Group
Morningstar Law Group CLE 2016 © Morningstar Law Group
 
Tape vaulting audit and encryption usage analysis
Tape vaulting audit and encryption usage analysisTape vaulting audit and encryption usage analysis
Tape vaulting audit and encryption usage analysis
 
Ict Compliance @ Gartner (August 2005)
Ict Compliance @ Gartner (August 2005)Ict Compliance @ Gartner (August 2005)
Ict Compliance @ Gartner (August 2005)
 

Similaire à Contracting in the Cloud by Tammy Bortz

Carla Pinheiro Presentation / CloudViews.Org - Cloud Computing Conference 2009
Carla Pinheiro Presentation / CloudViews.Org - Cloud Computing Conference 2009 Carla Pinheiro Presentation / CloudViews.Org - Cloud Computing Conference 2009
Carla Pinheiro Presentation / CloudViews.Org - Cloud Computing Conference 2009
EuroCloud
 
Misa cloud computing workshop lhm final
Misa cloud computing workshop   lhm finalMisa cloud computing workshop   lhm final
Misa cloud computing workshop lhm final
Lou Milrad
 
Legal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud ServicesLegal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud Services
Lou Milrad
 
A cloud provisioning contract is the fundamental agr.docx
A cloud provisioning contract is the fundamental agr.docxA cloud provisioning contract is the fundamental agr.docx
A cloud provisioning contract is the fundamental agr.docx
sleeperharwell
 
Procurement Of Software And Information Technology Services
Procurement Of Software And Information Technology ServicesProcurement Of Software And Information Technology Services
Procurement Of Software And Information Technology Services
Peister
 
2015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 050520152015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 05052015
Jan Dhont
 

Similaire à Contracting in the Cloud by Tammy Bortz (20)

Legal issues in cloud computing
Legal issues in cloud computingLegal issues in cloud computing
Legal issues in cloud computing
 
Legal issues in cloud computing
Legal issues in cloud computingLegal issues in cloud computing
Legal issues in cloud computing
 
Cloud computing contracts
Cloud computing contractsCloud computing contracts
Cloud computing contracts
 
Carla Pinheiro Presentation / CloudViews.Org - Cloud Computing Conference 2009
Carla Pinheiro Presentation / CloudViews.Org - Cloud Computing Conference 2009 Carla Pinheiro Presentation / CloudViews.Org - Cloud Computing Conference 2009
Carla Pinheiro Presentation / CloudViews.Org - Cloud Computing Conference 2009
 
Misa cloud computing workshop lhm final
Misa cloud computing workshop   lhm finalMisa cloud computing workshop   lhm final
Misa cloud computing workshop lhm final
 
Legal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud ServicesLegal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud Services
 
Securing data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsSecuring data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law Firms
 
SLALOM Project Legal Webinar Introduction 20151019 Legal Aspects
SLALOM Project Legal Webinar Introduction 20151019 Legal AspectsSLALOM Project Legal Webinar Introduction 20151019 Legal Aspects
SLALOM Project Legal Webinar Introduction 20151019 Legal Aspects
 
The Cloud Computing Contract Playbook: Contracting for Cloud Services
The Cloud Computing Contract Playbook: Contracting for Cloud ServicesThe Cloud Computing Contract Playbook: Contracting for Cloud Services
The Cloud Computing Contract Playbook: Contracting for Cloud Services
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreements
 
Cybersecurity and Data Privacy Update
Cybersecurity and Data Privacy UpdateCybersecurity and Data Privacy Update
Cybersecurity and Data Privacy Update
 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkSecurity and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
 
A cloud provisioning contract is the fundamental agr.docx
A cloud provisioning contract is the fundamental agr.docxA cloud provisioning contract is the fundamental agr.docx
A cloud provisioning contract is the fundamental agr.docx
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 
Procurement Of Software And Information Technology Services
Procurement Of Software And Information Technology ServicesProcurement Of Software And Information Technology Services
Procurement Of Software And Information Technology Services
 
Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014
 
2015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 050520152015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 05052015
 
Data Privacy And Security Issues In Cloud Computing.pdf
Data Privacy And Security Issues In Cloud Computing.pdfData Privacy And Security Issues In Cloud Computing.pdf
Data Privacy And Security Issues In Cloud Computing.pdf
 
Safe Cloud Principles for the FSI Industry 2014, endorsed by the Asia Cloud C...
Safe Cloud Principles for the FSI Industry 2014, endorsed by the Asia Cloud C...Safe Cloud Principles for the FSI Industry 2014, endorsed by the Asia Cloud C...
Safe Cloud Principles for the FSI Industry 2014, endorsed by the Asia Cloud C...
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 

Plus de itnewsafrica

Plus de itnewsafrica (20)

Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Kenneth Palliam- Cybersecurity Maturity: The Role of the GITO Considering New...
Kenneth Palliam- Cybersecurity Maturity: The Role of the GITO Considering New...Kenneth Palliam- Cybersecurity Maturity: The Role of the GITO Considering New...
Kenneth Palliam- Cybersecurity Maturity: The Role of the GITO Considering New...
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Ansgar Pabst- Disruptive Innovation through Corporate Collaboration with Star...
Ansgar Pabst- Disruptive Innovation through Corporate Collaboration with Star...Ansgar Pabst- Disruptive Innovation through Corporate Collaboration with Star...
Ansgar Pabst- Disruptive Innovation through Corporate Collaboration with Star...
 
Koen den Hollander- The Future is Omni
Koen den Hollander- The Future is OmniKoen den Hollander- The Future is Omni
Koen den Hollander- The Future is Omni
 
Wongama Millie- South African Social Media Insights 2023
Wongama Millie- South African Social Media Insights 2023Wongama Millie- South African Social Media Insights 2023
Wongama Millie- South African Social Media Insights 2023
 
Emphasising Personalization and Customer Journey Mapping in Digital Retail
Emphasising Personalization and  Customer Journey Mapping in Digital  RetailEmphasising Personalization and  Customer Journey Mapping in Digital  Retail
Emphasising Personalization and Customer Journey Mapping in Digital Retail
 
Munyaradzi Nyikavaranda- Assessing the intersect between UX, AI, Big Data: Cr...
Munyaradzi Nyikavaranda- Assessing the intersect between UX, AI, Big Data: Cr...Munyaradzi Nyikavaranda- Assessing the intersect between UX, AI, Big Data: Cr...
Munyaradzi Nyikavaranda- Assessing the intersect between UX, AI, Big Data: Cr...
 
Data Analytics & Customer Insights as enablers of businesses to employ predic...
Data Analytics & Customer Insights as enablers of businesses to employ predic...Data Analytics & Customer Insights as enablers of businesses to employ predic...
Data Analytics & Customer Insights as enablers of businesses to employ predic...
 
Mark Cockerell- A New Era of Retail Data Integration Mark Cockerell Retail ...
Mark Cockerell- A New Era of  Retail Data  Integration Mark Cockerell Retail ...Mark Cockerell- A New Era of  Retail Data  Integration Mark Cockerell Retail ...
Mark Cockerell- A New Era of Retail Data Integration Mark Cockerell Retail ...
 
Pravir Ishvarlal- Artificial Intelligence in Healthcare
Pravir Ishvarlal- Artificial Intelligence in HealthcarePravir Ishvarlal- Artificial Intelligence in Healthcare
Pravir Ishvarlal- Artificial Intelligence in Healthcare
 
Braden van Breda- The Role of AI, Robotics in African Healthcare
Braden van Breda- The Role of AI, Robotics in African HealthcareBraden van Breda- The Role of AI, Robotics in African Healthcare
Braden van Breda- The Role of AI, Robotics in African Healthcare
 
Rodney Taylor- AVA Disrupts Primary Healthcare with the Latest Asynchronous I...
Rodney Taylor- AVA Disrupts Primary Healthcare with the Latest Asynchronous I...Rodney Taylor- AVA Disrupts Primary Healthcare with the Latest Asynchronous I...
Rodney Taylor- AVA Disrupts Primary Healthcare with the Latest Asynchronous I...
 
Anish Gupta- Smart Care Coordination Platform
Anish Gupta- Smart Care Coordination PlatformAnish Gupta- Smart Care Coordination Platform
Anish Gupta- Smart Care Coordination Platform
 
Andrew Roberts- How Technology can Transform Healthcare for the Better
Andrew Roberts- How Technology can Transform Healthcare for the BetterAndrew Roberts- How Technology can Transform Healthcare for the Better
Andrew Roberts- How Technology can Transform Healthcare for the Better
 
Andrew Roberts - Mobile Health Apps for Improved Patient Engagement and Educa...
Andrew Roberts - Mobile Health Apps for Improved Patient Engagement and Educa...Andrew Roberts - Mobile Health Apps for Improved Patient Engagement and Educa...
Andrew Roberts - Mobile Health Apps for Improved Patient Engagement and Educa...
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Contracting in the Cloud by Tammy Bortz

  • 1. CONTRACTING IN THE CLOUD Tammy Bortz Director, Werksmans Attorneys
  • 2. OVERVIEW
      • Regulatory developments
      • Key Legal Issues (not exhaustive): The Contract; Due Diligence; Data Privacy and Cross Border Data Transfer; Security; Redundancy/outages/service levels; Liability; Termination
  • 3. Regulatory Developments
      • South Africa: currently no legislation, guidelines, codes of conduct in place specifically to regulate cloud services and cloud service providers – hindrance to use of cloud services.
      • Internationally: major call for cloud computing to be legislated so as to protect providers and customers.
      • Numerous organizations have proposed guidelines, codes of practice and regulations around cloud computing.
  • 4. International Developments
      • Cloud Industry Forum (www.cloudindustryforum.org) – industry body. Members must comply with the Code of Practice (Code officially launched 1 Nov 2010). Code requires vendors to provide transparency about their capabilities and accountability for services provided to enable end users to make informed choices.
      • European Network and Information Security Agency: Issue paper “Cloud Computing: benefits, risks and recommendations for information security” (www.enisa.europa.eu/)
      • Microsoft: Cloud Computing Advancement Act
      • Cloud Security Alliance: non-profit organization promotes the use of best practice for providing security assurance within Cloud Computing.
  • 5. KEY LEGAL ISSUES (NOT EXHAUSTIVE)
  • 6. Contract and Due Diligence
      • May not always be possible to negotiate a contract with the cloud provider, especially with a public cloud. Mostly will have to accept the provider's standard terms and conditions, privacy and security policies.
      • Thus, need to understand your legal risks in using cloud services and how to mitigate them.
      • First step is a thorough assessment of the various cloud providers, including a careful review of their terms and conditions, their security and data privacy policies, service levels, disaster recovery policies and termination policies.
  • 7. Privacy
      • Major concern, especially where customer is using the cloud service for business critical/customer facing services and transfers sensitive and personal data to the cloud.
      • Traditional outsourcing: vendor can be required to segregate servers, and customer can impose its security requirements on the service provider, but not so with cloud computing – accept what the vendor offers.
      • Some jurisdictions have legislation which imposes obligations on data processors regarding protection of personal information, the most well known being the UK Data Protection Act.
      • Cloud providers in the UK would have to comply with this, and this gives some degree of comfort that personal data held in a cloud situate in the UK will be kept private.
      • Other jurisdictions, most notably (until very recently) the USA, do not have such legislation and hence the cloud customer cannot be guaranteed legislative protection. Would have to look carefully at the provider's terms and conditions.
  • 8. Protection of Personal Information Bill (“PPI”)
      • Status: Not yet in force, date for promulgation has yet to be announced.
      • Object: to protect a third party’s personal information in instances where such personal information is in the hands of a third party. Imposes obligations on such third party as to how such data must be treated when in its possession or under its control.
      • Impact on cloud computing: any South African company that wishes to transfer personal data to an offshore cloud provider will need to ensure that such provider agrees to be bound by the relevant provisions of the PPI or, alternatively, if that is not possible, must carefully read the privacy terms and conditions to establish whether they meet RSA PPI requirements.
  • 9. Security
      • Customer must audit security policies and processes: need to understand logical and physical security policies, both for data in motion and whilst in transmission.
      • Policy: comprehensive physical security and logical (application) security (such as passwords, encryption, roles and permissions etc.) applied by the provider must be such that it will adequately maintain the security and integrity of data held in the cloud.
      • Ask: has the cloud provider experienced any security breaches? If yes, full details of such breaches to be provided, i.e. circumstances of the breach and how many/what records were compromised.
  • 10. PPI and Security: Security Safeguards
      • S.18: Security Measures to be Taken by Responsible Parties on Integrity of PI (“Responsible party” - public or private body which, alone or in conjunction with others, determines the purpose of and means for processing personal information - usually cloud customer).
      • S.19: Information Processed by Operator or Person Acting Under Authority (“Operator” - person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that person - usually cloud provider).
      • S.20: Security Measures Regarding Information Processed by Operator
  • 11. Cross Border Data Transfer
      • Two components –
          • Can personal data be transferred outside South Africa?
          • Can personal data be returned to South Africa?
      • Transfer out
          • Common law: may require consent of data owner
          • PPI: places restrictions on cross border data transfer (Section 74 of the PPI)
      • Transfer in
          • Will need to consider laws of particular jurisdiction in which the data is held
          • Proposed New EU Regulations (EU Data Protection Directive): Regulations apply to any data subject in the EU irrespective of where the data controller or its equipment is situate, i.e. even if a data controller in South Africa processes PI of a data subject who is located in the EU, the proposed new regulations will apply
          • USA Consumer Data Privacy framework
  • 12. Back up/redundancy/outages
      • Unavailability of the cloud will affect the customer's business continuity and have an adverse impact on the customer's business, especially where customer facing services are in the cloud.
      • How to mitigate: engage multiple service providers? This could become unwieldy and introduces problems of interoperability between providers.
      • Review the provider's backup and redundancy policy and request notice of changes to the BCP policy, with the right to terminate if not happy with the policy.
      • Service levels: may be little room to negotiate - response and recovery time?
  • 13. Liability
      • What, if any, are assumed by the cloud provider?
      • Consider back to back exclusion with your customers/users
      • Clark Street Wine and Spirits v. Emporos Systems Corporation: cloud computing/loss of data case –
          • court awarded damages for liability for gross negligence and recklessness
          • Court: in view of the great damage to customers and business that breaches of computer system may cause, cloud provider should take special precautions to protect these systems
  • 14. Termination/Migration
      • How easy will it be to change providers?
      • Issues to consider –
          • Does the provider have an exit strategy and does it offer any termination assistance?
          • Can the cloud provider easily and quickly locate, isolate and extract data on termination?
          • How is data returned/recovered? There are currently no standard data formats or procedures for data portability, thus this should be agreed or, alternatively, understood upfront.
  • 15. THANK YOU Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses. © 2011 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.