Cloud Brokerage. paper prepared for the ITechLaw European Conference Louis Jonker


Cloud Brokerage

paper prepared for the ITechLaw European Conference 2013

Louis Jonker

Copyright 2013 All Rights Reserved

BIOGRAPHICAL INFORMATION

Louis Jonker
Van Doorne
PO Box
AG Amsterdam
The Netherlands
Phone: +31 (0)
Fax: +31 (0)

Primary Areas of Practice: IT Commercial Contracting, IT Sourcing & Cloud, IT Disputes, E-commerce & Data Protection

Education:
Post Degree Specialist Program in Computer Law (cum laude) at Grotius Academy
Education Program with the Dutch Bar Association
Dutch Law at the University of Amsterdam

Recognition:
Legal 500 EMEA 2013 edition
International Who's Who of Information Technology Lawyers 2013
International Who's Who of Internet, e-commerce and Data Protection Lawyers 2012

Membership in Associations, Committees, etc.:
ITechLaw
Dutch Association for IT Lawyers (VIRA)
Dutch Association for IT and Law (NVvIR)
Platform Outsourcing Netherlands (PON)

Additional activities:
Lecturer in 'Contracts & ICT' at TILT, Tilburg University
City Councillor in Lelystad, the Netherlands

INTRODUCTION

Cloud computing is here to stay and has proven to be more than a novelty, a hype, a buzz-word. Does this also apply to the new breed of providers in the cloud industry: the cloud brokerage services provider?

Among the many precedents for the approach of a brokerage services provider in other industries are the travel industry's aggregation sites, such as Expedia. By using those sites, customers ensure that they receive the best value from a wide selection of offerings (advised on by the intermediary Expedia), while providers benefit from a broader audience for their services pre-approved by the same intermediary Expedia. In this business model Expedia, as brokerage services provider, receives a small fee for its brokerage service from the providers. An equivalent business model where the fee is paid by the customers is of course also possible.

This paper will focus on what cloud brokerage is, to which challenges of cloud computing the model tries to find a solution, which roles a cloud brokerage services provider may adopt and whether there are any downsides to the cloud brokerage concept.

I do not pretend to provide a comprehensive overview of all issues associated with the cloud brokerage concept. This paper only gives an overview of some key issues at stake as a starting point for further legal discussion on the pros and cons of cloud brokerage.

I. A BUZZ WORDS-INDUSTRY

Louis Jonker
Amsterdam, 23 September 2013

In 1903, the president of the Michigan Savings Bank advised Henry Ford's lawyer, Horace Rackham, not to invest in the Ford Motor Company by stating: "The horse is here to stay but the automobile is only a novelty - a fad." Well, how he proved himself wrong. Nevertheless, more than 100 years later a lot of people still have the same reluctant approach towards new society-changing developments, especially in the technology industry. The only exception may be the second success cycle of vinyl records as a response to music subscription services like Spotify.

This reluctant approach is strengthened by the many buzz words in the technology industry we are confronted with each year. As Larry Ellison, co-founder and chief executive of Oracle Corporation, once correctly concluded: "The computer industry is the only industry that is more fashion-driven than women's fashion."

One of the buzz words in the last decade is of course cloud computing. Although nowadays we have quite a clear idea what cloud computing entails compared to more 'classic' IT business models, and although it is safe to say that cloud computing is here to stay, cloud computing marketing language sometimes still sounds like complete gibberish.

As cloud computing evolves, new buzz words within the cloud services industry arise, such as "cloud brokerage". Already back in 2009 Gartner predicted the rise of cloud brokerages to provide the ability to govern the use, performance and delivery of cloud services. 1 With all respect to Gartner's reputation in predicting new trends, the question remains whether cloud brokerage is merely a novelty - a fad?

II. WHAT IS CLOUD BROKERAGE?

As with cloud computing itself, the use of the word "cloud brokerage" in multiple contexts addressing different types of situations does not help to get a clear understanding of what cloud brokerage is.

A simple explanation of a broker is that a broker acts as an intermediary in the negotiation and/or subsequent contractual relationship between a customer of a certain service and one or more providers of said service. In general the broker enhances the base service delivery and therewith, hopefully, service value. Enhancement may include managing easier access to the provider's service, mitigating cloud risks by providing greater trustworthiness of the provider's service, or even creating a completely new (integrated) service.

When thinking about a broker, most likely an actual individual or company comes to mind, such as an insurance broker, real estate broker or stock broker. However, in the modern world of today a broker may also be a software application, a platform or a suite of technologies.

1 Gartner Says Cloud Consumers Need Brokerages to Unlock the Potential of Cloud Services, Press Release, Gartner, 9 July

Brokerage stands for the act of using and taking advantage of the various brokers available for specific services. In most cases, the brokerage services provider will act as broker and will use its own broker technology. The brokerage services provider receives a (small) fee for its brokerage service either from the providers or from the customers. Among the many precedents for the approach of a brokerage services provider in other industries are the travel industry's aggregation sites, such as Expedia.

In the context of the cloud, cloud brokerage is an IT role and business model in which a cloud brokerage services provider adds value to one or more (public or private) cloud services for the benefit of one or more customers of that service. This way cloud customers ensure that they receive the best value from a wide selection of offerings (advised on by the cloud brokerage services provider), while cloud providers benefit from a broader audience for their cloud services pre-approved by the same brokerage services provider. In this paper I will focus on the role of this cloud brokerage service provider.

III. WHY CLOUD BROKERAGE?

(1) Traditional cloud challenges

It is interesting to see the maturity process cloud computing has been going through over the last couple of years. As cloud computing evolves and the number of incidents related to the traditional challenges of cloud computing (e.g. security, business continuity) is increasing, this does not seem to prevent companies and organizations from entering into or staying in the cloud.

Take, for example, the security challenge. Traditionally, every company or organization is of course reluctant to hand over control to or share control with a third-party service provider concerning the security of its IT systems and data. However, PwC's Global State of Information Security Survey shows that although the number of security incidents in the last year has increased by 25% (not surprisingly taking into account the many news reports on this topic that hit us almost every week), with the financial costs of incidents also rising (e.g. average losses are up to 18% over last year), almost half of the 9,600+ survey respondents still use cloud services while not including cloud in their security policies. The reason may be that a prior survey of PwC 3 found that 54% of all respondents that had implemented cloud services said the cloud technology had actually improved the organization's security.

The same may apply to the challenge of ensuring business continuity and preventing the associated risk of service downtime (which may result from a security incident mentioned above). If there is one certainty in the technology industry, including the cloud industry, it is that uptime will never be 100%. An incident of downtime will occur someday. This is true for third-party services like cloud services, but this is also true for an organization's own IT infrastructure. In the news we mainly hear about the big outages on the services providers' side. This is also more newsworthy as the effect on society is bigger (business continuity of multiple organizations is at stake due to downtime at one services provider). In the event of an outage of an organization's own IT infrastructure, in principle only said organization is affected. Nevertheless, from the organization's point of view, the effect on business continuity is quite the same. The question is then who will be better equipped to get the service up and running again as soon as possible. If you would do a survey on business continuity and cloud services, I would not be surprised if a substantial part of the respondents that had implemented cloud services would say that the cloud technology had actually decreased the organization's business continuity risk.

2 3 PwC's Global State of Information Security Survey

All things considered, it seems that traditional cloud challenges like security and business continuity are not a decisive factor for cloud adoption. One may therefore also doubt whether the rise of cloud brokerage is directly related to these traditional cloud challenges.

Notwithstanding the above, the security risk and the risk of service downtime remain. Consequently, organizations still have to do a lot themselves to mitigate these risks. As for the risk of service downtime, PwC's Global State of Information Security Survey shows a troubling survey result in this respect: especially organizations in Europe and North America lag in the leading practice of adopting and implementing a backup and recovery/business continuity policy (only 45% and 47% of the respondents in Europe and North America respectively have such a policy), while it is clear that such a policy is essential to safeguard business continuity, whether the organization has contracted cloud services or not.

It goes without saying that cloud brokerage services may of course be helpful in choosing the best fit in cloud services taking into account the organization's security and business continuity demands, which may (partly) explain the rise of cloud brokerage (see below).

(2) New cloud challenges

Besides the traditional challenges of cloud computing (see above), new challenges have arisen as cloud computing evolved, which challenges are outside of the control of even the most efficient IT governance models. These new challenges are primarily due to the success of cloud computing combined with the direct cloud purchasing model.

For example, as each cloud provider has its own approach to KPIs, usage-tracking and pricing and billing, it is hard to ensure the best commercial deal on purchasing volume. Also the management of multiple reporting systems, financial statements and operating models that result from the use of multiple cloud providers is presenting cloud customers with a throbbing headache, notwithstanding that the combination of multiple cloud services is proving to be too complex and untrustworthy for cloud customers to handle in terms of their integration. The general lack of standardization and subsequent risk of vendor lock-in does not help either. 4

Furthermore, cloud consumers keep finding it challenging to find the right match in the pool of available cloud providers. The traditional leaders in the IT industry are not necessarily the best cloud providers. And who has the courage to boldly choose an unknown cloud provider? Proven performance is key to earn the cloud customer's trust.

The same goes for compliance concerns. How do you ascertain that your cloud provider has your best interest in mind in meeting legal and other regulatory obligations, for example, that personal data is not transferred to a so-called third country outside of the European Economic Area (EEA) which does not ensure an adequate level of protection within the meaning of Directive 95/46/EC? The managerial challenge associated with this compliance risk only increases (probably exponentially) in case of multiple cloud service providers.

These challenges demand thorough pre-contract screening and due diligence, sound contract management, (joint) customer-oriented KPIs and comparable pricing and reporting models. And exactly these challenges justify the rise of cloud brokerage. Cloud brokerage service providers may assist cloud customers in identifying the right cloud services and providers, in ensuring similar KPIs, usage-tracking and reporting tools across the menu of executed cloud services, and in coordinating the pricing and billing for those cloud services in line with the customer's demands.

These possibilities for providing added value are probably the reason for Gartner to predict, as follow-up to its 2009 prediction (the rise of cloud brokerage), that by 2015 cloud brokerage service providers will handle at least 20% of all cloud services, up from less than 5% today. 5

IV. ROLES OF CLOUD BROKERAGE

Depending on the needs of the cloud customer, cloud brokerage services may be provided via three primary roles:

(1) Intermediation

An intermediation brokerage services provider provides added value support on top of one or more existing cloud services to enhance some specific capability of said cloud services, without actually providing any of the cloud services itself. Intermediation services may include identity and access management, service level management and reporting, security management and incident reporting, or supervision on pricing and billing. Intermediation services providers often also provide pre-contract consultancy services such as guidance of the cloud customer through the cloud selection process.

Depending on the circumstances at hand, a contractual relationship between the cloud services provider and the intermediation services provider may qualify as an agency or distributorship. From a cloud customer perspective, the intermediation services may qualify as simple consultancy services up to a 'managed services'/outtasking type of relationship (with representation rights).

(2) Aggregation and customization

An aggregation brokerage services provider goes a step further and provides the intermediation services while bundling and customizing multiple cloud services into one or more customer-tailored cloud services under its own label (but "powered by..."). Aggregation services may include data integration, safeguarding process integrity, modeling data across all components of the cloud services and ensuring data portability between the cloud customer and the various cloud services providers. Aggregation services come with a single user interface for monitoring joint KPIs, single billing and single contract management.

By bundling and customizing multiple cloud services into one or more cloud services, which are contracted directly to the cloud customer, the aggregation services provider basically becomes a cloud services provider itself. The underlying cloud services providers become nothing less than providers of a sort of cloud tools and are - from a legal point of view - merely the subcontractors of the aggregation services provider being the head cloud contractor.

(3) Brokerage enabling

Some cloud brokerage services providers are not directly involved in cloud customer contact, but rather enable other brokerage services providers to provide their brokerage services. Examples of these cloud brokerage enablers are providers of cloud aggregation platforms or other (software) technology that enable aggregation providers to combine various cloud services into one or more aggregated cloud services to the cloud customer.

Brokerage enabling services are basically the other side of the coin compared to the aggregation/customization services mentioned above. The cloud brokerage enabler is merely the subcontractor to the head cloud provider, being the aggregation services provider. The cloud brokerage enabler does not have a contractual relationship with the cloud customer.

V. DOWNSIDES

The concept of cloud brokerage does not only have advantages. There are also some downsides.

(1) Risk of undisclosed preferences

First, like any concept that involves an intermediary, the cloud brokerage concept replaces a full and open competitive selection and negotiation process with the cloud services providers. How do you ascertain that the cloud brokerage services provider is truly independent from the cloud services providers?

The commercial risk of the brokerage services provider having undisclosed preferences is of course only relevant if and when the cloud customer has engaged the brokerage services provider for pre-contract consultancy services (pre-contract selection of the best fit for customer's demands). Nevertheless, with current severe budgetary constraints, the focus should rather be on more commercial transparency, while cloud brokerage may result in less transparency.

(2) Business continuity risk due to longer chain of services

Another potential downside, again not different from 'old school' concepts involving an intermediary, is that the cloud brokerage concept may involve the role of an integrator. Obviously, as already elaborately set out above, the role of an integrator has great advantages in the current maze of multiple cloud services providers (each with its own approach to KPIs, usage-tracking and pricing and billing).

On the other hand, an integrator also adds a link to the chain. This additional service management layer may, for example, make it more difficult, time-consuming and costly to troubleshoot technical issues, which constitutes a business continuity risk. As for remedial action (e.g. damages), the brokerage services provider may also provide fewer possibilities of redress (including less insurance coverage).

It is furthermore common practice in the IT industry that IT providers regularly provide free advice to their customers. The cloud industry is not different. Introducing a middleman in the service chain, however, devalues such free advice.

Finally, exercising audit rights (for example, to verify the quality of the operational processes leading to the customer service or to verify regulatory compliance) may become more complex. Whom and where do you audit in the event of bundled cloud services? See also the necessity of full transparency to ensure privacy compliance (see below).

(3) Risk of privacy non-compliance

A further downside to adding a link to the services chain is the increased risk of privacy non-compliance. Despite the acknowledged benefits of cloud computing in both economic and societal terms, the Article 29 Data Protection Working Party has outlined how the wide scale deployment of cloud services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient (transparent) information with regard to how, where and by whom the data is being processed/sub-processed. 6

In the context of the cloud aggregation/customization brokerage model, where the brokerage services provider is the main contractor (and thus in principle the data processor) and the cloud services providers are its sub-contractors (and thus in principle its sub-processors), the brokerage services provider is obliged to inform the cloud customer on the subcontracting, detailing the type of service subcontracted, the characteristics of current or potential sub-contractors and guarantees that these sub-contractors offer to the brokerage services provider to comply with Directive 95/46/EC. The same goes for sub-sub-contractors.

Further to the view of the Article 29 Data Protection Working Party on sub-contracting in cloud relationships 7, the brokerage services provider can subcontract its activities only on the basis of the consent of the cloud customer (the data controller), which will be generally given at the beginning of the service, with a clear duty for the brokerage services provider to name all the subcontractors commissioned and to inform the cloud customer of any intended changes concerning the addition or replacement of subcontractors, and with the cloud customer retaining at all times the possibility to object to such changes or to terminate the cloud services.

6 Article 29 Data Protection Working Party, Opinion 05/2012 on Cloud Computing, WP 196, adopted on 1 July
7 Article 29 Data Protection Working Party, Opinion 05/2012 on Cloud Computing, WP 196, adopted on 1 July

In addition, a contract should be signed between the brokerage services provider and any subcontractor reflecting the stipulations of the contract between the brokerage services provider and the cloud customer. The cloud customer should furthermore be able to avail of contractual recourse possibilities in case of breaches of contracts caused by the sub-contractors (either by third-party beneficiary rights towards sub-contractors or by full liability of the brokerage services provider for non-performance of its subcontractors). And again, the same goes for sub-subcontractors.

The complexity concerning privacy compliance in case of cloud brokerage increases when you consider that the lawfulness of data processing depends on the adherence to one of the basic principles of EU data protection law: transparency. The cloud customer should always be made aware of all sub-contractors and sub-sub-contractors contributing to the provision of the respective cloud services (see above), as well as of the locations of all data centers personal data may be processed at. Otherwise, the cloud customer will, for example, not be able to assess whether personal data may be transferred to a so-called third country outside of the European Economic Area (EEA) which does not ensure an adequate level of protection within the meaning of Directive 95/46/EC. Transparency also sees to the implementation of adequate technical and organizational security measures to protect personal data at every level in the cloud services chain. Such transparency may prove to be quite a challenge in the context of the cloud aggregation/customization brokerage model.

VI. GOVERNMENT INITIATIVES

Without prejudice to the possible downside of cloud brokerage, some interesting government initiatives concerning cloud brokerage can already be mentioned in North America and Europe that are focused on providing the best value to the government and taxpayers by saving the government time and money and allowing it to gain access to critical technologies faster than ever before.

(1) General Services Administration (GSA)

In the US, the General Services Administration (GSA) office assists with procurement work for other government agencies. As part of this effort, it maintains the large GSA Schedules (a sort of collection of pre-negotiated contracts), which other agencies can use to buy goods and services.

GSA has a long history of acting as the US government's brokerage services provider of complex, pay-per-use services for other government agencies. These include cloud services from a wide array of GSA pre-approved cloud providers that participate in a government-approved marketplace. So basically the GSA is the US government's own cloud brokerage services provider that primarily focuses on the intermediation role (see chapter IV above).

Although offering a proven concept of brokerage itself, the GSA - in collaboration with NASA and the departments of Homeland Security, Health and Human Services, Labor, Justice, and Defense - published a request for information in July 2012 to gain input from industry on how GSA could better deploy a cloud services brokerage model to maximize the government's adoption and efficient use of cloud computing services. GSA's current research is looking into each cloud brokerage role (see chapter IV above) and determining which, if any, are appropriate for GSA's role in acquisition support for cloud procurement and services for the government.

According to Mary Davie, assistant commissioner of the Office of Integrated Technology Services in the GSA's Federal Acquisition Service, GSA will not be outsourcing its own intermediary role. 8 So it seems GSA is merely interested in learning how to strengthen its current intermediation role, and maybe, by obtaining technology from cloud brokerage enablers, to also adopt an aggregation role where possible.

(2) Cloud-for-Europe (C4E)

As always, Europe was a little bit behind on US developments when on 4 July 2013, the lift-off of the Cloud-for-Europe (C4E) initiative was formally announced. The C4E project runs until November The initiative is driven by organizations from 11 European countries and it aims at direct involvement of the IT and telecom industry in order to jointly shape a European cloud computing market to the benefit of European customers, providers and the citizen at large. 9

8 Mary Davie, GSA and the cloud broker model, FCW.com, 12 July

C4E supports public sector cloud use as collaboration between public authorities and the industry. C4E uses pre-commercial procurement (an approach for procuring R&D services) to identify innovative solutions for cloud services that best fit public sector needs, but also to provide better information to public procurers about the potential of cloud services.

So basically C4E is aiming to become Europe's GSA as cloud brokerage intermediary between government cloud customers and private cloud services providers (see chapter IV above on the cloud brokerage intermediation role).

VII. CONCLUSION

In this paper I have addressed the concept of cloud brokerage and tried to break it down to understandable proportions that are comparable to 'old-fashioned' IT services and business models.

As trust is one of the key elements that can make or break cloud services, it is safe to say that the concept of cloud brokerage, like any concept involving a trusted intermediary in the chain of services provision, adds to the trustworthiness of cloud computing. Consequently, we may assume that cloud brokerage is here to stay and is not a novelty, a fad (although it may currently be a hype, a buzz word).

Notwithstanding the benefits of cloud brokerage, a sound sourcing/cloud strategy still requires some thorough due diligence work by the cloud customer to be able to truly enjoy the benefits of cloud services and cloud brokerage. These do not only relate to the common cloud challenges such as security and business continuity, but also the increased risk of privacy non-compliance when engaging a cloud brokerage services provider.

A thorough due diligence on the cloud brokerage services provider is also advisable, especially on its business connections, if any, with cloud services providers, which connections may be qualified as undisclosed preferences and may prevent the cloud customer from obtaining the best value of service.

As for European government agencies, let us hope that the Cloud-for-Europe initiative one day delivers similar cloud brokerage benefits as its US counterpart, the GSA, seems to be offering.

* * * * *


More information

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012 Presentation by: Dr. Nathalie Moreno Partner Cloud Computing and Data Protection: an Update 4 October 2012 Our team Speechly Bircham is an ambitious, international mid-size fullservice law firm head-quartered

More information

Application of Data Protection Concepts to Cloud Computing

Application of Data Protection Concepts to Cloud Computing Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

More information

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

(a) the kind of data and the harm that could result if any of those things should occur;

(a) the kind of data and the harm that could result if any of those things should occur; Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data

More information

PICSE survey. (PICSE: Procurement Innovation for Cloud services in Europe)

PICSE survey. (PICSE: Procurement Innovation for Cloud services in Europe) PICSE survey (PICSE: Procurement Innovation for Cloud services in Europe) To ensure that Europe reaps the benefits of the shift to cloud computing, there is the need to focus on new ways of procuring cloud

More information

A LEGAL GUIDE TO CLOUD COMPUTING

A LEGAL GUIDE TO CLOUD COMPUTING A LEGAL GUIDE TO CLOUD COMPUTING INTRODUCTION Many companies are considering implementation of cloud computing services to decrease IT costs while providing the flexibility to scale usage on demand. The

More information

Enclosure. Dear Vendor,

Enclosure. Dear Vendor, Dear Vendor, As you may be aware, the Omnibus Rule was finalized on January 25, 2013 and took effect on March 26, 2013. Under the Health Insurance Portability & Accountability Act (HIPAA) and the Omnibus

More information

GUIDANCE NOTE ON OUTSOURCING

GUIDANCE NOTE ON OUTSOURCING GN 14 GUIDANCE NOTE ON OUTSOURCING Office of the Commissioner of Insurance Contents Page I. Introduction.. 1 II. Application...... 1 III. Interpretation.... 2 IV. Legal and Regulatory Obligations... 3

More information

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Cloud Computing and Privacy Toolkit Protecting Privacy Online May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Table of Contents ABOUT THIS TOOLKIT... 4 What is this Toolkit?... 4 Purpose of this Toolkit...

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1 st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent

More information

Data Protection and Cloud Computing: an Overview of the Legal Issues

Data Protection and Cloud Computing: an Overview of the Legal Issues Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,

More information

Cloud Computing Contracts. October 11, 2012

Cloud Computing Contracts. October 11, 2012 Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best

More information

A Best Practice Guide

A Best Practice Guide A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

Software Licensing and Pricing Best Practices. Stewart Buchanan June 3, 2009 Gartner Webinar

Software Licensing and Pricing Best Practices. Stewart Buchanan June 3, 2009 Gartner Webinar Software Licensing and Pricing Best Practices Stewart Buchanan June 3, 2009 Gartner Webinar How to Participate Today Audio Announcement You have joined the audio muted using your computer s speaker system

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined

More information

Mobile App Developer Agreements

Mobile App Developer Agreements Mobile App Developer Agreements By Alan L. Friel Many companies that have had disputes with developers have been surprised to discover that the agreements signed, often without input from legal, failed

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Cloud Computing. Hot topics in relation to security, liability and privacy. Steven De Schrijver

Cloud Computing. Hot topics in relation to security, liability and privacy. Steven De Schrijver Cloud Computing Hot topics in relation to security, liability and privacy Steven De Schrijver Cloud Computing : who and what is involved? Data Cloud Service Provider (e.g. SaaS, PaaS, IaaS) Sub-contractor

More information

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing.

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing. Privacy in the cloud computing, and the company concerned is required to submit a risk analysis to DNB. 3 Cloud computing entails the saving, processing and using of company data on the servers of a cloud

More information

Accountability: Data Governance for the Evolving Digital Marketplace 1

Accountability: Data Governance for the Evolving Digital Marketplace 1 Accountability: Data Governance for the Evolving Digital Marketplace 1 1 For the past three years, the Centre for Information Policy Leadership at Hunton & Williams LLP has served as secretariat for the

More information

Cloud Computing. The impact for IT departments and the IT professional. by Maurice van der Woude

Cloud Computing. The impact for IT departments and the IT professional. by Maurice van der Woude Cloud Computing The impact for IT departments and the IT professional by Maurice van der Woude Cloud Computing The impact for IT departments and the IT professional Preface 3 Organizational changes 4 Moving

More information

Continuity in the Cloud: new practical solutions required. An inventory from a Dutch perspective

Continuity in the Cloud: new practical solutions required. An inventory from a Dutch perspective Continuity in the Cloud: new practical solutions required An inventory from a Dutch perspective September 2013 Ernst-Jan Louwers, attorney-at-law at Louwers IP Technology Advocaten Copyright 2013 All Rights

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

The Business Case for Cloud: Critical Legal, Business & Diligence Considerations

The Business Case for Cloud: Critical Legal, Business & Diligence Considerations The Business Case for Cloud: Critical Legal, Business & Diligence Considerations Presented by Janine Anthony Bowen, Esq., CIPP/US jbowen@jack-law.com (678) 823-6611 Janine Anthony Bowen, Esq., CIPP/US

More information

BEUC s contribution on Cloud Computing for the Public Hearing in the ITRE Committee, European Parliament, 29 May 2013

BEUC s contribution on Cloud Computing for the Public Hearing in the ITRE Committee, European Parliament, 29 May 2013 BEUC s contribution on Cloud Computing for the Public Hearing in the ITRE Committee, European Parliament, 29 May 2013 Contact: Digital and Consumer Contracts Teams digital@beuc.eu - consumercontracts@beuc.eu

More information

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations Jeffrey D. Scott Jeffrey D. Scott, Legal Professional Corporation Practice Advisors

More information

EuroCloud Star Audit. A strong partnership that provides you with a competitive advantage

EuroCloud Star Audit. A strong partnership that provides you with a competitive advantage EuroCloud Star Audit A strong partnership that provides you with a competitive advantage Strong and advantageous? 5 topics to consider 99% of all organisations are SME, with little internal Know- how.

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

Cloud Computing. Introduction

Cloud Computing. Introduction Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between

More information

The Cloud-Enabled Enterprise Developing a Blueprint and Addressing Key Challenges

The Cloud-Enabled Enterprise Developing a Blueprint and Addressing Key Challenges WHITE PAPER The Cloud-Enabled Enterprise Developing a Blueprint and Addressing Key Challenges Cloud computing offers a significant opportunity for improved business outcomes through the delivery of innovative

More information

The Why & How of Managed Services

The Why & How of Managed Services SOLUTIONS Cut Costs While Improving Productivity The Why & How of Managed Services What are Managed Services? CIOs all face similar challenges: cost containment, reliability of systems and keeping pace

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

SourceIT User Notes. Specific Clauses. Licence and Support Contract Commercial off-the-shelf Software RELEASE VERSION 2.

SourceIT User Notes. Specific Clauses. Licence and Support Contract Commercial off-the-shelf Software RELEASE VERSION 2. SourceIT User Notes Specific Clauses Licence and Support Contract Commercial off-the-shelf Software RELEASE VERSION 2.3 DECEMBER 2012 AGIMO is part of the Department of Finance and Deregulation SourceIT

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

Third Party Supplier Security

Third Party Supplier Security Third Party Supplier Security Managing risk and compliance through external due diligence audits. Presented by: Stephen Higgins 6 th December 2012 To cover When third party supplier security goes wrong...

More information

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY Introduction The continuous globalization of the world economy influences the international transfer of personal data. The transfer of personal

More information

Indicative Requirements for Cloud Service Providers. connect communicate collaborate

Indicative Requirements for Cloud Service Providers. connect communicate collaborate Requirements Document Cloud Services connect communicate collaborate www.geant.net This document has been produced with the financial assistance of the European Union. The contents of this document are

More information

THE WHY & HOW OF MANAGED SERVICES

THE WHY & HOW OF MANAGED SERVICES SOLUTIONS CUT COSTS WHILE IMPROVING PRODUCTIVITY THE WHY & HOW OF MANAGED SERVICES WHAT ARE MANAGED SERVICES? CIOs all face similar challenges: cost containment, reliability of systems and keeping pace

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Offshoring and Privacy Aspects A case study under Dutch law from the perspective of an IT provider

Offshoring and Privacy Aspects A case study under Dutch law from the perspective of an IT provider Elisabeth P.M. Thole A case study under Dutch law from the perspective of an IT provider In February 2006 Widmer and Nair described the data protection issues in the context of outsourcing from the Swiss

More information

Mapping of outsourcing requirements

Mapping of outsourcing requirements Mapping of outsourcing requirements Following comments received during the first round of consultation, CEBS and the Committee of European Securities Regulators (CESR) have worked closely together to ensure

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Managing Cloud Services in the Enterprise The Value of Cloud Services Brokers

Managing Cloud Services in the Enterprise The Value of Cloud Services Brokers Whitepaper: Managing Cloud Services in the Enterprise The Value of Cloud Services Brokers Whitepaper: Managing Cloud Services in the Enterprise 2 The cloud has revolutionized the way businesses operate

More information

Government Use of Cloud Computing Legal Challenges

Government Use of Cloud Computing Legal Challenges Government Use of Cloud Computing Legal Challenges Liesbeth Hellemans Liesbeth.hellemans@law.kuleuven.be ICRI/CIR KU Leuven IAPP Europe Data Protection Congress Agenda 1. Cloud for Europe project 2. Legal

More information

APES GN 30 Outsourced Services

APES GN 30 Outsourced Services APES GN 30 Outsourced Services Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: March 2013 Copyright 2013 Accounting Professional & Ethical Standards Board Limited

More information

ITIL in the Cloud. Vernon Lloyd. www.foxit.net www.askthefox.info

ITIL in the Cloud. Vernon Lloyd. www.foxit.net www.askthefox.info ITIL in the Cloud Vernon Lloyd ITIL is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office www.foxit.net

More information

Insights into Cloud Computing

Insights into Cloud Computing This article was originally published in the November 2010 issue of the Intellectual Property & Technology Law Journal. ARTICLE Insights into Cloud Computing The basic point of cloud computing is to avoid

More information

By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels.

By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels. Getting a Clean Bill of Health for Privacy in Your Mobile App By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels. I. Introduction to the legal regime and risks As the marketplace floods

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

Accountable Privacy Management in BC s Public Sector

Accountable Privacy Management in BC s Public Sector Accountable Privacy Management in BC s Public Sector Contents Accountable Privacy Management In BC s Public Sector 2 INTRODUCTION 3 What is accountability? 4 Steps to setting up the program 4 A. PRIVACY

More information

WHITE PAPER. How to choose and implement your cloud strategy

WHITE PAPER. How to choose and implement your cloud strategy WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.

More information

Preparing for the Inevitable Data Breach: What to Do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised

Preparing for the Inevitable Data Breach: What to Do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised ACE USA Podcast Released February 3, 2010 Preparing for the Inevitable Data Breach: What to Do Before Sensitive Customer and Employee Data is Breached, Stolen or Compromised Moderator: Richard Tallo Senior

More information

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Vendor Risk Management in the New Regulatory Environment. kpmg.com Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES First Edition July 2005 Hong Kong Contents Glossary...2 Introduction to Standards...4 Interpretation Section...6

More information

White Paper. Improved Delivery and Management of Critical Information: Solicitors Regulation Authority Compliance

White Paper. Improved Delivery and Management of Critical Information: Solicitors Regulation Authority Compliance White Paper Improved Delivery and Management of Critical Information: Solicitors Regulation Authority Compliance Author Document Number Revision Issue Date Copyright : : : : : Ben Martin WHP-1010 V2.2

More information

12 Considerations for Managing Foreign Supplier Risk

12 Considerations for Managing Foreign Supplier Risk 12 Considerations for Managing Foreign Supplier Risk November 2014 Lockton Companies A growing number of manufacturers over the past VINCE GAFFIGAN, CPA EVP, Director, Risk Consulting Risk Management Services

More information

The NREN cloud strategy should be aligned with the European and national policies, but also with the strategies of the member institutions.

The NREN cloud strategy should be aligned with the European and national policies, but also with the strategies of the member institutions. 4 External influences PESTLE Analysis A PESTLE analysis is a useful tool to support the investigation and decision process relating to cloud services. PESTLE in general covers Political, Economic, Social,

More information

The Keys to the Cloud: The Essentials of Cloud Contracting

The Keys to the Cloud: The Essentials of Cloud Contracting The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb

More information

Aegon's Internal Cloud Broker

Aegon's Internal Cloud Broker Aegon's Internal Cloud Broker Cloud FS Americas Metropolitan West, NYC July 21, 2015 John Linn Aegon at a glance Focus History Rating About Aegon Life insurance, pensions & asset management Dating back

More information

Information Technology

Information Technology Information Technology Information Technology Kennedy Van der Laan is known in The Netherlands and internationally as the leading information technology law practice in The Netherlands. Chambers Global

More information

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed

More information

STRATEGIC GOVERNANCE

STRATEGIC GOVERNANCE STRATEGIC GOVERNANCE Achieving Next-Generation Benefits with Sourcing Cynthia Hollandsworth Batty, Director, ISG and Carol Britton, Managing Director & Chief Procurement Officer, BNY Mellon www.isg-one.com

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Could your utility improve efficiency and performance with third-party services?

Could your utility improve efficiency and performance with third-party services? White Paper Outsourced Smart Grid Services: A Smart Approach for AMI and Beyond Could your utility improve efficiency and performance with third-party services? Jim Blake Director of Customer Operations

More information

Client Alert. Global Information Technology & Communications Privacy, Data Protection and Information Management

Client Alert. Global Information Technology & Communications Privacy, Data Protection and Information Management Global Information Technology & Communications Privacy, Data Protection and Information Management Client Alert Umbrellas for Clouds: Risk Mitigation Strategies for SaaS Transactions www.bakermckenzie.com

More information

To: Our Clients and Friends March 25, 2014

To: Our Clients and Friends March 25, 2014 Financial Services Group To: Our Clients and Friends March 25, 2014 A Significant Change Is Occurring Regarding Regulatory Oversight of Banks and Their Third Party Relationships. Both Banks and their Vendors

More information

Emptoris Contract Management Solution for Healthcare Providers

Emptoris Contract Management Solution for Healthcare Providers Emptoris Contract Management Solution for Healthcare Providers An Emptoris White Paper Emptoris, an IBM Company www.emptoris.com CMS-HP-4/12 Emptoris Contract Management Solution for Healthcare Providers

More information

BAC to the Basics: Business Associate Contracts Made Easy

BAC to the Basics: Business Associate Contracts Made Easy BAC to the Basics: Business Associate Contracts Made Easy Prepared by Jen C. Salyers BAC to the Basics: Business Associate Contracts Made Easy Table of Contents Page I. Approaches to Creating a Business

More information

Managing General Agents (MGAs) Guideline

Managing General Agents (MGAs) Guideline Managing General Agents (MGAs) Guideline JUNE 2013 DRAFT FOR COMMENT BC AUTHORIZED LIFE INSURERS www.fic.gov.bc.ca PURPOSE This draft guideline outlines best practices that the Financial Institutions Commission

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

Cloud Services and Business Process Outsourcing

Cloud Services and Business Process Outsourcing Cloud Services and Business Process Outsourcing What security concerns surround Cloud Services and Outsourcing? Prepared for the Western NY ISACA Conference April 28 2015 Presenter Kevin Wilkins, CISSP

More information

Financial Services Guidance Note Outsourcing

Financial Services Guidance Note Outsourcing Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14

More information