Cloud Computing Contracts
October 11, 2012
Lorene Novakowski, Karam Bayrakal
Covering Cloud Computing
- Cloud Computing Defined
- Models
- Manage Cloud Computing Risk: Mitigation Strategy
- Privacy
- Contracts
- Best Practices and Compliance Tips
Traditional Computing [diagram; labels: Internet, Firewall]
In The Cloud [diagram; labels: Firewall, Internet, Firewall]
Cloud Definition [NIST visual model of cloud computing; diagram]
Cloud Deployment Models
- Public cloud: traditional mainstream model; resources are provisioned to the general public on a self-service basis over the Internet, via web applications/web services, from an off-site 3rd-party provider who bills on a utility basis.
- Private cloud: infrastructure operated solely for a single organization/enterprise; managed internally or by a 3rd party, and hosted internally or by a 3rd party.
- Community cloud: infrastructure shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a 3rd party, and hosted internally or externally.
- Hybrid cloud: composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models; also defined as multiple cloud systems that are connected to facilitate program/data portability.
Delivery Models: SaaS, PaaS, IaaS
- Software as a Service (SaaS)
  - Provider: supplies software from a server in the cloud
  - User: limited right to configure = no need to install/implement hardware, and simplifies maintenance
- Platform as a Service (PaaS)
  - Provider: supplies a computing platform and/or solution stack as a service
  - User: selects/configures applications and hosting environments = facilitates deployment of applications without the cost/complexity of buying/managing the underlying hardware/software layers
- Infrastructure as a Service (IaaS)
  - Provider: supplies all the computer infrastructure, typically a platform virtualization environment, as a service, incl. storage and networking
  - User: configures applications, operating systems, storage, etc.
Risk Mitigation: General
- Do: institute internal policies and procedures, and ensure staff understand the cloud
- Do not: assume the service provider will take the risks, or accept "take it or leave it" cloud contracts
Due Diligence: Other Standards?
- WebTrust (Canadian Institute of Chartered Accountants (CICA)): certifies authentication standards, security, availability, processing integrity, confidentiality and privacy
- WebTrust is probably NOT sufficient in itself
Risk Mitigation: Due Diligence on Data / Deployment / Licenses
- Only cloud the right data
  - Use public cloud services only for suitable, less sensitive data (sanitized precedent documentation, etc.)
  - Only private cloud for financial data, legal work, etc.
  - Email? Confidentiality and privilege issues
- Adopt a hybrid model: mix private cloud and public cloud based on
  - Nature of data
  - Location preference
  - Risk versus cost analysis
- Existing software licenses: able to be moved to the cloud?
  - Does the license allow outsourcers?
  - Can the software be on multiple systems?
  - Are multiple copies/backup copies permitted?
  - Are there competitor restrictions?
Risk Mitigation: Due Diligence, Current and Ongoing
Pre-Contract: who provides the services
- Transparency of the service and data path
- Who is/are the contracting entities?
- Who is actually providing the service?
- Is customer information sold or exploited by the provider in some way?
- Are there auditable security standards and audit rights in the contract?
- What are the alternative services to the cloud service?
Risk Mitigation: Ongoing Due Diligence
- Keep current with changes in technology or in the provider that affect the initial assessment of whether a service is acceptable.
- Services and service providers may become more or less acceptable in light of technological and business changes.
Privacy Issues and Cloud Computing
- Privacy legislation: understanding whether privacy legislation applies, and if so, which legislation applies
- Key principle from privacy legislation: obligation to protect personal information
- Disclosure outside Canada
- Special consideration: prohibition in B.C. public sector privacy legislation
- Law Society Report and recommendations
Privacy Legislation
- Personal Information Protection and Electronic Documents Act (PIPEDA): governs the collection, use and disclosure of personal information in provinces other than B.C., Alberta and Quebec, for commercial purposes, and the collection, use and disclosure of personal information outside of provinces (outside of British Columbia or outside of Canada)
- B.C. Personal Information Protection Act (PIPA): applies to the collection, use and disclosure of personal information within British Columbia
- B.C. Freedom of Information and Protection of Privacy Act (FIPPA): applies to public sector bodies and their service providers; authorization to collect, use and disclose personal information for purposes related to the mandate of the public body, etc.
Privacy Legislation
- PIPEDA, FIPPA and PIPA (the "Privacy Legislation") only apply to personal information
- Privacy Legislation does not apply to contact information, nor to work product information
- Privacy Legislation does not apply to aggregate or anonymized information where it is not possible to ascertain the identity of the individual the information is about
- Personal information must be information about an identifiable individual. For example, a recent Alberta Court of Appeal case held that a vehicle license was not personal information because it was linked to a vehicle and not a person (Leon's Furniture Ltd. v Alberta (Information and Privacy Commissioner), 2011 ABCA 94 [leave to appeal to Supreme Court of Canada dismissed])
Privacy Legislation
- PIPEDA applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities
- The organization is responsible for personal information under its control or in its custody, including where the information is transferred to a third party for processing
- Under PIPA and FIPPA, the organization is responsible for personal information in its custody or under its control
Privacy Legislation
- Two early decisions under PIPA decided that the personal information held in files of Vancouver law firms was not under the custody or control of the law firms but was under the control of the client, in which case PIPA did not apply (Order P502; Order P503)
- Similar to PIPEDA, under PIPA, if an organization uses a third party for processing, the organization has primary obligations over that personal information and is expected to ensure that the third party complies with the privacy obligations of the organization through contractual protection
- FIPPA specifically defines "service provider" as a person retained under a contract to perform services for a public body. Specific provisions of FIPPA bind service providers as well as public bodies
Obligation to Protect Personal Information
- The obligation to protect or safeguard personal information in PIPA and FIPPA is an obligation to protect personal information in the custody or control of the public body or organization by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal
- Thus, for third party processors of personal information, public bodies or private sector organizations must ensure that the third party processor is meeting the same obligations to protect personal information
- The BC Commissioner has said that the security obligation standard is the same for public sector and private sector entities: the reasonableness of security measures and their implementation is measured by whether they are objectively diligent and prudent in all of the circumstances; "reasonable" does not mean perfect, however, what is reasonable may signify a high level of rigour
Obligation to Protect Personal Information
Due diligence requirements include the following:
- carrying out a data audit or creating a data map that instructs the organization as to where all personal information is held in the organization, including the type and sensitivity of the personal information
- conducting a physical audit of the premises
- conducting an IT audit of electronic information
- researching and considering the use of encryption
- developing policies and procedures:
  - physical security procedures, including locked cabinets, locked offices, clean desks, access control procedures, password protection for computers and PDAs
  - organizational procedures, including things such as background security checks, need-to-know access to physical and electronic records, document storage policies, document disposal policies, and retention schedules for all physical and electronic documents
Obligation to Protect Personal Information
- Entering into a privacy protection schedule with a third party to whom the organization transfers personal information for processing, including obligations to notify of unauthorized access or disclosure, and audit rights
- Further, FIPPA provides that the protection of personal information provision in FIPPA also applies to employees of a service provider
Obligation to Protect Personal Information
- The Alberta Commissioner has found, in respect of the Alberta PIPA, which is similar to BC's PIPA, that an organization had made reasonable security arrangements to protect personal information after it provided evidence of a written agreement between itself and the contractor respecting the collection, use and disclosure of personal information (SAS Institute Canada Inc., P2005-IR-008)
- Principle 4.7 of PIPEDA requires that personal information be protected by security safeguards appropriate to the sensitivity of the information, to protect against loss or theft as well as unauthorized access, disclosure, copying, use or modification
Obligation to Protect Personal Information
- PIPEDA, Principle 4.1.3, requires organizations to use contractual or other means when using third party service providers to ensure a comparable level of protection of personal information (PIPEDA Case Summaries No. 394, 365, 333 and 313)
- Organizations can meet their obligations under PIPEDA by having contracts in place that provide guarantees of confidentiality and security of personal information and allow for oversight, monitoring and auditing of the services being provided (PIPEDA Case No. 394, 262, 168 and 42)
Disclosure Outside Canada
- Disclosure outside Canada depends on the applicable legislation
- Under PIPEDA and PIPA there is no prohibition on disclosure of personal information outside of Canada
Disclosure Outside Canada
- However, the Federal Privacy Commissioner has said that, from the perspective of compliance with the transparency principle, notice should be given that personal information may be stored or accessed outside of Canada, where it may be subject to lawful access requirements in that jurisdiction (PIPEDA Decision No. 313)
- Under BC PIPA there is no prohibition on disclosure of personal information outside of Canada. In one decision, the BC Commissioner noted that notice to employees was not required; however, the Commissioner stated that the information was not highly sensitive and left open the possibility that, if the information were considered more sensitive, notice should be given (20th Century Fox, P06-04).
Disclosure Outside Canada
- However, as a best practice, it is recommended that BC organizations give notice, as the transparency principle also applies in BC PIPA
- FIPPA has a complete prohibition on disclosure outside of Canada except in very limited circumstances. Consent of the individual to disclosure or access outside of Canada will cure the prohibition
- The prohibition applies to employees, officers and directors of the public body and, in the case of an employee that is a service provider, to all employees and associates of the service provider
OIPC Cloud Computing Guidelines
- The BC OIPC paper on Cloud Computing Guidelines for public bodies recommends that personal information be encrypted during transmission to the cloud provider and that organizations do their due diligence with the third party provider
- Suggestions include:
  - confirming in writing that the provider will only process data in accordance with the instructions of the organization and will maintain an appropriate level of security
  - provider to give guaranteed reliability in the training of its staff
  - provider to demonstrate its ability to recover from a serious technological or procedural failure
OIPC Cloud Computing Guidelines
- consider only working with an established company and researching its security track record
- use contractual covenants for data protection standards
- understand the lawful access requirements of the governmental authorities in the jurisdiction where the data is stored
- use contractual protection so that the service provider will provide the organization with copies of the information regularly, in an agreed form and structure, as well as giving the organization the right to conduct site visits and audit the management of its personal information
- the provider should demonstrate its due diligence for identity and access management by its employees
OIPC Cloud Computing Guidelines
- The Commissioner also reminded public bodies and their service providers that storing personal information, including information in the cloud, is subject to the prohibition that it cannot be stored or accessed outside of Canada, and that it is an offence to store or allow access to personal information outside of Canada unless it is authorized
Law Society Report of the Cloud Computing Working Group
- The Report asks the Benchers to recommend steps to be taken to ensure that lawyers are protecting the personal information of their clients and confidential and privileged information
- The Report covers a number of issues, such as the requirement of lawyers to retain records for ten years from the final accounting transaction, to make the records available to the Law Society, and rules regarding a lawyer's obligation to maintain custody or control of records
Law Society Report of the Cloud Computing Working Group
- In terms of the due diligence requirements, there are general due diligence requirements for use of cloud computing technology and a section on privacy considerations
Privacy Considerations:
1. Lawyers need to ensure that they understand which privacy legislation covers the personal information, to ensure that they are compliant with the obligations and the governing legislation
2. If using data storage outside of Canada, advise the client at the time of obtaining the retainer and, if possible, memorialize the consent in the written retainer
Law Society Report of the Cloud Computing Working Group
3. Review the lawyer's privacy policy and determine whether it supports the use of the service contemplated; update the policy if it is out of date
4. Enter into a data protection agreement with the service provider that ensures an equivalent level of data protection as is required in BC/Canada
5. Because of the transparency principle, give notice to the client that the data will be processed outside of Canada and notify the client that a foreign state may seek to access the data for lawful access purposes
6. Practices and policies should indicate the countries outside Canada where the collection, use and disclosure will occur and the purposes for which the service provider has been authorized to collect, use or disclose the personal information (note that this obligation is taken from the Alberta Personal Information Protection Act)
Contract Terms: Standard Contractual Terms
- Provider's rationale for standard terms: allows providers to offer lower cost services
- Customer challenge: amending one-size-fits-all cloud provider terms to meet business needs and legal obligations
Contract Terms: Data
- Security: physical/virtual standards, ISO 27001/27002
- Confidentiality: contractual obligations of non-use/non-disclosure
- Access: limit access of the provider; the lawyer MUST have 24x7x365 access (subject to downtime)
- Ownership and Control: always owned by the lawyer and under their contractual control
Contract Terms: Data Ownership and License, Standard Term
"You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours. When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services." (Google Drive Services Terms of Use, May 7, 2012)
Contract Terms
- Location: limit the country/city/data centre where data is processed/stored; consider the entire data path (including backups)
- End of Contract: termination (for any reason); access, transfer, usable format, destruction
- Disputes: data hijacking
- Audits: audit the provider's compliance with security and operations
Contract Terms
- Retention: does the service store data long enough to meet regulatory requirements? Mechanisms to ensure retention; how often do backups occur?
- Destruction: are there mechanisms to destroy data, and contract terms to ensure destruction?
Contract Terms: Services
- Price: determines everything; hidden fees
- SLAs: price and deployment dependent; downtime
- Changes to the Services: notice; effect on professional obligations
- Parties/Subcontracting/Assignment: effect on data transparency; flow-down requirements; reputation of subcontractors/assignees
Contract Terms
- Unilateral Right to Amend Contract:
"We may modify these terms or any additional terms that apply to a Service to, for example, reflect changes to the law or changes to our Services. You should look at the terms regularly. We'll post notice of modifications to these terms on this page. We'll post notice of modified additional terms in the applicable Service." (Google Drive Terms of Service, May 7, 2012)
- Warranties: push for warranties by the provider and limit the provider's disclaimers
- Breaches: what are they? Limit the effects of your breaches
"If you are using our Services on behalf of a business, that business accepts these terms. It will hold harmless and indemnify Google and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Services or violation of these terms, including any liability or expense arising from claims, losses, damages, suits, judgments, litigation costs and attorneys' fees." (Google Drive Terms of Service, May 7, 2012)
Contract Terms
- Remedies: yours are quite limited; termination is not always the answer
- Limits of Liability: typically low and restrictive
"WHEN PERMITTED BY LAW, GOOGLE, AND GOOGLE'S SUPPLIERS AND DISTRIBUTORS, WILL NOT BE RESPONSIBLE FOR LOST PROFITS, REVENUES, OR DATA, FINANCIAL LOSSES OR INDIRECT, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES. TO THE EXTENT PERMITTED BY LAW, THE TOTAL LIABILITY OF GOOGLE, AND ITS SUPPLIERS AND DISTRIBUTORS, FOR ANY CLAIM UNDER THESE TERMS, INCLUDING FOR ANY IMPLIED WARRANTIES, IS LIMITED TO THE AMOUNT YOU PAID US TO USE THE SERVICES (OR, IF WE CHOOSE, TO SUPPLYING YOU THE SERVICES AGAIN). IN ALL CASES, GOOGLE, AND ITS SUPPLIERS AND DISTRIBUTORS, WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE THAT IS NOT REASONABLY FORESEEABLE." (Google Drive Terms of Service, May 7, 2012)
Contract Terms
- Jurisdiction: governing law; jurisdiction of storage
CBABC General Checklist
- Client Identification
- Date of Agreement
- Parties
- Interpretation
- Client Data
- Duties and Obligations of Client
- Duties and Obligations of Cloud Provider
- Fees and Pricing
- Term of Contract, Termination and Remedies
- Service Levels Provided
- Security
- Privacy and Confidentiality
- Performance Indicators and Metrics
- Subcontracting by Cloud Provider
- Guarantees and Indemnities
- Intellectual Property
- Representations and Warranties
- Insurance Coverage
- Boilerplate (Assignment, Governing Law, Dispute Resolution, General Provisions)
Panel Discussion and Q&A: Questions or Comments?
Karam Bayrakal, +1 604 631 4850, kbayrakal@fasken.com
Lorene Novakowski, +1 604 631 3216, lnovakowski@fasken.com