3Kites Consulting/Kemp IT Law Breakfast Seminar Law Firms and the Cloud: Balancing Benefits and Risks London, 10 September 2014 Contracting for the Cloud: getting the Legals right Richard Kemp
Contracting for the Cloud – getting the Legals right
areas of focus today:
- approach to Cloud contracts
- general Cloud contract issues
- regulatory Cloud contract issues for law firms
- other contractual issues that the Cloud raises
Approach to Cloud contracts
- structured approach to Cloud procurement
  - internal business case and approvals
  - statement of requirements
  - running a structured procurement/preferred bidder process
- internal risk and compliance report
  - weigh all the business factors
  - firm disaster recovery/business continuity arrangements?
  - ability/time required to switch to an alternative?
  - regulatory compliance
- pre-contract supplier due diligence
  - technical, financial, commercial, legal
General Cloud contracts issues (1):
- supplier stability
  - do your credit searches (<3 months old)
  - take customer references
  - what resources/sub-contractors does the supplier depend on?
  - what are the supplier’s own disaster recovery/business continuity arrangements?
  - verify in writing supplier’s security, etc. policies and procedures
- customer/service dependence
- impact of different kinds of outage
  - Ensure ability to operate contract requirements on security, passwords, etc.
General Cloud contracts issues (2):
- data
  - supplier commitments to return customer data during and after contract?
  - in what form will the data be returned?
  - how long from customer request to data return?
  - can customer easily use the data in the form in which it’s returned?
  - at termination, does the supplier’s data return obligation operate independently of the reason for termination?
  - keep copy of latest data onsite/with another supplier (e.g. Mimecast and ?) to reduce dependence?
General Cloud contracts issues (3):
- lifecycle contract issues
  - service levels/credits
  - liability/risk regime
  - who bears Internet/comms risk?
  - support
  - duration/renewal/notice
  - pricing increases/changes
  - test business continuity/DR at least annually
  - contract change process
  - unilateral variation of terms
  - Jurisdiction & governing law
- exit/disengagement management/plan
  - prepare the plan in first 6 months of arrangement – update annually
Regulatory Cloud contract issues for law firms (1):
- outsourcing
  - moving to a Cloud platform likely to constitute outsourcing of legal activities or operational functions that are critical to the delivery of any legal activities
  - Within O(7.10) of the SRA Code of Conduct
- SRA
  - contractual arrangements “must enable SRA or its agent to obtain information from, inspect records of, or enter premises of the Cloud provider regarding outsourced activities or functions”
  - outsourcing must not adversely affect compliance with or SRA monitoring of Handbook obligations compliance
  - outsourcing must not alter obligations to clients
  - outsourcing must not cause breach of SRA authorisation requirements
Regulatory Cloud contract issues for law firms (2):
- data protection
  - Cloud provider will normally be a data processor for DPA purposes – but NB when it could be a data controller
  - Will data ever be exported from the EU?
  - Ensure contract adequately reflects positions of parties in DP terms
  - Tie back into firm’s data protection policies, procedures, notices and terms
- law enforcement access to data
  - generated more heat than light (Patriot Act, Snowden, Microsoft Dublin data centre (Aug 2014))
  - cannot exclude possibility in certain circumstances of lawful access by home or overseas law enforcement or intelligence agencies
  - selection criterion for Cloud provider?
  - a bit like the AMLR terms that go into firms’ engagement letters?
Other contractual issues that the Cloud raises
- Multiple Cloud suppliers
  - ensure consistency of approach, etc.
- Client engagement terms
  - include a new term around Cloud use if relevant?
  - vary current terms where key firm IT/service component going into the Cloud?
  - NB where client’s own business is regulated – e.g. FCA – or where client requires vendors (incl. law firms) to comply with policies (e.g. IS, encryption, data, audit, etc.)
- Supplier Terms of Service/Acceptable Use Policy
  - if different from supplier service agreement
- Internal firm policies and procedures
  - IT acceptable use
  - communications with clients
Law Firm Cloud resources & materials
- The Law Society: Cloud computing (April 2014)
- SRA: Spiders in the web: the risk of online crime to legal business (Mar 2014)
- SRA: Silver Linings: cloud computing, law firms and risk (Nov 2013)
- ICO: Guidance on the use of cloud computing (Oct 2012)
- NIST (US): Cloud computing – features, benefits, risks & recommendations for secure, efficient implementations (June 2012)
- The Law Society: Data protection, Information security, Business continuity (Oct 2011)