3Kites Consulting/Kemp IT Law Breakfast Seminar Law Firms and the Cloud: Balancing Benefits and Risks London, 10 September 2014 Contracting for the Cloud:

Presentation transcript:

3Kites Consulting/Kemp IT Law Breakfast Seminar Law Firms and the Cloud: Balancing Benefits and Risks London, 10 September 2014 Contracting for the Cloud: getting the Legals right Richard Kemp

Contracting for the Cloud – getting the Legals right
Areas of focus today:
- approach to Cloud contracts
- general Cloud contract issues
- regulatory Cloud contract issues for law firms
- other contractual issues that the Cloud raises

Approach to Cloud contracts
- structured approach to Cloud procurement
  - internal business case and approvals
  - statement of requirements
  - running a structured procurement/preferred bidder process
- internal risk and compliance report
  - weigh all the business factors
  - firm disaster recovery/business continuity arrangements?
  - ability/time required to switch to an alternative?
  - regulatory compliance
- pre-contract supplier due diligence
  - technical, financial, commercial, legal

General Cloud contracts issues (1):
- supplier stability
  - do your credit searches (<3 months old)
  - take customer references
  - what resources/sub-contractors does the supplier depend on?
  - what are the supplier’s own disaster recovery/business continuity arrangements?
  - verify in writing supplier’s security, etc policies and procedures
- customer/service dependence
- impact of different kinds of outage
- Ensure ability to operate contract requirements on security, passwords, etc

General Cloud contracts issues (2):
- data
  - supplier commitments to return customer data during and after contract?
  - in what form will the data be returned?
  - how long from customer request to data return?
  - can customer easily use the data in the form in which it’s returned?
  - at termination, does the supplier’s data return obligation operate independently of the reason for termination?
  - keep copy of latest data onsite/with another supplier (e.g. Mimecast and ?) to reduce dependence?

General Cloud contracts issues (3):
- lifecycle contract issues
  - service levels/credits
  - liability/risk regime
  - who bears Internet/comms risk?
  - support duration/renewal/notice
  - pricing increases/changes
  - test business continuity/DR at least annually
  - contract change process
  - unilateral variation of terms
  - Jurisdiction & governing law
- exit/disengagement management/plan
  - prepare the plan in first 6 months of arrangement – update annually

Regulatory Cloud contract issues for law firms (1):
- outsourcing
  - moving to a Cloud platform likely to constitute outsourcing of legal activities or operational functions that are critical to the delivery of any legal activities
  - Within O(7.10) of the SRA Code of Conduct
- SRA
  - contractual arrangements “must enable SRA or its agent to obtain information from, inspect records of, or enter premises of the Cloud provider regarding outsourced activities or functions”
  - outsourcing must not adversely affect compliance with or SRA monitoring of Handbook obligations compliance
  - outsourcing must not alter obligations to clients
  - outsourcing must not cause breach of SRA authorisation requirements

Regulatory Cloud contract issues for law firms (2):
- data protection
  - Cloud provider will normally be a data processor for DPA purposes – but NB when it could be a data controller
  - Will data ever be exported from the EU?
  - Ensure contract adequately reflects positions of parties in DP terms
  - Tie back into firm’s data protection policies, procedures, notices and terms
- law enforcement access to data
  - generated more heat than light (Patriot Act, Snowden, Microsoft Dublin data centre (Aug 2014))
  - cannot exclude possibility in certain circumstances of lawful access by home or overseas law enforcement or intelligence agencies
  - selection criterion for Cloud provider?
  - a bit like the AMLR terms that go into firms’ engagement letters?

Other contractual issues that the Cloud raises
- Multiple Cloud suppliers
  - ensure consistency of approach, etc
- Client engagement terms
  - include a new term around Cloud use if relevant?
  - vary current terms where key firm IT/service component going into the Cloud?
  - NB where client’s own business is regulated – e.g. FCA – or where client requires vendors (incl law firms) to comply with policies (e.g. IS, encryption, data, audit, etc)
- Supplier Terms of Service/Acceptable Use Policy
  - if different from supplier service agreement
- Internal firm policies and procedures
  - IT acceptable use
  - communications with clients

Law Firm Cloud resources & materials
- The Law Society: Cloud computing (April 2014)
- SRA: Spiders in the web: the risk of online crime to legal business (Mar 2014)
- SRA: Silver Linings: cloud computing, law firms and risk (Nov 2013)
- ICO: Guidance on the use of cloud computing (Oct 2012)
- NIST (US): Cloud computing – features, benefits, risks & recommendations for secure, efficient implementations (June 2012)
- The Law Society: Data protection, Information security, Business continuity (Oct 2011)

Thank you Questions? Richard Kemp,