Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices.

Presentation transcript:

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC ); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing
Contracting Cloud Services from a Legal Practitioner’s Standpoint
5 July 2013
Alan Chiu, Mayer Brown JSM – Hong Kong, Partner
Geofrey L Master, Mayer Brown LLP – Washington, DC, Partner

Introduction - Perspective
- Mayer Brown JSM – Intellectual Property and Information Technology
- Mayer Brown LLP – Business & Technology Sourcing

Presentation Agenda
- Introduction – Perspective
- Contracting for Cloud Computing Services
- Key Issues/Risks in Cloud Computing
- Public vs. Private Cloud: the Impact on Key Contracting Issues (Selected Contracting Issues)

Contracting for Cloud Computing Services: The Road to the Cloud!

Cloud Contracting - Introduction
- Contract basics
  – Parties
  – Establishes enforceable terms – rights and obligations
  – Mechanics of enforcement
- Contract formation
  – Clickwrap
  – Clickwrap with manually signed amendment
  – Full markup of vendor’s form agreement
  – Customer’s agreement
- Contract modification
  – Traditional contracts – process for amendment / modification defined
  – Linked webpages
- Limits on unilateral changes

Cloud Customers Must Make Informed Tradeoffs
- There is no standard contract “form” that will work for each situation
  – Traditional outsourcing and software licensing terms may be useful, but cannot be inflexibly applied to cloud computing
- More robust contractual protection may or may not be the correct answer – it depends
- Prospective cloud customers must take into account
  – Criticality of the software, data and services in question
  – Unique issues associated with cloud computing
  – Public, private or hybrid model
  – Availability and pricing of various alternatives
- For “nice-to-have” business tools or routine data, a low cost solution may outweigh contractual protection
- Requiring robust contractual protection may increase the price and eliminate certain service providers altogether

Cloud Customers – Essential Considerations
- Customer must evaluate the cloud provider and the contractual structure – before entering into the relationship.
  – Compliance considerations:
    - Cannot delegate compliance to service provider
    - Service providers rarely have the same compliance obligations as their customers
    - Customer must determine if service provider and solution are compatible with compliance obligations.
- The nature of the cloud relationship drives the elements of evaluation:
  – criticality of the service (function) and regulatory demands
  – sensitivity of the data/processes
  – scale of the activity

Breadth of Cloud-Based Offerings
- At one end of the spectrum:
  – “Nice to have” business tools
  – Routine, non-sensitive data
  – Limited scope of business use
- At the other end of the spectrum:
  – Mission critical applications
  – Regulated or business sensitive data
  – Enterprise-wide use
- Each end of the spectrum presents different legal and contractual challenges, options and trade-offs

Tier One Enterprise Providers are beginning to get it…
- Tier One and similar service providers are beginning to offer solutions addressing customer concerns, often through private clouds
- Private clouds offer more protection than public clouds; however, private clouds do not magically solve all privacy, security and compliance issues
- Private clouds cost more than other leveraged solutions
  – They can be dedicated (close to data center services) or leveraged (still some cost savings, but with more limited rights than in a traditional ITO model)
  – Some private clouds are not really cloud services at all – they are merely custom data center and hosting services
- Generally, private / enterprise cloud solutions offer better protection than pure public cloud solutions

Contracting for Cloud Computing
- YES!
- Keep your eye on
  – Criticality of the software, data and services
  – Unique issues associated with cloud computing
  – Public vs. private cloud
  – Availability and pricing of various alternatives
- Leverage outsourcing, software and data use precedent as appropriate

Key Issues/Risks in Cloud Computing

Data security is by far the largest concern as the market has yet to address enterprise security requirements (source: TPI)

[Bar chart; values shown range from 78% down to 11%. Categories shown: Data security; Failing regulatory requirements; Integration risks with legacy systems; Unclear who has access to my data; Disaster recovery; Co-mingling of data; Up-time availability; Connectivity / bandwidth; Service provider viability; Unclear where data is stored; Response time; Migration to different service; Ill defined business case]

Privacy, Security and the Cloud
- We are at an intersection, with privacy regulation dramatically increasing at the same time cloud computing is increasing exponentially.
- Enterprises need to understand and prepare for entry into cloud computing – requires assessment, planning (including for regulatory requirements) and careful transformation.

[Diagram labels: Privacy; Cloud]

Issues with Privacy and Security: The “Elephant in the Room”
- Data transfer issues (EU and similar jurisdictions)
- Data location issues
- Location of users accessing data
- Movement and storage of data
- Use of subcontractors
- Lack of transparency and control
- Data breach issues
- Data destruction issues
- Ability to impose security and privacy requirements

Issues with Privacy and Security: More Robust Data Privacy Regulations
- Hong Kong: Personal Data (Privacy) (Amendment) Ordinance 2012
  – A Data User shall be responsible for any act done by an outsourcing agent who is entrusted to store or process personal data
  – A Data User (customer) must adopt “contractual or other means” to prevent (i) any personal data transferred to Data Processor (service provider) from being kept longer than is necessary for processing of the data; and (ii) unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

Issues with Privacy and Security: More Robust Data Privacy Regulations
- China:
  – Several Provisions on Regulation of the Order of Internet Information Service Market (15 March 2012)
  – Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection (28 Dec 2012)
    - Fundamental privacy and security principles
  – Guideline for Personal Information Protection within Information System for Public and Commercial Services (1 Feb 2013)
    - Detailed obligations but not legally binding
    - Prohibits data users from transferring personal data outside China unless it is expressly allowed pursuant to laws or regulations or otherwise approved by the authority
  – Draft Rules on the Protection of Personal Information of Telecommunications and Internet Users (10 April 2013) published for consultation

Other Critical Contracting Issues for Cloud Customers
- Regulatory and Compliance Challenges
  – Compliance and auditability
  – Lack of transparency and control
  – Subcontracting and flow down of provisions
  – Investigations / electronic discovery issues
  – Record retention issues
- Other Key Issues and Challenges
  – Service levels
  – Disaster recovery and business continuity
  – Exit rights and termination assistance
  – Financial stability of service providers/due diligence

Intellectual Property Considerations and the Cloud
- IP Ownership
  – Who owns the data?
  – Importance of express provision – especially for high value IP-related / business data
- Content Licensing
  – Licence to service provider
    - royalty-free, perpetual, irrevocable, non-exclusive licence (by default in public cloud?)
  – Scope of the licence
  – Right to terminate
  – Return / removal of IP upon termination

Intellectual Property Considerations and the Cloud
- Trade Secrets / Patentable Subject Matter
  – Trade secrets put on cloud – risk of losing the necessary quality of confidence
  – Patentable subject matter – risk of losing the novelty?
  – Importance of defining access right and security control
  – End-to-end encryption to prevent unauthorized access
- Misappropriation of IP
  – IP protection is territorial – location of data storage / processing matters
  – Risk of theft or misappropriation of IP with little recourse
  – High level of security measures + countries with strong IP laws preferred

Intellectual Property Considerations and the Cloud
- IP Creation on the Cloud
  – Development by service provider (e.g., interface, new functionality)
  – Who owns it?
  – Can the service provider reuse it for other clients or your competitors?
- IP Infringement Indemnity
  – Infringing content uploaded by customers
    - Indemnity for service providers
    - Right to take-down by service providers?
  – Infringing cloud services
    - Patent / Copyright infringement – warranty of no infringement + indemnity for customers

Public vs. Private Cloud: The Impact on Key Contracting Issues

Analysis of Selected Contracting Issues
- Models for Analysis
  – Pure Public Cloud
  – Dedicated Private Cloud
  – Semi-Private Leveraged Cloud
- Contracting Issues
  – Service Provider Commitments
  – Service Quality Protections
  – Customer Control Rights
  – Compliance Obligations
  – Termination Assistance

1. Service Provider Commitments

Customer Need: Commitment to Contract Terms
  – Pure Public Cloud Contract: Terms may be changed by service provider in its discretion
  – Dedicated Private Cloud Contract: Terms changed only by mutual agreement
  – Semi-Private Leveraged Cloud Contract: Terms changed only by mutual agreement, or a few things may be unilaterally changed by service provider, with exit rights with no penalty if changes are not acceptable

Customer Need: Commitment to Services
  – Pure Public Cloud Contract: High-level definition of standard services, often “AS IS”
  – Dedicated Private Cloud Contract: Detailed and customized service definition
  – Semi-Private Leveraged Cloud Contract: A detailed, but not customized, definition

Customer Need: Minimum Term Commitment
  – Pure Public Cloud Contract: Little or no minimum term
  – Dedicated Private Cloud Contract: Long term commitment early termination charges
  – Semi-Private Leveraged Cloud Contract: May have a short minimum term or long notice period

2. Service Quality Protections

Customer Need: Testing and Acceptance
  – Pure Public Cloud Contract: No testing, no acceptance – perhaps “demo”
  – Dedicated Private Cloud Contract: Testing built into transition and all deliverables
  – Semi-Private, Leveraged Cloud Contract: Testing of key transition milestones and deliverables.

Customer Need: Commitment to service levels
  – Pure Public Cloud Contract: No meaningful service levels or service level credits and/or unrealistic hurdles to obtaining credits
  – Dedicated Private Cloud Contract: Detailed and customer-specific service levels with meaningful credits
  – Semi-Private, Leveraged Cloud Contract: Service levels built for service provider technology not customer needs, but with meaningful credits

3. Customer Control Rights

Customer Need: Determine architecture
  – Pure Public Cloud Contract: No right to approve service provider’s architecture
  – Dedicated Private Cloud Contract: Customer approves architecture
  – Semi-Private, Leveraged Cloud Contract: No right to approve service provider’s architecture

Customer Need: Control changes by service provider
  – Pure Public Cloud Contract: Service provider may make changes without notice or consent
  – Dedicated Private Cloud Contract: All changes to services require customer approval
  – Semi-Private, Leveraged Cloud Contract: Service provider must give notice and customer may terminate if changes have an adverse effect

Customer Need: Personnel Continuity
  – Pure Public Cloud Contract: No commitment to personnel continuity
  – Dedicated Private Cloud Contract: Commitments for continuity of key personnel and turnover protections
  – Semi-Private, Leveraged Cloud Contract: May have some commitment to continuity of a few key personnel, but with fewer rights

4. Compliance Obligations

Customer Need: Assistance in complying with laws
  – Pure Public Cloud Contract: Standardized offering, no particular assistance, other than standard reports
  – Dedicated Private Cloud Contract: Compliance with all laws applicable to service provider’s services to customer
  – Semi-Private Leveraged Cloud Contract: Some ability to configure to meet compliance requirements, but often limited solutions

Customer Need: Audit rights
  – Pure Public Cloud Contract: Typically not available, especially not for subcontractors
  – Dedicated Private Cloud Contract: Extensive operational and financial audit rights
  – Semi-Private Leveraged Cloud Contract: Some rights available, but may not include physical access

Customer Need: Other incentives for compliance
  – Pure Public Cloud Contract: Extremely limited liability for breaches or failures of any type
  – Dedicated Private Cloud Contract: Liability for direct damages up to a cap subject to exclusions
  – Semi-Private Leveraged Cloud Contract: More like dedicated private cloud contracts

5. Termination Assistance

Customer Need: Termination assistance
  – Pure Public Cloud Contract: Return of data if terminated for convenience – no promise of data portability
  – Dedicated Private Cloud Contract: Extension of services and extensive assistance in transition
  – Semi-Private, Leveraged Cloud Contract: Extension of services and reasonable assistance in transition – some terms around data portability

Customer Need: Post-Termination Rights to Technology
  – Pure Public Cloud Contract: None
  – Dedicated Private Cloud Contract: Post-termination licence, rights subject to exceptions, right to acquire dedicated hardware, and right to make offers to dedicated service provider personnel
  – Semi-Private, Leveraged Cloud Contract: Usually none

Questions

Geofrey L Master
Mayer Brown LLP, Washington, D.C.
Telephone: +1 (202)
Facsimile: +1 (202)

Alan Chiu
Mayer Brown JSM, Hong Kong
Telephone:
Facsimile: