Nine Hot-Button Legal Issues in Cloud Contracts
-
7/29/2019 Nine Hot-Button Legal Issues in Cloud Contracts
Michael L. Whitener
Lead Counsel, Technology and Communications
Clearspire Law Co., PLLC
NINE HOT-BUTTON LEGAL ISSUES
IN CLOUD CONTRACTS
2012 Clearspire Law Co., PLLC
Presentation at SaaS University
Boston, MA
October 25, 2012
-
The Backdrop
-
Cloud Phobia
NEPHOPHOBIA: Fear of clouds. Symptoms typically include extreme
anxiety, dread and anything associated with panic such as shortness of
breath, rapid breathing, irregular heartbeat, sweating, excessive sweating, nausea, dry mouth, nausea, inability to articulate words or
sentences, dry mouth and shaking.
-
CEO of US$40B Tech Company
Cloud computing is a security
nightmare and it can't be
handled in traditional ways.
John Chambers
CEO Cisco Systems
-
Leading US Computer Expert
Cloud computing sounds so
sweet and wonderful and
safe . . . we should just call it
swamp computing.
Ronald Rivest
MIT Computer Science Professor
-
The Darth Vader of EU Data Protection
Using cloud computing to process personal data raises legal and technical
questions that have yet to be
adequately addressed.
The core principle of the cloud . . .
cannot meet the demands of modern
data privacy.
US companies cannot achieve the data
privacy level required under EU standards
simply by self-certifying to the Safe Harbor list.
Thilo Weichert
Data Protection Commissioner
State of Schleswig-Holstein, Germany
-
Two Core Cloud Fear Factors
TRUST: Will the cloud service provider
keep data secure? Can data be retrieved
(or destroyed) when the relationship ends?
COMPLIANCE: Will the cloud service
provider comply with all applicable legal and regulatory requirements?
-
US: Key Legal Principles
Sector-by-sector rather than comprehensive approach to data privacy
Result: alphabet soup of data-specific laws
HIPAA/HITECH Act: health data
GLB Act: financial data
FERPA: student data
COPPA: children's data
Nearly every state has data breach laws
-
EU: Key Legal Principles
EU Data Protection Directive aimed at permitting the free flow of data among EU
nations
Transfers of personal data outside the EU
permitted only to jurisdictions with
adequate data protection laws (few
nations qualify)
Exceptions: Safe Harbor (US only)
Model Contractual Clauses
Binding Corporate Rules
-
The Combatants
-
Gartner's IaaS Magic Quadrant
-
The Hot-Button Legal Issues
-
1. Data Security
Typical CSP Position: CSP will take reasonable security measures.
Possible Customer Pushback:
Satisfy customer security policies
Commit to written security specifications
Obtain security certifications or meet security audit
standards
Provide customer audit rights
Have security breach policy
PITFALL: Fort Knox guarantees of absolute data security
-
2. Notification of Data Security Breach
Typical CSP Position: Not addressed.
Possible Customer Pushback:
Require CSP to promptly notify customer of any data
security issues
Prohibit CSP from notifying customer end users of security
breach
CSP to pay all costs incurred by customer to provide notice
of any security breach
PITFALL: Contractual commitments regarding giving notice of
data security breaches that conflict with compliance obligations
under applicable data privacy laws
-
3. Data Privacy
Typical CSP Position: Customer agrees that CSP may process
customer personal information as required to provide the
services, including transfers to third parties and between
countries.
Possible Customer Pushback:
Require commitment of compliance with all applicable data privacy laws (and liability for failure to do so)
No use of customer data except as explicitly authorized,
including for analytical purposes
No transfer of customer data overseas
PITFALL: Failure to require customer to obtain end user consents
to the processing of personal information in connection with the
agreement and to indemnify service provider against any liability
for failure to do so
-
4. Limitation of Liability
Typical CSP Position: No liability for indirect/consequential damages; overall liability limited to fees paid or credit
allowances.
Possible Customer Pushback:
Limitation as multiple of fees paid by customer during a specified period, most commonly the previous 12 months.
Carve-outs from limitation:
Breach of confidentiality, data security obligations
IP infringement
Indemnity obligations
PITFALL: Carve-out from limitation for data security breaches,
perhaps indirectly via confidentiality clause
-
5. Warranties
Typical CSP Position: No express or implied warranties; service provided as is.
Possible Customer Pushback:
Make explicit warranties re service/software performance,
non-infringement, data security
No sharing or disclosure of customer data without
customer's prior written consent
No suspension or disruption of service, even if customer is
alleged to have breached the agreement by nonpayment or
otherwise
PITFALL: Failure to explicitly exclude any warranty that the
services will be adequate, useful or error-free, or that data will be
kept secure and not lost/damaged
-
6. Indemnities
Typical CSP Position: Customer must indemnify CSP for certain third-party claims, e.g., customer data violates
legal/regulatory requirement.
Possible Customer Pushback:
Indemnify customer for claims relating to:
CSP's breach of its confidentiality and security
obligations re customer data
IP infringement
No limitation on indemnity liability
PITFALL: No requirement that customer indemnify CSP for third-
party claims relating to failure to meet security obligations,
violation of AUP, violation of end user agreements
-
7. Uptime Service Levels
Typical CSP Position: Uptime commitments or targets, subject to exclusions (e.g., scheduled maintenance).
Possible Customer Pushback:
Require higher uptime commitment, even 100%
Require prior written notice of scheduled downtime
Define unavailability to include performance degradation
(e.g., slow access to data)
Require CSP to proactively monitor uptime performance and
provide reports
PITFALL: Insufficiently broad exclusions from the uptime
commitment (e.g., emergency maintenance, outages caused by
hackers or viruses)
-
8. Remedies for Service Level Failure
Typical CSP Position: Service Availability Credit as a percentage
of the monthly fee, perhaps with a cap.
Possible Customer Pushback:
No percentage limitation on Service Availability Credit
Credits are not exclusive remedy
Failure to meet uptime targets as material breach
Response and resolution time commitments and credits for
failure to meet these commitments
PITFALL: Fuzzy definition of credit: is it a rebate, a discount, or
an extension of the service period?
-
9. Disaster Recovery/Business Continuity
Typical CSP Position: Not specifically addressed, except
Customer is often made responsible for data storage and backup.
Possible Customer Pushback:
Provide regularly scheduled backup of customer data
Have written disaster recovery and business continuity plan
for customer review
Provide assistance with customer migration to another
service provider
Return data to customer in specified format
PITFALL: Open-ended obligation to migrate customer to another
service provider and provide data conversion/transition services
at own expense
-
Prepared by:
Michael L. Whitener
Lead Counsel, Technology & Communications
Clearspire Law Co., PLLC
Email: [email protected]
1747 Pennsylvania Avenue, NW
Washington, D.C. 20006
Office: 202-595-9376
Mobile: 202-257-2402
www.clearspire.com