Cloud Computing: How to Have a Smart Conversation with IT

Cloud Computing: How to Have a Smart Conversation with IT. April 26, 2011. Presenters. Our Panel includes: Frank Lynch, Senior Counsel, Mondial Assistance; Chris Burroughs, Vice President of IT Infrastructure Services, Mondial Assistance


Presentation Transcript


  1. Cloud Computing: How to Have a Smart Conversation with IT April 26, 2011

  2. Presenters Our Panel includes: • Frank Lynch, Senior Counsel, Mondial Assistance • Chris Burroughs, Vice President of IT Infrastructure Services, Mondial Assistance • Andrew Stanley, Director, Enterprise Architecture, MeadWestvaco • Andrew Geyer, Associate, Hunton & Williams LLP

  3. Before I start: definitions It wouldn't be a presentation on cloud computing without another definition. • cloud computing (pure): application of marginal computing resources by Internet-scale corporations. • cloud computing (hybrid): application of shared computing resources by large-scale corporations. • cloud computing (niche): application of dedicated computing resources, priced in a variable, non-capital model

  4. MWV is a global leader in packaging and packaging solutions • $6 billion in revenue • 21,000 employees worldwide • Presence in 30 countries • Growth in emerging markets • +40% sales outside North America • 25% of revenue from related businesses (Specialty Chemicals, Consumer & Office Products, Land Management)

  5. Why ? Apps Etc. • Replace MWV's 10 global systems (Notes, Exchange, etc.) w/ Google Apps • Variabilize our costs • Standardize collaboration tools • Rapid integration of acquisitions • Cost Reduction • Leverage Google’s innovation cycle • One MWV == One Messaging and Collaboration system to enable MWV’s strategy • One Messaging system common globally • Speeds collaboration and innovation across the world • Partner with the leader in Web 2.0 technology • Commanding share in search, video, and content distribution • Organizational commitment to transparency and partnership • Healthy firm with strong financials and security-of-data focus

  6. MWV Google Pilot. Summary: • 115 pilot participants • 80 users “live” on Google • 12 countries • 40 functional groups • 90%+ recommend Google. Two phase pilot from 3/09 – 6/09: • Phase 1, 5 associates • Phase 2, 110 associates • All geographies represented • Multiple surveys executed (Midpoint, End). Results: • Strong preference for Google email over existing tools • Strong collaboration capability within the Google Apps suite • Constant stream of innovation from Google • 90%+ agree/strongly agree we should move to Google • Synchronizing multiple email systems within the domain very difficult • Executive Admins are a change management focus • Security considerations require policy changes and training for end users

  7. Now, if you'll indulge me... "The Hockey Puck"

  8. Where is technology going? Trend: • Ubiquitous • Continuous • Persistent. Business Impact: • Always on, the true "office without walls" • Information is universally accessible, cross-platform, and travels well. • Knowledge workers accustomed to larger data sets

  9. What this means for you. Trend: • Ubiquitous • Continuous • Persistent. Legal Impact: • When does the work day end? Whose IP is it? • Can I secure my information on another party's asset? • Discoverability and analytical tools: a litigation arms race?

  10. WMACCA Cloud Computing: Key Contractual Considerations. Andrew Geyer, Hunton & Williams LLP, (804) 787-8164, ageyer@hunton.com, www.hunton.com, www.huntonoutsourcing.com

  11. Key Contractual Considerations • Limits of Liability • Indemnities • Termination • Service Levels • Representations and Warranties • Termination Assistance • Services Not to Be Withheld • Privacy and Data Security

  12. Limits of Liability Provider Position: • The liability of the provider is often limited to “direct” damages and an aggregate dollar amount • Limitations are generally not reciprocal in the provider’s form agreement • Commonly, the liability cap is defined by the provider as a multiple of monthly charges generally ranging from three to six months of fees actually paid

  13. Limits of Liability Practice Tips: • Liability cap should refer to charges invoiced or scheduled to be invoiced, rather than those actually paid, since payments may be reduced by performance credits and other set-offs • Liability cap and the “direct” damages limitation should not apply to damages arising out of, among other things: • a breach of confidentiality or data protection obligations (although some providers will only agree to a “super-cap” in this instance, such as 2x or 3x the liability cap) • indemnification responsibilities • gross negligence, theft, fraud or other intentional misconduct • personal injury and property damage (including data loss) • breach by the provider of an obligation not to withhold service

  14. Indemnities Provider Position: • Providers typically limit their indemnification responsibility to third party claims for intellectual property infringement only Practice Tips: • Remember that trade secrets can only be “misappropriated” not “infringed” • Consider negotiating the expansion of providers’ indemnification responsibilities to include, among other things, third party claims arising from: • violation of law • gross negligence, theft, fraud or other intentional misconduct • the provider’s breach of the agreement, including its agreement not to withhold services • personal injury and property damage

  15. Indemnities Practice Tips (continued): • Consider negotiating indemnification for costs associated with data security breach incidents involving customer information in the provider’s possession, custody or control • The provider may request reciprocal indemnities, though not every indemnity should be provided by the customer • Indemnities are generally of particular importance in cloud computing service agreements given many providers’ reluctance to alter the limitation of liability provision

  16. Termination Provider Position: • Provider forms typically only allow the customer to terminate for an uncured, material breach Practice Tips: • Seek the right to terminate the agreement for convenience upon notice (typically 30-180 days) • In some instances, the provider will require payment of a termination charge, the purpose of which should be to fairly compensate the provider for its unrecovered investments • Ensure that the charge does not include lost pursuit costs, lost profit or lost opportunity costs

  17. Termination Practice Tips (continued): • In addition to a right to terminate for cause and convenience, consider expanding the customer’s termination rights to include: • persistent breaches (i.e., a series of material breaches that the provider cures within the permissible periods or the occurrence of non-material events that are material in the aggregate) • the provider’s failure to meet one or more critical service levels • It is debatable whether a data security breach incident affecting customer data in the cloud constitutes a material breach • Consider negotiating the right to terminate following a data security breach incident (in some cases based in part on the severity of the breach incident or losses arising from the incident), or negotiating to expressly provide that a data security breach incident is to be considered a material breach

  18. Termination Practice Tips (continued): • While the provider has adequate remedies for all customer breaches, the customer’s business might be irreparably harmed in the event of an unjustified termination by the provider • Consider restricting the provider’s right to terminate the agreement to cases where an undisputed material payment default remains uncured after notice • If you are unsuccessful in restricting a provider’s termination rights in this manner, try to mitigate this by negotiating the provision of termination assistance services, regardless of the reason for termination

  19. Service Levels Provider Position: • Providers are highly resistant to changing their service levels since these metrics apply enterprise-wide across all clients Practice Tip: • Focus negotiations around clarifying the calculations used by the provider to determine whether the service level was actually achieved • Remove or modify the provider’s proposed exceptions to service level performance

  20. Service Levels Provider Position: • Service level credits are the customer’s sole and exclusive remedy Practice Tips: • The payment of service level credits by the provider should not release any claim arising out of a service level failure, if that failure has a material adverse effect on the customer • For failures that have an immaterial effect, performance credits are sometimes an exclusive remedy • In that case, the customer should retain a “look back” right • Any performance credits paid should then be treated as a credit towards the customer’s damages

  21. Representations and Warranties Provider Position: • Provider forms generally offer little or no representations or warranties • Examples include: • Service conforms to the service levels • Service will perform “materially” in accordance with the specifications Practice Tips: • Consider including warranties addressing standards of performance, compliance with law, and the prevention and remediation of viruses • For services involving the handling, processing or storage of credit card information, pursue representations and warranties for Payment Card Industry Data Security Standard (PCI-DSS) compliance

  22. Termination Assistance Services The agreement should provide for the provider’s assistance in the orderly transition of the services either in-house or to a new vendor upon the termination or expiration of the agreement, regardless of the reason for such termination

  23. Termination Assistance Services Provider Position: • Typically not included in the providers’ form agreements. When requested, there is significant resistance to performing these services in the event of a termination for Customer’s material breach, such as non-payment. Practice Tips: • To assure business continuity, the provider must provide termination assistance even in the event of customer non-payment, if the customer pays for the termination assistance in advance • Provision should also address the customer’s ability to retrieve any data it has stored in the cloud upon demand and the form in which that data will be provided

  24. Services Not to Be Withheld Agreement should guarantee that the services will not be intentionally withheld by the provider for any reason other than the customer’s undisputed nonpayment since the customer’s entire business may depend on the provider’s continued performance

  25. Services Not to Be Withheld Provider Position: • Providers almost universally resist these provisions, suggesting that the customer is adequately compensated by a payment from the provider for the amount of the liability cap if the provider walks away from a transaction that has become economically unwise, thereby destroying the customer’s business Practice Tips: • Customer should be entitled to an injunction without necessity of posting a bond • Resulting damages or indemnity claims should not be subject to limits of liability

  26. Privacy and Data Security • Data Security Breach Notification • Legal Process Notification • Use of Customer Data • Secure Destruction of Customer Data at Termination • Compliance with EU Data Protection Law • HIPAA • Discoverability

  27. Data Security Breach Notification Provider Position: • Provider forms generally do not address notice to customers in the event of a data security breach • For those providers that do address the topic, the provider is generally only obligated to provide notice if there has been an “unlawful” disclosure of the data

  28. Data Security Breach Notification Practice Tips: • In general, state and federal notice obligations apply to the customer as the owner of the data, not the service provider (although most laws do require service providers to notify data owners of such compromises) • The determination of whether a security event constitutes a legally-reportable data security breach may be subjective in nature, and time limits may apply with respect to certain breach notification obligations • Accordingly, the provider must be contractually required to report to customer immediately any actual or suspected unauthorized access to, or misuse of, the customer data

  29. Legal Process Notification Provider Position: • If addressed, provider forms will permit the disclosure of customer data that is maintained in the cloud for purposes of responding to a subpoena or other lawful request Practice Tip: • Add an obligation on the part of the provider to notify the customer, and give the customer an opportunity to respond, in the event of such a request, prior to making the disclosure (unless the provider is prohibited by law from doing so)

  30. Use of Customer Data Provider Position: • Providers typically include provisions outlining the purposes for which the provider may use customer data, but the scope of such permitted use tends to be very broad • For example, the provider will state that it may monitor or use customer data “as necessary to operate this service or any other provider service” or “to protect provider’s rights” or “in order to improve provider’s products”

  31. Use of Customer Data Practice Tip: • Limit the permissible uses of customer data to those necessary to provide services to the customer specifically, or as required pursuant to law or legal process, to prevent providers from monitoring or using customer data for their own business development purposes or any other use that does not directly serve the customer

  32. Secure Destruction of Customer Data at Termination Provider Position: • Provider forms typically provide for the return or destruction of customer’s data upon expiration or termination of services, usually after a specified period of time and at the election of the customer pursuant to certain terms Practice Tips: • Ensure that the customer’s data be deleted in a secure manner such that it cannot be read or reconstructed, and that all copies or backups of the data be similarly destroyed so that the provider does not continue to possess any customer data • Require the provider to provide a certificate of destruction to the customer for regulatory compliance verification purposes

  33. Compliance with EU Data Protection Law • The European Union has exceptionally stringent requirements and restrictions regarding the processing and transfer of personal data of European residents from the EU to other jurisdictions • The EU data protection regime can pose significant obstacles to the implementation of a cloud computing solution involving data originating in the European Union Practice Tip: DO YOUR HOMEWORK!!!

  34. HIPAA • The HIPAA Privacy Rule states that a business associate (BA) is, among others, a person who performs, or assists in the performance of, a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing (45 CFR 160.103) Provider Position: Providers typically have a form BAA Practice Tip: • BAAs must include statutorily-mandated language • Don’t forget about the Health Information Technology for Clinical and Economic Health Act (HITECH)

  35. Discoverability • The ABA reported that in a 2007 survey of more than 100 information technology managers in medium and large US corporations only 6 percent stated that they could “immediately and confidently” field electronic discovery requests Provider Position: • If available, providers will typically offer an add-on service (usually self-help) to address their customers’ discovery related requirements

  36. Mock Analysis of a Cloud Proposal: Microsoft BPOS

  37. Microsoft BPOS PUR – § 2.a (bullet 1) “License Terms Updates. We may update these license terms from time to time. Changes to these license terms that we either introduce with updates or supplements, are required by law to make, or do not materially affect your use of the online services will apply immediately. For any other changes, your use of the online service under any existing license during the first 12 months of your subscription license term will be governed by these license terms without those updates…We will endeavor to notify you of updates at least 30 days before they are generally effective. You agree to the new terms by using the online service after we publish them in these product use rights or send you an email notice about the updates.”

  38. Microsoft BPOS PUR – § 2.a (bullet 2) “Online Service Updates. We may modify the functionality or features or release a new version of the online service and software from time to time. After an update, some previously available functionality or features may change or no longer be available. If we update the online service or software and you do not use the updated online service or software, some features may not be available to you and your use of the online service and software may be interrupted.”

  39. Microsoft BPOS PUR – § 2.a (bullet 3) “Online Service Suspension. We may suspend the online service in whole or in part and without notice: (1) If we believe that your use of the online service represents a direct or indirect threat to our network function or integrity or anyone else’s use of the online service; (2) if reasonably necessary to prevent unauthorized access to customer data; or (3) to the extent necessary to comply with legal requirements. If we suspend the services without notice, we will provide the reason for such suspension if you request.”

  40. Microsoft BPOS PUR – § 2.b “Online Service Expiration or Termination. Upon expiration or termination of your online service subscription, you must contact Microsoft and tell us whether to: (1) disable your account and then delete the customer data; or (2) retain your subscriber data in a limited function account for at least 90 days after expiration or termination of your subscription (the “retention period”) so that you may extract the data. If you indicate (1), you will not be able to extract the customer data from your account. If you indicate (2), you will reimburse us for any applicable costs. If you do not indicate (1) or (2), we will retain the customer data in accordance with (2). Following the expiration of the retention period, we will disable your account and then delete the customer data. Cached or back-up copies will be purged within 30 days of the end of the retention period.”

  41. Microsoft BPOS PUR – § 2.j “Privacy. Personal data collected through the online service may be transferred, stored and processed in the United States or any other country in which Microsoft or its service providers maintain facilities. This includes any personal data you collect using the service. By using this online service, you consent to transfer of personal data outside of your country. You also agree to obtain sufficient authorization from persons providing personal data to you, to: • transfer that data to Microsoft and its agents, and • permit its transfer, storage and processing.”

  42. Microsoft BPOS PUR – § 2.r “Service Level Agreements (SLAs). Some online services may include performance related SLAs. Go to http://microsoft.com/licensing/contracts for more information.”
