3Kites Consulting/Kemp IT Law Breakfast Seminar
Law Firms and the Cloud: Balancing Benefits and Risks
London, 10 September 2014
Contracting for the Cloud: getting the Legals right
Richard Kemp
Contracting for the Cloud – getting the Legals right
areas of focus today:
- approach to Cloud contracts
- general Cloud contract issues
- regulatory Cloud contract issues for law firms
- other contractual issues that the Cloud raises
Approach to Cloud contracts
- structured approach to Cloud procurement
• internal business case and approvals
• statement of requirements
• running a structured procurement/preferred bidder process
- internal risk and compliance report
• weigh all the business factors
• firm disaster recovery/business continuity arrangements?
• ability/time required to switch to an alternative?
• regulatory compliance
- pre-contract supplier due diligence
• technical, financial, commercial, legal
General Cloud contracts issues (1):
- supplier stability
• do your credit searches (<3 months old)
• take customer references
• what resources/sub-contractors does the supplier depend on?
• what are the supplier’s own disaster recovery/business continuity arrangements?
• verify in writing supplier’s security, etc policies and procedures
- customer/service dependence - impact of different kinds of outage
• Ensure ability to operate contract requirements on security, passwords, etc
General Cloud contracts issues (2):
- data
• supplier commitments to return customer data during and after contract?
• in what form will the data be returned?
• how long from customer request to data return?
• can customer easily use the data in the form in which it’s returned?
• at termination, does the supplier’s data return obligation operate independently of the reason for termination?
• keep copy of latest data onsite/with another supplier (e.g. Mimecast and email?) to reduce dependence?
General Cloud contracts issues (3):
- lifecycle contract issues
• service levels/credits
• liability/risk regime
• who bears Internet/comms risk?
• support
• duration/renewal/notice
• pricing increases/changes
• test business continuity/DR at least annually
• contract change process
• unilateral variation of terms
• jurisdiction & governing law
- exit/disengagement management/plan
• prepare the plan in first 6 months of arrangement – update annually
Regulatory Cloud contract issues for law firms (1):
- outsourcing
• moving to a Cloud platform likely to constitute outsourcing of legal activities or operational functions that are critical to the delivery of any legal activities
• within O(7.10) of the SRA Code of Conduct
- SRA
• contractual arrangements “must enable SRA or its agent to obtain information from, inspect records of, or enter premises of the Cloud provider regarding outsourced activities or functions”
• outsourcing must not adversely affect compliance with or SRA monitoring of Handbook obligations compliance
• outsourcing must not alter obligations to clients
• outsourcing must not cause breach of SRA authorisation requirements
Regulatory Cloud contract issues for law firms (2):
- data protection
• Cloud provider will normally be a data processor for DPA purposes – but NB when it could be a data controller
• will data ever be exported from the EU?
• ensure contract adequately reflects positions of parties in DP terms
• Tie back into firm’s data protection policies, procedures, notices and terms
- law enforcement access to data
• generated more heat than light (Patriot Act, Snowden, Microsoft Dublin data centre (Aug 2014))
• cannot exclude possibility in certain circumstances of lawful access by home or overseas law enforcement or intelligence agencies
• selection criterion for Cloud provider?
• a bit like the AMLR terms that go into firms’ engagement letters?
Other contractual issues that the Cloud raises
- Multiple Cloud suppliers
• ensure consistency of approach, etc
- Client engagement terms
• include a new term around Cloud use if relevant?
• vary current terms where key firm IT/service component going into the Cloud?
• NB where client’s own business is regulated – e.g. FCA – or where client requires vendors (incl law firms) to comply with policies (e.g. IS, encryption, data, audit, etc)
- Supplier Terms of Service/Acceptable Use Policy
• if different from supplier service agreement
- Internal firm policies and procedures
• IT acceptable use
• communications with clients
Law Firm Cloud resources & materials
• The Law Society: Cloud computing (April 2014)
• SRA: Spiders in the web: the risk of online crime to legal business (Mar 2014)
• SRA: Silver Linings: cloud computing, law firms and risk (Nov 2013)
• ICO: Guidance on the use of cloud computing (Oct 2012)
• NIST (US): Cloud computing – features, benefits, risks & recommendations for secure, efficient implementations (June 2012)
• The Law Society: Data protection, Information security, Business continuity (Oct 2011)
Thank you
Questions?
Richard Kemp,
richard.kemp@kempitlaw.com
020 3011 1667