Sookman law society_6_min_business_law
1. McCarthy Tétrault Advance™
Building Capabilities for Growth
The Six‐Minute Business Lawyer 2013, The Law
Society of Upper Canada, June 6, 2013
Current Issues in Negotiating IT
Contracts – Challenges of Cloud
Computing
Barry B. Sookman
Direct Line: (416) 601-7949
E-Mail: bsookman@mccarthy.ca June 6, 2012
McCarthy Tétrault LLP / mccarthy.ca / 12519801
2. What is cloud computing?
The US National Institute of Standards and Technology (NIST) Definition
of Cloud Computing, http://ow.ly/aRX1M/
“Cloud computing is a model for
enabling ubiquitous, convenient,
on-demand network access to a
shared pool of configurable computing
resources (e.g., networks, servers,
storage, applications, and services)
that can be rapidly provisioned
and released with minimal
management effort or service
provider interaction.”
3. Service Models
NIST Cloud Computing Reference Architecture http://ow.ly/aRYoy
¬ SaaS: The capability provided to the consumer is to use the provider's applications
running on a cloud infrastructure.
¬ PaaS: The capability provided to the consumer is to deploy onto the cloud infrastructure
consumer-created or acquired applications created using programming languages,
libraries, services, and tools supported by the provider. The consumer does not manage
or control the underlying cloud infrastructure including network, servers, operating
systems, or storage, but has control over the deployed applications and possibly
configuration settings for the
application-hosting environment.
¬ IaaS: The capability provided to the consumer is
to provision processing, storage, networks,
and other fundamental computing resources
where the consumer is able to deploy and run
arbitrary software, which can include operating
systems and applications. The consumer does
not manage or control the underlying cloud
infrastructure but has control over operating
systems, storage, and deployed applications; and
possibly limited control of select networking components (e.g., host firewalls).
ICS Solutions Azure Advantage http://ow.ly/aRVSB
4. Deployment Models
Sam Johnston, http://ow.ly/aRWs2
Private: cloud infrastructure operated solely for an organization.
Community: cloud infrastructure shared by several organizations that
supports a specific community with shared concerns.
Public: cloud infrastructure made
available to the general public or a large
industry group.
Hybrid: cloud infrastructure comprised
of two or more clouds that remain
unique entities but have data or
application portability.
Note: Public clouds are more
problematic from compliance
perspectives.
6. SaaS Ecosystem is Expanding
Top PaaS, SaaS and IaaS Cloud Companies by CloudTimes, Cloud Times, 2011,
http://cloudtimes.org/2011/11/30/top-paas-saas-and-iaas-cloud-companies-by-cloudtimes/
7. SaaS Deployment is Mainstream
The Growing Importance of SaaS as an Application Deployment Model, Aberdeen Group, 2013,
http://blogs.aberdeen.com/it-infrastructure/the-growing-importance-of-saas-as-an-application-deployment-model/
8. OSFI Feb 29, 2012: New technology-based outsourcing arrangements
¬ “Information technology plays a very important role in the financial services
business and OSFI recognizes the opportunities and benefits that new
technology-based services such as Cloud Computing can bring; however, FRFIs
should also recognize the unique features of such services and duly consider the
associated risks.
¬ As such, and in light of the proliferation of new technology-based outsourcing
services, OSFI is reminding all FRFIs that the expectations contained in Guideline
B-10 remain current and continue to apply in respect of such services. In
particular, FRFIs should consider their ability to meet the expectations contained
in Guideline B-10 in respect of a material arrangement, with an emphasis on i)
confidentiality, security and separation of property, ii) contingency planning, iii)
location of records, iv) access and audit rights, v) subcontracting, and vi)
monitoring the material outsourcing arrangements.
¬ OSFI considers the management of outsourcing risks important to ensuring that
FRFIs continue to be managed prudently and OSFI will be monitoring this issue
as part of its ongoing supervisory work.” (emphasis added)
9. PIPEDA
¬ Organizations are accountable for personal information under their
control.
¬ PIPEDA Sch., Principle 4.1.3 requires organizations to use contractual
or other means to provide a “comparable level of protection” while the
information is being processed.
¬ OPC Guidelines “Comparable level of protection” means that the third
party processor must provide protection that can be compared to the
level of protection the personal information would receive if it had not
been transferred. It does not mean that the protection must be the
same across the board but it does mean that they should be generally
equivalent, p.4.
10. Can Data be Transferred Outside of
Canada for Cloud Computing?
OPC, Report on the 2010 OPC’s Consultations on Online Tracking, Profiling and
Targeting, and Cloud Computing
¬ PIPEDA is largely modeled on the principles outlined in the OECD Guidelines,
and is intended to balance an individual's right to privacy with the need of an
organization to collect, use or disclose that information for an appropriate
purpose. We have long stated that we believe that privacy does not hinder
innovation and economic progress. The organization-to-organization approach
that underscores PIPEDA supports transborder flows and data protection by
holding organizations to account for their personal information protection
practices. Information is accessible to authorities regardless of where it resides.
As noted in our Guidelines, we do, however, maintain our view that a
careful risk assessment needs to be undertaken prior to any arrangement
that involves the outsourcing of personal data to other organizations that
operate globally, and that this assessment should consider the legal
requirements of the jurisdiction in which the third-party processor operates, as
well as some of the political, economic and social conditions, and any additional
risk factors, in that jurisdiction.
11. Potential Problems
Major areas of focus:
¬ Privacy and data protection/location of data/cross border issues
¬ Information security/data integrity issues
¬ Compliance e.g. OSFI B-10, audit
¬ Dependence on service provider in increasingly complex
environments, e.g., service interruptions, SLA/availability, controls,
change management
¬ Access to data/lock-in
¬ One-sided, provider-friendly T&Cs, including limits of liability
¬ Ownership and protection of IP and trade secrets
¬ Electronic discovery obligations
12. Contract for services
¬ W Kuan Hon et al., Negotiating Cloud Contracts – Looking at Clouds from Both Sides Now, Queen
Mary School of Law, http://ow.ly/aSGS0
¬ “Despite any perception that providers' standard terms are non-negotiable, cloud contracts can be,
and have been, negotiated by customers such as financial institutions… This paper concludes that
there are indeed signs of change.
¬ Based on our research, users consider that providers' standard contract terms or offerings do not
sufficiently accommodate customer needs in various respects. The top six types of terms most
negotiated, according to our sources, were as follows, with the third and fourth issues ranking
roughly equally in importance (depending on type of user/service):
¬ 1. exclusion or limitation of liability and remedies, particularly regarding data integrity and
disaster recovery;
¬ 2. service levels, including availability;
¬ 3. security and privacy, particularly regulatory issues under the EU Data Protection Directive
('DPD');
¬ 4. lock-in and exit, including term, termination rights and return of data on exit;
¬ 5. providers' ability to change service features unilaterally and
¬ 6. intellectual property rights ('IPRs').”
¬ Contracts frequently permit service providers to unilaterally amend terms.