What are the legal implications of moving into the Cloud?ICAEW, 24 September 2010

Richard KempSenior PartnerKemp Little, Solicitors, London EC2richard.kemp@kemplittle.comwww.kemplittle.com

SaaS

Cloud Computing

Utility Computing

1940s 1950s 1960s 1970s 1980s 1990s 2000s 2010s

1940s: Adoption of programmmable computer

1957: IBM introduces FORTRAN programming language

1964: IBM introduces System 360 computer family

1969: the software industry is born as IBM unbundles hardware & software

1981: Microsoft develops MS-DOS

1971: Intel 4004 – the first micro-processor developed

1981: IBM launches PC

1995: Netscape IPO ; Bill Gates’ ‘Internet tidal wave’ memo 2001: .com bust

Early 2000s onwards: broadband replaces dial up internet

Mid ‘60s to early ‘80s:IBM heyday

‘80s: rise of the PC

‘90s to mid-00’s: Wintel heyday

Mid ‘00s onwards: Google heyday

hard

war

eso

ftw

are

inte

rnet

1985: open source FSF set up

1970: UNIX releasedby AT&T

mid ‘00s onwards: open source (OSS) in the mainstream

serv

ices

ASP adoption

1990: Microsoft launches Windows 3.0

1993:Linux

‘90s: rise of laptops

‘00s: rise of PDAs

1984: Apple Mac launched

2004: Google, salesforce.com IPOs;‘web 2.0’ coined

2008: Google Chrome, Microsoft Windows ‘in the Cloud’ (Azure) launched

2007: IPO of hypervisor developer VMware

Outsourcing ITO BPO LPO, etc

‘anytime anywhere’

devices

SmartphonesiPad, etc

The rise of service based computing

‘‘Software as a licenceSoftware as a licence’ OutsourcingOutsourcing

ASPASP - 1 to 1

SaaSSaaS – 1 to many, built for the web,

Pay per use

CloudCloud – massively scaled UtilityUtility – aggregated resources,

supplied on metered basis

Evolution of service based computing

Essence of service based computingASP

Application serviceProvision

Hosted application Management

‘your server room, not mine’

SaaS

‘built for the web’ application

‘web ready’ customer services

‘one to many’ secure delivery model

Consumer and professional markets

Incremental pay per use basis

e.g.: Salesforce.com

Cloud

‘massive scalability’

Mass market availability via the internet

of IT-enabled, scalable resources provided as a service

Bigger & bigger data centres

e.g.: Azure

Utility

Aggregated resources (input, programming, processing, storage, output, comms, etc)

packaged into the service the customer wants

and supplied on a metered basis

Increasing prevalence of and reliance on technology

Improved internet/networking connectivity

IT costs increasing – personnel/hardware/software/storage

Too much bespoke tailoring and risk in ‘traditional’ models

Difficult for in-house teams to keep up let alone innovate whilst keeping a lid on costs

Business Drivers/Benefits

Cloud Issues – data loss

Cloud Issues – Internet outage

Cloud Issues – service availability

Cloud/out sourcing contracts – the similaritiesemperor’s new clothes?

Outsourcing1.Services procurement accent on performance, exit, etc

2. Buying in specialist expertise to improve efficiency/reduce cost

3. Aim to avoid locking up capital in i/s - move to expense model

4. Typically function based IT, AR, HR, LPO, etc function done in house before

5. At least an element of remote service provision (off/on/right shoring)

6. ‘grown up’ services contracts devil is in the detail

Cloud/SaaS1.Services procurement accent on performance, availability, exit, etc

2. Buying in specialist expertise to improve efficiency/reduce cost

3. Aim to avoid locking up capital in i/s - move to expense model

4. Typically function based CRM, Accounts function done in house before?

5. remote service provision

6. ‘grown up’ services contracts devil is in the detail

Cloud/out sourcing contracts – the differences

Outsourcing1.Custom deal – service tailored to client

Previously carried in-house Supplier moulds plug to client’s socket

2. Supplier responsible for delivery KPIs part of service metrics/SLA

3. Assets/staff may transfer over HR TUPE transfers and related issues

4. pricing/payment models annual fee/ complex pricing models/gainshare

5. Service development customisable agree improvement regime at outset

6. Deals still longer, more complex, higher value multisourcing – supplier management an issue

Cloud/SaaS1. ‘one to many’ model customisable, but commodity service

Client moulds socket to supplier’s plug

2. Customer takes Internet availability risk? how do you deal with service levels?

3. Generally no transfer agreement but beware ambit of TUPE

4. Pay per use basis

5. Customer gets improvements as released less customisable

6. Deals shorter, lower (but increasing) value

What really matters in a SaaS/cloud contract1. Performance

Key service metrics (response times, throughput, volumes, etc)

‘room at a hotel’2. Availability

Internet delivery enabled – bandwidth, speed, etc So who bears the risk of outages, slow response times

3. Data Security, regulatory Check you can get it back (i) at any time (ii) in

usable form4. Regulatory

Increasing importance – not just data privacy Access, audit, etc

5. Exit Think about exit/disengagement on the way in! Avoid supplier dependence

Data privacy and security The amount of information we store is increasing

exponentially

There is an increase in incidents and severity of losses or theft of information

There is increasing media, public and government awareness and concern about risks of information loss

There are increasing amounts of information law, regulation and enforcement…and higher penalties

Most businesses lack control of their own information - NEVER OUTSOURCE A PROBLEM…

Data issues Who owns the data

The customer of course, but you’d be surprised … When should you be able to get access to your data?

Any time, and in usable format, but you’d be surprised …

Put in place effective back up, DR, regime, etc What about regulatory, auditor access?

Regulatory access, etc should be guaranteed whenever sought

Data protection Build in contractual assurance around:

Export of data to third countries (e.g. USA, India) Security, access standards Commitments as to no supplier use without express consent, etc

Real world points Assess risk before you do the deal and how you manage it

Ask yourself: What’s the worst that can happen? How easy is it, long would it take, to bring back in house/move to an alternative?

Avoid supplier over dependence Check out supplier stability, etc

Agree exit/disengagement management regime up front Even if fault/disputed termination ‘Fix first argue later’ Get your data back immediately!

You want to avoid litigation!! Know your contract! Effective governance regime Internal dispute escalation up through both organisation

often the best way

What happens if it all goes wrong - remedies

Questions?

Thank you

Richard Kemp

Partner

Kemp Little LLP

richard.kemp@kempilttle.com

Tel. +44 (0) 20 7710 1610