What are the legal implications of moving into the Cloud? ICAEW, 24 September 2010 Richard Kemp...
What are the legal implications of moving into the Cloud? ICAEW, 24 September 2010
Richard Kemp, Senior Partner, Kemp Little, Solicitors, London [email protected]
SaaS
Cloud Computing
Utility Computing
1940s 1950s 1960s 1970s 1980s 1990s 2000s 2010s
1940s: Adoption of programmable computer
1957: IBM introduces FORTRAN programming language
1964: IBM introduces System 360 computer family
1969: the software industry is born as IBM unbundles hardware & software
1981: Microsoft develops MS-DOS
1971: Intel 4004 – the first micro-processor developed
1981: IBM launches PC
1995: Netscape IPO; Bill Gates’ ‘Internet tidal wave’ memo
2001: .com bust
Early 2000s onwards: broadband replaces dial up internet
Mid ‘60s to early ‘80s: IBM heyday
‘80s: rise of the PC
‘90s to mid-00’s: Wintel heyday
Mid ‘00s onwards: Google heyday
hardware
software
internet
1985: open source FSF set up
1970: UNIX released by AT&T
mid ‘00s onwards: open source (OSS) in the mainstream
services
ASP adoption
1990: Microsoft launches Windows 3.0
1993: Linux
‘90s: rise of laptops
‘00s: rise of PDAs
1984: Apple Mac launched
2004: Google, salesforce.com IPOs; ‘web 2.0’ coined
2008: Google Chrome, Microsoft Windows ‘in the Cloud’ (Azure) launched
2007: IPO of hypervisor developer VMware
Outsourcing ITO BPO LPO, etc
‘anytime anywhere’ devices
Smartphones, iPad, etc
The rise of service based computing
‘Software as a licence’
Outsourcing
ASP - 1 to 1
SaaS – 1 to many, built for the web, pay per use
Cloud – massively scaled
Utility – aggregated resources, supplied on metered basis
Evolution of service based computing
Essence of service based computing
ASP
Application service provision
Hosted application management
‘your server room, not mine’
SaaS
‘built for the web’ application
‘web ready’ customer services
‘one to many’ secure delivery model
Consumer and professional markets
Incremental pay per use basis
e.g.: Salesforce.com
Cloud
‘massive scalability’
Mass market availability via the internet
of IT-enabled, scalable resources provided as a service
Bigger & bigger data centres
e.g.: Azure
Utility
Aggregated resources (input, programming, processing, storage, output, comms, etc)
packaged into the service the customer wants
and supplied on a metered basis
Increasing prevalence of and reliance on technology
Improved internet/networking connectivity
IT costs increasing – personnel/hardware/software/storage
Too much bespoke tailoring and risk in ‘traditional’ models
Difficult for in-house teams to keep up let alone innovate whilst keeping a lid on costs
Business Drivers/Benefits
Cloud Issues – data loss
Cloud Issues – Internet outage
Cloud Issues – service availability
Cloud/outsourcing contracts – the similarities: emperor’s new clothes?
Outsourcing
1. Services procurement: accent on performance, exit, etc
2. Buying in specialist expertise to improve efficiency/reduce cost
3. Aim to avoid locking up capital in i/s - move to expense model
4. Typically function based: IT, AR, HR, LPO, etc function done in house before
5. At least an element of remote service provision (off/on/right shoring)
6. ‘Grown up’ services contracts: devil is in the detail
Cloud/SaaS
1. Services procurement: accent on performance, availability, exit, etc
2. Buying in specialist expertise to improve efficiency/reduce cost
3. Aim to avoid locking up capital in i/s - move to expense model
4. Typically function based: CRM, Accounts function done in house before?
5. Remote service provision
6. ‘Grown up’ services contracts: devil is in the detail
Cloud/outsourcing contracts – the differences
Outsourcing
1. Custom deal – service tailored to client
Previously carried in-house
Supplier moulds plug to client’s socket
2. Supplier responsible for delivery: KPIs part of service metrics/SLA
3. Assets/staff may transfer over: HR TUPE transfers and related issues
4. Pricing/payment models: annual fee/complex pricing models/gainshare
5. Service development customisable: agree improvement regime at outset
6. Deals still longer, more complex, higher value: multisourcing – supplier management an issue
Cloud/SaaS
1. ‘One to many’ model: customisable, but commodity service
Client moulds socket to supplier’s plug
2. Customer takes Internet availability risk? How do you deal with service levels?
3. Generally no transfer agreement, but beware ambit of TUPE
4. Pay per use basis
5. Customer gets improvements as released: less customisable
6. Deals shorter, lower (but increasing) value
What really matters in a SaaS/cloud contract
1. Performance
Key service metrics (response times, throughput, volumes, etc)
‘room at a hotel’
2. Availability
Internet delivery enabled – bandwidth, speed, etc
So who bears the risk of outages, slow response times
3. Data Security, regulatory
Check you can get it back (i) at any time (ii) in usable form
4. Regulatory
Increasing importance – not just data privacy
Access, audit, etc
5. Exit
Think about exit/disengagement on the way in!
Avoid supplier dependence
Data privacy and security
The amount of information we store is increasing exponentially
There is an increase in incidents and severity of losses or theft of information
There is increasing media, public and government awareness and concern about risks of information loss
There are increasing amounts of information law, regulation and enforcement…and higher penalties
Most businesses lack control of their own information - NEVER OUTSOURCE A PROBLEM…
Data issues
Who owns the data?
The customer of course, but you’d be surprised …
When should you be able to get access to your data?
Any time, and in usable format, but you’d be surprised …
Put in place effective back up, DR, regime, etc
What about regulatory, auditor access?
Regulatory access, etc should be guaranteed whenever sought
Data protection
Build in contractual assurance around:
Export of data to third countries (e.g. USA, India)
Security, access standards
Commitments as to no supplier use without express consent, etc
Real world points
Assess risk before you do the deal and how you manage it
Ask yourself: What’s the worst that can happen? How easy is it, how long would it take, to bring back in house/move to an alternative?
Avoid supplier over dependence
Check out supplier stability, etc
Agree exit/disengagement management regime up front
Even if fault/disputed termination
‘Fix first argue later’
Get your data back immediately!
You want to avoid litigation!!
Know your contract!
Effective governance regime
Internal dispute escalation up through both organisations often the best way
What happens if it all goes wrong - remedies
Questions?