The growth of cloud computing in Australia has been exponential and analysts forecast that cloud computing will dominate the Australian IT landscape within the next decade.
It has a reputation for delivering economies of scale, reducing overheads and driving increased efficiencies within organisations. However, the reality is that, like any IT procurement, implementing a cloud computing solution for your business still requires careful planning, effective project management, robust contracts and sound oversight.
Russell Kennedy Lawyers delve into the risks and rewards of adopting Cloud Computing in Australia.
Cloud computing in Australia - Separating hype from reality
1. Cloud Computing in Australia: Separating Hype from Reality
Craig Subocz
BE (Hons), LLB, LLM, Grad. Cert. in Entrepreneurship & Innovation
Senior Associate
7 May 2014
2. Disclaimer
The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the presenter directly.
3. Agenda
• The use of cloud computing in Australia
• The risks of cloud computing
• Risk minimisation strategy
7. Risks - Security
• Secure access to data
• Customer access
• Provider access
• Secure data transfer
• Identity management
• Architecture security
8. Risks - Confidentiality
• A key risk magnified if your provider has access to your data
• Essential to manage the risk of inadvertent disclosure of your confidential information
• Contractual provisions protecting confidentiality of your information assist
• Issue of proof may be difficult
9. Risks - Privacy
• New privacy laws from 12 March 2014
• Private entities with annual turnover exceeding $3 million bound by the Privacy Act and the Australian Privacy Principles
• APP 8 deals with cross-border disclosure of personal information (NB: not use of personal information offshore)
10. Risks - Privacy
• APP 8 – two choices
  • APP 8.1: Before disclosure, reasonable steps to ensure recipient does not breach APPs
    • Due diligence on provider pre-contract
    • Contract provisions
  • APP 8.2: Several options
    • Reasonable belief about o/s laws
    • Individuals consent to disclosure
    • Disclosure authorised or required by law
11. Risks - Privacy
• Victorian government agencies still bound by Information Privacy Act 2000 (Vic) and IPP 9.
• Can only transfer information about an individual to someone outside Victoria if:
  • Reasonable belief about the law binding the recipient
  • The individual consents
  • Transfer is necessary for the performance of a contract between you and the individual
  • Transfer is necessary for the performance of a contract between you and a 3rd party for the benefit of the individual
12. Risks - Privacy
How can an entity use a cloud provider based outside Australia?
• Informed consent of individuals – how practical?
• Reasonable belief about the laws binding the provider – what happens if location(s) of provider’s data centre(s) change?
• Capacity to contract with provider – how strong is your bargaining position?
13. Risks - Privacy
• Other APPs (IPPs) are also relevant.
  • APP 10 – quality of personal information
  • APP 11 – security of personal information
  • APP 12 – access to personal information
  • APP 13 – correction of personal information
• But consider all the Privacy Principles
14. Risks – Intellectual Property
• Service, not software, provided
• Sufficient IP rights needed
• Different considerations apply depending on context
  • Public cloud versus private cloud
15. Risks – Service Levels
• What service levels are appropriate?
• What is the risk to your business if the cloud service fails to meet the service levels?
  • Reputational risk
  • Legal risk (including contract breach)
• What rights and remedies do you have if provider fails a service level?
16. Risks – Disaster Recovery
• You trust your provider to keep your data safe
• This trust is earned through assessing how a provider will react to a disaster event
• Assess whether trusting your critical systems to cloud is worth the risk
  • What contingencies do you have to mitigate against a disaster event affecting your business?
  • Weigh this against the benefits of moving to cloud
17. Risks – Termination & Transition-Out
• Nothing lasts forever
• What procedures are in place to transition out from your engagement?
  • What assistance will the provider give?
  • At what cost?
  • Who pays?
• Effect of provider’s insolvency
• What happens to your data at the end of the engagement?
18. Risk Mitigation Strategies
• Minimising legal risks
  • Pre-contract
  • During contract
  • Post-contract
• Minimising practical risks
  • Risk management plan
  • Be cognisant of what you have agreed with your provider
19. Risk Mitigation Strategies
• Pre-engagement
  • Why cloud?
  • Due diligence (including evaluation)
  • Vendor selection
• During engagement
  • Regular reports
  • Regular project meetings (if possible)
  • Audit rights
• Post engagement
  • Clear, unambiguous transition arrangements and knowledge transfer
  • Safeguarding privacy and confidentiality
20. Pre-Engagement
• Why move to the cloud?
  • Identify a clear business need
  • Why is this model the preferred delivery model?
• Who can robustly deliver your requirements?
  • Cloud computing growing but still relatively new
  • Who has a track record for delivery?
• Identify your minimum requirements
  • Minimum service levels
  • Compliance with your statutory obligations
  • Located in Australia?
• Evaluate potential suppliers
  • Tender process
  • Proof of concept
  • How will they handle a transition-out?
21. Risk Mitigation Strategies – Pre-Engagement
Plan for the following risks:
• Security breaches
• Misuse/unauthorised disclosure of confidential information or personal information
• Adequate IP rights secured
• Clear service levels and remedies for service level non-compliance
• Clear means for a “graceful exit”
22. During Engagement
• Non-compliance with privacy laws (APP 1)
  • Physical locations of data centres – which laws apply?
  • Is the provider bound to hand over personal information to foreign governments?
• Transfers between data centres (APP 8/IPP 9)
  • Right to be notified if provider seeks to transfer your data to a new centre
• Notification of breaches (APP 11/IPP 4)
  • Responsibility for conducting investigations into breaches
24. During Engagement
• Seek information on service level compliance
  • Regular written reports
  • Dashboard software
  • Independent audits keep provider honest
• Customer remedies for non-compliance with service levels
  • Are service rebates your only remedy?
  • Need flexibility regarding serious or repeated breaches
25. During Engagement
• What happens if a disaster event occurs and the data needs to be restored?
• Ensuring clear lines of responsibility and communication
• Disaster recovery and business continuity plan to be provided before contract starts
• Plan to be updated, maintained and tested during contract term.
• Verification that the plan is functional essential to maintaining your trust in the provider
26. Post-Engagement
• Data transfer post expiry or termination
  • Immediate transfer as a provision in the contract
  • Transfer to the customer directly or to new provider
• When the cloud provider becomes insolvent
  • Customer may deal with a liquidator – different priorities to the cloud provider
  • Understand rights of controller under Corporations Act to dispose of assets
27. Post-Engagement
• Survival of key obligations
  • Privacy
  • Confidentiality
• Customer should ensure that provider no longer holds customer’s data following the contract
  • Possible conflict with data protection laws in data centre locations