
MULTI-JURISDICTIONAL GUIDE 2013/14

OUTSOURCING

This article was first published in the Outsourcing Multi-Jurisdictional Guide 2013/14
and is reproduced with the permission of the publisher, Thomson Reuters.
The law is stated as at 1 September 2013.



Country Q&A

Cloud computing: a primer for outsource
lawyers
Martin P J Kratz, QC, Duncan Card and Michael Whitt, QC
Bennett Jones LLP
practicallaw.com/4-518-5181

The business advantages of cloud computing are compelling, and
will undoubtedly push more businesses, large and small, to
consider using cloud services to replace or enhance current
computing resources. However, adopting cloud computing involves
the same principles and concepts of an outsourcing transaction,
since the business relies on the provision of data processing and
other technological services from third parties outside your
enterprise. One of the main areas of common ground is that
concepts relating to goods or licensing have little or no application
because the cloud consists primarily of a provision of services. That
distinction provides unique challenges for companies (and their
lawyers) adopting cloud service arrangements over internal
computing infrastructure.
Against this background, this article examines the following:
- What is cloud computing?
- Cloud computing arrangements.
- Cautions when using cloud computing.
- Contract checklist.
WHAT IS CLOUD COMPUTING?
The cost of maintaining and installing a company's data hardware
and software infrastructure can be prohibitive. As with other IT
outsourcing strategies, many enterprises are increasing their
reliance on a web-based, metered-use, automatically provisioned
shared system that can be delivered on demand through a single
service provider, commonly referred to as cloud computing. Low
capital cost and higher deployment and scaling efficiencies provide
a competitive edge to many businesses. Accessing data through
the internet using off-premises software and hardware can also
allow a business' customers to access and analyse up-to-date data
on demand, and can improve the speed and ease with which
information can be collected and used.
The National Institute of Standards and Technology defines cloud
computing as (NIST, 8 July 2011):
"a model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (for example,
networks, servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal management effort
or service provider interaction."
A key concept of cloud computing is that the service is provided
through the internet using shared infrastructure. Another
important feature of cloud computing is scalability, meaning that
the services and resources of the business can be scaled up or
down based on demand, and on an automatically provisioned and
metered-use basis. Scalability allows businesses greater flexibility
in terms of costs of maintaining an IT infrastructure.


This article refers to the following three broad types of cloud
services:
- Internal utilisation (internal cloud).
- Internal to (and within the controlled infrastructure of) the third
  party service provider (private cloud).
- Various degrees of access to computing resources that are
  external to any one particular third party service provider
  (including "hybrid cloud", "community cloud", or "public
  (distributed) cloud" computing).
Depending on the nature of the services that are performed, all
three of those cloud computing structures may be framed as any
of:
- "Infrastructure as a service" (IaaS).
- "Platform as a service" (PaaS).
- "Data as a service" (DaaS).
- "Software as a service" (SaaS).
- "Everything as a service" (EaaS) (as Hewlett-Packard markets).
Infrastructure as a Service
The IaaS market was estimated to be worth about US$6.1 billion in
2012 and is estimated to grow to about US$9 billion in 2013.
Examples of companies operating IaaS include Amazon and
Qwest. Both Microsoft and Google entered the market in 2013 with
the public launch of their own IaaS products.
IaaS consists of cloud-based, usually virtualised servers,
networking, and storage, which the customer is free to manage as
required. Billing is typically on a utility or metered-use computing
model: the more of each that you use, the more you pay.
In this model the customer can obtain from one or more cloud
providers the network, storage, processing and other essential
computing infrastructure resources. The customer does not
manage or control the data centre or network but the customer
may have control over the data and operating systems placed into
the infrastructure sourced from the IaaS providers.
Platform as a Service
Worldwide PaaS revenue was estimated to be worth
about US$1.2 billion in 2012 and is estimated to grow to US$2.9
billion by 2016. Examples of companies operating PaaS are
Microsoft and Google.
In a PaaS scenario, the customer can use its own applications on
the cloud service provider's infrastructure. The customer does have
control over the data and the applications and in some cases the
hosting environment. The rest is provided as a shared-resource
metered service.



practicallaw.com/outsourcing-mjg
Data as a Service
As enterprises move toward "Big Data" solutions, the benefits of
being provided with required data on demand is increasingly
apparent. For example, the statistics division of the United Nations
created a data access and delivery solution based on cloud
computing called "UNdata - A World of Information". The cloud
solution allows all UN participants access to precisely defined data
that is current, without storage cost, with minimal data
management, and where the data can be dynamically altered for
new situations and uses, on demand. The "bigger" the data gets,
the more tempting it becomes to move that resource into the
cloud.
Software as a Service
SaaS is the largest and most common cloud-based service. The
SaaS market was estimated to be worth about $14.5 billion by the
end of 2012 and is estimated to grow to about US$22.1 billion by
2015. Examples of companies operating SaaS are Salesforce, Intuit,
Webex, Geminare, Syncapse and NRX.
In a SaaS arrangement, the customer accesses the cloud provider's
software applications through the internet. This is also a common
model for consumer cloud services.
CLOUD COMPUTING ARRANGEMENTS
Unlike in a conventional outsourcing, infrastructure resources in a cloud
arrangement can be far more complex. For example, many more parties are involved in
typical cloud computing arrangements. These can include:
- The end-user.
- The commercial customer.
- The cloud service provider.
- An auditor of the quality of the services being offered.
- A platform provider.
- A provider of servers.
- A data centre provider and operator.
- An operating system provider.
- Applications software providers.
- The carrier or provider of data connectivity.
- A reseller, distributor or broker who may be involved in
  managing the relationship between the customer and the cloud
  service provider.
- Consultants who can address implementation and
  configuration.
Additionally, many different types of hardware, software, and their
platforms, may be combined and utilised across many jurisdictions.
This is in reliance upon many layers of subcontractors, suppliers,
third party service providers and also clouds within clouds of
supporting and contributing infrastructure.
Furthermore, a business will often engage with a disaster recovery
or business continuity provider, as those functions will operate
differently in a cloud service model than would be usual in an
owner or outsourced model. It is not unusual for one cloud provider
to use other cloud providers as subcontractors.
Complicating matters for the customer, there is no contractual
privity between the customer and the many other parties (and tiers
of contributors) who may provide elements of the overall service.
Similarly, there are often issues surrounding governing law and
jurisdictional restrictions, knowing if (or when) a breach of a
service obligation has even occurred, and enforcement of contract and
mitigation of breach (such as of privacy or data protection
regulations, compliance with the users' local laws or reciprocal
enforcement of Court judgements).

Typical contract structures in a cloud service arrangement include:
- Terms of service.
- Service level agreement (SLA).
- Service quality verification.
- Compliance with applicable laws.
- Acceptable use policies.
- Export control (jurisdiction restriction) obligations.
- Privacy policies.
- End user licence agreements.
- Reasonable dispute resolution and remedies.
The contracting environment is complex and often more difficult in
cloud services scenarios. The fundamental nature of cloud service
offerings relies on high degrees of automation of provisioning and
metering of use, which in turn require high degrees of
standardisation of the services being offered. This militates toward
highly standardised and non-negotiable contract terms.
CAUTIONS WHEN USING CLOUD COMPUTING
The advantages of cloud computing services are undeniable. Cloud
services are quickly scalable, subscription or metered-use based
rather than capital intensive, maintained and provided by
others without adding any additional infrastructure and staff,
available and paid for only on demand, readily deployable, and
promise to be very innovative and up-to-date.
Moving to these 'as a service' cloud systems (SaaS, IaaS, and PaaS)
can be a nearly irresistible urge. For the right applications it can be
done safely and securely, if done properly. However not all business
functions can or should be moved to the cloud, and none without
careful forethought and planning.
As with all outsourcing, cloud services are provided by third parties.
However, unlike outsourcing, cloud services may not rely on
provider-owned systems. It is also significant that many cloud
services are aimed at consumers and not business or government
users. This means that the system designs of such consumer-
focused services may be built for consumer grade uses, and are not
built for mission-critical business or government applications.
Similarly, service levels and service contract terms and conditions
are aimed at individual consumers who have little, if any,
negotiation leverage.
The implications are that service guarantees, uptime and security,
jurisdictional restrictions, service reporting obligations, SLA
verification, breach of contract reporting, data integrity, and
compliance with privacy and other regulatory requirements are not
typically "baked in" to the terms and conditions of the service
contracts. That means that much care must be taken when
engaging business or governmental computing functions with
cloud services.
Therefore the following points should be considered:
Goods versus services. Systems that are owned and controlled,
even if via outsourced infrastructure providers, are operated
specifically by or for the organisation. This means that data in the
systems and the operation of the systems, the surrounding security
and integrity, and control over users and uses, are all provided by
the organisation at the direction of the organisation. Decisions
about outages, updates and add-in capabilities are made by the
organisation, with an eye to the organisation's sole benefit and its
needs and regulatory constraints.
This is what is different about cloud computing: instead of a direct control
relationship with the systems and equipment, the relationship is
one of 'purchaser of shared services'. So instead of buying
computers and licensing software, the business is buying services
from a service provider, with no tangible assets in the mix. As a
result, the custom features and handling available for an owned (or
outsourced) system are replaced by the service provider's
approach, systems and practices.
Relationships and trust. Cloud users are, of necessity, at the
mercy of the service provider. Data as well as processing facilities
and software reside outside of the physical control of the company
using the cloud services. The service provider may well subcontract
infrastructure, security, access, physical computing resources,
software, maintenance, training, configuration, and so on to third
parties, often also cloud-based operators, with whom the company
has no contractual relationship, and some or all of whom may be in
other jurisdictions. This means that there must be a higher level of
commercial proactivism, due diligence, service performance
verification (including audit rights), privacy review, data ownership,
disaster recovery and backup, and similar concerns addressed
before and in the contractual relationships between the user
organisation and the cloud provider. Special care should be applied
to the termination and transition out arrangements.
Social networking collaboration services. An ancillary part of
cloud computing is that a lot of the services in the cloud are social
networking and collaboration tools or add-ons. When layered on
top of concerns with cloud service contracting, contracting for
social networking collaboration services adds another level of
complexity to the company's analysis of security, privacy, access,
information integrity, logging and audit, performance, and
ownership and control of information and data.
Similarly, social networking and collaboration systems in the cloud
are generally aimed at consumers, with similar consumer grade
concerns with respect to contractual and system-design
protections for mission-critical and sensitive data and systems.
Business users need to address any mismatch with the needs of their
mission-critical applications and data.
Cloud computing and corporate governance. Many, if not most,
of the contractual controls over an enterprise's IT operations are
not merely technical or commercial "nice to have" features. They
are most often legal, regulatory and corporate governance
requirements that those structuring and negotiating cloud service
contracts have no authority to override and deviate from,
regardless of the business benefits of doing so.
CONTRACT CHECKLIST
There are many different commercial, technical, regulatory and
governance concerns that should be addressed during any
proposed cloud computing transactions. The following list provides
a sample of some terms that a company may wish to include in a
cloud computing contract, beyond the standard terms and
conditions:
- Services are to be provided in a "good and workmanlike" manner or with
  a "professional" standard of care.
- Data is the property and confidential information of the
  customer (or customer's customers) and will be promptly
  returned on demand in a useable format.
- Services cannot be performed (by vendor or subcontractors)
  from export control prohibited jurisdictions, especially DaaS
  and also Data Location. Some agencies are regulated as to
  where data can reside or be processed or stored (for example,
  healthcare, financial services, and public bodies).
- Reasonably comprehensive service specifications and level
  requirements. In SLA terms: watch percentage uptimes. 99%
  uptime is equal to 3.65 days downtime per year. Take care in
  definitions.
- Duty of service provider to promptly report material breach of,
  or non-compliance with, contractual obligations, including
  remedial efforts and known implications.
- Prohibition against suspension of service without sufficient
  notice from provider; bona fide fee disputes will not be a
  sufficient reason to suspend the service.
- No deletion of dormant accounts without sufficient notice to
  customer.
- Termination assistance: cloud provider is required to provide
  transition and conversion assistance so that data and
  functionality can be moved to another system after termination
  (usually at the customer's cost, but at the vendor's normal
  rates).
- Compliance with laws and regulations that are applicable to the
  service provider concerning the performance of the contract
  (including duties toward third party personal information).
- Caps on fee increases year over year, if multiple year contract.
- Litigation or regulatory change co-operation assistance (such as
  changes to privacy laws, breach reporting requirements, and so
  on) usually at the customer's cost, but at the vendor's normal
  rates.
- System as specified and operated will not infringe third party
  confidentiality or IP rights.
- Vendor accepts responsibility for data losses caused by Vendor
  or "subcontractors" and obligation to provide disaster recovery
  plan (beforehand) and assistance (afterward) at no additional
  cost.
- Reasonable risk allocation and liability limitation provisions,
  including for criminal conduct, fraud, intentional harm or
  malfeasance. Consider also risk allocation for gross negligence
  or wilful disregard for enterprise's interests. Are there statutory
  risks for privacy failures that must also be allocated?
- Vendor is obliged to identify third party service providers and
  subcontractors, and the customer has the right to audit. (There
  is not much else the customer can do.)
- Service verification, including customer's right to audit, access
  to key subcontracts, data recovery and backup plans
  (periodically) and vendor duty to report (auditable) service level
  compliance (uptime, lag and latency, and so on).
- No secondary commercial use or disclosure of customer data (or
  the customer's customers' data) by cloud provider or its
  subcontractors.
- Regulatory and customer enquiry or complaint "pass-through"
  obligations (on the vendor) so that the customer is not
  blind-sided.



Practical Law Contributor details

Martin P J Kratz, QC
Bennett Jones LLP
T +403 298 3650
F +403 265 7219
E kratzm@bennettjones.com
W www.bennettjones.com

Professional qualifications. Canada (Alberta), 1985; Trademark
Agent, 1985; Queen's Counsel, 2009
Areas of practice. Outsourcing; intellectual property; information
technology; licensing and technology transactions; procurement;
data protection; privacy; e-commerce; technology and intellectual
property M&A.
Recent transactions
- Acting for international energy business in relation to acquisition
  of advanced energy technology and intellectual property.
- Large IP due diligence and offshoring transaction associated
  with multi-national acquisition of multi-billion dollar
  international oil and gas services technology.
- Large IT procurement project in energy sector.
- Patent litigation matters (strategy, freedom to operate,
  invalidity, infringement, enforcement) relating to clean
  technology, solar energy, oil and gas, pharmaceuticals and
  e-commerce.
- Acting for cloud service provider in numerous cloud based
  transactions with blue chip customers.
- Acting for social media analytics service provider in numerous
  social media transactions with blue chip customers.


Duncan Card
Bennett Jones LLP
T +416 777 6446
F +416 863 1716
E cardd@bennettjones.com
W www.bennettjones.com

Professional qualifications. Canada (Ontario), 1984; Bermuda,
1984
Areas of practice. Outsourcing; procurement transactions;
technology.
Recent transactions
- Several large multinational offshore IT outsourcing transactions.
- Shared service infrastructure transactions in the public sector.
- Major open access intelligent community communications
  infrastructure transaction.
- Large international technology procurement transaction,
  including cross-border technology transfer, development
  services and all related supply arrangements for the Bank of
  Canada.





Michael Whitt, QC
Bennett Jones LLP
T +403 298 4448
F +403 265 7219
E whittm@bennettjones.com
W www.bennettjones.com

Professional qualifications. Canada (Alberta), 1979; Trademark
Agent, 1994; Patent Agent, 2001; Queen's Counsel, 2008
Areas of practice. Information technology; licensing and
transactional intellectual property; agency; licensing and
commercialisation; litigation support healthcare; information
technology and data protection; transactions privacy and data
protection; regulatory compliance and response (transaction-
related).
Recent transactions
- Large data system re-tooling project for regional healthcare
  provider organisation - consulting and licensing transaction.
- Large IP due diligence, IT due diligence and IT migration
  associated with multinational acquisition/divestiture of
  multi-billion dollar Canadian mid-stream oil and gas assets.
- Large IT and IP procurement project for heavy oil upgrading
  facilities.
- Multi-family patent applications related to
  upgrader/refinery processes and facilities - originating drafting,
  prosecution and portfolio strategy.
- Patent litigation matters (strategy, invalidity, infringement,
  enforcement) relating to heavy oil facilities, down hole MWD
  telemetry tools, injector/lubricator bodies in oil and gas sector.
- Canada and international data breach response, major national
  professional services firm.
