At McCarthy Tétrault's 3rd Annual Technology Law
Barry Sookman, and panelists John LeBlanc of Scotiabank and
David Crane of McCarthy Tétrault, led a discussion on
procuring and contracting for cloud-based services. Top takeaway
tips from the session include:
Cloud is Everywhere: Be cognisant that software
and services that use the cloud may be in use in your organization
without your legal team's knowledge – including employee
teams using collaboration or information tools (like dropbox or
box.net) for small projects or one-off uses that haven't gone
through a typical procurement process (or legal review). Another
example is the use of ancillary product features, like a backup
function, or an intelligent personal assistant on a smartphone or
tablet (which may send queries or tasks to the service
provider's server for processing, and in some cases
Third Party Assurance Reports: Customers can
obtain some comfort with respect to a service provider's
internal controls by getting a third party assurance report. In a
separate blog post, David Crane
explains what to ask for when requesting a Canadian Standard on
Assurance Engagement report ("CSAE report"). Also
consider asking for more specialized reports (like Payment Card
Industry Data Security Standard (PCI
DSS) certification) for services to which they are applicable.
However, obtaining a third party assurance report would not
necessarily replace the role of an audit right.
You should also keep in mind that many standards are not
"cloud" specific and so, in some cases, supplemental
control testing may be appropriate. A number of industry
associations and standards bodies are working on cloud-specific
standards and guidelines (from both a security and an
interoperability perspective), but for now no clear industry-wide
standard has emerged.
Finally, remember to make it clear, where appropriate, that
internal control audit (and other audit) obligations extend to
applicable subcontractors of the cloud service provider.
Location of Data: The technical architecture,
along with the business model, of many cloud services can make it
difficult to precisely limit, or know, the location of your data.
For some customers, and some data, this is acceptable and
worthwhile in order to take advantage of other benefits. For
others, it presents a risk that needs to be mitigated. For others
still, it may be a barrier that prevents them from being able to
use the service.
For example, financial institutions engaging in a material
outsourcing subject to OSFI Guideline B-10 may need a solution that
allows them to know the location of their data.
Where a service provider will be handling personal information,
customers need to make sure that requirements under PIPEDA, and its
provincial equivalents, are met. One way to ensure
compliance, or to mitigate the risk of falling afoul of privacy
legislation, is to require your service provider, by contract, to
maintain a level of security protection generally equivalent to the
level of protection the information would receive if it had not been
transferred. Appropriate consents will also need to be obtained
from the individuals whose personal information is being handled.
Further prohibitions exist in certain provinces (such as British
Columbia) on public sector actors where personal information may be
handled outside of Canada.
Continuity During the Term: In many cases,
where a cloud service is provided as a shared service, it may be
unrealistic for a single customer to receive custom business
continuity or disaster recovery planning in respect of the service.
However, customers should still require the service provider to
have appropriate plans in place, to provide a summary of the plans
(at an appropriate level of detail), and, in many cases, to commit
to testing these plans. It is not enough for the provider to tell
you these plans are in place; these obligations should actually
be reflected in the contract.
Continuity After the Term: Some standard cloud
service contracts only provide a short window after termination or
expiration of the contract for you to obtain a copy of your data
(and in some cases no right is expressly provided at all!). It is
important to address these deficiencies in the contract so that you
always have an acceptable level of access to your data. You should
also consider addressing the format in which the data will be
returned/made available and, where appropriate, the provision of
[For more cloud computing takeaways, see
this blog written about the cloud computing panel from the 2012