One can't help be see in the news these days all the uncertain weather, terrorist threats, and potential interrupted utilities. Just look at what happened in Chicago with traffic control for the airlines. No working DR plan there.
Contrary to popular belief, most companies and organizations categorize business continuity planning as risk aversion or an insurance policy. Although similar, business continuity planning comprises the steps, policies and procedures that are activated once a disaster has occurred. The object is to recover as quickly as possible so you can minimize downtime. Having a plan in place saves time, money, and possibly your entire company. So why so few have one? Test it? Interesting...........
Here are some favorite questions we get asked all the time:
What type of disasters could impact my business?
Last year, New England suffered through a tornado, hurricane and earthquake over a short period of time. Imagine those events ripping through your company. Beyond those obvious disasters, there are things like computer outages, fires, floods, cyber-attacks, viruses, and a whole host of situations that could affect your organization. Bottom line: Be prepared for the worst-case scenario: a loss of your entire organization, including the physical structure and personnel. Organizations always forget about the staff. Plan on your local staff not being available in your plan.
So if I have a major disaster, how does a business continuity plan help?
A business continuity plan will not prevent the earthquake, flood or most other types of disasters from happening. What a tested business continuity plan could do is potentially save you thousands, if not millions, of dollars in production losses, your reputation as a business, and your customers and clients. Here's one example. A large manufacturing client in Central Massachusetts says it cannot afford to be down for any length of time. They sometimes have two or three shifts working. It's estimated that if the company was shut down for just one week, it would lose $5 million in production. A clear, concise business continuity plan with policies and procedures could cut that downtime to two or three days. Also, if your competition and your clients find you've suffered a disaster and you cannot respond in a timely manner, your business begins to erode and your clients move to other companies. Once you lose the confidence of your clients, it's extremely difficult to recapture them. Engage the entire organization in the planning and testing. Their input is very important.
The business continuity plan is an organizational plan, and every employee has a stake in the planning, up keep and ownership. When the time comes to utilize that plan, it will take the entire team to ensure success.
Arnett Group not only can help you plan, but test, communicate, train and design your response to any situation.
Keep it positive!
Scott Arnett
scott@arnettservicesgroup.com
www.arnettservicesgroup.com
About Me
- Scott Arnett
- Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.
Wednesday, October 1, 2014
Tuesday, September 30, 2014
New Website
Change is always a good thing. This is a positive change for Arnett Group.
Please check out our new website.
www.arnettservicesgroup.com
Please check out our new website.
www.arnettservicesgroup.com
Thursday, February 6, 2014
Video Conference - Corporate Tool or Toy?
There are many advantages to having a Video Conference Solution - big or small organization. Even with more and more home based staff, the tool is essential. Communication, collaboration and effective meetings.
Video conferencing has long been thought of as the technology for the big guys, the ones handling mergers and acquisitions and the like - not something the average business could afford or make use of. In the last few years, the advancement in technology, bandwidth affordability, and the business capability drive has changed a few notions around this tool. Video conferencing is not only a viable technology for business of any size but a necessity.
The technology of many video solutions today will interface with other solutions, making it a more open use, and not just a closed or proprietary toolset. That opens the door to many more applications of use and leverage - more than just meetings.
We always hear many customers say that video conference solutions are to complicated, to expensive, and not worth the investment. We always say, stop, take a moment to see how far these solutions have come, how more user friendly they are, the simplicity and quality. Plus the cost has come down - there are more solutions on the market today.
Check out http://www.arnettservicesgroup.com/video-conferencing.html
In my opinion, this technology has gone from corporate toy to a real business tool. SMB can really benefit from the many new video solutions on the market today. Let's us not only show you, but build some process and organizational function around the tool to get your ROI.
Keep it positive!
Scott Arnett
www.arnettservicesgroup.com
Video conferencing has long been thought of as the technology for the big guys, the ones handling mergers and acquisitions and the like - not something the average business could afford or make use of. In the last few years, the advancement in technology, bandwidth affordability, and the business capability drive has changed a few notions around this tool. Video conferencing is not only a viable technology for business of any size but a necessity.
The technology of many video solutions today will interface with other solutions, making it a more open use, and not just a closed or proprietary toolset. That opens the door to many more applications of use and leverage - more than just meetings.
We always hear many customers say that video conference solutions are to complicated, to expensive, and not worth the investment. We always say, stop, take a moment to see how far these solutions have come, how more user friendly they are, the simplicity and quality. Plus the cost has come down - there are more solutions on the market today.
Check out http://www.arnettservicesgroup.com/video-conferencing.html
In my opinion, this technology has gone from corporate toy to a real business tool. SMB can really benefit from the many new video solutions on the market today. Let's us not only show you, but build some process and organizational function around the tool to get your ROI.
Keep it positive!
Scott Arnett
www.arnettservicesgroup.com
Friday, January 10, 2014
Your Bucket List
Start of another year, and reflection of the past year or years is always a good thing. Perhaps it will help you develop new resolutions for the upcoming year.
Most of us have seen the movie Bucket List, and if not, you should. It should not take getting sick to realize life has slipped by and you have not done all you want to do, but many times that is reality. We get busy in careers, chasing titles, financial goals, or even keeping up with the Jones and wake up one day, look in the mirror and say how did I get here. How did I get so old, when did the kids leave, why don't I have fun anymore, why am I working so hard, what is going to happen to me?
So what is on your Bucket List? Travel? NASCAR Event? Meeting someone? If we had a list we kept current and take the time to do something for ourselves each week, perhaps life will be more fulfilling. Working on your priority list each day should have something on there I would call "life" - lunch with a friend, dinner with your wife, golf or a child's event. If your entire list is nothing but work related - time to adjust.
We ask ourselves many times why did God allow me to get ill, or in an accident, why did this happen to me? Maybe he wants to slow you down so you take time to find what is important in life again. Perhaps, reset priority and find what truly is important in life.
Life truly does go by very fast, and each day brings something new, we don't know what, each new day is a true surprise. So make the best of it, keep it positive, and do something special for someone. When your time comes, be able to say I had a great life, and made a difference for others, and had great experiences.
Keep it positive!
Scott Arnett
scott@arnettservicesgroup.com
www.arnettservicesgroup.com
Most of us have seen the movie Bucket List, and if not, you should. It should not take getting sick to realize life has slipped by and you have not done all you want to do, but many times that is reality. We get busy in careers, chasing titles, financial goals, or even keeping up with the Jones and wake up one day, look in the mirror and say how did I get here. How did I get so old, when did the kids leave, why don't I have fun anymore, why am I working so hard, what is going to happen to me?
So what is on your Bucket List? Travel? NASCAR Event? Meeting someone? If we had a list we kept current and take the time to do something for ourselves each week, perhaps life will be more fulfilling. Working on your priority list each day should have something on there I would call "life" - lunch with a friend, dinner with your wife, golf or a child's event. If your entire list is nothing but work related - time to adjust.
We ask ourselves many times why did God allow me to get ill, or in an accident, why did this happen to me? Maybe he wants to slow you down so you take time to find what is important in life again. Perhaps, reset priority and find what truly is important in life.
Life truly does go by very fast, and each day brings something new, we don't know what, each new day is a true surprise. So make the best of it, keep it positive, and do something special for someone. When your time comes, be able to say I had a great life, and made a difference for others, and had great experiences.
Keep it positive!
Scott Arnett
scott@arnettservicesgroup.com
www.arnettservicesgroup.com
Monday, January 6, 2014
Cloud Computing Contracts and Cloud Outages
Happy New Year! I'm Bob Lankey, still filling in for Scott. I want to continue our series on Cloud Computing legal challenges and awareness. Today we are talking about Cloud Computing Contracts and Cloud Outages. Oh - those outages can have an impact on your operations, and potential financial portfolio.
The past few years have provided numerous examples of significant service interruptions at major providers. Amazon AWS service was down for 12 to 30 hours, affecting many companies that rely on Amazon services, including Foursquare, Hootsuite, Quora and Reddit. We saw the Sony PlayStation service was interrupted, being the victim of a massive hack attack. Most recently, there were outages with Microsoft’s Business Productivity Online Services, and Google’s Blogger service.
When a cloud service goes down, users lose access to their data; they may also be deprived from the processing capabilities that are provided as part of the cloud offering. In turn, they may be unable to provide services to their own customers, and be exposed to significant liability for failure to provide these services. When is a cloud user compensated for the loss of service, and to what extent? Let’s examine some cloud computing contracts and their provisions for cloud outages.
Service providers will disclaim their liability in their “Terms of Service,” or “Terms and Conditions.” This is usually achieved through Disclaimer of Warranty and Limitation of Liability provisions. Some contracts also include a limitation of damage provision.
The Disclaimer of Warranty states that the company makes no warranty with respect to the service, including, no warranty that the service will be available, or will not lose the data. Many times no warranty stated or implied around security.
For example, many entities -- including businesses -- have come to rely on YouTube to publish information in video format. The YouTube service is provided free of charge, and is funded through the advertising revenues that are generated from displaying ads related to the content being viewed.
The YouTube Terms of Service Disclaimer of Warranty provision (section 9) states:
YOU AGREE THAT YOUR USE OF THE SERVICES SHALL BE AT YOUR SOLE RISK. …. YOUTUBE …. DISCLAIM [S] ALL WARRANTIES, EXPRESS OR IMPLIED, IN CONNECTION WITH THE SERVICES …. YOUTUBE …. ASSUMES NO LIABILITY OR RESPONSIBILITY FOR …. (IV) ANY INTERRUPTION OR CESSATION OF TRANSMISSION TO OR FROM OUR SERVICES, (IV) ANY BUGS, VIRUSES, TROJAN HORSES, OR THE LIKE WHICH MAY BE TRANSMITTED TO OR THROUGH OUR SERVICES BY ANY THIRD PARTY ….
Limitation of Liability provisions are intended to limit the scope of liability in terms of the nature of the liability, such as liability for direct or consequential damages, or liability for negligence. Limitation of Damages provisions limit the dollar amount for any liability, and state the maximum amount of damages for which the provider might be responsible. For example, the YouTube Terms of Service Limitation of Liability provision (section 10) states in part:
IN NO EVENT SHALL YOUTUBE …. BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL ….. DAMAGES …. RESULTING FROM …. (IV) ANY INTERRUPTION OR CESSATION OF TRANSMISSION TO OR FROM OUR SERVICES, (IV) ANY BUGS, VIRUSES, TROJAN HORSES, OR THE LIKE, WHICH MAY BE TRANSMITTED TO OR THROUGH OUR SERVICES BY ANY THIRD PARTY ….
In other words, whether you have uploaded a clip of last Sunday’s picnic, or the installation instructions for a sophisticated piece of equipment that your business sells, YouTube will not compensate you if its network goes down or is attacked. There will be no compensation for loss of service or for loss or corruption of the data. And no compensation for the loss of business if your customers return their purchases because they could not access the installation instructions and were unable to install the products they purchased from you.
Thus, while using a free service is financially attractive, this is true only to the extent that the service operates without problems. If there is any loss of connection, processing capability or data -- there may be significant consequences for the users of these services. The service provider will not compensate for any of these losses. As the saying goes, “There is no such thing as a free lunch.”
In addition, if a virus passed through by use of this service and impacts your operations or your customers operation, the cloud provider is not responsible as stated in the contract. Worth the risk?
In order to find out what terms a cloud service provider offers to address a service interruption, you should look at the contract for these services, which may be found in several documents. First, look at the Services Agreement. This is usually the main agreement that defines the terms and conditions for access to the service. There, you may find a provision that describes the cloud provider’s commitment to provide continuous -- or almost continuous -- service.
For example, the Salesforce.com Master Services Agreement describes the company’s commitment to provide services 24 hours a day (see Section 4.1), except for planned downtime and a number of specific circumstances out of the company’s control, such as denial-of-service attacks. The company also makes a commitment to protect the security, confidentiality and integrity of the user’s data (see Section 4.2). This is key statement in regards to the commitment to security.
Some companies supplement their general terms and conditions with a separate Service Level Agreement (SLA) For example, in addition to its service agreement, Rackspace Cloud Terms of Service, Rackspace uses several SLAs.. The Rackspace Cloud Servers SLA provides:
Network
We guaranty our data center network will be available 100% of the time in any given monthly billing period, excluding scheduled maintenance. Make sure you understand their BCP/DR architecture and process/plan.
The document defines “scheduled maintenance” as “maintenance that is announced at least ten business days in advance, and that does not exceed sixty minutes in any calendar month.” There is no explanation of what happens if “scheduled maintenance” needs to take more than sixty minutes in a calendar month. Since this does not fit under the definition of “scheduled maintenance,” what is it?
The basic result is the same in both contract structures (i.e., single services agreement or services agreement combined with an SLA). If the service were interrupted, one or several of these clauses -- in the Services Agreement or in the SLA -- would be the basis for defining the bargain between the two parties.
Some contracts are very specific about the way the cloud provider will compensate the client for the damages resulting from a service interruption. For example, the Rackspace Cloud Servers SLA provides:
Credits
If we fail to meet a guaranty stated above, you will be eligible for a credit. Credits will be calculated as a percentage of the fees for the Cloud Servers™ adversely affected by the failure for the current monthly billing period during which the failure occurred (to be applied at the end of the billing cycle), as follows:
Network: Five percent (5%) of the fees for each 30 minutes of network downtime, up to 100% of the fees. …
Limitations
…. This Service Level Guaranty is your sole and exclusive remedy for Cloud Servers™ unavailability. So make sure you understand that. You should consult with your legal staff on this important part of the agreement.
Note that the compensation will only be for the loss of service, and will amount only to a percentage of your monthly service fee. There is no compensation for the loss of data, business, reputation or other loss. These terms are consistent with what is generally offered in the industry, but does not mean you should just accept it for your business. Do your homework, and find what risks the business is willing to take.
Read slowly and carefully. Most of these clauses provide some compensation for the unavailability of the services, typically as a percentage of the monthly fee, but not much else.
Ensure the method of calculation is clearly defined. For example, what constitutes “downtime”? How is the duration of service interruption computed? Do intermittent failures count as “downtime”? For example, if the service is up for one minute, down for one minute, and again, up and down for one minute at a time, is the interruption computed as the total of the periods when the system is down? Or is it the entire time when the service is so unreliable that processing is stalled or interrupted?
And, there are more complex questions. For example, is a cloud outage caused by a hacking circumstance out of the control of the service provider, and should therefore result in no liability? Or was the hacking possible due to gross negligence, and failure to install commonly known safeguards? This brings up my security essentials - and make sure your clearly define your expectations around security, safeguards and data protection.
You should also understand that, unless there has been a negotiated contract with clear and specific commitments, there will be no compensation for the loss of data or the loss of business. The cloud provider is furnishing only a specific service, such as hosting and computing. It has no way to know whether the data in its custody are critical company secrets or sensitive personal data. In addition, the cloud services are usually not priced to address the nature of the data being hosted or processed. If the agreement pertains to a certain volume of data, all that counts is just that: the volume of data stored or processed. There is no room for distinguishing between “regular data” and “highly sensitive data.”
Thus, if your data matter to your business, are critical to your operations or are the lifeline to your activities, make sure you understand the risks of cloud computing. Consider redundant systems, local storage and other technical or physical means to ensure business continuity, even when the cloud is out of service. This again brings up the fact that Business Continuity, Disaster Recovery and Security is still your responsibility. You have to ensure you have a plan, your contract covers what you need it to cover and that the business understands all the risks.
There is no perfect, infallible cloud service. Interruptions and downtime are bound to happen, whether they are caused by a natural event (e.g., an equipment break-down) or by a man-made one (e.g., a breach of security or a denial-of-service attack). Users and cloud service providers need to be clear on what happens when there is an interruption in the service. Any uncertainty in the terms for compensating the customer for service interruptions and downtime will only cause problems when such cloud outages occur. Clarity will save time, money and aggravation to both parties if these terms are adequately defined in the contract for these services. Don't accept the standard contract, make sure the contract fits your business needs, and risk acceptance.
At the end of the day, any outage with a cloud service provider can have significant impacts to your business, and working with a 3rd party can be frustrating. Make sure the contract clearly states all the expectations, commitments, deliverables, and compensation. The contract should cover "normal" operations as well as those unexpected incidents. Take it serious - it is your data.
Best regards
Bob
bob.lankey@arnettservicesgroup.biz
www.arnettservicesgroup.com
The past few years have provided numerous examples of significant service interruptions at major providers. Amazon AWS service was down for 12 to 30 hours, affecting many companies that rely on Amazon services, including Foursquare, Hootsuite, Quora and Reddit. We saw the Sony PlayStation service was interrupted, being the victim of a massive hack attack. Most recently, there were outages with Microsoft’s Business Productivity Online Services, and Google’s Blogger service.
When a cloud service goes down, users lose access to their data; they may also be deprived from the processing capabilities that are provided as part of the cloud offering. In turn, they may be unable to provide services to their own customers, and be exposed to significant liability for failure to provide these services. When is a cloud user compensated for the loss of service, and to what extent? Let’s examine some cloud computing contracts and their provisions for cloud outages.
Free cloud computing contracts
If a service provided at no cost goes down, is interrupted or is not available for any reason, usually users do not receive any compensation for the loss of availability, loss of data or other loss. The business rationale is if the service is provided for no fee, there is no financial loss for the user.Service providers will disclaim their liability in their “Terms of Service,” or “Terms and Conditions.” This is usually achieved through Disclaimer of Warranty and Limitation of Liability provisions. Some contracts also include a limitation of damage provision.
The Disclaimer of Warranty states that the company makes no warranty with respect to the service, including, no warranty that the service will be available, or will not lose the data. Many times no warranty stated or implied around security.
For example, many entities -- including businesses -- have come to rely on YouTube to publish information in video format. The YouTube service is provided free of charge, and is funded through the advertising revenues that are generated from displaying ads related to the content being viewed.
The YouTube Terms of Service Disclaimer of Warranty provision (section 9) states:
YOU AGREE THAT YOUR USE OF THE SERVICES SHALL BE AT YOUR SOLE RISK. …. YOUTUBE …. DISCLAIM [S] ALL WARRANTIES, EXPRESS OR IMPLIED, IN CONNECTION WITH THE SERVICES …. YOUTUBE …. ASSUMES NO LIABILITY OR RESPONSIBILITY FOR …. (IV) ANY INTERRUPTION OR CESSATION OF TRANSMISSION TO OR FROM OUR SERVICES, (IV) ANY BUGS, VIRUSES, TROJAN HORSES, OR THE LIKE WHICH MAY BE TRANSMITTED TO OR THROUGH OUR SERVICES BY ANY THIRD PARTY ….
Limitation of Liability provisions are intended to limit the scope of liability in terms of the nature of the liability, such as liability for direct or consequential damages, or liability for negligence. Limitation of Damages provisions limit the dollar amount for any liability, and state the maximum amount of damages for which the provider might be responsible. For example, the YouTube Terms of Service Limitation of Liability provision (section 10) states in part:
IN NO EVENT SHALL YOUTUBE …. BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL ….. DAMAGES …. RESULTING FROM …. (IV) ANY INTERRUPTION OR CESSATION OF TRANSMISSION TO OR FROM OUR SERVICES, (IV) ANY BUGS, VIRUSES, TROJAN HORSES, OR THE LIKE, WHICH MAY BE TRANSMITTED TO OR THROUGH OUR SERVICES BY ANY THIRD PARTY ….
In other words, whether you have uploaded a clip of last Sunday’s picnic, or the installation instructions for a sophisticated piece of equipment that your business sells, YouTube will not compensate you if its network goes down or is attacked. There will be no compensation for loss of service or for loss or corruption of the data. And no compensation for the loss of business if your customers return their purchases because they could not access the installation instructions and were unable to install the products they purchased from you.
Thus, while using a free service is financially attractive, this is true only to the extent that the service operates without problems. If there is any loss of connection, processing capability or data -- there may be significant consequences for the users of these services. The service provider will not compensate for any of these losses. As the saying goes, “There is no such thing as a free lunch.”
In addition, if a virus passed through by use of this service and impacts your operations or your customers operation, the cloud provider is not responsible as stated in the contract. Worth the risk?
Paid cloud computing contracts
If the service is provided for a fee, the terms of use of the service will usually include provisions similar to those discussed above. However, this time, these provisions will usually include some commitment from the service provider, and some form of compensation if there are deficiencies in the services, such as an interruption. In most cases, however, this compensation is strictly limited. Do not count on being compensated for the loss of business resulting from service interruption.In order to find out what terms a cloud service provider offers to address a service interruption, you should look at the contract for these services, which may be found in several documents. First, look at the Services Agreement. This is usually the main agreement that defines the terms and conditions for access to the service. There, you may find a provision that describes the cloud provider’s commitment to provide continuous -- or almost continuous -- service.
For example, the Salesforce.com Master Services Agreement describes the company’s commitment to provide services 24 hours a day (see Section 4.1), except for planned downtime and a number of specific circumstances out of the company’s control, such as denial-of-service attacks. The company also makes a commitment to protect the security, confidentiality and integrity of the user’s data (see Section 4.2). This is key statement in regards to the commitment to security.
Some companies supplement their general terms and conditions with a separate Service Level Agreement (SLA) For example, in addition to its service agreement, Rackspace Cloud Terms of Service, Rackspace uses several SLAs.. The Rackspace Cloud Servers SLA provides:
Network
We guaranty our data center network will be available 100% of the time in any given monthly billing period, excluding scheduled maintenance. Make sure you understand their BCP/DR architecture and process/plan.
The document defines “scheduled maintenance” as “maintenance that is announced at least ten business days in advance, and that does not exceed sixty minutes in any calendar month.” There is no explanation of what happens if “scheduled maintenance” needs to take more than sixty minutes in a calendar month. Since this does not fit under the definition of “scheduled maintenance,” what is it?
The basic result is the same in both contract structures (i.e., single services agreement or services agreement combined with an SLA). If the service were interrupted, one or several of these clauses -- in the Services Agreement or in the SLA -- would be the basis for defining the bargain between the two parties.
Some contracts are very specific about the way the cloud provider will compensate the client for the damages resulting from a service interruption. For example, the Rackspace Cloud Servers SLA provides:
Credits
If we fail to meet a guaranty stated above, you will be eligible for a credit. Credits will be calculated as a percentage of the fees for the Cloud Servers™ adversely affected by the failure for the current monthly billing period during which the failure occurred (to be applied at the end of the billing cycle), as follows:
Network: Five percent (5%) of the fees for each 30 minutes of network downtime, up to 100% of the fees. …
Limitations
…. This Service Level Guaranty is your sole and exclusive remedy for Cloud Servers™ unavailability. So make sure you understand that. You should consult with your legal staff on this important part of the agreement.
Note that the compensation will only be for the loss of service, and will amount only to a percentage of your monthly service fee. There is no compensation for the loss of data, business, reputation or other loss. These terms are consistent with what is generally offered in the industry, but does not mean you should just accept it for your business. Do your homework, and find what risks the business is willing to take.
Tips for navigating cloud contract clauses
Before entering into a contract for cloud computing or similar services, review carefully its clauses. They will be essential if the service is interrupted, and the user looks for compensation for the harm or losses resulting from the interruption.Read slowly and carefully. Most of these clauses provide some compensation for the unavailability of the services, typically as a percentage of the monthly fee, but not much else.
Ensure the method of calculation is clearly defined. For example, what constitutes “downtime”? How is the duration of service interruption computed? Do intermittent failures count as “downtime”? For example, if the service is up for one minute, down for one minute, and again, up and down for one minute at a time, is the interruption computed as the total of the periods when the system is down? Or is it the entire time when the service is so unreliable that processing is stalled or interrupted?
And, there are more complex questions. For example, is a cloud outage caused by a hacking circumstance out of the control of the service provider, and should therefore result in no liability? Or was the hacking possible due to gross negligence, and failure to install commonly known safeguards? This brings up my security essentials - and make sure your clearly define your expectations around security, safeguards and data protection.
You should also understand that, unless there has been a negotiated contract with clear and specific commitments, there will be no compensation for the loss of data or the loss of business. The cloud provider is furnishing only a specific service, such as hosting and computing. It has no way to know whether the data in its custody are critical company secrets or sensitive personal data. In addition, the cloud services are usually not priced to address the nature of the data being hosted or processed. If the agreement pertains to a certain volume of data, all that counts is just that: the volume of data stored or processed. There is no room for distinguishing between “regular data” and “highly sensitive data.”
Thus, if your data matter to your business, are critical to your operations or are the lifeline to your activities, make sure you understand the risks of cloud computing. Consider redundant systems, local storage and other technical or physical means to ensure business continuity, even when the cloud is out of service. This again brings up the fact that Business Continuity, Disaster Recovery and Security is still your responsibility. You have to ensure you have a plan, your contract covers what you need it to cover and that the business understands all the risks.
There is no perfect, infallible cloud service. Interruptions and downtime are bound to happen, whether they are caused by a natural event (e.g., an equipment break-down) or by a man-made one (e.g., a breach of security or a denial-of-service attack). Users and cloud service providers need to be clear on what happens when there is an interruption in the service. Any uncertainty in the terms for compensating the customer for service interruptions and downtime will only cause problems when such cloud outages occur. Clarity will save time, money and aggravation to both parties if these terms are adequately defined in the contract for these services. Don't accept the standard contract, make sure the contract fits your business needs, and risk acceptance.
At the end of the day, any outage with a cloud service provider can have significant impacts to your business, and working with a 3rd party can be frustrating. Make sure the contract clearly states all the expectations, commitments, deliverables, and compensation. The contract should cover "normal" operations as well as those unexpected incidents. Take it serious - it is your data.
Best regards
Bob
bob.lankey@arnettservicesgroup.biz
www.arnettservicesgroup.com
Friday, December 20, 2013
Cloud Computing Legal Issues: Data Location
Welcome back to our series on Cloud Computing Legal Issues. I am fascinated on the speed that certain businesses want to move key business systems, data, and functions to the cloud without doing a risk assessment and legal review. It concerns me that it appears some business leaders are just following a hype trend and not doing their homework.
This post is about data location. You have a signed contract now with a cloud service provider, do you know where your data will be hosted? In a cloud computing environment, data and applications are hosted "in the cloud.” What that cloud is made of, and where its components are located, matters. However, ask a cloud service vendor where your data will be stored or processed, the typical answers will likely range from "well… hum ... in the cloud" to "we have servers everywhere, data moves around constantly" or "we cannot tell you for security reasons." Really? You better demand knowing in the contract. I sat in on a meeting a few weeks ago and heard a salesman from a top "cloud provider" say - you don't have to worry about that anymore, that is the beauty of the cloud. I choked on my coffee, and more so when the business leaders said, oh, ok.
As the custodian of confidential and valuable data -- personal or company information -- you need to know where data will be located at all times. In the cloud environment, location matters, especially from a legal standpoint. In the legal world, location is most frequently associated with jurisdiction. The concept of “jurisdiction” is associated with the power of a judge or government entity to assert authority over the persons or things involved in an action, and to make a decision about a specific issue or sets of facts.
Jurisdiction is not necessarily exclusive. Several countries or courts may have concurrent jurisdiction over a matter. Indeed, litigants frequently argue about who has jurisdiction over their dispute. In the cloud environment, where a piece of equipment is located may have significant consequences on the ability of a court or other government authority to assert jurisdiction over that piece of equipment, and, in the case of a server, over the data contained in that server.
If the cloud that hosts your data has servers in a foreign country, the laws of that foreign country may govern your data when stored in that server. As a result, many important foreign laws may govern your data (in addition to those of the United States). This even applies to your code that is being developed in a foreign country - proceed with caution and complete awareness.
Cloud computing legal issues: Data protection laws
Assume that Cloud X Service provides hosting, email and collaboration solutions to Arnett, a U.S. company with no operations abroad. Assume also that the Cloud X network includes servers located in a data center in the United Kingdom. Thus, Arnett as Cloud X’s customer ends up using data or servers that are in the U.K.
The Data Protection Act (1998) governs the protection of personal information that is processed in the U.K. Of course, the Data Protection Act applies to companies that do business in the U.K. However, that is not the extent of its reach. Under Section 5(1)(b) of the act,, the law also applies to a data controller that is not established in the U.K. or in any other European Economic Area state (EEA includes the European Union plus Lichtenstein, Norway, Iceland) but that “uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.”
This means that if a foreign company uses equipment that is located in the U.K. to process personal data, the processing of the data must comply with the U.K. Data Protection Law, even if the company is not established, or does not do business in the U.K.. The same provision can be found in the data protection laws of the 30 EEA member states and other countries.
When a cloud service provider elects to install servers in the EEA or other countries with a similar data protection law, all data that is processed, stored or maintained on these servers are subject to the data protection laws of the country where the servers are located. These laws have extensive requirements, restrictions and prohibitions on what may or may not be done with personal data. They may require registrations with the country’s Data Protection Supervisory Authority; they may prohibit certain transfers of these data, and much more. Failure to comply may have serious consequences. It is your obligation to be aware, you can't outsource your responsibility - ignorance to the law is no defense.
Cloud computing legal issues: Government surveillance
In addition to foreign data protection laws, consider the possibility that a third party or a foreign government might want to have access to a cloud service server that holds your data. In principle, access by a third party, even a government, is restricted, and even the police or secret service may not have access to premises or equipment without appropriate authorization -- in the form of a search warrant or court order -- before being allowed to search a computer.
However, this is not the case everywhere. For example, if your data is stored on a server that is located in India, the server will be subject to the laws of India. India’s Information Technology Act of 2000 (as amended in 2009) governs many aspects of the protection and use of computers, networks, etc. Section 69 of India’s IT Act allows the Central Government to issue directions for the interception, monitoring and decryption of messages from any computer and other communication device for security reasons, for public order, to prevent the commission of any cognizable offense or to investigate any offense. Section 69B(1) grants the Central Government the power to authorize any agency of the government to monitor and collect traffic data or information generated, transmitted, received or stored on any computer. In both cases, there is no requirement for a court order or other permission, and no limitation to these powers. Plus I may add, it is not limited to just communications, things like data transfers such as proprietary code could be intercepted.
What information may be retained and preserved may also be dictated by the Indian government. Section 67C of the Information Technology Act requires companies to preserve and retain such information as may be specified, and for such duration, and in such manner and format as the central government may prescribe.
Thus, while the cloud may take advantage of the friendly business environment in a country, it may also subject equipment and data stored in this equipment to the monitoring and surveillance of the government in that country. The political influences may add additional risk to your company sensitive data. What is your risk as an organization?
Contracting tip
When negotiating your contract for cloud services, decide if knowing where your data is located is important to you. If it is, then try to limit the geographic area where your data will be stored or processed. The City of Los Angeles was able to obtain some restrictions in its contract with Computer Sciences Corp. and Google Inc. for email and other services. Some of the data will be stored only in the continental U.S.. See, Appendix J.1, Section 1.7 of the Professional Services Contract between Google and the City of Los Angeles, which provides:
1.7 Data Transfer. Google agrees to store and process Customer's email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States. Google shall make commercially reasonable efforts to advise Customer when such data storage capability is made available. Notwithstanding the foregoing, Google may store and process Login Data in any country in which Google or its agents maintain facilities.
Cloud service providers want the freedom to move data to different servers for load balancing or to take advantage of the lower cost of utilities or personnel in different geographies. However, by doing so, they may inadvertently expose their customers’ data to the laws of countries other than those where the customer opted to operate. Plus, it is your data, you are responsible for the protection thereof, you can't outsource that responsibility, so take control and set the expectations and contractual requirements.
It may be that, in the future, countries that wish to attract foreign investments and data centers will carve out a niche from their data protection laws. However, currently, the black letter law in many countries may subject cloud users to the data protection requirements and other laws of the country where the servers are located.
One more note on data location - always include a disaster recovery section in all your contracts. Business Continuity and Disaster Recovery is very important part of many regulatory requirements. Location will play a part in those plans.
Happy Holidays!
Bob Lankey
bob.lankey@arnettservicesgroup.biz
www.arnettservicesgroup.com
This post is about data location. You have a signed contract now with a cloud service provider, do you know where your data will be hosted? In a cloud computing environment, data and applications are hosted "in the cloud.” What that cloud is made of, and where its components are located, matters. However, ask a cloud service vendor where your data will be stored or processed, the typical answers will likely range from "well… hum ... in the cloud" to "we have servers everywhere, data moves around constantly" or "we cannot tell you for security reasons." Really? You better demand knowing in the contract. I sat in on a meeting a few weeks ago and heard a salesman from a top "cloud provider" say - you don't have to worry about that anymore, that is the beauty of the cloud. I choked on my coffee, and more so when the business leaders said, oh, ok.
As the custodian of confidential and valuable data -- personal or company information -- you need to know where data will be located at all times. In the cloud environment, location matters, especially from a legal standpoint. In the legal world, location is most frequently associated with jurisdiction. The concept of “jurisdiction” is associated with the power of a judge or government entity to assert authority over the persons or things involved in an action, and to make a decision about a specific issue or sets of facts.
Jurisdiction is not necessarily exclusive. Several countries or courts may have concurrent jurisdiction over a matter. Indeed, litigants frequently argue about who has jurisdiction over their dispute. In the cloud environment, where a piece of equipment is located may have significant consequences on the ability of a court or other government authority to assert jurisdiction over that piece of equipment, and, in the case of a server, over the data contained in that server.
If the cloud that hosts your data has servers in a foreign country, the laws of that foreign country may govern your data when stored in that server. As a result, many important foreign laws may govern your data (in addition to those of the United States). This even applies to your code that is being developed in a foreign country - proceed with caution and complete awareness.
Cloud computing legal issues: Data protection laws
Assume that Cloud X Service provides hosting, email and collaboration solutions to Arnett, a U.S. company with no operations abroad. Assume also that the Cloud X network includes servers located in a data center in the United Kingdom. Thus, Arnett as Cloud X’s customer ends up using data or servers that are in the U.K.
The Data Protection Act (1998) governs the protection of personal information that is processed in the U.K. Of course, the Data Protection Act applies to companies that do business in the U.K. However, that is not the extent of its reach. Under Section 5(1)(b) of the act,, the law also applies to a data controller that is not established in the U.K. or in any other European Economic Area state (EEA includes the European Union plus Lichtenstein, Norway, Iceland) but that “uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.”
This means that if a foreign company uses equipment that is located in the U.K. to process personal data, the processing of the data must comply with the U.K. Data Protection Law, even if the company is not established, or does not do business in the U.K.. The same provision can be found in the data protection laws of the 30 EEA member states and other countries.
When a cloud service provider elects to install servers in the EEA or other countries with a similar data protection law, all data that is processed, stored or maintained on these servers are subject to the data protection laws of the country where the servers are located. These laws have extensive requirements, restrictions and prohibitions on what may or may not be done with personal data. They may require registrations with the country’s Data Protection Supervisory Authority; they may prohibit certain transfers of these data, and much more. Failure to comply may have serious consequences. It is your obligation to be aware, you can't outsource your responsibility - ignorance to the law is no defense.
Cloud computing legal issues: Government surveillance
In addition to foreign data protection laws, consider the possibility that a third party or a foreign government might want to have access to a cloud service server that holds your data. In principle, access by a third party, even a government, is restricted, and even the police or secret service may not have access to premises or equipment without appropriate authorization -- in the form of a search warrant or court order -- before being allowed to search a computer.
However, this is not the case everywhere. For example, if your data is stored on a server that is located in India, the server will be subject to the laws of India. India’s Information Technology Act of 2000 (as amended in 2009) governs many aspects of the protection and use of computers, networks, etc. Section 69 of India’s IT Act allows the Central Government to issue directions for the interception, monitoring and decryption of messages from any computer and other communication device for security reasons, for public order, to prevent the commission of any cognizable offense or to investigate any offense. Section 69B(1) grants the Central Government the power to authorize any agency of the government to monitor and collect traffic data or information generated, transmitted, received or stored on any computer. In both cases, there is no requirement for a court order or other permission, and no limitation to these powers. Plus I may add, it is not limited to just communications, things like data transfers such as proprietary code could be intercepted.
What information may be retained and preserved may also be dictated by the Indian government. Section 67C of the Information Technology Act requires companies to preserve and retain such information as may be specified, and for such duration, and in such manner and format as the central government may prescribe.
Thus, while the cloud may take advantage of the friendly business environment in a country, it may also subject equipment and data stored in this equipment to the monitoring and surveillance of the government in that country. The political influences may add additional risk to your company sensitive data. What is your risk as an organization?
Contracting tip
When negotiating your contract for cloud services, decide if knowing where your data is located is important to you. If it is, then try to limit the geographic area where your data will be stored or processed. The City of Los Angeles was able to obtain some restrictions in its contract with Computer Sciences Corp. and Google Inc. for email and other services. Some of the data will be stored only in the continental U.S.. See, Appendix J.1, Section 1.7 of the Professional Services Contract between Google and the City of Los Angeles, which provides:
1.7 Data Transfer. Google agrees to store and process Customer's email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States. Google shall make commercially reasonable efforts to advise Customer when such data storage capability is made available. Notwithstanding the foregoing, Google may store and process Login Data in any country in which Google or its agents maintain facilities.
Cloud service providers want the freedom to move data to different servers for load balancing or to take advantage of the lower cost of utilities or personnel in different geographies. However, by doing so, they may inadvertently expose their customers’ data to the laws of countries other than those where the customer opted to operate. Plus, it is your data, you are responsible for the protection thereof, you can't outsource that responsibility, so take control and set the expectations and contractual requirements.
It may be that, in the future, countries that wish to attract foreign investments and data centers will carve out a niche from their data protection laws. However, currently, the black letter law in many countries may subject cloud users to the data protection requirements and other laws of the country where the servers are located.
One more note on data location - always include a disaster recovery section in all your contracts. Business Continuity and Disaster Recovery is very important part of many regulatory requirements. Location will play a part in those plans.
Happy Holidays!
Bob Lankey
bob.lankey@arnettservicesgroup.biz
www.arnettservicesgroup.com
Thursday, December 19, 2013
Cloud Computing: Legal Issues
Many organizations are quickly running to the cloud, but who is taking the time to evaluate and review the legal issues that comes with this new technology offerings. I have spoken with several organizational legal teams to find out they are brought in after there is a problem, breach of contract or a change of heart. Perhaps, the legal review needs to be done up front.
Let's take a few minutes to talk about some of the key issues. The characteristics of cloud computing -- on demand self-service, elasticity, metered service or ubiquitous access -- make it look like a simple and casual operation, but cloud computing services present many legal issues. Organizations need to tread carefully and perform due diligence, this means bring the corporate attorney into the loop.
Cloud computing legal issues: data location
Organizations need to know where the data they’re responsible for – both personal customer data and corporate information -- will be located at all times. In the cloud environment, location matters, especially from a legal standpoint. I would also demand all your data is encrypted while at rest in the cloud.
Cloud computing legal issues result from where a cloud provider keeps data, including application of foreign data protection laws and surveillance. In my next post, learn about cloud computing legal issues stemming from data location, and how to avoid them.
Cloud computing contracts and cloud outages
When a cloud service goes down, users lose access to their data and therefore may be unable to provide services to their customers. When is a cloud user compensated for the loss of service, and to what extent? Users need to examine how cloud computing contracts account for cloud outages.
In a future post, learn how a cloud outage could negatively affect business and examines some cloud computing contracts and their provisions for cloud outages. You are still responsible for your Business Continuity Plan and Disaster Recovery Plan - you can not outsource that.
Cloud computing contracts: Tread carefully
Organizations must be careful with cloud computing contracts, according to a panel of lawyers at the RSA Conference 2011. Cloud computing contracts should include many data protection provisions, but cloud computing service providers may not agree to them.
In a future post, learn some advice on negotiating with cloud computing service providers and on legal considerations for organizations entering cloud service provider contracts, including data security provisions. I have found many service providers will push back on encryption demands, or even backup requirements. Make sure the contract and services agreement meet all YOUR business requirements, not theirs.
Ten key provisions in cloud computing contracts
When entering into a relationship with a cloud computing service provider, companies should pay attention to contract terms, security requirements and several other key provisions when negotiating cloud computing contracts.
In a future post, I will discuss cloud computing contracts and the ten key provisions that companies should address when negotiating contracts with cloud computing service providers. Have it in writing, including performance metrics, data ownership, and most important, the right to audit their facility and operations.
Developing cloud computing contracts
Cloud service relationships can be complicated. The use of cloud services could sacrifice an entity’s ability to comply with several laws and regulations and could put sensitive data at risk. Consequently, it’s essential for those using cloud computing services to understand the scope and limitations of the services they receive, and the terms under which these services will be provided.
In this series of posts, I will explain the critical considerations for cloud computing contracts in order to protect your organization as well as reviewing the critical steps and best practices for developing, maintaining and terminating cloud computing contracts. I will also give you advice on the terms and length of such contracts, and what your options are if you need to make a change due to performance.
In summary, not all Cloud Service providers are equal, and not all have your best interest in mind. After all, they are in this to make money, your money. Move to the cloud with caution, an open mind, and your legal affairs in order.
Happy Holidays
Bob Lankey
bob@arnettservicesgroup.biz
www.arnettservicesgroup.com
Let's take a few minutes to talk about some of the key issues. The characteristics of cloud computing -- on demand self-service, elasticity, metered service or ubiquitous access -- make it look like a simple and casual operation, but cloud computing services present many legal issues. Organizations need to tread carefully and perform due diligence, this means bring the corporate attorney into the loop.
Cloud computing legal issues: data location
Organizations need to know where the data they’re responsible for – both personal customer data and corporate information -- will be located at all times. In the cloud environment, location matters, especially from a legal standpoint. I would also demand all your data is encrypted while at rest in the cloud.
Cloud computing legal issues result from where a cloud provider keeps data, including application of foreign data protection laws and surveillance. In my next post, learn about cloud computing legal issues stemming from data location, and how to avoid them.
Cloud computing contracts and cloud outages
When a cloud service goes down, users lose access to their data and therefore may be unable to provide services to their customers. When is a cloud user compensated for the loss of service, and to what extent? Users need to examine how cloud computing contracts account for cloud outages.
In a future post, learn how a cloud outage could negatively affect business and examines some cloud computing contracts and their provisions for cloud outages. You are still responsible for your Business Continuity Plan and Disaster Recovery Plan - you can not outsource that.
Cloud computing contracts: Tread carefully
Organizations must be careful with cloud computing contracts, according to a panel of lawyers at the RSA Conference 2011. Cloud computing contracts should include many data protection provisions, but cloud computing service providers may not agree to them.
In a future post, learn some advice on negotiating with cloud computing service providers and on legal considerations for organizations entering cloud service provider contracts, including data security provisions. I have found many service providers will push back on encryption demands, or even backup requirements. Make sure the contract and services agreement meet all YOUR business requirements, not theirs.
Ten key provisions in cloud computing contracts
When entering into a relationship with a cloud computing service provider, companies should pay attention to contract terms, security requirements and several other key provisions when negotiating cloud computing contracts.
In a future post, I will discuss cloud computing contracts and the ten key provisions that companies should address when negotiating contracts with cloud computing service providers. Have it in writing, including performance metrics, data ownership, and most important, the right to audit their facility and operations.
Developing cloud computing contracts
Cloud service relationships can be complicated. The use of cloud services could sacrifice an entity’s ability to comply with several laws and regulations and could put sensitive data at risk. Consequently, it’s essential for those using cloud computing services to understand the scope and limitations of the services they receive, and the terms under which these services will be provided.
In this series of posts, I will explain the critical considerations for cloud computing contracts in order to protect your organization as well as reviewing the critical steps and best practices for developing, maintaining and terminating cloud computing contracts. I will also give you advice on the terms and length of such contracts, and what your options are if you need to make a change due to performance.
In summary, not all Cloud Service providers are equal, and not all have your best interest in mind. After all, they are in this to make money, your money. Move to the cloud with caution, an open mind, and your legal affairs in order.
Happy Holidays
Bob Lankey
bob@arnettservicesgroup.biz
www.arnettservicesgroup.com
Subscribe to:
Posts (Atom)