Page 36 - CCCA Magazine Spring 2014
{ FEATURE }

"At a minimum, you should be sure your service provider is based in a jurisdiction with a mature and fair legal system."

cloud service provider: cloud providers generally have greater resources to devote to security, and mobile users will no longer have to carry data with them in vulnerable devices such as laptops and USB drives.

Q: What role should jurisdiction play in a decision about whether to adopt cloud computing?

A: Jurisdiction is relevant but less so than most believe. For example, you should be very wary of any situation that casts doubt over whether your contract with your service provider will be enforceable. After all, their obligations to secure your data are set out in the contract. At a minimum, you should be sure your service provider is based in a jurisdiction with a mature and fair legal system. Data may fall under the jurisdiction of any country to which the service provider is reasonably connected. This includes, at minimum, where you are located, where the service provider is based and where the data resides. For each of these jurisdictions, consider whether it introduces any meaningful increase in risk to your data. It is very difficult to determine and measure this risk; you should seek expert legal advice to do so.

Q: What should I look for in the contract with my service provider?

A: Here are the top 10 things you should ask for. Not every service provider will negotiate these terms and, depending on the model of cloud computing the provider uses, some are simply difficult or impossible to deliver — but you should still ask for them and consider any response.

1. Limit the service provider to using your data for your purposes only, and for no other purpose unless you explicitly consent.

2. Include a provision that the service provider holds your data "in trust" for you, making it a legal fiduciary.

3. Prohibit the service provider from making any disclosures of your data without your consent, except as expressly set out in the agreement, and contemplate what it should do in response to a legal order for access.

4. Specify the damages to which you are entitled if the service provider discloses any data without your consent by using a multiplier connected to the extent of the disclosure, instead of a fixed sum, and characterized as general damages.

5. Obligate the service provider to resist — to the extent lawful and as soon as possible — orders to disclose information without your consent.

6. Obligate the service provider to cooperate with you in any regulators' investigations.

7. Prohibit the service provider from dealing with any regulators related to your information without your participation.

8. Implement safeguards to protect information. Require that the service provider abide by accepted information security standards instead of constantly changing technologies — and that they be regularly audited against them by a third party, with access to the audit reports available to you. The provider should warrant it will do so and will cover your costs if there is a breach resulting from its lapse. Include your ability to audit your users' access of the data.

9. Insist on full indemnity, without limitations, for liability related to privacy and security. The provider's warranty and indemnity should cover all of your costs and any remedies you must offer your customers due to a security breach. Require the provider have and maintain adequate insurance for such incidents, and provide you with certificates of insurance.

10. Provide that you can get your data back and the service provider cannot retain or use it after the contract ends — and make sure you get all your data back!

Q: What are the best practices for decision-making around cloud computing?

A: As with any new program involving the handling of personal information, your organization should undertake a privacy impact assessment (PIA). PIAs are a systematic way of canvassing all of the privacy issues inherent in a project to identify — and hopefully mitigate — them. PIAs are widely done in the public sector; private sector organizations considering moving customer or employee data to a service provider should also conduct a PIA.

David Fraser, a partner with McInnes Cooper, is one of Canada's leading internet, technology and privacy lawyers. He regularly advises a range of Canadian and international clients — from start-ups to Fortune 100 companies — on all aspects of technology and privacy laws, including cloud computing and PIAs. You can reach David at david.fraser@mcinnescooper.com or 902-444-8535, and follow his blog at blog.privacylawyer.ca. Visit McInnes Cooper at www.mcinnescooper.com.