Lou Milrad B.A., LL.B. Lawyer MilradLaw. This presentation illustrates a sampling of issues relating to cloud service contracts while also providing discussion.

1 Lou Milrad B.A., LL.B. Lawyer MilradLaw

2 This presentation illustrates a sampling of issues relating to cloud service contracts while also providing discussion insights and is intended to be illustrative, rather than conclusive, of the complexity of certain issues. The model under discussion assumes that your Municipality will be negotiating one or more cloud services contract(s) and that the expectation is that some sensitive and private data will be stored on cloud-based data servers belonging either to the cloud provider, or to a business partner of that provider. In addition, your Municipality is in the final stages of launching a BYOD (Bring Your Own Device) policy.

3
- In shifting away from the traditional infrastructure approach of separately (or in combination) purchasing hardware, software and services to complete services solution(s) (SaaS, IaaS, PaaS, MaaS, etc.), there is a critical need to focus on
  - IT contracting strategy, and
  - Associated contract terms & conditions
- Legal issues have become somewhat more complex
  - Many are traditional (e.g. IT outsourcing and similar managed services arrangements), but many are new and unique to or exacerbated by migration to the cloud.
- Dilemma - DATA and data server(s) location(s)

4
- Typically governed by total $$$ to be spent coupled with supplier target market and industry standard practices.
- Try to avoid web-based terms and conditions approach – exception may only be in “free” services
- However, “free” might change to “paid for” services model if volume or usage thresholds are exceeded
- Cautions -
  - Automatic term renewals
  - Incorporation of web-terms into negotiated contracts

5
- Web-based vs. negotiated terms
- Governing Law
- Data Availability and Term and Renewals
- Additionally referenced terms & unilateral amendments, Statements of Work (SOW’s), & Service level agreements (SLA’s)
- Intellectual property rights (IPR)
- Confidential information (Confidentiality) and Trade Secrets
- Privacy
- Force majeure
- Geographic Location of Data Servers
- Third party access
- Indemnification & insurance suspension & Termination
- Suppliers’ compliance requirements
- Grounds for Contract Termination
- Liability of Damages due to a Service Interruption
- Having an Exit Strategy
- Grounds for Contract Termination
- Data retention upon contract termination

6 Boilerplate examples for discussion
- Contract Structure
- Governing Law
- Term and Renewals
- Data Availability and Ownership
- Intellectual Property Rights (IPR)
- Confidential Information
- Privacy
- Force Majeure AND
- Data Availability and Ownership

7
- Terms and Conditions
  - Full of legalese
  - Once signed, become the governing terms and conditions
  - Amending Agreement required to change terms
- Schedules
  - Specifications
  - Pricing and Payment, etc.
- Statements of Work (SOW’s)
- Service Level Agreements (SLA’s)

8
- What law governs performance under the contract terms?
- Complex legal regulatory environment surrounding cloud computing that both customers and providers need to consider.
  - e.g. Privacy statutes
- Provision is typically found in the boilerplate section of the contract (i.e. towards the end of the T’s & C’s)
- Typically, vendor’s form contract
  - Good place to start and build on
  - Typically will specify that it is governed by the law of the vendor’s home province/state, and
  - grant the courts of that province/state exclusive jurisdiction over any disputes arising out of the contract

9
- 3 Key aspects – Applicable law & Jurisdiction and Location governing resolution of
  - Contract interpretation
  - Hearing(s) & Trial(s)
  - Mediation & Arbitration
- Options
  - Mutual agreement on these items
  - Leave unresolved and open for later argument and resolution (if needed)

10
- Vendor form contracts typically
  - Renew automatically for additional terms unless proper prior notice is given
- Not really a major concern in the context of “free” services, but could be problematic under a “pay for services” automatic renewal contract, particularly where the customer has not tracked the advance notice of “intention not to renew” date… and it slips by
- Auto renewal avoids the need to renegotiate the contract, but…
- Consideration for negotiating “termination for convenience” provisions
- Avoid additionally referenced terms & unilateral amendments (e.g. incorporation by reference of additional terms and policies posted to the vendor’s website)

11
- Issue - Provides the vendor with the unilateral right to make modifications to its services – a negotiated compromise might be something like:
  - “Vendor may make commercially reasonable modifications to the Service, provided that they do not materially diminish the nature, scope, or quality of the Service.”

12
- Prerequisite for consideration:
  - Understanding of the system architecture
    - e.g. how and in what format it keeps your data
  - Tools that are available to you to access your data
  - Covering off on e-discovery needs that may arise
- Remain mindful of compliance with enterprise-wide policies (existing & under consideration/development) - AUP, MDM, BYOD, etc.

13
- Additional Requirements
  - Redundancy and backup
  - Disaster recovery
  - No vendor lock-in
  - Exit strategies as required
  - Protection of all designated confidential information and other intellectual property rights
  - Confirmation that the vendor does not acquire and may not claim any security interest in your data.
- Where does Open Data fit in?

14
- IP categories include
  - Copyrights, Trademarks, Trade secrets (Confidential Information), Data
- IP Assets & Treatment under
  - Canadian laws
  - Laws of other countries
- Infringement – what remedies?
- Third party access – is vendor intending to grant some privileged third parties access to your Municipality's stored data?
  - Who is that to be?
  - What is approval and authorization procedure?
  - Is there to be a confidential disclosure agreement and what form is it to take?
- Protecting “personal information” and IPR

15
- Defining Characteristics of Confidential Information: Typically includes intangible assets (and associated materials) such as trade secrets, designs, processes, programs, procedures, third party information, and developments, disclosed under terms of a software license or services agreement
- Examples might include nonpublic and financial contract terms with other suppliers, and categories set out under MFIPPA & PHIPA
- Negotiated cloud contracts will typically define and spell out the restrictions and remedies for unauthorized disclosure or other violation – web-based contracts are less likely to address the question, although it may be included under Intellectual Property Rights language
- Breach of Confidentiality: Legal obligation of employees to respect the organization’s intangible assets, business and trade secrets etc. and maintain their confidentiality both during and after term of employment
- Confidentiality & Non-Disclosure Agreements (NDA’s) might precede contract negotiation, and in any event, negotiated contracts will contain associated obligations and restrictions regarding confidentiality
- Key consideration: Notwithstanding vendor’s adherence to best practices, what happens if the data center gets hacked? Is there a remedy, and if so, what is it to be?

16
- Canada has two federal privacy laws
  - the Privacy Act and the Personal Information Protection and Electronic Documents Act. …
- Every province and territory has privacy legislation governing the collection, use and disclosure of personal information held by government agencies – Office of The Privacy Commissioner of Canada
- Ontario’s
  - MFIPPA - Municipal Freedom of Information and Protection of Privacy Act, &
  - PHIPA - the Personal Health Information Protection Act
- Onus on Municipalities and their suppliers to protect “personal information” from disclosure
- Challenge to be considered - the trusteeship by the Municipality of personal information coupled with possible access, handling and disclosure of personal information of others stored on external cloud servers.
- BYOD and Cloud access - Makings of a perfect storm with the convergence on one device of both personal and corporate data and providing access to cloud based data and databases – therefore, a critical need to have an enforceable BYOD policy in place.

17 Others Our systems are vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems.

18 Thank You
Lou Milrad, IT Lawyer, Milrad Law Office
lou@milrad.ca
647.982.7890
www.milradlaw.ca
