<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Slaw&#187; Wesley Ng</title>
	<atom:link href="http://www.slaw.ca/author/ng/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.slaw.ca</link>
	<description>Canada&#039;s online legal magazine</description>
	<lastBuildDate>Thu, 24 May 2012 11:00:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Cloud Computing and Canadian Federally Regulated Financial Institutions</title>
		<link>http://www.slaw.ca/2011/08/26/cloud-computing-and-canadian-federally-regulated-financial-institutions/</link>
		<comments>http://www.slaw.ca/2011/08/26/cloud-computing-and-canadian-federally-regulated-financial-institutions/#comments</comments>
		<pubDate>Fri, 26 Aug 2011 11:00:11 +0000</pubDate>
		<dc:creator>Wesley Ng</dc:creator>
				<category><![CDATA[Columns: Outsourcing]]></category>
		<category><![CDATA[Privacy Law]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=37897</guid>
		<description><![CDATA[<p><b>Cloud Computing</b></p>
<p>Cloud computing has grown significantly in the last few years. A Gartner Executive Program survey of more than 2,000 Chief Information Officers (CIOs), representing 50 countries and 38 industries, found that cloud computing is the number one technology priority for 2011. Fully 43% of the CIOs expected that a majority of their IT will be running “in the cloud” within four years.1 In its updated June 2011 forecast of Information Technology spending, Gartner stated that cloud computing expenditures are likely to rise by 16-20% per year through 2015, representing 4% of global IT spending by the end of &#8230; <a href="http://www.slaw.ca/2011/08/26/cloud-computing-and-canadian-federally-regulated-financial-institutions/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Columns: Outsourcing' --><p><b>Cloud Computing</b></p>
<p>Cloud computing has grown significantly in the last few years. A Gartner Executive Program survey of more than 2,000 Chief Information Officers (CIOs), representing 50 countries and 38 industries, found that cloud computing is the number one technology priority for 2011. Fully 43% of the CIOs expected that a majority of their IT will be running “in the cloud” within four years.<sup>1</sup> In its updated June 2011 forecast of Information Technology spending, Gartner stated that cloud computing expenditures are likely to rise by 16-20% per year through 2015, representing 4% of global IT spending by the end of that period. Richard Gordon, research vice president at Gartner, noted that expenditures for cloud computing services grew four times faster than overall IT spending.<sup>2</sup> </p>
<p><i>What is Cloud Computing?</i></p>
<p>The term “cloud computing” has been used to refer to almost anything from the ability to access virtual servers over the Internet to the consumption of any information technology service situated outside an organization’s infrastructure. The more precise technical meaning, however, is expressed in the following draft definition published by the U.S. Government’s National Institute of Standards and Technology:</p>
<blockquote><p>[A] model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.<sup>3</sup> </p>
</blockquote>
<p>As this suggests, the key feature of cloud computing is the ability to access a remote, shared IT infrastructure on an as-needed basis. </p>
<p><b>Benefits of Cloud Computing</b></p>
<p>There are many benefits of cloud computing, including that organizations that use cloud computing are not required to maintain their own localized infrastructures to support the services; rather, they pay for the use of technology resources only when and to the extent that they actually need them. As a result, users can avoid the expense of setting up and looking after in-house infrastructure. Among other things, this allows organizations to replace up-front capital expenditures with a more fluid operational expenditure that more closely tracks actual business activity. Further, because cloud computing services are available to multiple users leveraging the same infrastructure, the cloud service provider is typically able to achieve significant economies of scale, producing additional savings for its customers. </p>
<p><b>Federally Regulated Entities under OSFI Guideline B-10</b></p>
<p>Guideline B-10 of the Office of the Superintendent of Financial Institutions (Canada) (OSFI) governs cloud computing arrangements (and other outsourcing agreements) entered into by Federally Regulated Entities (FREs).<sup>4</sup> For the purposes of the Guideline, the term “FRE” encompasses all Canadian banks, insurance companies, fraternal benefit societies, trust and loan companies and cooperative credit associations and Canadian branches of foreign banks and insurance companies.</p>
<p>Guideline B-10 imposes overall accountability and control requirements, and requires an assessment of the materiality of an outsourcing arrangement and the implementation of a risk management program (the scope and nature of which will vary depending on the materiality of the outsourcing arrangement in question).</p>
<p><b>B-10 and Cloud Computing</b></p>
<p>Many of the issues that cloud computing raises for FREs are not unique to cloud computing; they exist in the context of any outsourcing. Nevertheless, cloud computing involves a host of inherent risks, including the use of shared resources; the use of multiple dynamic data transfer routes (to minimize bandwidth usage); dependency on a commoditized, non-customized, volume-based solution; and the use of infrastructure scattered over multiple locations (often in low-cost centres with minimal legislative data protection obligations). The significance of the issues involved in cloud computing will largely depend on the materiality and nature of the services obtained. It would be prudent for FREs to consider the following issues in connection with the development of their cloud computing strategies:</p>
<ol>
<li><i>Data commingling and segregation </i>
<p>The use of shared virtual infrastructure may create data commingling and segregation issues. B-10 requires service providers to be capable of isolating an FRE’s data, records and items in process from those of other customers at all times. As a precondition of entering into a cloud computing arrangement which is subject to B-10, an FRE must therefore determine whether the cloud service provider can offer the service in a manner that permits proper data segregation.</p>
</li>
<li><i>Accessibility of confidential information</i>
<p>The nature of cloud computing – including the ability for multiple entities to access shared resources and the use of multiple locations across low cost regions – can create data security and privacy issues. B-10 requires the FRE to ensure that security and confidentiality policies of the cloud computing service provider are commensurate with those of the FRE, which should ensure that all necessary protections are in place to secure the confidentiality of the data provided to the cloud infrastructure. In particular, contractual provisions should clearly define who has responsibility for protection mechanisms, the information that is covered by such protections, the ability of either party to modify security procedures and requirements and notification obligations of the cloud service provider should any confidentiality or security breach occur.</p>
</li>
<li><i>Business continuity</i>
<p>The FRE’s business continuity plans must address all reasonably foreseeable situations in which a cloud service provider may be unable to continue to provide services at the required levels. Most importantly, in the context of any business interruption affecting the cloud service provider, the FRE should ensure that it has access to all necessary records to allow it to continue its business operations and meet any statutory obligations or other obligations to OSFI. </p>
</li>
<li><i>Data location</i>
<p>A cloud service provider’s infrastructure and software may be dispersed across multiple locations across the globe. This may be problematic for FREs since B-10 requires the contract governing the provision of the cloud services to identify the nature and scope of the services, including specification of the physical location where the services are being provided. While this may be possible at the outset of a cloud computing arrangement, the dynamic nature of cloud computing means that regular updates should be contemplated under the contract in order to address any shift in the location of the information technology infrastructure supporting the services. In addition, contractual provisions to address any deficiencies in legislated privacy protections and issues relating to access rights of foreign governments and their regulatory agencies should be considered.</p>
</li>
<li><i>Subcontractors</i>
<p>Many cloud service providers enter into subcontracts for additional virtual technology infrastructure on an as-needed basis. FREs need to ensure that subcontracting limitations are imposed to ensure that all such subcontractors are subject to the same security, confidentiality and audit obligations as the cloud service provider.</p>
</li>
<li><i>Monitoring cloud arrangements</i>
<p>The nature of cloud computing can make monitoring and auditing the arrangements difficult. B-10 requires that the FRE be able to monitor the services to ensure that they are being delivered in accordance with the FRE’s requirements. The FRE must be capable of evaluating the cloud service provider from time to time, including its internal controls (which may be satisfied through the provision of a SAS70 or analogous control report). The FRE must carefully consider how best to ensure that the necessary monitoring can occur, based on the service model and geographic territory of the services being provided, as well as on the level of monitoring required (given the risks presented by the cloud computing arrangements in question).</p>
</li>
<li><i>e-Discovery</i>
<p>While not specific to FREs, some thought should be given to the growing need to facilitate e-discovery (the production of electronic data and information required in the “discovery” process that occurs when a lawsuit is initiated). The use of cloud computing could lead to delays and costly efforts to produce relevant materials due to data commingling or data dispersion across locations and/or service providers.</p>
</li>
</ol>
<p><b>Know the Challenges – Address the Risks</b></p>
<p>Virtually all organizations’ IT business plans include at least some outsourcing of IT functions to third parties. Because cloud computing offers so many advantages, its adoption is, for many companies, a question of “when” rather than “if”. Security and other challenges faced by FREs in the context of cloud computing are not unique to FREs, but are more pronounced due to the need to comply with B-10. While in certain contexts the challenges and compromises inherent in cloud computing may preclude its adoption by the FRE, in most cases cloud computing will work well, provided that the FRE carefully considers the relevant issues before entering into any agreements.</p>
<p>_____________________________</p>
<p>1. KPMG – Cloud Computing: Is the perfect storm ahead of us?<br />
2. http://www.gartner.com/DisplayDocument?doc_cd=214540&amp;ref=g_noreg<br />
3. http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf<br />
4. http://www.osfi-bsif.gc.ca/app/DocRepository/1/eng/guidelines/sound/guidelines/b10_e.pdf</p>
]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2011/08/26/cloud-computing-and-canadian-federally-regulated-financial-institutions/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Choice of Law</title>
		<link>http://www.slaw.ca/2010/10/26/choice-of-law/</link>
		<comments>http://www.slaw.ca/2010/10/26/choice-of-law/#comments</comments>
		<pubDate>Tue, 26 Oct 2010 11:00:59 +0000</pubDate>
		<dc:creator>Wesley Ng</dc:creator>
				<category><![CDATA[Columns: Outsourcing]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=26909</guid>
		<description><![CDATA[<p>Attention forum shoppers! Your governing law clause could buy you a lot more than you bargained for</p>
<p>There are many good reasons to “forum shop” when choosing the governing law of an outsourcing contract. Proximity to the place of performance and comfort with the commercial sophistication of the selected jurisdiction are two. In a ruling relating to a franchisee class action, the Ontario Court of Appeal has recently added another (maybe not so “good”) reason to the list: the possibility that the jurisdiction’s general body of statute law may apply to operations outside the jurisdiction even if you have not &#8230; <a href="http://www.slaw.ca/2010/10/26/choice-of-law/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Columns: Outsourcing' --><p>Attention forum shoppers! Your governing law clause could buy you a lot more than you bargained for</p>
<p>There are many good reasons to “forum shop” when choosing the governing law of an outsourcing contract. Proximity to the place of performance and comfort with the commercial sophistication of the selected jurisdiction are two. In a ruling relating to a franchisee class action, the Ontario Court of Appeal has recently added another (maybe not so “good”) reason to the list: the possibility that the jurisdiction’s general body of statute law may apply to operations outside the jurisdiction even if you have not specifically named any statutes in your agreement – and even where the statutes being applied disclaim application outside their jurisdiction.</p>
<p>In <i>405341 Ontario Limited v. Midas Canada Inc.</i>, the court considered,<i> inter alia</i>, whether an Ontario choice of law clause in a franchise agreement resulted in the application of Ontario’s franchise legislation, the <i>Arthur Wishart Act</i> (the “Act”), to the franchise relationship. Section 2(1) of the Act specifically states that it applies “if the business operated by the franchisee under the franchise agreement or its renewal or extension is to be operated partly or wholly in Ontario.” The question before the Court was whether the Act should apply to franchises operating outside of Ontario as a result of the parties having chosen Ontario law to govern the contract.</p>
<p>The Court of Appeal affirmed the motion judge’s ruling that, by choosing Ontario law as the governing law, the parties imported the obligations under the Act but not the jurisdictional limit contained within the Act.</p>
<p>The franchise agreement at issue contained the following choice of law provision:</p>
<blockquote><p><b>Controlling Law: </b>This Agreement, including all matters relating to the validity, construction, performance, and enforcement thereof, shall be governed by the laws of the Province of Ontario.</p>
</blockquote>
<p>In finding that the Act applied to the franchisees located outside of Ontario despite the territorial limitation, the motion judge stated:</p>
<blockquote><p>I believe the most reasonable inference is that, by agreeing that the laws of Ontario are to govern the validity, construction, performance and enforcement of a franchise agreement applicable to franchises operating in another province, the intention of the parties was that their rights and obligations – including the reciprocal and inviolable rights and duties of fair dealing – are to be the same as if the business of the franchise was operated in Ontario. The territorial limitations in section 2 of the AWA have, in my opinion, no more effect for this purpose than that of the general presumption that statutes are not &#039;intended to apply extraterritorially to persons, things or events outside the boundaries of the enacting jurisdiction&#039;.</p></blockquote>
<p>The Court of Appeal agreed with the motion judge’s ruling without specifically addressing the territorial limitation contained in the Act. Instead, the appellate court merely elaborated on the tendency for contemporary commercial contracts to contain a choice of law clause that “bears no relationship with where the contract is to be carried out.”</p>
<p>Many outsourcing agreements involving Canadian-based customers are governed by the laws of Ontario. Prior to this decision, I would have thought that the Ontario governing law clause would only import Ontario law that is specifically part of the province’s law of contract. For example, a contract governed by Ontario law clearly could not be interpreted without reference to Ontario’s <i>Statute of Frauds</i>, so a governing law clause would have to include the <i>Statute of Frauds</i>. I would not have thought that a choice of law clause would result in the automatic application of other legislation – especially not legislation that, on its terms, would not apply due to jurisdictional limitations contained within the legislation. </p>
<p>Most Ontario laws, from the <i>Accessibility for Ontarians with Disabilities Act</i>, 2005 to the <i>Workplace Safety and Insurance Act</i>, 1997, contain jurisdictional limits on their application, for example, to persons with disabilities or workplaces located within Ontario. While the obligations within these (or any other) pieces of legislation can be contractually adopted by parties, this would generally be effected by specifically incorporating the legislation by reference. Before <i>Midas</i> came along, one would have thought the absence of any such specific reference to the Act, coupled with the jurisdictional limits contained within the legislation itself, would preclude its automatic application to a relationship that falls outside those limits, despite the parties having chosen Ontario law as the governing law.</p>
<p>The concern arising from this decision does not only apply to contracts which are governed by Ontario law, but to any contract which is the subject of judicial interpretation in Ontario. If an outsourcing agreement is governed by the laws of New York but litigated in Ontario, Ontario courts may import, solely by virtue of the governing law clause, laws of New York which the parties had not initially intended to incorporate into the contractual relationship.</p>
<p>In light of this decision, and the many pieces of legislation that could apply to long term outsourcing arrangements, parties to an outsourcing arrangement (or any contractual relationship) should carefully review their choice of law clause to ensure that local laws, other than foundational contract laws, are not inadvertently imported. It may not be sufficient to rely on the internal jurisdictional limits contained in Ontario (or other) legislation to avoid their application. In addition, when choosing language intended to preclude the application of conflicts of law principles, be cognizant of the implications of language implying that a court should view the <i>performance</i> of the contract as occurring within a specified jurisdiction.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2010/10/26/choice-of-law/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>The Growing Acceptance of “Off the Shelf” Service Descriptions</title>
		<link>http://www.slaw.ca/2010/09/02/the-growing-acceptance-of-%e2%80%9coff-the-shelf%e2%80%9d-service-descriptions/</link>
		<comments>http://www.slaw.ca/2010/09/02/the-growing-acceptance-of-%e2%80%9coff-the-shelf%e2%80%9d-service-descriptions/#comments</comments>
		<pubDate>Thu, 02 Sep 2010 11:00:27 +0000</pubDate>
		<dc:creator>Wesley Ng</dc:creator>
				<category><![CDATA[Columns: Outsourcing]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=24566</guid>
		<description><![CDATA[<p>	Over the past couple of years, I have noticed that organizations engaging in outsourcing activities are increasingly willing to rely on service providers’ standard service descriptions. The main driver of this trend appears to be tight budgets. At a time of economic uncertainty, there is less capacity for rigorous review of a service provider’s standard service descriptions and service levels. Lacking internal resources, customers are increasingly relying on service providers’ expertise to fill in the gaps. A second factor may be a form of complacency. As customers accumulate a history of positive experiences with successful outsourcings, they may become less &#8230; <a href="http://www.slaw.ca/2010/09/02/the-growing-acceptance-of-%e2%80%9coff-the-shelf%e2%80%9d-service-descriptions/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Columns: Outsourcing' --><p>	Over the past couple of years, I have noticed that organizations engaging in outsourcing activities are increasingly willing to rely on service providers’ standard service descriptions. The main driver of this trend appears to be tight budgets. At a time of economic uncertainty, there is less capacity for rigorous review of a service provider’s standard service descriptions and service levels. Lacking internal resources, customers are increasingly relying on service providers’ expertise to fill in the gaps. A second factor may be a form of complacency. As customers accumulate a history of positive experiences with successful outsourcings, they may become less vigilant about potential problems in new outsourcing relationships. In any event, it is clear that many customers are willing to accept service providers’ assurances that the standard descriptions and service levels “work for all customers.” </p>
<p>	However, customers do so at the peril of the outsourcing.</p>
<p>	A few years ago, the foregoing observation would have been superfluous: it would be hard to think of a more obvious requirement in the context of an outsourcing. While organizations engage in outsourcings partly to benefit from the expertise of the service provider, it is clearly essential that both parties ensure that their expectations for the outsourcing are fully aligned. While service providers are generally experts on the services they provide and the manner in which they provide them, customers need to understand how their internal organization will use and rely upon the services and how this may differ from other customers of the service provider. The expertise of the service provider should inform the customer’s needs, but not determine them. </p>
<p>Ultimately, the customer needs to dedicate sufficient resources to ensure a full appreciation of the services that are being contracted (including service levels and the consequences of any service level failure). Generally, this is a two-step process involving:</p>
<ol>
<li>understanding the organization’s needs without reference to the service providers’ services; and</li>
<li>understanding any discrepancy between the organization’s needs and what the service provider is willing and able to provide.</li>
</ol>
<p>The second part of this analysis will result in discussions between the customer and the service provider which will prove useful in understanding the service provider’s ability to meet the customer’s requirements and its ability to problem-solve – including obtaining assistance to mitigate the impact of any discrepancies that are found to exist.</p>
<p>	How much time and effort does it take to perform this type of analysis? Often, more than most organizations think will be necessary. But the time and effort involved will help the organization better understand its needs and ensure that its expectations are reasonable and achievable. Like any necessary preparation work, however significant the time and effort required may be, it is unlikely to compare to the time and effort required to resolve the situation if the analysis is not performed and the parties subsequently find that their expectations are inconsistent. Having said that, the ease and effectiveness of available exit strategies can be considered when determining how much time and effort should be spent in performing an analysis of the services offered (however, if an organization is not spending the necessary time and effort to perform an analysis of the services it will be outsourcing, one has to wonder whether it has spent sufficient time analyzing exit strategies). </p>
<p>While service providers may argue that their expertise allows them to offer “off the shelf” outsourcings, few customers consider themselves to have only “off the shelf” requirements. It follows, therefore, that only the customer will be fully competent to determine whether the proposed terms will meet its needs and that it will be well worth its time and effort to do so. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2010/09/02/the-growing-acceptance-of-%e2%80%9coff-the-shelf%e2%80%9d-service-descriptions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alberta’s New Personal Information Outsourcing Requirements:  Is Anybody Paying Attention?</title>
		<link>http://www.slaw.ca/2010/06/22/alberta%e2%80%99s-new-personal-information-outsourcing-requirements%c2%a0-is-anybody-paying-attention/</link>
		<comments>http://www.slaw.ca/2010/06/22/alberta%e2%80%99s-new-personal-information-outsourcing-requirements%c2%a0-is-anybody-paying-attention/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 11:00:25 +0000</pubDate>
		<dc:creator>Wesley Ng</dc:creator>
				<category><![CDATA[Columns: Outsourcing]]></category>

		<guid isPermaLink="false">http://www.slaw.ca/?p=22038</guid>
		<description><![CDATA[<p><b>The Amendments</b></p>
<p>I recently had an opportunity to speak with a representative in the Office of the Information and Privacy Commissioner of Alberta in connection with Alberta’s new obligations surrounding notification and disclosure of outsourcing arrangements involving personal information. On May 1st, Alberta’s <a href="http://www.assembly.ab.ca/ISYS/LADDAR_files/docs/bills/bill/legislature_27/session_2/20090210_bill-054.pdf"><i>Personal Information Protection Amendment Act, 2009</i></a> amended the provincial <a href="http://pipa.alberta.ca/index.cfm?page=legislation/act/index.html"><i>Personal Information Protection Act</i></a> (PIPA). Now, while I’m not an Alberta lawyer, it’s clear to me that the amendments impact all organizations that collect personal information from residents of Alberta. I have worked from time to time with my firm’s Alberta office when PIPA privacy issues have arisen &#8230; <a href="http://www.slaw.ca/2010/06/22/alberta%e2%80%99s-new-personal-information-outsourcing-requirements%c2%a0-is-anybody-paying-attention/" class="read_more">[more]</a></p>]]></description>
			<content:encoded><![CDATA[<!-- no icon for 'Columns: Outsourcing' --><p><b>The Amendments</b></p>
<p>I recently had an opportunity to speak with a representative in the Office of the Information and Privacy Commissioner of Alberta in connection with Alberta’s new obligations surrounding notification and disclosure of outsourcing arrangements involving personal information. On May 1<sup>st</sup>, Alberta’s <a href="http://www.assembly.ab.ca/ISYS/LADDAR_files/docs/bills/bill/legislature_27/session_2/20090210_bill-054.pdf"><i>Personal Information Protection Amendment Act, 2009</i></a> amended the provincial <a href="http://pipa.alberta.ca/index.cfm?page=legislation/act/index.html"><i>Personal Information Protection Act</i></a> (PIPA). Now, while I’m not an Alberta lawyer, it’s clear to me that the amendments impact all organizations that collect personal information from residents of Alberta. I have worked from time to time with my firm’s Alberta office when PIPA privacy issues have arisen in the context of outsourcings, and (based on these amendments) it looks like I will be working with my Alberta colleagues even more often in the years ahead. That’s because the amendments require that, where organizations subject to PIPA use service providers located outside Canada, they:</p>
<ul>
<li>notify individuals before or at the time personal information is collected or transferred to a foreign service provider:
<ul>
<li>that the organization uses a service provider outside of Canada to collect personal information or that the organization transfers, directly or indirectly, personal information to a service provider outside of Canada;</li>
<li>how written information about the organization’s policies and practices regarding service providers outside of Canada can be obtained; and</li>
<li>contact information for a person who can answer questions about the collection, use, disclosure or storage of personal information by the organization’s offshore service providers; and</li>
</ul>
</li>
<li>maintain written information about the organization’s policies and practices regarding the use of foreign service providers that identifies:
<ul>
<li>the countries outside Canada in which the collection, use, disclosure or storage of personal information is occurring or may occur (including back-up); and</li>
<li>the purpose for which the service provider has been authorized to collect, use or disclose personal information on behalf of the organization.</li>
</ul>
</li>
</ul>
<p>By specifically targeting foreign service providers, the PIPA amendments are curiously protectionist. Service Alberta issued an <a href="http://pipa.alberta.ca/resources/pdf/infosheet12.pdf">Information Sheet</a> on this amendment which is available through the Government of Alberta’s <a href="http://pipa.alberta.ca/">Private Sector Privacy website</a>. The Information Sheet notes that the amendments are “designed to foster openness and accountability in private-sector organizations with respect to the use of service providers outside Canada.” Ostensibly, the basis for focusing on foreign service providers is that such service providers may not be subject to legislation protecting personal information similar to that existing in Canada. However, PIPA already imposes requirements to ensure that personal information, regardless of where it is located, is subject to protections necessary to satisfy applicable requirements. Since a different level of protection would not apply in the context of offshore service providers, one has to wonder why the additional requirements apply solely to offshore service providers. Concerns about an organization’s use of service providers would presumably not be limited to non-Canadian service providers and concerns about storing and processing personal information outside Canada would likely extend to the organization’s own practices and not just those of its foreign service providers.</p>
<p>In spite of the apparent significance of the amendments, the representative I recently spoke to at the <a href="http://www.oipc.ab.ca/">Office of the Information and Privacy Commissioner of Alberta</a> was not aware of any feedback that had been received on the outsourcing disclosure requirements and was also unaware of any steps that affected organizations had taken to meet the requirements. Confirming this view, I looked at the websites of various organizations operating in Alberta and couldn’t find any of the required information. Since that conversation, I have been wondering whether the lack of compliance is attributable to any specific concerns of industry, or perhaps to operational delays in implementing compliant practices — or whether the amendments are simply viewed as being insufficiently significant to justify the time and expense of immediate compliance. Or maybe it’s simply that a lot of companies just haven’t been paying attention.</p>
<p><b>New Notification Requirements</b></p>
<p>The new notification requirements found in Sections 13.1(1) and (2) immediately follow the existing notification requirement in Section 13.1, which requires organizations to notify individuals of the purposes for which personal information is collected before or at the time such information is collected and to specify an individual or position who can respond to questions about such collection. Sections 13.1(1) and (2) impose a similar notification requirement where a foreign service provider collects personal information on behalf of the organization (for example, where customer support which requires the collection of personal information is provided by an offshore service provider) or where personal information may be transferred to a foreign service provider. Although the word “notification” implies an express duty to actively communicate the requisite information to an individual, since most organizations effectively meet their notification requirements under Section 13.1 through their privacy policies (by setting out the purposes for which personal information is collected), organizations should be able to similarly comply with the outsourcing notification requirement by simply modifying an existing privacy policy to disclose that service providers outside of Canada are used, how to obtain additional information regarding the organization’s policies and practices for offshore service providers and contact details of an individual who can respond to questions regarding such policies and practices. Similarly, if organizations provide any disclosure of their personal information practices in documents presented to customers (such as enrolment and contest forms), such disclosure can be similarly modified to reflect the requirements of the new amendments. </p>
<p>Although the new notification requirements are not onerous, compliance still presents issues. Organizations that operate in jurisdictions other than Alberta need to consider the potential impact (including any competitive disadvantage) that may result from their compliance with the Alberta legislative requirements in other jurisdictions. In addition, there are no grandfathering provisions excusing any outsourcing that preceded the amendment from the application of the notice requirements. Thus, a number of organizations who are subject to PIPA face the dilemma of how to communicate the required notification to existing customers &#8211; is a change to a privacy policy sufficient, or should an organization take additional measures to bring the change to their customers’ attention? Lastly, in my experience organizations tend to be cautious about making information about their use of offshore service providers public.</p>
<p><b>Written Policies and Procedures</b></p>
<p>Section 6(1) of PIPA requires organizations to maintain personal information policies and practices. The new Section 6(2) imposes a requirement for an organization to maintain information about the organization’s policies and practices regarding the use of offshore service providers. Pursuant to Section 6(3), organizations are required to make all policies and practices maintained under Section 6(1) and (2) available upon request. The Information Sheet notes that organizations can either incorporate the information required for service providers outside Canada into their general privacy policy or can maintain a separate policy document for offshore service providers.</p>
<p>Practically, organizations should not use their generally available privacy policy to communicate their outsourcing practices except in the most general sense. Since the use of offshore service providers is subject to constant changes and because outsourcing is often a key strategic initiative, it would be prudent to maintain a separate outsourcing policy which would only be provided to individuals upon request. This policy could be regularly updated and modified as necessary to reflect the organization’s practices and could be customized before being released to any individual to provide only the required information requested. </p>
<p><b>Taking Action</b></p>
<p>As previously stated, I have yet to see any evidence that organizations are working towards compliance. This might be attributable to the typical administrative delay in implementing changes to practices. Alternatively, organizations may be adopting a “wait and see” policy to determine how the Office of the Information and Privacy Commissioner of Alberta intends to enforce the new requirements and how much information about offshore outsourcings competitors will disclose. Equally likely, organizations may feel that the new requirements are not sufficiently material to be worth focusing on at this time. </p>
<p>I would imagine that, like myself, many organizations are questioning the need for the amendments and whether it is sound policy for the government to impose a requirement to disclose sensitive commercial information to the public. However, regardless of the reason, it is curious that organizations are not, at a minimum, taking the requisite steps to at least visibly indicate compliance – which would really only require a modification to privacy policies to advise that non-Canadian service providers are used and to provide contact information for someone that can respond to questions regarding such service providers. The more problematic document detailing the actual policies and procedures employed with respect to offshore service providers can be discussed internally so that something can (hopefully) be in place before a request is made for such information. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.slaw.ca/2010/06/22/alberta%e2%80%99s-new-personal-information-outsourcing-requirements%c2%a0-is-anybody-paying-attention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
