If nothing else will cause CIOs insomnia in 2011 it will be the potential disruptive effects of legal issues that walk hand in hand with this year's IT trends. Most of the lists of trends look the same and there are those that will be proved to be over hyped. One thing that is certain after Wikileaks, Facebook privacy issues and an ever growing cloud on the horizon, it will be a busy year in the courts.
Waking in a cold sweat may be a common malady for CIOs this year. We will see somebody in Court in a Cloud-related dispute. Last year we had the first inkling of the problems we might see; Eli Lilly ended its use of Amazon's EC2 because it could not agree terms relating to liability for various things including data outages and security breaches. Cloud computing contract terms tend to deny all liability for those issues, provide no warranties and limit damages. Size seems to be no immediate advantage in negotiating more favourable terms. Conversely, Amazon ended Wikileaks' use of EC2 in circumstances which raised interesting legal questions about when a contracted service can be denied if the customers activities and interests are not in step with those of the provider.
Virtualisation and cloud computing
Virtualisation and cloud computing will be the first legal sea change for CIOs. They will bring about more disputes and they won't be as easily resolved. They are game-changers of your legal and other relationships.
IT implementations and agreements have, to date, largely been co-dependant relationships which had immediate consequences for how the disputes were resolved. Unless things are really bad at home, you don’t sue your partner, however you might sue daycare.
This co-dependency in agreements and relationships caused informed lawyers to develop a dispute resolution model which moved from dispute resolution techniques back into structured renegotiation as the parties couldn't easily escape their relationship. As a result, the Courts, Arbitration and, to a lesser extent, mediation were not used other than as levers or stages in the process for defining the issues.
2011 may see that model thrashed by virtualisation and Cloud computing. Unless lawyers can do better and find a new dispute model many disputes are destined to end up in Court or locked within their exisiting dispute mechanism.
Virtualisation and cloud computing will also disrupt the model where business units were seen and able to act as the owners of business critical applications.
Almost invariably, the disputes I have seen in recent times revolved around:
- A disconnect between what suppliers were originally asked to provide and business units' expectations of the solution or failure to appreciate their role in implementation or vice versa; or
- Suppliers simply not understanding the business units requirements at the outset.
Business units will have to cede more control to the CIO. Customisation, re-engineering a solution and business unit control of the solution are not as infinitely or flexibly on offer. Cloud services enterprises are unlikely to engage in renegotiation or re-engineering an application, information or other business services it provides to that customer. When considered in light of the Cloud computing model, it becomes clear why they try to avoid liability as one failure could result in claims from many customers.
Business units will have to modify their expectations and priorities, and in some cases entirely abandon control. While some Cloud providers offer negotiable contracts, customised terms and resources (and may have to do so to attract significant business opportunities), they are unlikely to offer Saville Row tailoring.
Unless an organisation is aware of the different dynamic and can adapt to the cultural change, the discipline required to know what is required and can be abandoned and cede more control to the CIO then more disputes are inevitable. Indeed many see those issues as a fundamental impediment to the success of virtualisation and the cloud.
The Berlin wall seemed like a good idea at the time but as times changed so the wall came down. Security in IT has been a walled paradigm which is as quaint as the walled cities in hilly Tuscany. IT professionals in recent times have seen an evolution towards monitoring, pattern identification, audit and other security tools. These challenges are ever increasing.
Significant security and privacy challenges have been created by the emergence cloud applications, virtualisation, social networks and associated marketing, mobile applications, analytics. Each has ensured your organisation, employees and customers are deeply concerned with security and privacy. Julian Assange has ensured boards will pay close attention to the issue over the next 12 months.
In addition to the straight security issues increased legal compliance costs – just working out the potentially applicable laws at any one time can be a headache. There will be an incentive for jurisdictions to make themselves attractive as a hosting jurisdiction (both from a financial and compliance point of view).
There will be problems in permanently destroying (or enforcing retention) of data on shared servers. CIOs will have to identify the information that can go to the Cloud and the information that must be kept elsewhere. They will have to decide what 'Cloud' services are and are not acceptable in terms of customer acceptance, security, and legal and enforcement risks.
The iPad (and similar devices) are contributing to the ever diminishing distinction between work and personal usage. Issues relating to the extent organisations can mandate limitations on the use of devices and social networking sites has already been in the news and the Courts.
We will see a rise in legal action by clients over loss or misuse of their business information, more ex-employees suing over privacy breaches, more criminal and regulatory investigations involving interception or possession of information.
Already there have been legislative responses as the adoption of Cloud computing services will demand a review of the adequacy of current privacy and data security legislation in relation to the use of Cloud computing. Such a review will be particularly important as data within a cloud may be stored at various locations outside of Australia, with differing privacy and data protection legislation.
In October 2009 the Australian Government agreed to recommendations to significantly tighten privacy law with respect to offshore transfers and focus on the ongoing 'accountability' of the sender of the information. One of the key changes relates to the offshore transfer exemption which permits offshore transfers where the recipient is subject to a law, scheme or contract which upholds principles similar to the NPPs.
The reforms will lead to increased focus on which non-Australian jurisdictions data may be sent to. Customers will want to place obligations on their Cloud computing suppliers to only store their data in nominated countries, which they believe have privacy protections compatible with Australian privacy law.
A revised Privacy Principle 8, released in an exposure draft in June 2010, creates new requirements for organisations outsourcing data that identifies Australian citizens to offshore data centres. The revised Privacy Principles won't be debated until mid-2011. But if passed, these laws could have serious repercussions for customers hosting data offshore.
Currently, the principal piece of legislation in Australia, the Cybercrime Act 2001 (Cth), covers only a small part of cybercrime (specifically, offences against data security and electronic communications integrity). In May 2010 the Standing Committee of Attorneys-General committed to a national cybercrime regime to create a nationally co-ordinated approach to the prevention and prosecution of cybercrime. The national approach will include a review of hacking laws and more co-ordination between federal and state law enforcement agencies.
A voluntary code for Internet Service Providers (ISPs) aimed at protecting Australian internet users from online threats came into effect on 1 December 2010. The 'iCode' was developed by the Internet Industry Association in partnership with the Australian Government. Some commentators have criticised the iCode for being overly concerned with minimising the burden on ISPs' operations. The Internet Industry Association has called for the iCode to be tested before mandatory legislative measures are put in place.
Dealing with disruptive influences
So how do you deal with these disruptive influences? Some tips:
- Clear SLAs regarding how and where data will be used, stored and protected.
- Contracts that focus on building trust in cloud computing services. Providers will have to adopting clear and transparent policies on how their customers' data will be used, stored and protected.
- Understand the mechanisms and protections the supplier will use to protect the data (including the personal information of their customers and employees).
- The Australian Academy of Technological Sciences and Engineering (http://www.atse.org.au/resource-centre/func-startdown/263/) has recommended that there needs to be an approach that builds on Service Level Agreements (SLA). This could involve:
(a) agreement upon policies for sharing information ahead of any interaction between the client(s) and cloud service providers. This may be achieved through the use of contracts or SLAs defining access to specialised services or access control policies; (b) rigorous proofs of agreed good behaviour (as defined in the SLA) between the cloud service provider and their clients during all critical interactions, and after the policy agreements have been reached; and (c) ensuring externally verifiable and auditable “good behaviour” records are kept over the life span of interactions, from commencement to termination.
Robert Todd is a Partner at legal firm, Blake Dawson.