
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

Managing legal risks arising from cloud computing

Posted in Cloud Computing

By Phillip Kelly and Elinor Thomas, DLA Piper (UK)

On 26 June 2014, the European Commission announced that it had been presented with guidelines on the standardisation of Service Level Agreements (SLAs) for cloud computing services.

The publication of the guidelines represents only the latest step in the Commission’s wider European Cloud Strategy, which was launched in 2012 with the objective of delivering a net gain of 2.5 million new European jobs, and an annual boost of €160 billion to European GDP by 2020.

The size of the market for cloud services across the EU, and the opportunities for growth that have already been identified, are indicative of the benefits that cloud services can bring to businesses of all sizes.  It is easy to see why there has been such a high take-up of cloud services and why the market is predicted to grow at such a rapid rate.  With the necessary infrastructure being the responsibility of the cloud service provider (CSP), the customer is spared the maintenance costs, capital expense and IT resource time typically associated with in-house IT projects.  Equally, because the infrastructure sits with the CSP, necessary resource and capacity can be acquired by the customer as and when it is needed, which can lead to very significant efficiency savings.

However, cloud services also bring risks, particularly for businesses with potential exposure to litigation or regulatory investigations, where documents may need to be accessed on a time sensitive basis and where any failings in document retention could result in significant negative consequences.  This article considers the nature of those risks and the steps that businesses can take to protect themselves in the context of the evolving cloud services market.

Summary of EU guidelines

The Commission’s publication of the guidelines for standardisation of SLAs for cloud services is undoubtedly a positive step towards assisting businesses across the EU in managing the risks associated with cloud services.  The guidelines have been prepared by a Cloud Select Industry Group, which included major CSPs such as Amazon, Google, Microsoft, Oracle and IBM and international professional service firms including DLA Piper and PwC.

The guidelines identify the types of objective criteria that should be included within SLAs to enable customers to measure performance.  Such criteria include the following:

  • availability levels, CSP response times, support and maintenance commitments and data retention policies;
  • security standards, including in respect of service reliability, user authentication, data encryption and security auditing rights;
  • data management standards, including in respect of data classification, data mirroring, backup and restoration policies, data lifecycle and data portability; and
  • personal data protection standards, including in respect of data protection compliance, data processing, notification of disclosure requests and limitations on the circumstances in which data can be transferred cross-border.

Users of cloud services within the EU will be better placed to control and monitor risk if the guidelines are adopted by CSPs within their standard form SLAs.  The Commission has indicated that it expects that adoption of the guidelines will lead to greater trust in cloud solutions, which in turn will lead to increased revenues for CSPs as the market continues to grow.

The objective of generating greater trust in cloud solutions should also be furthered when the proposed EU Data Protection Regulation finally comes into force.  The intention behind that Regulation is to create a single pan-European law for data protection, replacing the current position where, although the EU Data Protection Directive (95/46/EC) sets minimum measures for data protection, it is open to member states to implement stricter requirements.  This results in inconsistencies in national data protection laws and competing provisions applying to services that are provided across more than one member state.

Risks arising from the use of cloud services in the context of legal proceedings

Whilst the risk profile of using cloud services across the EU will likely change once the SLA guidelines and the EU Data Protection Regulation are adopted fully, businesses with exposure to litigation and regulatory investigations should be aware of the types of risks that are inherent when using cloud services.  In particular, the varying requirements under the laws of different European jurisdictions in relation to the retention, search for and disclosure or production of documents in the event of domestic or foreign litigation and varying data protection/privacy laws, can all lead to complications in the context of cloud storage solutions.

While typically more of an issue in common law jurisdictions (such as England, where parties to litigation are under a duty to retain and then disclose relevant documents in their control), cloud storage of documents may mean that document disclosure issues can also arise in civil law jurisdictions where obligations to produce documents are typically far more limited.  Particular issues arise in this context in relation to cloud document storage because of the attendant uncertainties concerning the physical location of cloud data.  As explained above, cloud storage is usually provided by a third party and located remotely from the business, often in another jurisdiction, in multiple jurisdictions, or even in changing locations.  In practice, therefore, a company’s data is often divided and stored in different countries and may become subject to the laws of the jurisdiction in which it is stored (e.g. where the CSP’s servers are located).

This can become problematic because of the varying laws, even across European jurisdictions, in relation to the collection of documents for foreign proceedings.  For example, while the search for and collection of data in the control of a party may be mandated by one law, the law of another European jurisdiction can prohibit the search for or disclosure of documents located in that jurisdiction for use in foreign proceedings.  The English court considered this issue (although not in the context of cloud services) as recently as last year in the cases of Secretary of State for Health and others v Servier Laboratories Ltd and others and National Grid Electricity Transmission plc v ABB Ltd and others, effectively deciding that documents stored in France must be disclosed notwithstanding that French law gave rise to a risk of prosecution for doing so.  Businesses may therefore end up in a position where the use of cloud storage solutions, combined with the requirement to collect documents in the event of litigation, exposes them to potential breaches of local laws even where they were not aware that their documents were located in the relevant jurisdiction.

Another key risk arising from cloud services in the context of disputes is the possibility of applications for third party disclosure being made directly against CSPs to compel them to provide documents within their control.  This is highly undesirable both for CSPs and customers and leads to the risk of conflicts between the CSP’s contractual obligations to customers and legal requirements imposed by, for example, a court order mandating disclosure.

Businesses should also be aware that the cross border nature of cloud storage could lead to the possibility of governments, law enforcement agencies or regulatory bodies in jurisdictions where data is stored being able to access their documents for the purposes of investigations or surveillance.  Generally speaking in these circumstances (unless the request can be challenged because it does not comply with applicable laws), the CSP will have little option other than to give access to its customer’s documents.  While it has always been the case that governments generally have rights under national laws to access privately held data in circumstances where national security or serious crime is an issue, cloud users should be particularly aware that the multi-jurisdictional features of cloud storage mean that documents may be susceptible to access by different governments across the world.

The particular legal issues that arise in the context of cloud computing can be mitigated by businesses keen to use it because of the significant commercial advantages that it provides.  Ideally, cloud customers should undertake due diligence into their CSPs at the outset to determine which jurisdictions documents are likely to be stored in and therefore which national laws will be at play.  It is also good practice to engage with CSPs about their procedures for dealing with disclosure requests from third parties (whether courts or government/regulatory bodies) in order to gauge the CSP’s awareness of the issues and their processes for considering and responding to such requests.

It is also important for customers to select CSPs who can easily facilitate the preservation of documents in the event of litigation or investigations by implementing the immediate suspension of auto-deletion procedures (thereby preventing possible adverse inferences in the event of the loss of data) and who offer sophisticated search tools that can provide benefits in any litigation or investigation.

The use and reach of cloud computing is expanding, and although undoubtedly a positive development for businesses across Europe, its limitations and risks should not be overlooked.  Businesses should be cautious when deciding whether to utilise the technology, which CSP to choose, and the extent to which cloud storage is implemented, particularly in light of the difficulties that could arise in the context of document retention, litigation and investigations.  This is particularly relevant as a result of the differing nature of technology and privacy laws across the EU, and whilst steps are now being taken to increase certainty and cooperation between and across states, different interpretations and approaches to disclosure and document retention will continue to cause difficulties for businesses.  However, as long as businesses (especially those operating cross border) are aware of the issues and have open communication with CSPs, the actual and potential benefits of using cloud computing technology appear to far outweigh the risks.

Federal District Court Decision in Microsoft Case re Warrants for Content Stored Outside US

Posted in International Privacy, Privacy and Data Security, Technology and Commercial, US Federal Law

Written by Sydney White

On July 31, the district court judge issued a ruling in the case involving the US Government’s warrant issued to Microsoft to compel production of data stored on the servers of its wholly owned Irish subsidiary located in Ireland (In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp. (S.D.N.Y.)).  The judge upheld the magistrate’s decision that Microsoft must produce the emails held on servers located in Ireland and operated by its Irish subsidiary.  The decision is stayed while Microsoft appeals.

This case could have profound implications for US companies storing or hosting data overseas because foreign competitors will be able to argue that data stored outside the US is safe from neither US intelligence nor US law enforcement.  It likewise could lead to chaotic choice of law disputes as other countries begin to demand reciprocal treatment in the US for their own law enforcement process.  This follows increasing data localization requirements in other countries in the wake of the Edward Snowden revelations.

The judge agreed with the magistrate that the issue is not the location of the data but instead control over the data.  As such, Microsoft is required to produce the data regardless of where it is stored.  This follows the Bank of Nova Scotia line of cases.

Ultimately, this case could end up before the Supreme Court or it could lay the ground work for Congress to step in and clarify the legal standards for law enforcement access to electronic information.

What?? The Target Company Does Not Own its IP!?

Posted in Licensing, Technology and Commercial

Written by Mark Lehberg

We have been working on a number of private company mergers and acquisitions transactions this year where the technology and the intellectual property of the target company (the “Target”) are the key value drivers for the transaction.  It is always surprising when the Target has not used “good housekeeping” with regard to its intellectual property and when the Target has transacted business without regard to what might happen in the event of an acquisition.  This is especially surprising since the exit strategy for many (if not most) private companies is an acquisition.

In a current transaction, our client is buying a private software company based in Europe.  The software, technology and intellectual property are the key value drivers in the deal.  The following are some of the issues in the transaction.  These are key issues for acquirers in M&A transactions and are issues that private companies can easily avoid.

  • IP Developed by Employees.  The agreements between the Target and its employees do not include a present assignment of intellectual property from the employees to the Target.  Consider the Stanford v. Roche decision.
  • IP Developed by Contractors.  Similarly, the agreements between the Target and its contractors do not include a present assignment of intellectual property from the contractors to the Target.
  • IP Developed by Engineers’ Personal Management Companies.  In this transaction, some of the key engineers (who are also significant shareholders) were not employees of the Target, but instead contracted with the Target under separate “personal management companies.”  These personal management companies are common in the particular European jurisdiction for tax reasons.  So the key engineers are the sole employees of a personal management company, which in turn provides services to the Target and may, in some cases, provide services to other companies.  In some cases the personal management company has an agreement with the Target, while in other cases there is no agreement with the Target.  If there is an agreement with the Target, the agreement does not include an assignment of intellectual property to the Target.  To make matters more complicated, the engineer has no agreement with the management company.  As a result, it is not clear who owns the intellectual property – the engineer, the management company or the Target.  In one case, the personal management company was liquidated.
  • Patents.  The Target received an assignment of a patent from a European University, but the patent assignment was incomplete and did not fully assign the patent to the Target.  Other patent assignments were sloppy and incorrectly identified the Target as the assignee.
  • Inbound Licenses.  As a result of the Target’s relationship with the European University, the Target used “academic” as opposed to “commercial” licenses to certain third party software.
  • Tax Subsidies from Local Government.  The Target received tax subsidies for product development efforts and the subsidies included restrictions on the “transfer” of the result of the development work.  However, the term “transfer” is not defined.

If you are a private software or technology company and your “exit plan” is an acquisition, follow good housekeeping when it comes to your ownership of your intellectual property and your transaction will go much more smoothly.  If you are an acquirer, do not overlook the diligence around these “fundamental” issues.


FRANCE: A French Court orders a Swiss company selling French game tickets over the Internet to prevent French Internet users from accessing part of its websites

Posted in E-Commerce and Social Media, Gambling & Gaming, Licensing

By Florence Guthfreund-Roland & Mathilde Hallé

On April 10, 2014, the Court of First Instance of Paris found that VIAGOGO, a Swiss company operating a website selling sports tickets on the Internet, had no right to sell tickets for a French soccer game organized by the French Professional Soccer League. On that basis, the Swiss company was ordered to take appropriate steps to prevent French Internet users from accessing the content of its online communication service on several of its websites.

The French Professional Soccer League (the “LFP”) is the French entity in charge of the organization of professional soccer competitions, including the French national soccer cup.

In February 2014, the LFP sent a cease and desist letter to the Swiss company VIAGOGO asking the latter to cease the commercialisation of game tickets for the French national soccer cup final, on the grounds that VIAGOGO was in breach of the LFP’s monopoly as it was not authorised by the LFP to sell such tickets online. In March 2014 the LFP brought an action against VIAGOGO before the interim relief judge of the Court of First Instance of Paris, also claiming that VIAGOGO sold the tickets at a price much higher than the one set by the LFP. The LFP asked the Court to order VIAGOGO to withdraw from its websites, and especially from the website www.viagogo.fr, any offer for sale of tickets for the French national soccer cup final.

In defence, VIAGOGO contended the following:

  • the French Courts had no jurisdiction over the disputed matter since the LFP had not demonstrated that the websites www.viagogo.lu and www.viagogo.com targeted the French public, nor that there was a substantial and significant link with the French public;
  • the fact that part of the content posted on the disputed websites was in French was not sufficient to grant the French Courts jurisdiction over the disputed matter;
  • the website www.viagogo.com did not target the French public since prices were displayed in dollars on the website;
  • VIAGOGO was not responsible for the offer of the website viagogo.fr; and
  • the Paris professional soccer team had entered into an agreement with VIAGOGO in relation to the website www.viagogo.fr.

However, the Court found that it had jurisdiction over the disputed matter considering that: (i) the three disputed websites could be accessed from France and targeted the French public, and online transactions could be made in euros; and (ii) the fact that the company operating the website was not located in France was not relevant, nor was the fact that the hosting providers involved were not incorporated in France.

In line with previous case law on the monopoly of sports organizations, the Court further held that the offering for sale of the tickets by VIAGOGO constituted a manifestly unlawful disturbance, since VIAGOGO does not have the right to commercialise such tickets and does not abide by the conditions of sale set forth by the LFP. In other words, and even if not innovative from a legal standpoint, the Court confirmed that the sale of tickets for any soccer game organised by the LFP falls within the LFP’s monopoly, and therefore remains subject to the LFP’s prior authorisation and to its general conditions of sale.

On that basis, the Court ordered VIAGOGO to take any measures necessary to prevent French Internet users from accessing the content of its online communication service accessible from the websites www.viagogo.fr, www.viagogo.lu and www.viagogo.com, without distinguishing between soccer tickets subject to the LFP’s monopoly and other sports tickets. It can be noted that such measures may put a disproportionate burden on VIAGOGO as, under French law, the interim relief judge is in theory only allowed to grant measures which are strictly necessary to put an end to the acknowledged disturbance and prevent any damage.

For further information, please contact Florence Guthfreund-Roland (florence.guthfreund-roland@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Why Ximpleware May establish New Rules in the Open Source World

Posted in Licensing

Written by Vicky Lee

Ever since the GPLv2 was released in 1991, lawyers and software professionals have analyzed its terms, blogged about them and argued about them.  Interpretations of GPLv2 have evolved over the years and there is a consistent pace of enforcement actions by the Software Freedom Law Center.  There have been cases interpreting the GPLv2 over the years also but mostly out of Europe.  Now we have a case here in the United States that may finally provide some clarity on what it takes to comply with GPLv2.

The Ximpleware case actually started as the Versata case.  In Versata v. Ameriprise, Versata licensed some software to Ameriprise that Ameriprise used in its financial services business.  Ameriprise’s license included a prohibition on using the software to develop competitive products.  Versata sued Ameriprise alleging that Ameriprise breached the license because it made the software available to competitors of Versata.  As a defense to what started off as a “run of the mill” commercial dispute between two sophisticated companies, Ameriprise claimed that Versata had incorporated into its software an open source component released by Ximpleware under GPLv2, and that pursuant to the terms of GPLv2, Versata was obligated to make the object code and the source code of its software available to Ameriprise.  Once Ximpleware found out about the alleged non-compliance with GPLv2 (since it was now part of the public record in the Versata/Ameriprise dispute), Ximpleware sued both Versata and Ameriprise alleging a violation of GPLv2.

The case is complicated and likely will undergo much procedural maneuvering before the court will get to the substance of the case.  However, a key question that the courts will likely look at is whether a violation of GPLv2 gives a plaintiff a right to a contractual remedy or a claim for copyright infringement.

We will keep an eye on the case and provide updates as they are available.

PCI Security Standards Council: Recently Published Recommendations

Posted in Privacy and Data Security, Technology and Commercial

Written by Ryan Sulkin

The PCI Security Standards Council has recently published recommendations for ensuring that payment data and systems entrusted to third parties are maintained in a secure and compliant manner, in accordance with PCI-DSS requirements.  The recommendations are available at the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf.

A merchant, prior to engaging a supplier that will access its cardholder data environment or that will otherwise process, store or transmit cardholder data on the merchant’s behalf, must consider how that supplier will satisfy PCI-DSS requirements in a manner that will allow the merchant itself to remain PCI-DSS compliant.  The Council’s guidance provides merchants with a framework for understanding: (i) how a supplier’s own PCI-DSS compliance folds into the merchant’s PCI-DSS compliance requirements; (ii) how to evaluate a supplier’s level of compliance pre-engagement and allocate compliance responsibilities for applicable PCI-DSS requirements during the engagement; and (iii) options for addressing scenarios in which a supplier may not be formally certified as a PCI-compliant service provider or may not have a Report on Compliance (ROC) that can be provided to the merchant.

The dynamic between merchant and service provider is often one that can spawn unique scenarios and challenging questions, and this new guidance from the Council provides merchants and suppliers with a deeper perspective than was previously available and is a must-read.

HACKERS STEAL 1.2 BILLION PASSWORDS – 4 STEPS TO TAKE NOW

Posted in Privacy and Data Security, Security Breaches

Written by Aravind Swaminathan and Tara McGraw Swaminatha

The New York Times reported this week that an organized Russian criminal group stole approximately 1.2 billion user name and password credentials associated with more than 500 million email addresses from hundreds of thousands of websites around the world.

The article notes that the hackers used a large botnet (a group of computers that a hacker has taken control of for his or her own use) to probe websites methodically for vulnerabilities that would give the hacker access to the websites’ databases containing sensitive information such as email addresses, user IDs and passwords.

Although the victims have not been identified, there are certain steps you should consider taking, all in close consultation with your experienced IT staff.


NEW RELEASE: Chapters 14 and 15 – Termination AND Exit Management

Posted in Technology and Commercial

DLA Piper’s award-winning global Technology and Sourcing team is pleased to release the newest chapter of the Sourcing Reference Guide, our handbook to conducting successful sourcing transactions.

Chapter 14 looks at termination and Chapter 15 looks at exit management.

To create the complimentary Sourcing Reference Guide, we’ve combined best practices from our leading global team, covering a range of sourcing transactions – ITO, AD/AM, BPO, F&A, HRO, FM, infrastructure, networks and more.

Following are the chapters included to date (Chapters 14 and 15 are the newest):

1. Sourcing Structures
2. Sourcing Agreement Structures
3. The Services Description
4. Offshoring
5. Timing, Delivery and Delay
6. Service Levels
7. Service Credits
8. Charging Models
9. Tax
10. Benchmarking
11. Compliance
12. Data Protection
13. TUPE and Employee Issues
14. Termination
15. Exit Management

We will be adding additional chapters to the Sourcing Reference Guide throughout the year and will keep you abreast of new updates.

For more information, please contact sourcingreferenceguide@dlapiper.com.

FCA guidance for firms thinking of using third-party technology (off-the-shelf) banking solutions

Posted in Cloud Computing, Commercial Contracting, Security Breaches, Strategic Sourcing, Technology and Commercial

Written by Nichola Prescott, Associate, London

The Financial Conduct Authority has published a document setting out a list of points for financial services firms to consider when preparing for and evaluating third-party technology banking solutions.

Where a third party provides services which are critical to a regulated firm’s business operation, it will be considered an outsource service provider (“OSP”) and the firm will be subject to certain regulatory obligations as a result.

Primarily firms must meet the FCA’s “appropriate resource” and “suitability” threshold requirements set out in COND 2.4 and 2.5 respectively, and comply with the general outsourcing requirements set out at SYSC 8.1.  The FCA document reminds firms of the overall aim of the regulatory objectives with regards to outsourcing, namely that:

  • firms must appropriately manage and remain responsible for the operational risk associated with their use of third parties; and
  • the arrangements with third-parties must not impair the regulator’s ability to regulate the firm.

The publication addresses six main areas for assessment by firms considering the use of third-party technology, each of which is then further defined by reference to a series of questions for firms to ask themselves as a checklist of their own thinking on how to satisfy their regulatory obligations.  The six principal areas cover:

  • the rationale behind the decision to outsource the delivery of critical technology services;
  • the selection of the OSP and the solution;
  • oversight and governance of the OSP, including service levels;
  • operational elements, including support and maintenance, quality and incident management;
  • service protection, including security, disaster recovery and testing; and
  • data protection.

The document makes clear that the questions are not exhaustive (either of the points that firms should consider in preparing third-party arrangements, or of the points that the regulator(s) will consider when assessing an application for the delivery of regulated services), so of course each firm will need to consider its own specific requirements, internal operation and other relevant issues.  However, the document will be helpful in structuring that process, and also potentially useful in identifying the “right” terms to be included in any relevant contract.

The document is available at http://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
