TomiLaw | Technology, Online, Media & IP from DMH Stallard

Should European businesses really fear the USA Patriot Act?

2012-05-17T08:24:00.000+01:00

This article first appeared on CloudPro and now features both parts.

The US Patriot Act has struck fear into European users but don't forget that our authorities have powers too

The USA Patriot Act probably ranks alongside Sarbanes-Oxley in terms of recognition and fear of US legislation outside the US. It is widely known that this is the means by which FBI can get access to confidential data and the reason that some UK businesses may be holding back from cloud adoption, preferring an on-premise solution. But are they right to fear the Patriot Act?

The EU data protection regime prevents the transfer of data outside the European Economic Area to a country with inadequate data protection laws or unless the recipient will provide the adequate protection. The European Commission keeps a list of safe countries. Canada and Switzerland are on this list and so is the EU-US negotiated self-regulated Safe Harbor. Most of the large US cloud providers have signed up to the Safe Harbor principles which allow them to transfer data from the EU to the US. The EU Commission is proposing to extend data protection in its proposed new data protection regulation by stating that it applies to EU data held outside the EU.

The USA Patriot Act was passed shortly after the atrocities of 11 September and served to revise and consolidate counter-terrorism laws. This includes sweeping surveillance and search powers without the need for court order. TheAmerican Civil Liberties Union has challenged the issue of “National Security Letters” which allows the FBI to collect information and to prevent anyone receiving a letter from publicising it. While they have had some success, the Act remains in force.

Impact outside the US
Keeping data in the EU is not enough. In June 2011, the managing director of Microsoft UK admitted that it would comply with the Patriot Act as its headquarters are based in the US. While it would try to inform its customers before this happens, it would not guarantee this. This means that if you do business with a UK subsidiary of a US-based cloud operator and you specify that English law applies and you choose a UK-based data centre operating under EU data protection laws, the FBI can still get access to your data. While this had already been suspected, this was the first clear affirmation and is true for any US-based cloud provider.

So what can you do?
The UK Information Commissioner has warned of the effect of the Patriot Act but has not really provided substantive guidance as to how to overcome it. Legitimate use of the US Patriot Act for anti-terrorism surveillance is likely to fall within an exemption under the existing and revised EU data protection regimes.

You can keep your data away from US organisations. This means checking your entire supplier chain to make sure that there is no US company involved in the chain and not even a back-up or failover in the US.

UK, EU and Swiss owned and based cloud service providers have used this as an opportunity to promote their cloud services based in EU or Switzerland-based data centres with no US involvement and therefore immunity from the Patriot Act.

There have been some high profile examples of this recently. The Norwegian data protection regulator has warned the public sector about use of Google Apps over fears of the Patriot Act and the Dutch government looks set to exclude US IT providers from government contracts. Also, BAE Systems revealed in December 2011 that it was all set to adopt Microsoft Office 365 but had abandoned it after its lawyers warned about the effects of the Patriot Act.

Of course, it is worth remembering that the US is not the only country with anti-terrorism legislation. For example, the UK has its Anti-terrorism, Crime and Security Act and the Regulation of Investigatory Powers Act. The Telegraph reported on the use of RIPA by councils to tackle dog fouling, the unauthorised sale of pizzas, the abuse of the blue badge scheme for disabled drivers and even to take sound recordings of noisy children.

Although this led to some tightening of these powers, the UK government still has broad powers to intercept communications and gain access to data including where it is protected by encryption or passwords. And don’t forget, the UK government shares intelligence with the US government.

Ultimately, the best way to keep data completely secure is to keep it on-premise solution. But you do have to ask yourself: is it really likely that the US or UK government will want to access your data for anti-terrorism reasons?

IP IP ’ooray

2012-04-26T16:18:00.000+01:00

Today, 26 April, is World Intellectual Property Day and organisations round the globe are celebrating “visionary innovators” with a raft of events.

The UK public has singled out Apple’s Sir Jonathan Ive as our favourite British Visionary Innovator with almost 50% of votes. Other contenders included the artist Banksy, Sir James Dyson for industrial design and author JK Rowling.

IPAN, the Intellectual Property Awareness Network, is running an event tody for parliamentarians highlighting the significance of creating value from those with vision about IP as a positive force. DMH Stallard is one of the sponsors and TomiLawyer and DMH Stallard Partner Nick Kounoupias is attending the presentations which include one by Dids Macdonald, IPAN’s Parliamentary Convenor and CEO of ACID.

The day is about highlighting the contribution of IP to the arts, music and technology. It’s a valuable opportunity to raise awareness of IP issues and to stimulate discussion about the role IP plays in the journey from an idea to practical application.

As the poet James Russell Lowell once eloquently said “creativity is not the finding of a thing, but the making something out of it after it is found”. And so say all of us!

Return of the cookies monster

2012-04-25T09:25:00.003+01:00

You may recall there was uproar when the “Cookies Directive” was introduced last year. The Information Commissioner’s Office (ICO), however, took a relaxed view and allowed businesses one year’s grace to implement changes. The bad news is the grace period ends on 25 May 2012.

If your website is accessed by European users, you will have to comply with the new rules regardless of where your business is located. You have two key obligations: (i) inform users that you are using cookies and their purpose; and, (ii) obtain users’ informed consent to store cookies on their hardware - you must obtain that consent before the cookie is set or soon after the user has accessed your website.

Those looking for an exemption are advised these are limited: for example, cookies used to facilitate secure online banking are exempt. The ICO has stated it will take a dim view of those that ignore the new rules and may fine businesses for non-compliance.

There are a number of simple steps you can take to keep within the law. These include:

Talking to your web designer about adapting your log-in page or adding headers, footers or pop-up boxes. Users only need to provide informed consent once so consider a tick-box.

Ensuring that your website carries a prominent notice about cookies and their use and refer users to a section of your website that tells them about the way cookies operate and the types used.

Updating both your privacy policy and website terms of use to include information about cookies.

Reviewing and implementing the guidance from the ICO and the businesses’ organisation, the International Chambers of Commerce.

If you would like any further advice, please contact Frank Jennings or John Yates.

This article was first published in South East Business Magazine, May 2012.

Smile - you're on camera

2012-04-20T11:17:00.001+01:00

British legal history was made this week with the first televised sentencing in a criminal trial - in Scotland. While cameras are forbidden in most court proceedings in England and Wales under the 1925 Criminal Justice Act and the 1981 Contempt of Court Act, it the Queen’s Speech is expected to include proposed legislation for the wider recording and broadcasting of cases, starting with Court of Appeal hearings and extending to Crown Court trials.

While there are obvious concerns about necessary safeguards to protect witnesses and victims, as noted by Victim Support and the Director of Public Prosecutions, both Government and the judiciary are broadly in favour of more transparency and public awareness of proceedings.

As with Supreme Court hearings which have been broadcast since its inception in October 2009, it is unlikely that judges will become TV celebrities or that any prime time spots will be taken by the broadcasts but this still is an interesting development in open access and demystifying the legal process.

Sally Creissen, Library and Information Services Manager

Should European businesses really fear the USA Patriot Act?

2012-04-18T14:30:00.002+01:00

The US Patriot Act has struck fear into European users but don't forget that our authorities have powers tooThe USA Patriot Act probably ranks alongside Sarbanes-Oxley in terms of recognition and fear of US legislation outside the US. It is widely known that this is the means by which FBI can get access to confidential data and the reason that some UK businesses may be holding back from cloud adoption, preferring an on-premise solution. But are they right to fear the Patriot Act?

The EU data protection regime prevents the transfer of data outside the European Economic Area to a country with inadequate data protection laws or unless the recipient will provide the adequate protection. The European Commission keeps a list of safe countries. Canada and Switzerland are on this list and so is the EU-US negotiated self-regulated Safe Harbor. Most of the large US cloud providers have signed up to the Safe Harbor principles which allow them to transfer data from the EU to the US. The EU Commission is proposing to extend data protection in its proposed new data protection regulation by stating that it applies to EU data held outside the EU.

The USA Patriot Act was passed shortly after the atrocities of 11 September and served to revise and consolidate counter-terrorism laws. This includes sweeping surveillance and search powers without the need for court order. The American Civil Liberties Union has challenged the issue of “National Security Letters” which allows the FBI to collect information and to prevent anyone receiving a letter from publicising it. While they have had some success, the Act remains in force.

Impact outside the US

Keeping data in the EU is not enough. In June 2011, the managing director of Microsoft UK admitted that it would comply with the Patriot Act as its headquarters are based in the US. While it would try to inform its customers before this happens, it would not guarantee this. This means that if you do business with a UK subsidiary of a US-based cloud operator and you specify that English law applies and you choose a UK-based data centre operating under EU data protection laws, the FBI can still get access to your data. While this had already been suspected, this was the first clear affirmation and is true for any US-based cloud provider.

Frank Jennings

This is part 1 of the article that first appeared on CloudPro. Now see the full version here.

Cloud security - 5 top tips

2012-04-17T09:30:00.003+01:00

When asked whether an organisation intended to adopt cloud computing for the first time in 2012, 35% of large organisations said they do (Source: Cloud Industry Forum “Cloud Adoption and Trends for 2012”). However, cloud has its own risks. Get it wrong and your business could be looking at some very serious financial – and regulatory – consequences. Perhaps not surprisingly, those same large organisations cited data security and data privacy as their main concerns about the adoption of cloud in their business.

Customers need to evaluate their options and choose wisely. Here are our five top tips:

Research the market and perform due diligence on your cloud service provider.
Cloud can be more secure than traditional IT but you must factor in security right from the start. Do not leave it to last minute and do not leave the provider with sole responsibility.
Accreditations and certifications take time, money and effort to obtain. You should ask if your cloud service provider has any. For example, have they certified under the Cloud Industry Forum’s code of practice?
Do not abandon key IT disciplines and engage with your provider on reliability, security and liability issues.
Ask questions of your cloud service provider and make sure you get the answers.

Ultimately, cloud adoption is about appointing a partner not simply a supplier. If a cloud service provider is not engaged with you as the customer, then maybe you should shop around for one that is.

The full version of this article was first published on our DMH Stallard website.

10 million .UK domain names – and still growing

2012-03-19T09:47:00.002Z

A small – and now famous – company has registered the 10 millionth .uk domain name for their new magazine. Nominet, the operator of the registry, has seen registrations grow at an average rate of 10% per year recently from the 26,000 in existence in 1996, with the first million mark achieved in 2000. The UK domain name is now the second most popular country code suffix in the world after Germany's .de with 15 million registrations.

There are a whole new raft of domains to be launched next year with the forthcoming announcement in May from ICANN on the list of applications for the grant of new generic Top-Level Domains. A huge expansion from the current 22 is expected.

As with all new domain suffixes, this increases the opportunity for cybersquatters as the variety of naming options increases. While the megabrands may solve the problem by buying a domain suffix incorporating their mark, the smaller brand owners will have to watch for cybersquatters.

Sally Creissen, Library and Information Services Manager

European data reforms could mean major changes to business practice

2012-03-13T14:52:00.000Z

This article was first published on CloudPro.

The EU's proposed data protection laws could have major consequences for European businesses, although there's still time to change them In January 2012, the European Commission finally unveiled its proposals for a radical overhaul to the current data protection rules which it estimates will save businesses €2.3 billion a year.
The existing rules hail from the 1995 EU Data Protection Directive and have been criticised because, far from introducing consistent protection, they have led to 27 different interpretations of data protection across the European Union. Also, the original directive was prepared in a time before social media and cloud computing and the time is right for modernising and harmonising the rules.
There are positives and negatives in the proposal. There is hope that the Commission will reduce the impact of some of the negatives before the regulation comes into force.

Some positives:

The new data protection regime will be by way of a regulation. This means that the same rules will apply across all EU member states without the need for local implementation. This should, at last, introduce consistent EU-wide protection without the need for a cloud service provider having to analyse the differences in law across the EU.
A data controller will have to notify just the data protection authority in the member state in which its head office is located rather than in each member state where it is trading. This reduction of red tape should save CSPs money and time.

The negatives include:

A big step up in fines. Under the new proposals national data protection authorities will be able to penalise data protection breaches by imposing fines of up to 2 percent of the global annual turnover of a business. This single measure is likely to put data protection on every CEO’s agenda.
A processor must notify a controller immediately after a breach and a controller must notify the supervisory authority within 24 hours. Given the amount of time it will take to investigate breaches, this may be unrealistic.
There will be a principle of “privacy by default” and a suggestion that consent must be "explicit" in relation to the particular processing being considered. This is likely to mean that cloud providers will require customers to grant extensive permissions for a wide range of processing activities.
A right to be forgotten. Individuals will have the right to have their personal data deleted if there is no legitimate reason for an organisation to keep it. This may have a knock-on effect on cloud service providers who hold back-up and archive copies of data.
Application outside EU. The Commission proposes that the regulation will apply to businesses based outside the EU but which have customers inside the EU. This is likely to affect cloud providers based in the US who have EU customers. It is not clear how the Commission will enforce this if the provider’s only contact with the EU is its customers.
Data transfers outside the EU will still be subject to the same restrictions. Again, with so much of the cloud industry based outside the EU, it was hoped that this restriction would be loosened by imposing the obligation on the controller to ensure the data is safe.

The data protection regime was due an overhaul and the reduction of cost and red tape is a welcome change. However, the EU Commission’s proposals are not as cloud-friendly as they could be. As reported last week, the Cloud Industry Legal Forum has submitted a response to the UK Ministry of Justice and there is hope that the European Parliament will steer the regulation in the right direction.

DMH Stallard commits further to cloud computing by co-founding Cloud Industry Legal Forum

2012-03-08T14:15:00.002Z

The Cloud Industry Forum (CIF), of which DMH Stallard currently chairs the code governance board, has announced the formation of a new group to address legal concerns in the cloud computing market. With new regulations and laws across the globe lacking coordination when it comes to cloud, CIF aims to offer a legal framework to benefit the industry.

The new division has been named the Cloud Industry Legal Forum (CILF). The first task being taken on by CILF is the examination of the latest EU data protection proposals and it has just filed a response to the Ministry of Justice’s call for evidence.

Andy Burton, Chair of CIF and CEO of Fasthosts, stated: “The irony surrounding the coming-of-age of Cloud Services is that it is not, as so many often comment, the advent of new technology that is so compelling and valuable to the market; rather, it is the agility, scalability and almost utility basis of supply that is transforming IT procurement and challenging the way IT is purchased, provisioned and maintained. Cloud, by nature, is creating a greater sense of capability and collaboration, which can, if not checked, drive contractual and operational ambiguity. This is further exaggerated by the diversity introduced in the supply chain that cloud enables from self service, to partner led via Systems Integrators, Technical VARs and Managed Service Providers through to resale, distribution and brokerage models. Clarity on the services delivered and accountability and responsibility of the parties involved in delivering them is key.”

The legal sub group itself will focus on all aspects of cloud computing law, working to reduce the fear, uncertainty and doubt, which act as barriers to the adoption of cloud computing services. This will include cloud service types, data protection issues, software licensing in the cloud, service definitions and levels, liability, procurement, applicable law, customer data and the future of cloud law encompassing both the UK and the EU.

Frank Jennings, Chair of CIF's code governance board, stated "Cloud computing is revolutionising IT and the Cloud Industry Legal Forum will ensure that the cloud sector is aware of the legal issues that affect them and will ensure their voice is heard by government in the creation of relevant laws."

Anyone interested in joining the Group should contact Breda O’Shea at Breda@cloudindustryforum.org

Other founding members of CILF include: Hogan Lovells, Bird & Bird, Eversheds, and Wragge & Co.

ISPs lose their court battle over online filesharing

2012-03-07T14:11:00.004Z

BT and TalkTalk yesterday failed in their bid for a ruling that provisions in the Digital Economy Act which require ISPs to send warning letters to alleged file sharers and provide lists of these to copyright holders are incompatible with EU law.

Copyright owners are likely to be cheered by this decision but the appellants may take the case to the Supreme Court and it remains to be seen how the consumer will be affected. It has been suggested that broadband prices will increase as ISPs attempt to claw back the costs of the regime, which would include a contribution to the costs incurred by Ofcom in setting up an appeals body against consumer challenges to imposed fines.

So uncertainty continues and we still await the final Code of Conduct from Ofcom.

Sally Creissen, Library & Information Services Manager

The long arm of the law reaches through cyberspace

2012-02-22T16:00:00.000Z

It started in Australia in 2008, and was used in England by Hastings County Court as a medium to serve a summons on a debtor in 2011. Now the High Court has allowed a claim to be served on a proposed defendant via Facebook.

Anyone determined to hide from the courts may need to delete their social media profiles as well as physically going into hiding in future.

Brighton's Broadband Brush-Off

2012-01-25T12:54:00.003Z

Culture Secretary, Jeremy Hunt, has rejected Brighton and Hove’s request to be allowed to bid for a slice of a £100 million fund to introduce superfast broadband to 14 UK cities.

Cities with more than 150,000 dwellings are eligible to bid, meaning Brighton and Hove narrowly misses out with just 125,000 dwellings.

The “Let Brighton Bid” campaign, led by Brighton Pavilion’s Green MP, Caroline Lucas, argued that Brighton and Hove should be considered for the scheme despite the shortfall in meeting the criteria, because of the city’s substantial digital industry.

Whilst Hunt rejected the appeal, he did commend the city’s enthusiasm for high speed broadband, and expressed his commitment to meeting and working with the city leaders to cultivate its reputation as a “technology and culture hub”.

Although the rejection has been met with disappointment by campaigners, they remain resolute that this is not an end to the matter, and determined to take the Culture Secretary at his word.
Alex Morrison, chairman of Wired Sussex and director of media consultancy, Cogapp, says:

“The fight is far from over and we will keep pushing to meet him and do all we can to push Brighton and Hove forward as a digital media hub”.

DMH Stallard at Interiors 2012

2012-01-16T15:34:00.001Z

ACID Accredited Exhibition Interiors Birmingham is the UK’s largest event within its industry and includes halls complete with Furniture, Furnishing Accessories, Design Interiors, Lighting, Lighting Collection, Collection and Outdoor Collection.

For all exhibitors to Interiors, DMH Stallard and ACID will be on hand on Stand B28 in Hall 2 to give one to one advice on design protection and IP clinics on a whole range of subjects.

Offering visitors a world of British design over 12 halls of the NEC, Interiors Birmingham is the ultimate showcase of the best in traditional and contemporary, interior and exterior products and design for the trade. Delivering pioneering show features alongside new suppliers, product launches, new designers, ideas and interiors trend prediction areas, this event has the complete interiors solution.

Interiors Birmingham takes place from 22-25 January at the NEC, Birmingham.

Patent Box – reduced tax on patent profits

2012-01-16T10:42:00.000Z

What better way to encourage growth in UK innovation and products than reducing the level of tax payable on patents? And, this is exactly what the government is proposing to start in 2013. Following a consultation last year, the government has drafted legislation (and guidance) to reduce the corporation tax for qualifying patents to only 10% from the existing rates of 20-27.5%. The wide scope of the legislation means that all companies that receive royalties for patents and sell or use products or processes protected by patent for new and existing IP could benefit.

Qualifying Patents would include patents granted by the IPO, European Patent Office, regulatory data protection, supplementary protection certificates (SPCs) and plant variety rights and the Patent Box would cover products paid for separately or embedded in the price of products. However, identifying and calculating the relevant taxable income is not going to be straightforward and some say this might even diminish the appeal of the Patent Box savings altogether.
We’ll report back when we hear further.

DMH Stallard at Cloud Expo Europe 2012

2012-01-06T15:28:00.004Z

Frank Jennings, Head of Commercial at DMH Stallard, will be presenting at Cloud Expo Europe 2011 on "Best practice in cloud contracts - how to stand out from the crowd" on 26 January 2012 at National Hall Olympia in the Security and Governance theatre from 14.20 -14.45.

As cloud services mature, customers are shopping around for the best solution. Customers are asking how can they ensure their data is secure, how can they trust their cloud service provider when they want to exclude all risk and how do they get their data back or move it to another provider? In a crowded market, cloud service providers and resellers are looking for ways to stand out from their competitors by offering some of these protections to customers without taking on too much risk. This session will clarify how providers and resellers can offer protections in their customer contracts by adopting best practice recommendations promoted by the Cloud Industry Forum. These range from transparency and accountability regarding the location of data centres, documenting their management systems and processes, and clearly stating which of the customer’s losses a cloud provider will cover. For more information, please click here.

Frank will also be presenting "Negotiating Cloud Contracts" with the Cloud Industry Forum (CIF) on 25 Janaury from 15.00 - 15.30 in the CIF theatre.
Click here to register for this free event or here for the full programme. To view examples of our recent experience in relation to Cloud Computing, please click here.

Cloud Expo Europe is now established as the leading seminar-led exhibition, focused on cloud computing and virtualisation. The longest running European event, now in its third year, Cloud Expo Europe will run at the National Hall Olympia, on 25th - 26th January 2012.

IP and Design - Reform is on the Way

2011-12-20T13:09:00.001Z

The Government announced yesterday its first assessment of the need for reform of the design intellectual property framework. In May 2011, in his report to the Prime Minister, Professor Hargreaves concluded that design had a “very important contribution to make to growth” to the tune of £33 billion, yet he was critical of the policy makers whose role in supporting IP in this significant branch of the economy had been neglected.

The Government plans to publish a formal consultation on how to proceed in late spring 2012.
Nick Kounoupias, IP specialist at DMH Stallard and ACID’s Chief Legal Counsel said, “I am delighted to see that the possibility of introducing criminal sanctions for unregistered design right infringement is finally on the Government’s political agenda. It has been for too long anomalous that copyright and trade mark infringement can in appropriate cases be punished with a criminal sentence whilst unregistered design right infringement cannot. The harm caused to small and medium sized businesses by the flagrant and systematic copying of their designs is horrendous and to the layman in tantamount to theft. Accordingly it should be dealt with in the same way.”

ACID’s CEO Dids Macdonald said, “I welcome this assessment for design reform. However, it is important that any further research makes clear the relationship between (registered) design rights and innovation in the context of product design. The majority of the UK’s 232,000 designers (in 55 different design disciplines) rely on unregistered (copyright, design and trade marks) and informal rights. In this initial assessment, it is clear that UKIPO has listened and understands the problems facing many SME’s within design. Now the challenge will be to address them sensibly, practically and proactively with more action and less words”.

ACID also urges the Government to fully consider supporting the UK’s designers with the introduction of criminal sanctions for unregistered design right infringement, retaining UK unregistered rights protection and ensuring that in reforming the small claims access to justice system, they fully consider the relative effectiveness of remedies available and costs v outcome.

This announcement by Government is timely because in 2012 ACID will re-launch its “Commission it, Don’t Copy It” positive campaign aimed at retail buying departments which is “win win” all around. The designer is paid a commission and a royalty, The Retailer may use their purchasing power to produce the products more cost effectively and also has the opportunity to create a UK design signature range, thus, actively supporting UK Design and respect for IP in CSR. The consumer still gets an excellent deal but in the full knowledge that they are buying an original design and supporting British design.

DMH Stallard is a member of ACID, is trade association for designers and manufacturers with a diverse membership ranging from individuals to multinationals and spanning many industry sectors. The organisation is committed to fighting design theft and lobbying Parliament for design law reform.

Functionality is fair game!

2011-12-16T10:31:00.002Z

The dispute between SAS Institute Inc v World Programming Limited looks to be nearing an end following Attorney General Bot’s preliminary opinion.

Central to the dispute is SAS’s contention that WPL had infringed its copyright by developing scripts which mimicked the functionality of SAS’s own - WPL’s scripts enabled SAS users to use SAS software without a SAS scripts’ licence. There was no suggestion WPL had accessed SAS’s source code or decompiled its object code to create the “offending” scripts.
The High Court referred to the issue to the European Court of Justice (CJEU) as it concerned the scope of EU copyright protection in regards to interoperability. The CJEU, in turn, looked to the AG for an opinion.

That opinion includes useful guidance and good news for developers designing software to be interoperable with other programs in that:

• Neither program functionality nor a programming language are, as such, eligible for copyright protection.

• Subject to two conditions, a licensee (such as WPL) may, without the author’s (read, SAS) authorisation, reproduce the source code or translate the form of the code of a data format in that program so as to write, in the licensees’ own program, a source code which reads and writes that data format.

The two conditions are:

(i) the reproduction must be absolutely indispensable for the purposes of obtaining the information necessary to achieve interoperability between the elements of the various programs; and

(ii) the reproduction must not have the effect of enabling the licensee to recopy the code of the original program in the licensee’s own program.

Before developers get too carried away, there still remains considerable room to infringe copyright when seeking to reproduce the functionality of another program. This may, for example, happen where a developer copies elements of another program’s build, including the programming steps taken and the way in which those steps are expressed to deliver efficiency and speed.

Of course, the AG’s opinion is just that: the CJEU may take an entirely different view when its delivers its decision, expected in early 2012.

How to balance risk in cloud contracts by adopting best practice

2011-12-08T17:02:00.002Z

The first of a two-parter that looks at how to minimise risk when moving to cloud.

Enthusiasm for cloud computing is undiminished with survey after survey showing that cloud adoption is significant. But, in their rush to embrace cloud, are customers taking on greater risks than they need to? And are cloud service providers seeking to exclude all risks when providing services?

The allocation of risk between a cloud service provider and its customer is done through the contract. A Cloud Industry Forum survey earlier this year indicated that 45 percent of customers were not offered the opportunity to negotiate contracts suggesting that cloud service providers are using standard contracts and click-through arrangements. Also, a third of customers reported that their cloud service providers could change the contract by simply posting a new version online. In some ways, the more revealing statistics are that many customers did not try to negotiate their contractual position and simply did not know what their contractual exposure was.

That is changing. Clearly, where customers are looking for a standardised or cheap cloud service there will not be much opportunity for them to discuss the allocation of risk with their cloud service provider, nor should they expect to. Otherwise, as cloud services mature, with more service providers and channel resellers offering cloud products, customers will have the ability to shop around for the best protection.

Not surprisingly, in a crowded market, cloud service providers and resellers are looking for ways to stand out in a crowded market. This includes joining industry bodies, such as the Cloud Industry Forum, which offers an accreditation scheme to a code of practice.

Cloud providers can also adopt best practice in their contracts. In conjunction with Cloud Industry Forum, earlier this year we published a whitepaper providing guidance to customers and cloud service providers on best practice in cloud contracts.

Best practice recommendations include:

Local law for local customers

A cloud service provider that offers a standardised public cloud service with data centres in the cheapest location will not wish to be drawn into any discussions, let alone the customer’s ability to apply its local law. But, where a service provider offers a bespoke or private cloud solution, then it might be willing to adopt the customer’s local law or concede on other issues instead. Not surprisingly, data location and security are key concerns for customers and if the data centre is local to the customer then choosing local law is probably not that difficult.

Identifying location of data centres

Overall, 75 percent of customers said it was important that their cloud service provider stores their data in the UK or the EU, with this increasing to 80 percent within the SMB sector and 82 percent in the public sector. The EU-wide data protection laws are possibly a contributory factor here, but clearly, a cloud service provider stands more chance of winning business the UK or the EU if it has its data centre in the UK or EU. Disclosing where the data centre is located is crucial to this. If the service provider offers a secondary facility from a non-UK/EU data centre, such as a back-up or failover service, it should state this too. It goes without saying that all cloud service providers will need to put in place adequate measures to ensure data security and avoid data leakage or loss.

Documented management systems, processes and resources

Not all cloud service providers are alike. Although there is not yet an international standard that applies to cloud solutions, there are others which might be useful and the customer should investigate. For example, does the provider comply with ISO 90001, ISO 27001 or SAS 70? Does the provider adhere to an industry code of practice, such as the one run by the Cloud Industry Forum? Has the provider documented its management systems, processes and resources? Is the provider willing for the customer to review these (under an obligation of confidentiality or otherwise)?

Best practice recommendations include:

•Local law for local customers
•Identifying location of data centres
•Documented management systems, processes and resources
•Clear SLAs showing average availability times
•Clear statements of what losses a cloud service provider will cover
•Changing and terminating the contract
•Adequate opportunity for customers to retrieve their data
•Migration assistance to a replacement provider

This article first appeared on CloudPro.

Treat cloud service providers like estate agents

2011-11-23T09:15:00.000Z

Some interesting items from the inaugural ITPro/CloudPro Cloud Summit yesterday:
- Max Cooter of CloudPro: When lastminute.com launched, it cost £6m to fund IT infrastructure, it would now cost £300,000
- Laurent Bachal of Ovum: Don't ask if the cloud is ready for you, ask if you are ready for the cloud
- Bob Harris of Channel4: SLAs mean users can get some money back. What users really want is for their IT to work
- Liam Quinn of Richmond Events: Don't forget the comms piece in the cloud - latency is the killer
- Rene Millman of IDC: there is a perception that just because it's cloud, it's insecure
- Rik Ferguson of Trend Micro: Treat cloud service providers like estate agents: get quotes from several CSPs and choose the one in the middle
- Nigel Beighton of Rackspace: Although cloud providers are secure, you should approach them as if they are insecure to ensure *you* take security into account when adopting cloud
- Nigel Beighton of Rackspace: Cloud does some things really well but others not so well
- David Chalmers of HP: To avoid the US government using the Patriot Act to seize your data, ensure your data centre is in Europe
- David Chalmers of HP: Cloud contracts are all about the exit. Getting in is easy. You should plan for the exit.

Q: Is cloud secure? A: Yes, but…

2011-11-23T08:59:00.000Z

A panel of experts debated the question “Is the cloud secure”. The answer is yes it can be, but the user must remain involved in the process.

While the key drivers for cloud adoption are flexibility and scalability, the key concern for users remains data security and this is borne out again in the Cloud Industry Forum’s latest whitepaper. At the inaugural ITPro/CloudPro Cloud Summit yesterday, a panel of experts analysed data security issues. The panel was composed of Rik Ferguson of Trend Micro, Rene Millman of IDC, David Chalmers of HP and Nigel Beighton of Rackspace.

The panel agreed that the various different cloud computing models have developed rapidly and cloud offers a secure option. However, there are dangers from a user perspective. First, cloud is an unknown quantity for some users and they assume that, because it’s cloud it’s insecure. Second, and conversely, some users seem to leave security to the cloud service provider. Clearly, a cloud solution can be secure but the user must take security into account. Users can adopt a secure cloud model and the panel highlighted a number of areas where the user can take control:

• Research the market and perform due diligence on your cloud service provider
• Cloud can be more secure than traditional IT but factor in security right from the start
• Accreditations take time and effort to obtain. Has your cloud service provider got any?
• Don’t abandon key IT disciplines and engage with your provider on security issues
• Ask questions of your cloud service provider and make sure you get the answers

Ultimately, cloud adoption is about appointing a partner not simply a supplier. If a cloud service provider isn’t engaged with the user, then the user should shop around for one that is.

Data security breach? £500k please

2011-11-18T10:21:00.002Z

In its latest whitepaper “Cloud Adoption and Trends for 2012”, the Cloud Industry Forum reiterates that data security and data privacy remain the key concerns for businesses around cloud adoption. Coupled with this is the issue of where that data is held and, in particular, whether it’s held in the UK or at least within the EEA, the area recognised by the European Commission as having adequate data protection laws.

It may come as a surprise then, to learn that a senior lawyer in the UK was found to be in breach of the UK Data Protection Act. This isn’t the much criticised ACS:Law which saw the personal details of 6,000 computer users exposed after a hack attack. This was the theft of a laptop from Ruth Crawford QC’s house which contained information about the cases she was working on, including details relating to individuals' physical and mental health. The Information Commissioner warned that legal professionals hold some of the most sensitive information available and that it’s vital they take adequate data security measures. The Commissioner can issue fines of up to £500,000 for data protection breaches but Crawford escaped a fine as the breach took place before the fines came into force.

Time to encrypt and virtualise or let a cloud service provider fix the problem for you? And don't forget best practice recommendations in the cloud service provider contract.

Cloud Industry Forum awards first certifications to the CSP Code of Practice

2011-11-14T16:05:00.003Z

The first certifications to the Cloud Service Provider Code of Practice established by the Cloud Industry Forum, designed to promote trust, security and transparency within the sector, have been announced.

Four industry members of the Cloud Industry Forum and one non-member are the first to gain certification. ChannelCloud UK/Ireland, Rise, Unit4 and Webroot, all members of CIF, as well as Nexus AB are the first to formally be recognised as Certified against the Cloud Service Provider Code of Practice.

The Code of Practice enables participating vendors to promote online confidence and trust in their brand to the end user community by ensuring that they offer end users appropriate transparency about their business and services, commitment to operational capabilities and practices, and executive accountability for the declarations made to achieve Certification. By achieving Certification the Cloud Service Provider enables the end user to have confidence that they can access relevant and meaningful information in a structured way that has been accepted by the Cloud Industry Forum to enable rational assessment.

Frank Jennings, Chairman of the CIF Governance Board and Head of Commercial at DMH Stallard said: "Certification to the Code of Practice will help cloud service providers differentiate themselves in the market by demonstrating that they have assessed their resources and capability to deliver a secure and robust cloud solution. Certification will also increase confidence for a business to have a better chance of maximising benefit and reducing risk in their selection of cloud applications."

To find out more, please visit the Cloud Industry Forum Website.

Any questions? Freedom of Information Act extended

2011-11-04T12:16:00.001Z

The Ministry of Justice has extended the Act to the Association of Chief Police Officers (ACPO), University Central Admissions Body (UCAS) and the Financial Ombudsman Service (FOS), following a period of consultation, on the basis that they all perform functions of a public nature.

Lord McNally, Justice Minister, is keen to see a range of other bodies such as the Local Government Association, examination boards and harbour authorities brought within the scope of the Act and consultations are underway with several such bodies.
Increasing scrutiny of public bodies will no doubt lead to more work for the ICO and possibly even more revelations of data protection disasters like those recently reported from Big Brother Watch.

LinkedIn the workplace - The implications of social networking

2011-10-14T09:29:00.003+01:00

In light of the significant increase of internet and social media usage over recent years, ACAS has now published some helpful guidance for employers on the implications of social networking within the workplace. The guidance considers the impact of sites such as Facebook, Twitter, LinkedIn and YouTube and provides tips for employers on how best to tackle these new issues.

It is estimated that the misuse of the internet and social networking by workers costs Britain’s economy billions of pounds each year and studies have indicated that, on average, workers spend seven hours online per week. This is, therefore, an issue that employers must take seriously.

To view recommendations and a summary of the guidance, please click here.

Be quick to block your .xxx domain

2011-10-07T14:37:00.000+01:00

ICM Registry is currently accepting registrations for the adult-orientated domain, .xxx. Last month we blogged about how you should protect your brand against domain name squatters as this could bring your brand into disrepute if it's associated with adult services. ICM Registry, the registrar responsible for the .xxx domain has excluded 15,000 names from the registration process, including 4,300 famous names but has just announced that it has sold gay.xxx for $500,000, "the highest price ever paid for a domain name in any extension pre-launch."

It's still not too late to block your brand: you have until 28 October. Visit our main DMH Stallard website to learn how.