Computerworld - Last year, a global food manufacturing and distribution company set out to move its HR talent management processes to a software-as-a-service provider. But as attorneys for the food company reviewed the proposed contract, they found some potentially serious legal land mines.
For starters, the SaaS provider had operations in the U.S., Europe and Canada. "Europe and Canada are two jurisdictions that heavily regulate [the use of] personal information. Since this was an HR system, there would be a lot of personal information," recalls Rebecca Eisner, an attorney specializing in outsourcing who represented the food company.
The provider also wanted the flexibility to move the company's information to data centers anywhere in the world, and that would subject the company to the laws of whatever country the data passed through or landed in.
But there was no turning back. The company was as smitten with the SaaS application as it was unaware of the legal risks. After two months of negotiations, the two sides agreed on a contract.
"The [SaaS provider] didn't want to admit their lack of sophistication on these issues. But they understood where we were coming from," says Eisner, a partner in the Chicago office of the law firm Mayer Brown. "Ultimately, they understood that if they were going to get [the food company] as a customer -- and other global companies in the future -- they needed to provide these kinds of minimum protections. So they went along with it."
If you're operating in the cloud or plan to move there soon, here are five areas of legal risk that you shouldn't ignore.
The Health Insurance Portability and Accountability Act (HIPAA) requires companies that disclose personal health information to third parties to enter into "business associate agreements." These contracts stipulate how the third parties must handle such data. "A lot of people don't think of that requirement when they're doing cloud computing -- they don't think of it as 'disclosing information' to a third party, but in fact it is," says Polly Dinkel, an attorney at Sideman & Bancroft in San Francisco.
Similarly, the Gramm-Leach-Bliley Act requires financial institutions to enter into contracts with third parties with whom they share their customers' personal information, in order to ensure that the third party stores the data securely. "There has to be a contractual requirement to implement and maintain that kind of safeguard," Dinkel adds.
Executives of financial institutions can be held personally liable for failure to meet those requirements in cloud deals, she says.
The tricky part is knowing exactly where all the cloud providers' data centers and subcontractors are located, says attorney Dan Masur, a partner at Mayer Brown. He says the Sarbanes-Oxley Act requires the original owners of the data to know where the data is and maintain control of it in the cloud.