Stories by Michael Wigley

Should you pay up and if you do, what’s next? Lawyer Michael Wigley weighs in on the issue.

Sub–optimal outcomes in feral ICT contracts are avoidable – so why are they very common in the New Zealand business landscape? asks ICT lawyer Michael Wigley.

Vendors frequently undertake software audits that are problematic for CIOs, writes IT lawyer Michael Wigley.

First, your organisation’s law firm can be a soft target to hack into instead of the organisation, writes ICT lawyer Michael Wigley.

Don’t assume that any early termination charges are set in stone.

The top lawyers in the UK’s largest companies have recently come together and recommended a “defensive shield” strategy to deal with their companies’ legal cybersecurity risks.

What can corporates do when faced with events like the XT outages? Can they pull out of contracts, for example, or change them?
Many corporates will use XT services along with other Telecom/Gen-i services such as WANs, data hosting, and so on.

When evaluating cloud computing, organisations are of course concerned about security issues. Information is hosted elsewhere, often offshore. Legal aspects are important for wider security considerations, although reputational risk of a security breach can be more significant. The risk of security/privacy breach may be lower overall with cloud computing than applies in the status quo (for example on-site processing of data). In assessing whether to move to cloud computing, it is important to compare with the benefits and risks of the status quo. I outlined this in my earlier column<em> CIO</em> article, <a href="http://cio.co.nz/cio.nsf/opin/9AD644B12571BCC0CC257610000176AA">The Case against Cloud Computing revisited</a> (See <em>CIO </em>August 2009 and http://cio.co.nz/cio.nsf/opin/9AD644B12571BCC0CC257610000176AA), picking up on the same theme in Bernard Golden's excellent <em>CIO</em> article, <a href="http://cio.co.nz/cio.nsf/tech/5A0205E0026F8131CC25754D007F48E1">The Case against Cloud Computing</a>.<strong>Privacy and security risks?</strong>It's not just about privacy legislation. People often discuss cloud computing as though the considerations stop and start with privacy legislation. There is general law that applies too, such as the law in relation to negligence, contract, confidentiality and so on. However, following the principles in the Privacy Act will often lead to compliance with other legal obligations as well. <strong>Privacy Act</strong>For cloud computing, the key obligation is in Information Privacy Principle 5 in the Privacy Act. This requires:• The New Zealand organisation to protect information with such security safeguards as are reasonable in the circumstances; • If it is necessary to give information to a third party (for example a cloud computing service provider), that New Zealand organisation must do everything reasonable in its power is done to prevent unauthorised use or disclosure. <strong>For cloud computing, several conclusions flow from this:</strong>• 100 percent security protection is not required. What is called for is protection of information by such safeguards as are "reasonable in the circumstances to take". • Robust industry practice, codes, and so on, are likely to be relevant in determining the appropriate approach.• If the organisation (for example the New Zealand-based company using cloud computing services) gives information to a cloud computing provider, that organisation must "ensure ... that everything reasonably within [its] power ... is done to prevent unauthorised use or unauthorised disclosure of the information". This obligation applies whether the cloud computing provider is based in New Zealand or offshore.• That obligation also means that the New Zealand-based organisation often won't be able to rely solely on, for example, a supply contract under which the provider takes responsibility. This assumes that the provider does take responsibility. At present, many cloud computing providers do the opposite. So, further due diligence, systems, monitoring, and so on are likely to be required on the part of the New Zealand organisation in order to be Privacy Act-compliant.<strong>Offshore considerations </strong>Because the New Zealand organisation retains responsibilities, it should assess whether a particular service provider should be permitted to have the information in particular countries, some of which may have a weak privacy regime. It is one thing to send the data to Australia or Europe (each with a robust privacy regime). It is another to send it to a country without such law and practice.The EU provides useful guidance on the adequacy of protection of data in other countries (see <a href="http://tinyurl.com/2w47yu">http://tinyurl.com/2w47yu</a>). Increasingly, cloud computing customers can require providers to limit the transmission of their information to certain countries. For example, it could be limited to Australia, to New Zealand itself, or even, in the case of government, limited to public sector networks and servers (the so called G-cloud).<strong>Reducing risk</strong>The way contracts are framed can of course impose greater risk (for example, a contract term ensuring that all data will remain secure is risky for an organisation). Of course, just as the cloud computing provider will seek to limit its risk in its contract with the New Zealand organisation, so can the latter seek to do so with its customers. This may be achievable where the New Zealand organisation's customers are businesses. It is more difficult where the information is personal information and the customers are individuals. Standard form contracts from cloud computing providers currently tend to eliminate liability to a large degree. Increasingly over time, larger users of cloud computing services, in particular, may be able to negotiate more favourable terms.<strong>The public sector</strong>The public sector has additional considerations such as the Public Records Act and the Official Information Act, as well as certain security requirements specific to Government.When assessing the benefits and risks of cloud computing, the comparison should be with the real world (the status quo) not perfection.<strong>Michael Wigley is the Principal of Wigley &amp; Company, a law firm specialising in ICT. He can be reached at michael.wigley@wigleylaw.com.</strong>

Early this year, CIO online ran Bernard Golden&#8217;s excellent article, &#8220;The case against cloud computing&#8221;. Having formulated key issues against cloud computing, he concluded that there are, usually, solutions.
Golden&#8217;s five key issues all raise legal questions as well. So, is the case against cloud computing made out from a legal perspective?

Bad economic times lead to more situations where customers look at recovering losses caused by their ICT suppliers. From my long experience with disputes, full-blown litigation is not for the faint-hearted. But this far from rules out seeking to recover losses, especially with careful planning and a lateral approach.
Much will depend on how well the customer positions itself, relative to the vendor, if it has a potential claim. (The same points in this article apply on the flip-side to vendors too).

Tough economic times can see CIOs wishing they weren&#8217;t stuck with contracts negotiated with suppliers in better times. Can they do anything about it?
Quite often they can and usually in a way that sees the vendor benefit too.

Minimising the risk of software IP problems is important for organisations, including ensuring ongoing availability of software through ownership or licence. But organisations often don&#8217;t nail this, relying on slim arrangements or vendor-friendly agreements.
Government recently announced it would change the &#8220;commissioning&#8221; rules in the Copyright Act, to standardise the approach. Where an organisation commissions another to develop IP, the default position will be that the party creating the IP owns the IP.

Panel contracts are widely used to provide a pre-selected list of suppliers from which an organisation can pick and choose for particular jobs. Although typically used for professional services providers, they can be great too for wider purposes, such as supply of goods and services, software development, etc. Well handled, they can cut down on the time and cost of going through repeated RFPs.
Recent public sector changes have shone the spotlight on panel contracts, in a way that is informative for the private sector too. (However, the private sector has freedom to move away from the public sector constraints).

Among the digital changes in the Copyright Act, which will come into effect later this year, there is some protection for &#8220;ISPs&#8221; against claims for breach of copyright. Many companies and public sector entities come within that &#8220;ISP&#8221; definition.
With the protection come obligations and the need for systems to handle copyright infringement.