Companies Must Include Legal Risks in Business Case for Moving to the Cloud

Three questions every manufacturer should ask before they move valuable information outside company walls.

Companies are rapidly doing away with their own internally managed data centers in favor of “Infrastructure as a Service” or IaaS. This means that sensitive company information used by managers, ranging from employee records and customer profiles to reports on plant operations and real-time operational information, which many companies typically stored on company servers overseen by in-house IT staff, is now increasingly being stored outside company walls with third-party vendors. The true location of stored data can sometimes be difficult to trace.

Manufacturers, especially those with multiple locations, may see potential for significant cost savings and increased operational efficiency. While this burgeoning new industry has, in many ways, improved the way manufacturing companies are managed, it has also brought with it a myriad of new domestic and international regulations. 

As the legal climate surrounding IaaS continues to change, manufacturing executives can ask themselves a few questions to ensure that in making their business case for an investment in moving to “the cloud,” they factor in legal compliance and risks in the overall analysis:

Question 1: Does your company understand the domestic and global data security and privacy landscape?

As more companies join the data storage trend, there is an increased level of government scrutiny on the protection of data. These efforts to guard privacy and prevent theft or security breaches, while important, have substantially increased the amount of effort needed to demonstrate adequate data security and controls, and have increased the overall compliance risk associated with the use of IaaS.

In the U.S., privacy and security law is defined by industry sector where types of data are deemed to be particularly sensitive. The corresponding laws, rules and regulations are widely known by the names of the legislators who sponsored them or by their acronyms (Gramm-Leach-Bliley in financial services, HIPAA and HITECH in healthcare, and Sarbanes-Oxley in securities reporting).

Globally, many countries use a standardized approach to enforcing data privacy and security that is uniform across industries. The European Union nations and Switzerland have passed expansive legislation in compliance with EU and Swiss directives on privacy, security, eCommerce, distance selling, and the use of “cookies” and other devices that impact the privacy of personal information across industries. Other nations including Canada, Australia, Mexico and the major industrialized nations of Asia have enacted stringent privacy and security laws and regulations or guidelines that apply to all cross-border data transmissions.

One consequence of the laws, rules and regulations imposed on companies seeking to share data across an international enterprise or via third-party data centers is the conflict that companies face when considering the U.S. industry-specific regulations and international country-based regulations at the same time.

For example, the recommended security standards under HIPAA and HITECH in the United States are the standards published by the U.S. National Institute of Standards and Technology, while the recommended security standards under the data security laws of the European Union and Switzerland are the International Organization for Standardization (ISO) 27000 standards. This means that many companies must be aware of two or more sets of rules, and must prepare to be compliant with both sets.

Question 2: Is your company adequately protected from legal risks and contract breaches?

Manufacturing executives who opt for IaaS are able to contractually shift some of the risk in managing critical infrastructure, such as liability for data loss or theft, to their third-party vendor. Therefore, in order to maintain compliance with government regulations, and to avoid fines in some cases, companies must also be confident that their vendors are in compliance with applicable laws, which as described, can be complex when dealing across borders.

Cloud-based data storage has grown into a global industry with a variety of vendors supporting all types of customers. Many companies including market leaders Amazon Web Services, Microsoft Azure, Terremark, Savvis, CSC, Dimension Data, Rackspace, Tier 3, SAP/SuccessFactors and IBM/Sterling Commerce, as well as lesser known regional players, and specialized players such as Lexis Data and Equifax Information Services in the financial services sector, have entered the marketplace offering IaaS and data warehousing services. At the international level, companies such as AT&T, IBM, Datapipe, Hosting.com, Tata Communications and Virtacore Systems have become recognized participants.

An illustrative example for manufacturers of an international compliance challenge comes from the so-called “Mega Rule” under HIPAA and HITECH, a recently passed extension of U.S. health care regulations that requires companies of all types to safeguard their employee health information. Companies that use IaaS for the storage of employment data should specifically be aware of this rule. Companies need to understand the full details of the Mega Rule and to ensure their IaaS vendors are Mega Rule-compliant. Some are, but many are not.

Another example arises under the federal Sarbanes-Oxley Act. Companies registered with the SEC are required to certify annually that the proper controls are in place, which ensure the accuracy of financial data in their public filings. Companies that manage their financial data across locations and utilize cloud services will need to demonstrate that their information and processes are secure.

Many contracts involving vendors now include clauses that specify HIPAA/HITECH compliance on the part of the vendor as part of the terms. When it comes to Sarbanes-Oxley, a publicly traded company utilizing an IaaS service may be able to include in a contract a periodic security audit of a vendor, and require that the vendor provide indemnity for data security lapses and breaches. Before selecting a vendor, companies may wish to request a thorough explanation of this security audit process.

In addition, companies are able to shift some of the risk inherent in managing critical infrastructure to third-party IaaS vendors contractually through service level, disaster recovery and other provisions, reduce manpower needs for infrastructure maintenance and support or shift workers to other critical projects, and achieve greater levels of critical infrastructure redundancy and geographic diversity than they might otherwise be able to achieve without IaaS.

Question 3: Has your company included compliance in the business case for ‘the cloud?’

The business case for IaaS may look clear on the surface, and all companies will see the advantages, but a closer look at the complex domestic and foreign legal environment reveals that a compliance strategy must be developed at the same time to obtain the clearest picture.

The benefits of an outsourced model for infrastructure and data storage remain the same – cost and efficiency. IaaS provides companies large and small the ability to utilize the availability, scalability and cost savings inherent in third-party IaaS offerings. 

Asking questions in the vendor selection process can also help frame an agreement that addresses your company’s needs. We often provide a checklist to help clients address all areas of concern. Major questions include: What are the vendor’s policies and procedures for managing non-compliance with information security? How does the vendor dispose of or remove data from recycled systems and devices? Does the vendor have employee background check procedures and compliance agreements in place? How are employees trained on security awareness?

Companies looking to charge forward into more expansive use of cloud-based, business-process outsourcing must do so with their eyes wide open to the issues and risks associated with a legal environment that is not always in step with the many positive attributes of the cloud. Working with legal counsel to conduct a risk and compliance assessment can lead to creation of a more precise business case that includes an evaluation of the costs or risks associated with security breaches or non-compliance, along with an understanding of the internal process required to implement controls.

 

Michael Stovsky is chair of the Innovations, Information Technology & Intellectual Property (3iP) Practice Group at the Cleveland office of international business law firm Benesch. For more information visit www.beneschlaw.com.

Toshiba To Cut 3000 Jobs

Toshiba Corp on Monday announced that it will implement structural reform of its visual products business, including LCD TVs, toward improving profitability and strengthening foundations of the business.

The company noted that it will adjust its visual products business global consolidated headcount in this fiscal year, by about 50% from fiscal 2012, to 3,000 people, through certain measures, including reallocating resources in Japan, integration of overseas manufacturing facilities and reform of overseas sales operations.

The company noted that it will focus on emerging markets including Asia, the Middle East and Africa, where growth in demand is expected. In addition, Toshiba will end sales in unprofitable regions.

The firm said that it will integrate its overseas TV manufacturing facilities, from three to one, excluding joint venture facilities, within this fiscal year. This measure will allow the company to increase products from original design manufacturers or ODMs in the global market from the current rate of about 40% to 70% by fiscal 2014. The company further plans to reduce fixed costs and improve productivity by reducing the number of ODMs and models and by integrating manufacturing facilities.

The company noted that it will allocate resources to large screen Ultra HD (4K) LCD TVs, where growing demand is expected, and to differentiated functions for viewing and recording. The company will also reinforce development of visual products for business applications, including digital signage, another area where demand is growing.

Separately, the company said it has finalized a decision to split off its visual products business from the Digital Products & Services Company, a Toshiba in-house company, and to transfer it to Toshiba Home Appliances Corporation or “THA”, a consolidated subsidiary of Toshiba.

Completion of the transfer is scheduled for within fiscal year 2013.

Once the transfer has been effected, THA will change its trade name to Toshiba Consumer Electronics Corporation, the company said.

The company noted that it will finalize details, including organization and operations, and plans to establish the new company in the fiscal half starting October 1st, through procedures.

Toshiba said it aims to improve efficiency in sales and after-service operations in the Japanese market, to strengthen and expand sales in overseas markets, primarily emerging economies, and to promote investments to develop new business fields including smart home appliances, by integrating operations and promoting use of shared resources.

Going forward, the company aims to see profit in its visual products business in the second half of this fiscal year through continued review and reform of business processes and operations.

Official Statements:
http://www.toshiba.co.jp/about/ir/en/news/20130930_2.pdf?fromRSS=IR2013093001

http://www.toshiba.co.jp/about/ir/en/news/20130930.pdf?fromRSS=IR2013093002

 

3D Printer Market to Grow Rapidly Through 2015: Gartner

Gartner predicts that 3D printing will have a high impact on industries, including consumer products, industrial and manufacturing.

Rapid quality and performance innovations across all 3D printing technologies will drive enterprise and consumer demand as worldwide shipments of 3D printers priced less than $100,000 will grow 49 percent in 2013 to reach a total of 56,507 units, according to a report from IT research firm Gartner.

The company’s first forecast of the less-than-$100,000 consumer and enterprise 3D printer market projected shipments would increase further in 2014, growing 75 percent to 98,065 units, followed by a near doubling of unit shipments in 2015.

Gartner predicts that 3D printing will have a high impact on industries, including consumer products, industrial and manufacturing, a smaller impact on construction, education, energy, government, medical products, military, retail, telecommunications, transportation and utilities and a low impact on banking and financial services and insurance. “The 3D printer market has reached its inflection point,” Pete Basiliere, research director at Gartner, said in a statement. “While still a nascent market, with hype outpacing the technical realities, the speed of development and rise in buyer interest are pressing hardware, software and service providers to offer easier-to-use tools and materials that produce consistently high-quality results.”

In 2013, combined user spending on 3D printers is expected to reach $412 million, up 43 percent from spending of $288 million in 2012. Enterprise spending will total more than $325 million in 2013, while the consumer segment will reach nearly $87 million.

In 2014, spending will increase 62 percent, reaching $669 million, with enterprise spending of $536 million and consumer spending of $133 million.  “As the products rapidly mature, organizations will increasingly exploit 3D printing’s potential in their laboratory, product development and manufacturing operations,” Basiliere said. “In the next 18 months, we foresee consumers moving from being curious about the technology to finding reasons to justify purchases as price points, applications and functionality become more attractive.”

In addition, Gartner projected that by 2015, seven of the 50 largest multinational retailers will sell 3D printers through their physical and online stores, as prices decrease during the next several years due to competitive pressures and higher shipment volumes. Meanwhile, as advances in 3D printers, scanners, design tools and materials reduce the cost and complexity of creating 3D printed items, the applications of 3D print technology will continue to expand to include areas such as architecture, defense, medical products and jewelry design. “The hype around consumer 3D printing has made enterprises aware that the price point and functionality of 3DP has changed significantly over the last five years, driving increased shipments beginning in 2014,” Basiliere said. “Most businesses are only now beginning to fully comprehend all of the ways in which a 3DP can be cost-effectively used in their organizations, from prototyping and product development to fixtures and molds that are used to manufacture or assemble an item to drive finished goods. Now that many people in the organization, not only the engineering and manufacturing department managers but also senior corporate management, marketing management and others, have heard the hype, they want to know when the business will have a 3D printer.”

 

Article by Nathan Eddy