Observations: Cloud computing can be thought of as an all-inclusive environment in which the vendor provides in a timely fashion all computing resources (hardware, software, networking, storage, …) to clients as client demand dictates1. Legal considerations that organisations must address before committing to cloud computing services include:

  • Service quality assurance and vendor penalties

  • Contract termination

  • Data privacy and geopolitical obligations

  • Data protection and access

  • Discovery requirements

  • Meeting business obligations

  • Security obligations

This, the third of a series of articles, explores some business-related legal issues that apply to data processing in a cloud computing contract. The first two articles2,3 addressed the first four of the above topics.

Discovery requirements: E-discovery is becoming an important part of the legal discovery process. Both the Australian and NZ governments recognise that many legal disputes require access to data and records stored on computer systems and have regulated accordingly4,5. Electronic documents and communications, particularly emails, can provide critical trial evidence in litigation. Those in any organisation responsible for storage and retrieval of electronic data must be aware of e-discovery requirements and be able to meet them if required. If data and transaction records are outsourced, then the vendor must be able to assure the client that all legal e-discovery requirements can be met. This applies in all outsourcing situations (including SaaS, IaaS, and PaaS) but can be more demanding in a cloud environment.

A lawyer representing an organisation likely to be involved in meeting e-discovery requirements from cloud-based data must be able to assure the courts that the e-discovery process is robust and the resulting data is accurate and reliable. American Law Reports suggest that good practice for e-discovery requires those involved in a case requiring e-discovery to demonstrate “the reliability of the computer equipment”, “the manner in which the basic data was initially entered”, “the measures taken to insure the accuracy of the data as entered”, “the method of storing the data and the precautions taken to prevent its loss”, “the reliability of the computer programs used to process the data”, and “the measures taken to verify the accuracy of the program”. It may not be possible to demonstrate this satisfactorily in some cloud-based systems.

Meeting business obligations: Cloud computing from reputable providers can be as reliable as, and in some cases more reliable than, any other utility, product or service. However, things can go wrong. For example, third party legal actions could have a significant impact on cloud computing clients. In April 2009 CBS reported that FBI agents raided, seized and confiscated web servers at Core IP Networks in Dallas, Texas, and left nearly 50 businesses without access to their email and data. The FBI was evidently investigating a company that had purchased services from Core IP in the past. The FBI said that it could take several days to restore the servers of the affected companies. In the interim, clients’ business activities were severely curtailed.

Similarly, a cloud vendor’s bankruptcy can have the same effect if the vendor’s subcontractors or receivers prevent access to clients’ data stored on the vendor’s systems. This will effectively shut down the clients’ services. Cloud vendor size may not be a protection. Only intervention by the US government stopped GM going bankrupt. There may be no government or other external intervention if a cloud provider6 goes bankrupt.

While unlikely, execution of an Anton Piller order7 on a cloud computing vendor because of activities of one client would be disastrous for other users of the service8.

Business continuity planning becomes critically important for organisations with cloud-computing-based activities. Cloud clients can be particularly vulnerable if they have time-critical legal and commercial commitments.

Security obligations: Most jurisdictions with data protection laws impose stringent obligations to ensure the security of information. This is particularly the case with the EU Data Protection Directive and increasingly applies in countries outside the European Economic Area. This requires personal data to be kept secure from unauthorised or unlawful processing, accidental loss, destruction or damage. Failure to do so may lead to regulatory sanction, and civil and criminal liability.

Driven by local data security legal requirements, most outsourcing contracts specify the security and data protection management techniques that must be used by the provider. In standard outsourcing, these requirements can be monitored and audited. This is not necessarily the case when outsourcing to the cloud. John Chambers, CEO of Cisco, has claimed that cloud computing “is a security nightmare and it can’t be handled in traditional ways”9. Most cloud computing agreements are one-sided and not easily negotiated (in some cases read “non-negotiable”). Some cloud providers give no assurances about data security and accept no liability for unauthorised access, use, corruption, deletion or loss of any data10. It is probable that contracts with cloud outsourcing providers will involve little negotiation and so will require more due diligence about security. For these reasons, data security and data protection requirements may be the biggest barriers to outsourcing cloud computing for applications involving sensitive or confidential data.

Organisations must understand their legal obligations for data security and ensure that their cloud providers offer at least the equivalent levels of data security they can deliver internally or via standard outsourcing suppliers. For the organisation’s protection, these levels should be supported by the service provider, preferably in the contract with that provider.

Next Steps:

  1. Involve your legal advisors immediately when contemplating moving any services to cloud computing.

  2. Ensure that full e-discovery can be done in the proposed cloud environment and that the cloud vendor will support any e-discovery operations on your data.

  3. Review and modify business continuity plans so that they will apply after any loss of access to services provided by the cloud computing vendor.

  4. Determine the security provided by the cloud computing vendor and confirm that it will meet the security requirements that apply to your operations.


1 See “Cloud computing, you may need a parachute”, IBRS, April 2009, for an overview of the key characteristics of cloud computing.

5 NZ Evidence Act 2006, Section 137

6 or any other type of outsourcing service provider, including SaaS, PaaS, IaaS, ASP,

7 A special type of injunction which can be granted by a court. It allows the plaintiff to enter premises to look for, inspect and take away any infringing items and evidence of infringing acts, including computer systems.

8 Consider the impact the Anton Piller order had on Sharman Networks

9 “Cisco CEO: Cloud Computing a ‘Security Nightmare’”, CSO Data Protection, April 2009