Cloud Computing: Legal Risks Every CIO Should KnowBy Milton L. Petersen | Posted 06-07-2011
It comes as no surprise, especially in this challenging economy, that cloud computing continues to gain popularity among businesses, as it is often viewed as an easy way to reduce IT costs and increase efficiencies.
This trend is likely to continue, as technologies evolve and the world becomes ever more interconnected. However, before joining this trend, prospective cloud customers need to be aware of the significant legal risks and implications associated with cloud computing. These include:
- Limited user protections under standard form contacts;
- Data security and privacy concerns;
- eDiscovery and issues around who controls the data.
There are several different types of cloud computing, and definitions of the term cloud computing can vary significantly. Generally speaking, cloud computing refers to the use of remote computer networks or resources operated by a service provider to process, store, and manage data. Particular service offerings also vary, but the largest cloud service providers (such as Amazon.com, Google Inc., and Salesforce.com) basically provide computing services on what is essentially a commoditized basis -- much like a utility company provides water, gas, or electricity.
Through economies of scale, large cloud service providers may offer pricing that, at first glance, seems quite attractive. Prospective cloud customers need to look beyond the promised silver lining of cost savings, however, to understand the legal risks and implications of the bargain they are striking with their cloud service providers
While large organizations may, in some cases, have the leverage to negotiate material changes to the form contracts or standard terms offered by cloud service providers, small companies may be faced with a take-it-or-leave-it situation. And the form contracts or terms that many cloud service providers offer (especially in online, "click-through" agreements) can be quite one-sided and contain few, if any, terms to protect their customers from potential legal risks and liabilities.
For example, the form contracts or standard terms offered by most cloud service providers typically describe the services to be provided only in very general terms and contain few truly meaningful commitments by the provider. Service levels (i.e., minimum required levels of performance) to be met by the provider, if included in the standard terms, are often drafted so as to be basically meaningless.
Cloud service providers generally make only very limited warranties and indemnities in their form contracts or standard terms, and the limitations of liability in these agreements are also carefully crafted to protect the provider and shift risk to the customer. As an example, if the cloud service provider experiences a data security breach, almost all damages that will be suffered by the cloud customer will be considered incidental and consequential damages. These types of damages are excluded from recovery under the form contracts and standard terms of most cloud service providers.
Issues relating to data security and privacy represent some of the most important legal risks and concerns associated with cloud computing. Prospective cloud customers should be especially wary if they will be storing personal or individually identifiable information (such as customer's names, addresses, credit card numbers, etc.) on a cloud service provider's computing resources, as the potential liability that could result from a security breach at a cloud service provider (not to mention the reputation damages suffered by the cloud customer) could be quite high.
Nearly every state in the U.S. now has a law that requires notification of affected individuals in the event of a security breach involving unencrypted personal information. Companies in certain industries, such as healthcare, finance, and telecommunications, are subject to additional regulations regarding the use and disclosure of personal information. Public companies in the U.S. are required to maintain appropriate operational controls, processes, and safeguards.
Export regulations, as well as restrictive privacy laws of other countries (such as those of the member states of the European Union), may also possibly apply to data stored in the cloud. And, besides this complex web of legal restrictions, industry standards or requirements (such as the data security standards of the payment card industry) may need to be considered.
In addition, in certain situations, information stored in the cloud (especially things like email, business correspondence, and collaboratively produced documents) may be relevant to legal proceedings or the subject of court orders. In those cases, the cloud customer needs to be sure that it will be able to readily access the relevant information, and that all relevant information will be preserved, as necessary.
Failures to comply with court orders, discovery requests, and the like can have very serious consequences. However, if these issues are addressed at all in most cloud service providers' form contracts or standard terms, they are usually addressed only so as to protect the service provider.
While cloud customers relinquish physical control over their data -- and the data of their customers -- that they choose to store in the cloud, they remain responsible and potentially liable for what happens to those data. Therefore, before sailing off into the cloud, prospective cloud customers need to conduct due diligence investigations and assess potential risks.
Here are six key questions to consider:
- What data will be stored in the cloud?
- Will this include unencrypted personal information?
- Where will data be stored, and will the customer have any control over where data are stored?
- Who will be able to access the data, and what rights will the cloud service provider have to the data (or to metadata relating to the stored data)?
- When and in what format will data be returned to the customer?
- What meaningful commitments is the cloud service provider willing to make with regard to data access, retention, protection, and security?
While small companies may not always have enough leverage to negotiate material changes to the form contracts or standard terms offered by cloud service providers, any prospective cloud customer can always choose whether to send data off into the cloud or not.
Cloud computing is rapidly evolving, and some cloud service providers are beginning to emphasize the importance of data security protections in their offerings. Prospective cloud customers might be wise to shop around, compare service offerings and terms, or even simply watch the sky from the ground for a while, while the cloud computing industry matures.
Milton L. Petersen is an attorney whose practice focuses exclusively on information technology-related transactions and issues. He is a partner in the Information Technology Practice Group at the law firm of with HunterMaclean in Savannah, Georgia and can be reached at 912-238-2629 or firstname.lastname@example.org.