The Legal Side of the Cloud: Worrisome?The Legal Side of the Cloud: Worrisome?

Cloud computing from a legal standpoint is all about the trust the customer has with the service provider. And that trust is only as good as the contract terms and conditions.

Cloud computing from a legal standpoint is all about the trust the customer has with the service provider. The customer expects that the data stored in the cloud will be safe. The customer wants guarantees that their data will not be mis-used by the provider. The provider must also accept a number of legal qualifications and limitations that protect the customer. Having faith in the provider is not good enough.

I began my career as a U.S. Air Force officer in military intelligence research and development. There I learned about collecting and protecting information. I also was tasked with finding ways to bypass the protections. Further, I learned that by collecting information from several sources, I could construct a data base that provided a broader picture than any single source had. This knowledge has led me to consider what could happen to cloud-based information.

I am not a lawyer, but some of the security and legal issues have already become clear, as I've outlined in some recent blogs:

* Cloud-Based Communications: Right for You?
* More Privacy Regulations: U.S. and Europe
* Hosted IPT and UC: Limited in Europe?
* E-Discovery Resources: Use Them
* Cloud Security, Some Guidance

This article contains many recommendations, but the customer should use internal and/or external lawyers to review and comment on any specific cloud service contract or offer, not just use my recommendations as legal advice.

What Lawyers Tell Lawyers about the Cloud
Lawyers are looking at the cloud for their own operations. The cloud is attractive for new law firms and smaller firms that have limited IT resources and talent. And even larger firms may be approaching the end-of-life for their systems and licenses and open to considering the cloud. Lawyers may be even more concerned than the average enterprise about the legal aspects of using cloud services.

There is an interesting post at Westlaw News and Insight January 25, 2011, N.Y. Bar Association Provides Opinion on ‘Cloud Computing by Phillip D. Robben. The New York State Bar Association's Committee on Professional Ethics released its Opinion 842, in September 2010 on the use of cloud computing. It was issued in response to an inquiry from a lawyer seeking guidance as to whether or not lawyers may use cloud computing resources. This is for a lawyer using cloud computing within the law firm.

This is an excerpt from Robben’s post summarizing Opinion 842.

The Gartner View of the Cloud
Gartner Inc. advises CIOs and IT organizations about technologies and their influence on enterprise operations. Gartner's IT Council has defined six rights and one responsibility of cloud service consumers. These rights and responsibility were created to help cloud service providers and service customers create and maintain successful business relationships. See Gartner Global IT Council for Cloud Services Outlines Rights and Responsibilities for Cloud Computing Services press release.

The six rights identified in the Gartner press release are:

* The service consumer should retain ownership and control of their data. The enterprise must know what the provider expects to do with their data. What happens if the provider goes bankrupt or is sold to another organization must be clearly defined in the contract.

* The Service Level Agreement (SLA) must address the liabilities, business outcomes and remediation when there are limitations or loss of service. The contract should specify how the provider adds and delivers capacity to ensure the SLA.

* The enterprise has the right to be informed in advance of any changes that will affect their use of the service and business processes.

* The consumer must be provided with the information to understand the technical limitations of the service. The provider's architecture and systems should be fully exposed to the enterprise.

* The consumer must be made fully aware of the legal jurisdictions where the provider operates. Where is the data stored? Does the data move from one jurisdiction to another? Will the data stored in a jurisdiction help or hinder the enterprise from meeting their legal and regulatory requirements? Will the data storage of the provider possibly violate a jurisdiction's legal requirements? Will this affect HIPAA, the Graham-Leach-Bliley act or Sarbanes-Oxley?

* The security processes that the provider follows must be known by the enterprise. The provider needs to understand the security processes of the enterprise before embarking on the service initiation. The continuity plans of the entrprise and provider should be compared and the provider should offer continuity service that meets the enterprise requirements.

The single responsibility is the software which is the key to the provider services. The provider must adhere to all the licensing requirments and ensure that the software used adheres to the license agreements. Software may provided by the enterprise or the service provider. Each must be held responsible for their software licenses, not the others' licenses.

Additional information is available in the Gartner report Gartner Global IT Council for Cloud Service: Rights and Responsibilities for Consumers of Cloud Computing Services.

Cloud Computing Nightmares

Where Is the Demarc?
The demarcation point is extremely important. The cloud service contract may only cover the provider's site. The access network, most likely the Internet, will probably not be included. If it is included, the service may be accessed over MPLS connections. Does the cloud service provide any software that must run at the consumer locations? Will this be covered by the contract? In other words, there will islands of coverage but not an end-to-end contract.

Where Is the Demarc?

The demarc for accessing the cloud services may be much further away than the customer expects. The distant demarc means that the provider will not have to meet the SLA at or near the customer premises or desktop.

For those elements not covered by the contract, how does the provider help to resolve problems with those elements not covered? The division of responsibilities must be clearly stated and enforced for both the provider and consumer.

Search Warrants and Data Subpoenaed
The service provider must notify the consumer if the provider receives a search warrant or subpoena for information. What if the consumer's data is stored on the same systems as other customers? A posting on Wired, FBI Defends Disruptive Raids on Texas Data Centers, discussed just this situation. FBI agents seized about 220 servers belonging to Crydon Technology and its customers, as well as routers, switches, and cabinets for storing servers. Another data center, Core IP Networks, was also raided by the FBI. What if your data was stored on one of the servers or you had co-located equipment at one of these sites? You could be out of business through no fault of your own. Your data just happened to be in the same place as that of the FBI search warrants.

Hacker Attack
A survey conducted with 100 IT professionals attending the DEFCON 2010 Hacker conference in Las Vegas revealed that hackers see the cloud as having a silver lining for them. Barmak Meftah, chief products officer at Fortify Software stated in a press release,

Breaking down the survey responses, 21 percent believe that Software-as-a-Service (SaaS) cloud systems are viewed as being the most vulnerable, with 33 percent of the hackers having discovered public DNS vulnerabilities, followed by log files (16 percent) and communication profiles (12 percent) in their cloud travels.

The Epsilon data breach March 30, 2011, exemplifies the risks an organization takes when they use outside services. The breach has compromised the e-mail marketing efforts of about 2,500 companies. It would be interesting to review the contracts offered by Epsilon and the responsibilities that Epsilon accepted.

E-discovery
E-discovery may seem to be a distant issue for the IT staff, but it cannot be ignored. Data is likely to be implicated in any case and in any court. IT conformance to the E-discovery requirements should be as responsive as possible.

The December 2006 revisions to the Federal Rules of Civil Procedure addresses the discovery of "electronically stored information". Electronically stored information will cover a wide range of data storage. The cloud customer should definitely look at the storage and retrieval impact on the IT function.

The contract should specify how quickly the service provider will respond to e-discovery requests and ensure that the data will be easily retrieved. If not, the consumer will find they will become liable to fees and penalties because the provider does not respond to the e-discovery request correctly and in a timely manner. Fines can be as high as $50,000 a day.

Litigation Risks
This may sound a bit far-fetched, but customers using cloud services may put themselves at risk of patent litigation. The risk is low but the customer should address this issue in the contract to ensure that they are protected.

The article Cloud Computing Raises Risk of Patent Litigation, Attorney Says, contains comments made at Interop 2010 in Las Vegas by Nolan Goldberg, a patent and trade secret litigation attorney for Proskauer Rose LLP in New York:

One model of enforcing patents says I can go after the manufacturer, but once I do I'm done because then all his sales are licensed. But if I keep going after all his customers, I can keep going forever and the customer is really not in the best position to fight back. So it creates increased risk.

The Cloud in Europe
European governments have enacted regulations about privacy, in 1995 before today’s Internet existed, that are more stringent than those of the U.S. They fear that personal information will be used by cyber criminals and marketers once the collected information leaves the boundaries of the European Union. See the New York Times article, Cloud Computing Hits Snag in Europe, by Kevin J. O'Brien. The European definition of personal data is far broader than in the U.S. Even names, addresses and phone numbers are considered personal data. The European Data Privacy Directive that governs the laws relating to privacy generally prohibits the movement of data outside the EU.

The situation can be even more complex. What if data originating in Bulgaria passes through several countries, e.g., Romania, Hungary, Austria, Germany and the Netherlands, before the data leaves the EU? Would the U.S. cloud service have to apply for permission from all of these countries? There is no answer yet, but these complications might prevent the use of hosted/cloud computing for most applications. Expect to learn of new privacy regulations sometime in later 2011.

Subcontractors in the Cloud
The service provider may hire subcontractors to supply products and/or services that are then offered to customers through the provider. Usually when a company is subcontracting on projects, the subcontracting agreement is solely with the prime contractor. The subcontractor has no contractual relationship with the consumer.

There is a posting by Onvia, Subcontract Flow-Down Clauses Explained that helps to explain the role of subcontractors and their relationship with the prime contractor. Check with the service provider about their use of subcontractors and their part in the prime contract with the customer. The prime should have some form of flow-down clause to ensure that the subcontractor is equally liable as the provider.

The Exit Clause
The customer needs a legal path to cancel the cloud service. Providers such as ISPs change their terms and conditions unilaterally. The customer either agrees to the changes or the ISP cancels their service.

The contract should contain an exit clause that protects the customer if the arrangement does not work to the customer's satisfaction or the service provider goes out of business or is sold to another provider. This clause should also ensure that the data stored and the software licenses can be returned without delay. A specified data format should also be defined in the exit clause. If there is no exit clause, then the customer faces provider lock in.

Provider Lock-in
What can a customer expect when it wants to move applications and data to another provider? Provider lock-in is one of the major fears expressed by IT leaders who are considering a move to cloud services. Provider lock-in exists if the customer cannot move an application and data from one system to another easily. An example of provider lock in occurred when Coghead Inc., a producer of a cloud-based enterprise application development systems, closed for business. Coghead posted a letter citing "economic challenges" as the reason for its decision to close. Customers were given a short period of service usage but the usage came with no support. A lack of cloud service standards limits the portability of data and applications among systems and services.

Contracting for Performance
The Service Level Agreement (SLA) for a cloud service may be measured over a long period of time, possibly weeks. The SLA is most important when the traffic busy hour occurs. Experience with the SLAs of MPLS services shows an example of the type of arrangements that clearly need to be negotiated to satisfy the busy hour performance required by the customer.

Most cloud SLAs cover both reliability and availability. The service subscriber would like 99.99+% availability for the service. This usually includes the cloud site but does not include the network access or the devices at the enterprise's location. Since there are other elements in the chain of access to the provider's site, 99.99+% will not be the availability seen by the user. It will be somewhat less, maybe 99+%, which may still be acceptable depending on the applications running.

Contract Questions
There is no way in which all the possible questions to pose to a provider can be imagined. The following list is presented to stimulate the customer to ask those questions that may be the most important.

* Where are the data and application stored, in or outside the U.S? This could be constantly changing in a virtualized environment. See Is Your Cloud in China?, a humorous blog by Ben Schorr.

* If there is a requirement for forensic analysis for e-discovery or subpoenas, how will this work?

* What government regulations (HIPAA, Graham-Leach, SOX) will the cloud provider have to adhere to in the U.S.? If the data is stored in another country, what regulations apply?

* What happens if the provider loses information or releases the data without the customer's permission or through hacking?

* How does the provider support e-discovery in an accurate and timely manner?

* Is the customer protected from fines and/or sanctions because of a provider problem?

* How is the data on individual users protected and used by the provider? Can the provider sell the data?

* Will the traffic information that is sent and received be protected as well?

* Can user presence information be sold to third parties?

* Will the provider use their access to the customer's users to send out information (sales and marketing) created by third parties?

* Is the provider able to sell profile information of the customer’s users?

The trust in a cloud service provider is only as good as the contract terms and conditions. Moving to the cloud may be best for your organization but remember you are giving your most valued information assets to another to maintain and protect.