Newsletter - Volume 53, June 2010

Cloud Computing: Potential Benefits Come With Legal Risks

Cloud computing has come to the forefront recently as a means for businesses to reduce costs and create efficiencies for IT departments and company employees in utilizing software, infrastructure, and platform as a service. However, the use of cloud computing also comes with potential legal risks and issues of concern. This brief article will touch on some of the issues that should be considered when moving a company's documents and applications to a "cloud."

Cloud computing refers to computing services provided over the internet. Consumers and businesses have been using cloud computing for years, through services such as web-based email from AOL, Yahoo and Gmail, or social-networking and information-sharing sites like Twitter, Facebook and WebMD. Generally, third-party service providers supply various software and/or hardware infrastructures on an as-needed "pay as you go" basis, thereby making cloud computing more scalable and flexible to meet a company's changing needs for software, infrastructure or storage. Frequently, these services include software applications that an end user might access for basic functions like email and word processing. Additional services provided by a third-party vendor would be infrastructure such as networking and storage capabilities, and more advanced software applications, which could include custom applications.

Although cloud computing can reduce costs and provide flexibility, there are risks that must be assessed and accounted for when moving a company's valuable data, including intellectual property, to a cloud hosted by a third party. Of prime importance is making sure that a company's assets and data are in a safe environment, protected from theft and modification, while also complying with the laws of the location(s) where the company and the cloud may be located. The risks can be minimized by entering into a detailed agreement dictating the terms relating to security, access, performance, location, management and control of a company's assets in the cloud.

The security of a company's data is a primary concern, as the third-party provider has access to the data which is stored on servers and systems over which the company does not have complete control. While the customer legally owns its data in the cloud, it is important that the customer ensures that the provider is contractually obligated to protect the data on a level that complies with the customer's internal policies. Also of concern is protecting the data in a fashion sufficient to meet the regulatory levels of protection required by the locales of the cloud and the customer. This is of particular importance to companies operating in Europe, Canada, or other foreign locations where data protection, security and privacy obligations may be different. It may therefore be necessary to specify particular locations for cloud storage, rather than unknowingly run afoul of the law due to the provider's location or movement of the cloud.

Security issues are also of utmost importance when protecting intellectual property, such as undisclosed patents and trade secrets. Since it is not uncommon for third-party providers to store one company's data at a location where data belonging to other companies (potentially including the company's competitors) is also stored, proper protocols should be contractually defined to ensure that there is no commingling of data with that of another company. These terms would include protocols for access rights and encryption standards, thereby preventing data from being improperly accessed or removed by an unauthorized user.

Performing due diligence on the service provider, including stability of the service provider as an on-going entity, continuous availability of data, backup contingencies, and ability to retain and transfer data to another provider, is also of utmost importance. If entering into an agreement with a service provider, a company should also secure assurances that the service provider has obtained any necessary intellectual property licenses, while also getting indemnification for any potential infringement by the provider. The negotiated contract must also provide for the safeguarding and transfer of data in the event the provider ceases to exist. Inability to fully control a company's data and intellectual property assets on a daily basis, as well as in a force majeure event, including bankruptcy or change of ownership of the third-party provider, can negate potential benefits of using a cloud.

Location of the cloud is important not only in terms of compliance with privacy and security laws. Where the data resides may be a critical factor in determining what law applies to the dispute, and how easy it may be to actually access and control the electronic information. Since data stored in foreign countries may be subject to strict requirements with respect to privacy and security, cross-border litigation can become more complicated. Preservation and record-retention policies, including segregation of privileged, confidential or proprietary information such as intellectual property, must be reviewed in light of compliance with litigation protocols.

While cloud computing can provide financial and scalable benefits to companies and IT departments, potential legal issues and risks that it carries must be carefully assessed, evaluated and contractually provided for in a negotiated agreement before a company's valuable data and intellectual property are moved to the cloud.




Disclaimer: The contents of this newsletter are presented for informational purposes only, and as such are not intended to constitute legal advice and should not be construed as such or acted upon without seeking advice of legal counsel. This information is not intended to and shall not create an attorney-client relationship of any kind or nature with IpHorgan Ltd. Please contact the firm with queries, concerns or for further details regarding the information presented herein. The entire contents are current only as of the date of the newsletter and are not to be interpreted as the opinions of our clients past, present, pending or future. (c)2010, IpHorgan Ltd. All Rights Reserved.