News
Computing In The Cloud
A primer on storing sensitive data and information on the Internet by Charles Bieneman This article originally appeared in MI Lawyers Weekly on September 7, 2009
You are going to be hearing a lot about cloud computing over the next few years. More and more of us have clients or work for companies that use some form of cloud computing, and some law firms themselves use it, too.
Naturally, more legal issues are arising from this form of doing business.
But what exactly is cloud computing? And what should you know about it?
A basic definition is this: using hardware or software provided by another party over a network.
Cloud computing is thusly called because a network, such as the Internet, will often be referred to as a “cloud.” The metaphor is apt; when using cloud computing services, a user does not need to how or where those services are provided.
The user only needs to know that the services are somewhere off in the network cloud, and how to access them.
Although the line can be blurry, cloud computing differs from what is sometimes referred to as “dedicated hosting” or “co-location,” in that a service provider of dedicated hosting services generally provides dedicated hardware to which the customer has virtual — and sometimes even physical — access.
You are probably familiar with a few examples of cloud computing. There’s Google Docs, where Google provides users with word processors, spreadsheets, and other office productivity software — entirely through a Web browser.
Similarly, via software applications accessed through the cloud, Salesforce.com provides its customers with services for customer relationship management (CRM), customer service, and the like.
An example of cloud computing with which you may be less familiar is provided by a company with which you likely very familiar: Amazon.
Having built a large and sophisticated information technology infrastructure to support its Web sites, Amazon has gone into the business of allowing others to use its infrastructure.
The Amazon cloud allows you to pick your operating system, choose the amount of computing power you need, access a database, and even obtain a static IP address. Thus, a customer may use the cloud for almost any computing application he or she desires.
In cloud computing models, such as Amazon’s, services are generally paid for according to increments of time (e.g., per hour of computing time used) or on a flat-rate basis (e.g., a fixed rate for a period of years). The cost benefits, even to larger companies that have already invested in information technology infrastructures, can be significant.
Reward versus risk
With little or no capital investment, computer resources can be scaled up in a hurry. This is why many companies, at least for applications that are not mission-critical, are moving to the cloud computing model.
However, cloud computing can create business and legal risks. You are at the mercy of your service provider meeting its service level commitments.
That is, what if you pay for time on a server, and the server crashes just as it is performing an important function?
What if the service provider fails to provide the correct, or adequate, hardware or software?
You also may have privacy obligations with respect to data stored in the cloud. What if the service provider doesn’t adequately protect your data or, worse, data you are storing for someone else?
As the foregoing questions suggest, agreements to provide cloud computing services have twists that the average contract attorney may not have previously considered. Agreements to provide cloud computing services are often not negotiated, and may be boilerplate provided by the service provider.
Regardless, anyone contracting for cloud computing services should pay attention to a number of important issues, which may require negotiation, or may dictate choosing a cloud computing provider offering acceptable terms.
The basic outline of a cloud computing agreement will present familiar concepts. For example, the “Big Three” of risk allocation — indemnification, warranties, and limitations on liability — generally feature prominently in any agreement to provide computer software and/or hardware.
As with any agreement, depending on the price being paid, and the relative leverage of the parties, risks can be allocated according to the parties’ agreement.
Of course, things like indemnifications and warranties should be specifically tailored to the services being provided.
Privacy and security
More particular to cloud computing agreements are provisions governing privacy and security. Most customers will want to ensure that data stored in the cloud is encrypted adequately.
Further, although far beyond the scope of this brief article, the U.S. government, many states, and many foreign jurisdictions all have laws and regulations governing data privacy (e.g., HIPAA, Federal Trade Commission rules), on the one hand, and the government’s right to obtain data from service providers, on the other (e.g., the Patriot Act).
Another concern lies with trade secrets. Even if under requirements of security and confidentiality, trade secrets may enjoy less protection when reposed with third parties. A cloud user should therefore be aware of the possibility of third party subpoenas and government requests for data, and should know what the provider will do in such events.
The questions of data privacy and application security tie in with an issue, glossed over in many agreements, that is particularly important in cloud computing agreements: the question of jurisdiction in the event of a dispute.
When your application or your data is in the cloud, you usually do not know where your data is physically located. The cloud potentially extends as far as the Internet, which is all over the globe. Many providers tell you nothing about where your application may be hosted, or your data stored. Therefore, for many applications a customer may want to use one of the minority of providers who, for example, promise to keep all data within U.S. borders.
Cloud computing is a vast and complex topic, and a primer such as this barely scratches the surface.
The best lesson to draw upon is to be ready to learn about a new world, and a new host of legal concerns, when you or your client purchase services in the cloud.