A study reported earlier this year that 37% of all organizations worldwide are deploying cloud computing solutions, and predicted that by 2014 businesses in the U.S. will spend more than $13 billion on cloud computing, a 400% increase from today. Many companies are considering moving to cloud service providers that offer access to software applications on a “software as a service” (SaaS) basis, and many software companies are moving to cloud-hosted environments as a means to offer their programs. Cloud computing, however, raises new and challenging legal issues for both cloud computing users and vendors.
Vendors typically have the advantage in negotiations for cloud services because they write the contracts and determine the terms they will offer. Many cloud services, particularly those used by small and medium-sized companies, are made available only through click-wrap agreements that are non-negotiable. Consistent with the cloud model of a “one-size-fits-all” commodity service, vendors are also typically reluctant to negotiate different terms for different customers. Those faced with non-negotiable contracts must review the terms of the agreement and do their diligence on the cloud vendor to be sure that the customer is not taking on more risk than it should and to determine whether the terms of the click-wrap agreement pose any problems to the customer.
Security and Data Privacy Issues
One of the most publicized concerns about the cloud is security and data privacy. Some small to medium-sized companies go to the cloud for enhanced security offered by the cloud vendor that the companies themselves cannot provide. On the other hand, the cloud environment presents greater or additional security risks. Because cloud providers store large volumes of data from various parties, they present an attractive target for hackers. Google, Amazon and Salesforce.com have all reported major data breaches, and a survey this summer found that nearly half of IT executives reported a security lapse or security issue with their cloud services providers within the last 12 months.
A cloud customer could be liable for security breaches by the cloud provider it uses. Therefore, the cloud customer should be sure that its contract protects its data. Of course, the agreement with the cloud vendor should include confidentiality provisions requiring the vendor to protect the customer's data as confidential. In addition, the customer should require the vendor to comply with SAS70, or the recent Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which applies to reporting periods ending on or after June 15, 2011. SAS70 and SSAE 16 provide auditing standards covering, among others, a service provider's controls for safeguarding its customer's data. The customer should also require the vendor to comply with ISO 27002, which establishes data security standards. The customer should also require the vendor to conduct the SAS70/SSAE 16 and ISO audits at least annually and the contract should obligate the vendor to correct any deficiencies revealed by the audits.
In addition, cloud customers will want to have the right to conduct independent security assessments or audits. However, unless the customer is large, the cloud vendor may not agree to this because it disrupts operations to have numerous customers conducting audits and because an audit might expose data of other customers. Cloud vendors should note though, that if a customer is subject to audit by regulatory agencies, such as in the financial or healthcare sectors, the vendors need to allow for audits by these agencies and the vendor should agree to cooperate with any such required audits.
From the vendor side, cloud providers need to develop an incident response plan to promptly notify customers of any security breach affecting that customer's data and to cooperate with the customers to mitigate the breach and to comply with notification laws.
Data Issues
Cloud computing raises several issues concerning the storage and treatment of a customer's data, including the location of the data and jurisdictional issues; legal compliance issues; ownership issues; and access and retention issues.
One of the first questions a cloud customer should ask is, “Where is my data stored?” Virtualization in the cloud environment presents new challenges for jurisdictional issues and legal compliance. Virtualization refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them, so that, for example, numerous “virtual” servers can be created on a single physical server. Where a customer's data is stored, even on a temporary basis, can determine the law applicable to the data. For example, the US PATRIOT Act and the UK Regulation of Investigatory Powers Act of 2000 allow both governments access to private data stored in their countries. The European Union's Data Protection Directive also prohibits the transfer of personal information of EU residents from the EU to countries (including the U.S.) that do not meet a certain level of data protection.
Cloud computing can also raise issues with respect to U.S. export laws. Earlier this year, the Bureau of Industry and Security of the U.S. Commerce Department issued two advisory opinions clarifying the applicability of export laws to the cloud environment. The opinions state that providing computing capacity through cloud and grid services is not an export. However, users who transmit software or technology via the cloud could be subject to the export regulations, and the cloud vendors that store or transmit software or technology subject to export regulations could also be subject to the regulations.
Accordingly, vendors in the cloud may have to inquire about the location or nationality of their customers and whether the data or software they are processing or storing is subject to export restrictions. Customers should verify where their data is stored to determine whether the locations cause any problems. Some cloud providers, though, refuse to reveal where data is stored or processed. Either they don't want to, they don't know, or it's too difficult to track. On the other hand, some cloud vendors (such as Amazon) offer the option to store a customer's data only in a certain country or area, such as the U.S. or the EU.
In addition to determining where their data is stored, cloud customers should also find out how their data is being stored. Will the customer's data be stored in a virtualized environment? In such a shared environment, there is the potential for one customer to have access to data of another customer. This shared, virtual environment could also present a business interruption issue: In July of this year, the FBI launched “Operation Trident Tribunal” and conducted raids related to the LulzSec hacker group. The feds seized several servers from a data center in Virginia used to provide cloud services. Because the cloud service provider did not segregate customers' data and software, the FBI raids knocked 120 unrelated companies' websites offline for several days.
The next question a cloud customer should ask is, “What type of data will be stored in the cloud?” Depending on the type of data being stored, there are various laws, regulations and industry standards that may apply to the security and storage of the data. For example:
A customer subject to any of these laws or standards needs to be sure that the cloud provider it is using complies with the laws or standards. Conversely, a cloud provider should know what data its customers are storing in its systems because the vendor could also be liable for complying with these laws.
Access and Retention Issues
Many companies are familiar with “e-discovery” and have data retention, storage and destruction policies in place that apply in the event of litigation. If a cloud customer is sued, or there is the threat of litigation, the customer may have to initiate a “litigation hold” to preserve documents, including electronic documents and any metadata in the documents. This could present a challenge in the cloud if the customer's data is commingled with that of other clients or if the customer's data is stored on parallel servers. Cloud customers should determine the vendor's ability to prevent the destruction, alteration or mutilation of customer data in the vendor's possession, as well as the vendor's search capabilities for the data. Cloud customers should also make sure that their corporate policies and procedures account for any data in the cloud. Do the data retention and destruction policies of the cloud vendor align with those of the customer?
As for the vendors, they need to develop a process for dealing with e-discovery requests and should provide notice to their customers promptly (within hours, not days) of any subpoena or other legal process seeking access to the customer's data. Vendors may also need to provide the customer with access to its logs and reports to verify the security, integrity and chain of custody of the customer's data.
Service-Level Agreements and Business Continuity Issues
There may be little room to negotiate service level agreements (SLAs) with cloud service providers. Of course, a cloud customer wants high service levels, but the cloud customer also needs to pay attention to the definition of uptime and a service level breach, and any exceptions to the measurement of uptime. For example, in a recent cloud services agreement I negotiated, the contract included certain typical exceptions to uptime measurement, such as planned maintenance, but the cloud service vendor also tried to include a general exception for 150 minutes of downtime per week.
Vendors typically try to make credits the sole and exclusive remedy for failures to meet agreed-upon service levels. It is sometimes difficult to get the vendor to move on this, so cloud customers should try to negotiate the right to terminate the agreement if some level of severe or repeated service level breaches is reached.
The cloud-computing environment raises business continuity issues in that the more dependent a company is on cloud services and the more mission critical systems are in the cloud, the more vulnerable the company is to business interruption issues. In a well-publicized incident earlier this year, Amazon's cloud services were out for two days, causing problems for many companies using them. Also, in the past few months, both Google and Microsoft 365 reported suffering outages. Cloud customers should do due diligence on, and be familiar with, the cloud vendor's disaster recovery or business continuity plan (BCP).
Many non-cloud contracts contain a force majeure clause, which provides that a party will not be liable for a default under the contract for “acts of God.” However, these clauses require new attention in the cloud environment. For example, the Google Apps Premier Online Agreement provides that Google will not be liable for “inadequate performance to the extent caused by a condition (for example, natural disaster, act of war or terrorism, riot, labor condition, governmental action, and Internet disturbance) that was beyond the party's reasonable control.” One of the reasons, though, that many cloud customers go to the cloud is to reduce their vulnerability to such disasters. Cloud customers should review force majeure clauses carefully, particularly the list of possible force majeure events, to be sure they are appropriate for the cloud environment. The customer should also be sure that the force majeure clause only applies if the vendor has followed its BCP.
Liability Issues
Many cloud services contracts limit the vendor's liability; however, the damages disclaimed by vendors (e.g., loss of content or damages due to inability to use the services) are often precisely the types of damages a cloud customer is likely to incur if there is a problem with the service. It is very difficult to get a cloud vendor to change these provisions, though a cloud customer might be able to get the vendor to increase the cap on direct damages. The customer could also try to remove certain types of damages from the exclusions, such as loss of data, which is particularly important when the cloud vendor has complete control over the data and its backup.
Subcontractor Issues
Many cloud vendors subcontract with other entities. For example, in the SaaS environment, a third party often hosts the software vendor's programs. The issues discussed above are complicated by the cloud vendor's use of subcontractors. Will the subcontractor allow access to the customer's data? Can the subcontractor comply with a litigation hold? For jurisdictional issues, where is the subcontractor located?
If there is a dispute between the customer and the cloud vendor, the vendor may try to shift liability to the subcontractor, and the customer may not have the right to bring an action directly against the subcontractor. Some customers try entering into direct contractual relationships with the subcontractor. For instance, in the SaaS scenario, the customer might enter into an agreement with the SaaS vendor and also with the hosting service used by the SaaS vendor.
Cloud customers should conduct due diligence to confirm, if subcontractors are used by the cloud vendor, what those subcontractors provide. Then, the customer must perform the same diligence on the subcontractor as discussed above. The customer should also review the contract with the cloud vendor to be sure that the customer can have access to and control over its data held by a subcontractor, and that the vendor remains liable for acts or omissions of a subcontractor. If a vendor has the right to change subcontractors, it could be difficult to get the vendor to agree to give the customer the right to approve of such changes, but, again, it might be possible to get the vendor to provide the customer with notice of the change and the right to terminate if the customer objects to the new subcontractor.
Conclusion
The cloud-computing environment provides many advantages; however, it also presents new and complicated legal issues. Cloud service providers need to consider not only the laws and regulations that apply to them, but also those that apply to their customers. And cloud customers need to conduct appropriate due diligence on potential cloud services providers, making sure that they carefully review with their legal counsel the contracts to provide cloud services.
Andrew Goldstein is a Chicago-based partner in the Business Law Group of Freeborn & Peters LLP. Goldstein focuses his practice in the area of Intellectual Property and Information Technology. He may be reached at [email protected].