A brief forecast of the legal issues in cloud computing, as well as legal issues brewing on the horizon

1. “Partly Sunny with a Chance of Rain”: Forecasting the Legal Issues in Cloud Computingby:Thomas A. Kulik, PartnerScheef & Stone, L.L.P.Dallas Bar Association – Computer Law SectionSeptember 27, 2010 

2. About the Presenter Tom Kulik is a Partner in Scheef & Stone, L.L.P. and chairs the firm’s Intellectual Property Practice Group out of its headquarters in Dallas, Texas. With an understanding of how intellectual property assets influence business, he strategically counsels clients on matters involving the evaluation, acquisition, development and protection of intellectual property rights, with an emphasis on creatively leveraging such assets both domestically and internationally. Prior to matriculation in law school, he was an award-winning systems engineer for 3Com Corporation, where he was responsible for local and wide-area network architecture and design supporting both Fortune 500 and start-up companies in the computer services, financial and pharmaceutical industries. Leveraging this industry experience, his practice focuses on intellectual property transactions, particularly within the context of the computer software, emerging Internet technologies and e-commerce, and includes an extensive trademark preparation and prosecution practice and attendant intellectual property litigation. 

3. What is the “Cloud”?... 

4. …and What is “Cloud Computing”? “SaaS” “PaaS” “IaaS” 

5. “Cloud Computing” – A Hazy Phrase for a Foggy (Evolving) Concept “As a metaphor for the Internet, "the cloud" is a familiar cliché, but when combined with "computing," the meaning gets bigger and fuzzier…[but essentially] encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extends IT's existing capabilities.” What Cloud Computing Really Means, Eric Knor & Galen Gruman, InfoWorld, 2009 

6. “Cloud Computing” Definition – The National Institute of Standards and Technology “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of fiveessential characteristics, threeservice models, and fourdeployment models.” The NIST Definition of Cloud Computing, Peter Mell and Tim Grance, Version 15, October 7, 2009 

8. Broad network access – services available through the network to cellphones, PDAs, laptops, iPads, etc.

9. Resource pooling– dynamic assignment of physical andvirtual computing resources

10. Rapid elasticity – quick scale-out/scale-in – seamless and seemingly unlimited to the user

11. Measured Service – automatic control to optimize management of resources (storage, processing, bandwidth, accounts)

13. External software hosting in a cloud infrastructure

14. Platform-as-a-Service (“PaaS”)

15. Think “SaaS-plus” – computing platform and “solution stack” for building and running custom applications by the user

16. Infrastructure-as-a-Service (“IaaS”)

17. Data processing, storage, network and other fundamental computing resources in cloud infrastructure

19. Amazon Elastic Compute Cloud (EC2), Amazon S3, Rackspace

20. Software-as-a-Service (“SaaS”)

21. Google Apps, Zoho, Facebook Applications

22. Platform-as-a-Service (“PaaS”)

23. SalesforceAppExchange, Google AppExchange

25. Used solely by/operated solely for the organization

26. Community Cloud

27. Used by/operated for multiple organizations tied to a “specific community” with “shared concerns”

28. Public Cloud

29. Owned by CSP providing cloud services to the public

30. Hybrid Cloud

31. Composition of 2 or more distinct clouds “bound together by standardized or proprietary technology that enables data and application portability” 

33. May be pay-per-use

34. Even free!

35. Why the Cloud Model? A “Perfect Storm” Economics - IT capital cost pressures pushing for better ROI More for Less - Technological Innovation is permitting: Better communications bandwidth availability Improved microprocessor/bus speeds Increased storage capabilities “Virtualization” – easier for CSPs to maximize infrastructure for the services provided and offload much IT management 

37. Contractual Considerations

38. Intellectual Property

39. E-Discovery & Litigation

40. Ethical Considerations for Lawyers

42. Is a “multi-tenant” architecture – data stored on a virtual server that shares same physical server with other virtual servers

43. Security dependent upon configuration of the virtual servers and API vulnerabilities

44. Geographic distribution concerns – the “cloud” knows no boundaries

45. Breach harder to detect & manage

46. CSP may use third-party providers for elements of the service

47. Audit trail across multiple platforms not necessarily integrated

48. Geographic distribution concerns remain

50. Trans-border flow of private information may trigger obligations

51. U.S. laws far LESS restrictive than other countries (particularly the European Union)

52. Liability for breach depends upon who controls the data versus mere data processors

53. Many data privacy laws pre-date cloud computing capability

55. Graham Leach Bliley Act - Financial institutions must have policies/procedures in place to protect “non-public personal financial information” from improper disclosure

56. HIPAA/HITECH Act – “Covered entities” required to notify affected persons of breach of unencrypted “personal health information”

57. FTC Safeguards Rule – Financial institutions required to have written security plan regarding customer’s private information

58. FTC Red Flags Rule – Institutions holding credit accounts must have written identity theft program

59. Stored Communications Act - protection from disclosure for emails and other private data that are in such electronic storage

61. EU Data Protection Directive 95/46/EC – no transfer of data to countries OUTSIDE the EU unless they offer an “adequate level of protection” OR where exceptions apply...like the U.S. Safe Harbor List

62. U.S. Department of Commerce negotiated a safe harbor framework with the European Commission to “bridge” differences in privacy protection with EU member states

63. Certifying to the “safe harbor” will assure that EU organizations know that your company provides "adequate" privacy protection

65. REVIEW CSP privacy policy AND security procedures for continuity with existing company procedures & guidelines (i.e. audit/reporting requirements, security breach notifications)

66. IDENTIFY and SPECIFY data security controls at the software level (i.e. encryption, firewalls), as well as physical security

68. Location of service/data NOT fixed, but distributed

69. CSP owns the technology, NOT the user/company

70. Contracts normally NOT negotiable

71. Risk allocation far more difficult to address

72. No traditional software “license” – is an access model

73. Little to no indemnity/infringement protection from CSP

74. Limitation of liability may not cover anticipated risk

76. Governing law/Venue always favors the CSP

77. Limitations of Liability

78. Usually no liability for damages whatsoever (data deletion, corruption, failure to access, etc.)

79. Limited to No Warranty

80. “AS-IS” or “as available”

81. No warranty that service uninterrupted/error-free – limited to SLA, which may be inadequate

83. CSPs usually reserve right to terminate unilaterally

84. Data portability in event of termination? Avoid “lock-in”

85. What is CSP goes bankrupt?

86. Service Level Agreement (“SLA”)

87. Usually rely upon service credits in event of specified period of downtime, BUT credits mean little when the service is down!

88. Auditing/compliance?

89. The Legal Considerations in Cloud Computing: Contractual Considerations Google Apps Examples: “Representations. …Google warrants that it will provide the Services in accordance with the applicable SLA.” “Disclaimers. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. GOOGLE MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICE. THE SERVICE IS NEITHER DESIGNED NOR INTENDED FOR HIGH RISK ACTIVITIES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY SWITCHED TELEPHONE NETWORKS. 

90. The Legal Considerations in Cloud Computing: Contractual Considerations Google Apps Examples: “Limitation on Indirect Liability.NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.” “Limitation on Amount of Liability.NEITHER PARTY MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE AMOUNT PAID BY CUSTOMER TO GOOGLE DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY. “Governing Law. This Agreement is governed by California law, excluding that state’s choice of law rules. FOR ANY DISPUTE RELATING TO THIS AGREEMENT, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA. “ 

92. REVIEW service levels/credits with a wary eye – may NOT be enough to cover for impact of downtime on business

93. MUST address data export capabilities and ensure compatibility with business continuity and DR plan

94. NEGOTIATE…NEGOTIATE…NEGOTIATE!

96. Trade secrets issues – inconsistent with cloud model?

98. Remote storage DVR system held not to be a violation of U.S. copyright law (See Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2nd Cir. 2008), cert. den’d129 S.Ct. 2890 (2009))

99. Opens door for Digital Entertainment Content Ecosystem (DECE) – a.k.a. “Ultraviolet” - purchase content once, then view in many formats and on many devices from cloud-based account

102. REVIEW any legacy system tie-in to cloud for license compliance

103. RETHINK placing trade secret information within the cloud – law is evolving here

105. Data preservation/integrity hard to manage

106. Data may be housed in multiple countries

107. CSPs may use 3P providers

108. Jurisdictional issues

109. Enforceability – multiple countries vs. governing law

110. Country where data is resident in computer facility – governmental access?

112. Unlike outsourced solutions, users may not know what infrastructure they are using or the physical location of data

113. CSP may be able to retrieve the data, but NOT know where your data is for the purpose of a litigation hold

114. CSP may use third-party service providers for elements of services provided to the user, exacerbating the issue

115. Courts may NOT distinguish servers in the “cloud” from ones in direct possession

117. Cloud infrastructure increases spoliation risk

118. Where CSPs use 3P providers – greater danger

119. Data Integrity

120. Data at rest – MUST be free from corruption

121. How to ensure NO CHANGE to data upon hold?

122. Standard CSP agreements do NOT account for possibility of ESI preservation by default

124. DEMAND accountability for handling of ESI

125. General “cooperation” clause

126. Acknowledge compliance with litigation holds

127. STRONGLY CONSIDER a separate agreement

129. Considerations are more delicate for law firms due to client confidentiality obligations, privilege, etc.

130. Bottom line: it is available, but is it ethical?

132. 2 states: Use of CSPs for storage of client files so long as a reasonable standard of care is exercised:

133. NJ: N.J. Sup. Ct. Advisory Comm. On Professional Ethics, Opinion 701 (2006)

134. NV: Nev. State Bar Standing Commission on Ethics and Prof. Responsibility, Formal Opinion 33 (2006)

135. More on the way

136. North Carolina Proposed 2010 Formal Ethics Opinion 7, “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property” (April 15, 2010)

137. Texas?

139. MUST be knowledgeable about CSP handling of data

140. MUST contract with CSP to preserve confidentiality/security of data

141. Transposing the “reasonableness” standard from “brick & mortar” to the “cloud” not as easy as you may think:

142. Security – client confidentiality requires strong contractual protections

143. Backups – MUST think about IaaS infrastructure

144. Data access – SLA service credit should NOT be sole remedy

145. Portability – Transfer of data in event of termination crucial

146. Bankruptcy of CSP – how to account for possibility?

148. Understand how the CSP will handle the data

149. Don’t be afraid to ask questions – arguably have a duty TO ask them!

150. Security should cover both software capabilities AND physical facilities

151. Bottom Line: LET’S BE CAREFUL OUT THERE!…

152. “Partly Sunny with a Chance of Rain”: Forecasting the Legal Issues in Cloud Computing Email: tom.kulik@solidcounsel.com LinkedIn: www.linkedin.com/in/tkulik Twitter: www.twitter.com/TomKulik (@TomKulik) Blog: www.legalintangibles.com 