With applications, documents, videos, podcasts and other programs, businesses are running into a common problem – limited space (or memory) to host files locally or internally. Many businesses are increasingly looking to “the cloud” as a solution, allowing scalable and secure data storage accessible anywhere via the Internet or via a private network, with a reduction in costs associated with maintaining and acquiring data storage equipment, infrastructure and software. However, cloud computing also raises several unique legal considerations, including data privacy, security, and e-discovery issues. Understanding the legal and regulatory landscape before entering into a cloud relationship will allow businesses to take advantage of the benefits offered by cloud computing while avoiding any unexpected pitfalls down the road.
Which Cloud Works for You?
Cloud computing generally refers to the delivery of “on-demand” computing resources from a remote location, and is available in several service models. The most common type is the cloud software as a service model (SaaS). Under this model, a user is given access to a provider’s software and uses that software as a service. Examples of SaaS include, among others, customer relationship management, sales automation, customer service, human resources, e-commerce, procurement, business intelligence, budgeting, compliance or accounting. The second service model is cloud infrastructure as a service (IaaS). With IaaS, a service provider provisions fundamental computer capabilities such as processing or storage, and offers pools of IT infrastructure resources, like servers, storage or other network components on a pay-per-usage basis. The cloud service provider owns the equipment and is responsible for the housing, cooling, operation and maintenance of its systems. The third service model is cloud platform as a service (PaaS). Under this model, the service provider gives the customer access to a full-functioning computing and solution stack on which user-created applications (with provider-supported programming languages and tools) are deployed. Under the PaaS model, customers typically pay only for the services used.
Businesses should also be aware of cloud computing infrastructure models because each model presents varying degrees of data security, risk and investment. Typically, there are four main cloud infrastructure models:
- Private Cloud: In a private cloud arrangement, the business maintains all components of the associated technology, which includes any servers or software required to deploy cloud resources. Since businesses use dedicated equipment and networks for the private cloud, the service can be more expensive given the physical space, hardware and environmental controls required. However, a private cloud arrangement offers businesses the most control over data stored on the cloud.
- Public Cloud: The public cloud is available to any customer, including individuals or large organizations. Unlike the private cloud, the public cloud is owned and controlled by the provider of the service. Since several users “share” the public cloud, this model offers the greatest potential flexibility and cost savings for customers. However, the public cloud requires separate security considerations.
- Community Cloud: Community cloud infrastructure is shared by several organizations with a common goal or purpose. In a community cloud model, many of the functions and costs of cloud computing are split among a number of organizations within the same industry or various businesses using the cloud for a similar function, like accounting or sales. With the community cloud, the costs of deployment and access are spread over fewer users than the public cloud, but more users than the private cloud.
- Hybrid Cloud: This type of cloud arrangement is a mix of the private, public or community clouds. For example, customers can use a hybrid model to augment a traditional private cloud with resources of a public cloud to manage any unexpected surges in workload. While hybrid clouds provide flexibility and allow customers to keep each aspect of their business in the most efficient environment, there are increased potential risks with accessing multiple cloud security platforms.
In evaluating the various cloud models, a business should pay special attention to the type of data that it will store on the cloud and its duties related to the data. For example, businesses are responsible for customer data under Section 5 of the FTC Act, which prohibits unfair or deceptive business practices,[1] and may have liability for failing to take reasonable steps to protect consumer information stored on the cloud. Similarly, the Health Insurance Portability and Accountability Act (“HIPAA”)[2] requires “appropriate” safeguards for health information, and, for financial institutions, the Gramm-Leach-Bliley Act (“GLB Act”)[3] requires privacy and opt-out notices where customers’ personal information is shared with unaffiliated entities. Numerous states have also implemented regulations governing a business’s use of consumer information.[4] A business’s choice of cloud model should be guided by the type of data that will be stored on the cloud and the business’s legal obligations relating to that data.
Contracting Considerations
Regardless of the type of delivery or infrastructure model a company chooses, cloud computing arrangements are governed by an agreement between the business and the service provider. Businesses should ensure that their cloud arrangements address their risk considerations, such as performance metrics, data security, force majeure events, business continuity, intellectual property use, ownership and privacy. The following are considerations that a business should evaluate in a cloud service provider agreement:
- Data Collection and Privacy: It is important for company users to be aware of whether (and how) a cloud provider may access data associated with a company’s cloud services. Some cloud computing agreements allow a service provider to monitor or use customer data “as necessary” to provide a defined level of service. Further, cloud providers may seek access to or control over data to improve their current products or protect other contractual rights. As a result, your business may be required to take additional steps – such as updating the business’s privacy policy – to protect your customers’ personal information if your business’s data is restricted by acts such as HIPAA or the GLB Act.
- Data Storage: Many courts hold that in a contract dispute regarding data, the applicable law is dependent upon the state where the data is physically located.[5] Some states even have laws that will invalidate contracts if they require disputes to be litigated outside of the state.[6] In addition, businesses should inquire as to whether their data is housed in the United States or if data may traverse or be collected from other regions of the world. For example, the European Union has a rather robust data protection framework that applies to cloud-stored data and use; a business may require a certification under the U.S. – EU Safe Harbor where personal information is transmitted from the European Union to the United States.[7]
- Service Interruptions: Businesses should be aware of how the agreement defines a “service interruption” and what happens if an interruption occurs. It is important for a business to understand where any liability lies if the business cannot gain access to the data it stores on the cloud. Along those lines, some agreements may include provisions disclaiming liability for “unauthorized access” to data, i.e. hacking. To avoid any unintended consequences, businesses should ensure that the agreement applies a defined level of security to their data in the cloud and provides concrete processes in the event of a data breach.
- Termination Assistance: Often, cloud agreements contain provisions wherein, at the end of the relationship, the service provider is obligated to assist the business in transitioning to another service provider to maintain business continuity. These types of provisions usually require the cloud provider to maintain a specified level of service for a predefined period of time. Such a provision may also require the provider to help the business move its data and services from the current provider to another. Any provision dealing with termination assistance should also describe in detail what data should be retrieved or transitioned and how this data will be treated and subsequently destroyed.
- Intellectual Property Rights: The agreement should expressly state that the business retains ownership of all data or information provided by or accessed from or through the business, and all data resulting from the processing or aggregation of such data or the performance of the services. However, in SaaS and PaaS arrangements, businesses may assign new interfaces or add-ons that the business develops in connection with use of the cloud service. In addition, the agreement should accommodate provider consents for new processes desired by the business, as well as third-party consents required to operate the applications the business intends to use.
Post-Contracting Concerns: Subpoenas and E-Discovery
A final consideration is whether your business’s data is subject to a third-party civil or government subpoena issued to your cloud service provider. Under the Stored Communications Act,[8] cloud service providers may be required to disclose data pursuant to a warrant or subpoena without notice to your business. And, under federal discovery rules, a cloud service provider is considered a third party to any litigation in which it is not named. As such, under Fed. R. Civ. P. 45, an adverse party may subpoena data held by your cloud provider. Furthermore, cloud service agreements often allow a provider to respond to subpoenas, discovery requests or other lawful service of process by turning over data it hosts for a business.
When turning to a cloud computing solution, evaluate your business’s needs, data requirements and risk assessments at the beginning of the process. Doing so will allow your business to take advantage of the full benefits offered by cloud computing and will ensure your business’s seamless legal and regulatory compliance.
[1] 15 U.S.C. § 45.
[2] 42 U.S.C. § 1306.
[3] 15 U.S.C. §§ 6801-6809.
[4] For example, the California “Shine the Light” law. Cal. Civ. Code § 1798.83-1798.84.
[5] See Damon C. Andrews & John M. Newman, “Personal Jurisdiction and Choice of Law in the Cloud,” 73 Md. L. Rev. 313, 346-47 (2013) (“A handful of states have at some point formally adopted a form of the ‘lex fori’ approach to choice of law. Under this approach, courts generally apply what amounts to a presumption in favor of applying the law of the forum”).
[6] See N.C. Gen. Stat. § 22B-3 (1995) (providing that any provision in a contract entered into in North Carolina that requires the prosecution or arbitration of any dispute that arises from the contract to be heard in another state is against public policy, void and unenforceable); see also S.C. Code Ann. § 15-7-120 (1990) (providing that any contract with a forum selection clause can be enforced in South Carolina, in addition to the forum state specified within the clause).
[7] See Data Protection Directive 95-46/EC, Chapter IV Transfer of Personal Data to Third Countries, Article 25(1); see also Framework Decision 2008/977/JHA; see also U.S.-E.U. Safe Harbor Privacy Principles, July 21, 2000, available at http://export.gov/safeharbor/eu/eg_main_018475.asp; see also EEA Joint Committee Decision No. 108/2000, November 2000, available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:045:0047:0048:EN:PDF.
[8] 18 U.S.C. §§ 2701-2712.
Published September 15, 2015.