Legal Issues That Float in the Cloud

Although the rise in cloud computing promises great efficiencies for data-heavy businesses, including those managing power projects, it also presents some new legal loopholes and hurdles that require attention. A recent "white paper" by CommVault Systems Inc. and a new analysis by information technology guru Joseph Foran examine some of the legal issues floating in the cloud.

CommVault is a New Jersey IT firm specializing in data backup and recovery. "Most enterprises are finding that moving to the cloud may improve overall IT cost-effectiveness," write Shannon Smith and Bennett Borden for CommVault, "but the shift raises a number of issues on the legal side of the house that often go unrecognized or unaddressed."

"The existence of vast amounts of electronically stored information (ESI) housed offsite, the potential lack of control of this data, and the challenges of preserving and processing it in connection with a lawsuit or regulatory investigation is enough to cause concern amongst even the most technically-inclined corporate legal teams."

Legal discovery—the requirement to turn over information during a lawsuit or investigation—presents special challenges in a cloud computing environment, notes the CommVault paper. Cloud-stored data (one of the chief values of cloud computing) "could be stored on multiple servers across multiple jurisdictions, making it more difficult to identify, preserve, and collect for litigation or regulatory investigations."

Before making a decision to move to the cloud, the CommVault analysts suggest "that corporate counsel ask the right questions about where and how data is being stored by a potential cloud service provider."

Foran, IT director for FSW Inc., a social services agency in Bridgeport, Conn., says organizations considering hiring a firm to provide cloud computing services should ask the vendor, "Where is the data being stored? Jurisdiction defines your rights. If your data is stored in the small, unruly nation of East Pirateostan, don’t expect muchy protection. And if your data ends up being stored in a location with different laws or regulations, you may forfeit your rights to it. One example is a Las Vegas casino that stores betting data in the cloud, only to learn later that the data is kept in a state that prohibits gambling."

Just as organizations should have policies about preserving onsite data, they should also develop policies covering data stored by third parties, says CommVault. "Will the cloud provider execute a litigation hold or are there tools available that would allow corporate IT or legal to executive a hold against data in the cloud? If the cloud provider will not implement the hold, it is critical to understand and document the process for preserving ESI prior to facing litigation."

The CommVault paper suggests four areas of concern about cloud data storage that enterprises should address as they move into the computing cloud:

  • Record retention and backup. "Will your cloud provider have the ability to execute corporate retention policies? How will the data disposition process be carried out and will it be documented?"
  • Type of data stored and physical location. If a provider won’t offer "the required level of service around privacy, security and authenticity, it would be unwise to store anything but the least valuable corporate data with a third party."
  • Authenticity and chain of custody. "How will the cloud provider ensure that metadata and content remain unchanged and that the data has not been tampered with in the cloud? Equally important is access to logs and reports to verify the security and integrity of the data. Lastly, you will want to include provisions in the service contract to ensure that the provider will comply with requests for declarations or other testimony necessary to establish chain of custody."
  • Exit strategy. "As technology develops, it is likely that corporate IT may want to move data from one cloud provider to another to service its needs. Whatever the driver, corporate counsel needs to understand the legal ramifications of migrating data."

Foran also raises the subject of data logs and access statistics. "To be clear," he writes, "the logs and other statistical information collected by cloud providers are their data, not yours. The provider has every right to collect usage data on their systems . . . just as you have every right to ask what a provider does with their logs."

Foran says the most important question to ask when considering adopting cloud computing is, "Who owns my data in the cloud?" In the case of private clouds, he says, "the hardware, software and data all remain in-house, so ownership is clear. When moving outside of the private cloud, however, there are complex issues to consider." When asking that question, says Foran, "If the vendor’s response isn’t ‘you,’ it is best to walk away and not look back."

The second most important question, Foran says, echoing the CommVault paper, is, "What happens when I need to transfer the data?" The answer to this question involves how the data will be formatted. "It is important to understand exactly what format data will be returned in," says Foran, "so plans can be made to move it to a new system." It is also important to specify turnaround time in returning data. "It doesn’t bode well for ensuring uptime if a contract is supposed to end in January but the files aren’t received until June. This needs to be spelled out clearly in any contract with a cloud provider."

Finally, it’s important that the vendor losing the work cooperate in the transfer, notes Foran. "Contracts for cloud services should include a plan (and the associated fees) for exiting, including any assistance needed."

—Kennedy Maize is MANAGING POWER’s executive editor.

More Stories You Might Like