Cloud computing is an Internet service provided by a third-party vendor that offers data storage and management—functions that were previously done with software installed on an individual computer. The service generally falls into one of three categories: software-as-a-service (SaaS), platform-as-a-service (PaaS), or infrastructure-as-a-service (IaaS). Most people are already familiar with SaaS, though they might not know it. Google Maps, Microsoft Hotmail, and Yahoo’s Flickr are just a few of the popular cloud computing applications that live on servers—not a personal computer, hard disk, or USB key—and are accessed through the Internet.
Platform-as-a-service allows users to access a computing platform to develop or host online applications. For example, Google App Engine allows developers to create and run web applications on top of a custom Google platform that uses Google’s computing resources.
The third type of cloud, infrastructure-as-a-service computing, provides virtualized resources that are scaled to a user’s needs and stored remotely. Touted as a cost-saver for businesses, IaaS cloud computing would allow a company to order resources on a metered basis—much like it would purchase electricity, water, or any other utility—using as little or as much of the service as it needs, without having to buy, maintain, or upgrade computer hardware.
But the software-as-a-service trend that’s currently on the tongues of techies everywhere brings with it security concerns and legal questions. A recent Information Systems Audit and Control Association survey of more than 1,800 IT professionals in the U.S. found that only 17% said the benefits of cloud computing outweigh the risks. And only one in 10 respondents said they would consider using SaaS for business-critical applications. Still, these concerns have not dampened expectations for the pending cloud computing boom: Several industry watchers have estimated the value of the burgeoning market could grow by more than $100 billion over the next few years.
Before You Leap
Companies considering using cloud computing must take note of the inherent risk that comes with surrendering control of sensitive data; otherwise, the company may be exposed to unnecessary risks and costs. Before converting to cloud computing, a company’s general counsel and chief information officer must consider—and resolve by contract—these questions to ensure that data remains private between the company and the cloud computing service provider:
- What happens to data in the event of a disaster?
- What happens to the data in the event of one of the parties going bankrupt?
- What happens in the event of a security breach?
- Who has access to the data?
In addition, there should be a clear contractual understanding of what the cloud provider will do in response to an information request. There are also questions pertaining to intellectual property and privilege. Trade secret protection should be resolved by appropriate contractual nondisclosure provisions, along with concerns about attorney-client privileged information.
The location of the provider’s data centers is also an issue. Keep in mind that "clouds" are still servers sitting in a room somewhere, and a business should make sure it understands the security parameters and limitations of its particular cloud. If servers are located in a foreign country, they pose a potential problem due to widely varying data protection laws. Before switching to cloud computing, a general counsel should require that the provider’s data center be located and the services be performed in the U.S.—and that no data be made available to those located outside the U.S.
Companies should consider getting a cyber-liability policy that can protect against unauthorized access to a computer system, theft, destruction of data, hacker attacks, denial of service attacks, and violations of privacy regulations.
A Cloud Computing Checklist
Prior to adopting or deploying cloud-based solutions for the company, or on a specific matter:
- Have a firm understanding of the financial viability of the provider and of the provider’s information security management systems.
- Plan for return of data in the event of an unexpected termination of the relationship.
- Negotiate restrictions on secondary uses of the data and who at the provider has access to sensitive data.
- Negotiate roles for response to e-discovery requests, subpoenas, search warrants, etc.
- Understand roles and notification responsibilities in the event of a data breach.
- Understand and negotiate where data will be stored, what law controls, and possible restrictions on cross-border transfers.
- Include contract clauses on: service level agreement parameters, data processing and storage, infrastructure/security, and vendor relationship.
Standard IT outsourcing contract provisions also can be helpful with regard to privacy and security standards, regulatory and compliance issues, service level requirements, change management processes, and business continuity.
The Bottom Line
While software-as-a-service computing presents innovative promise for businesses, it also brings uncertainty. Asking the right questions and getting the necessary answers is crucial before a company gets lost in the clouds.
—Hugh Latimer (202-719-4989) has experience in a broad range of complex litigation involving advertising, sweepstakes, trademark, antitrust, trade regulation, international trade and other commercial law issues. This is a publication of Wiley Rein LLP providing general news about recent legal developments and should not be construed as providing legal advice or legal opinions. You should consult an attorney for any specific legal questions. Reprinted with permission and edited for this publication.