We all know the phrase “get your head out of the clouds.” Well, your head may not be in the clouds, but your company’s computers may be … if not now, very soon. Cloud computing is the delivery of IT resources over the internet instead of local/internal servers that provide network, web hosting and data storage. In other words, cloud computing uses a remote server “in the clouds” to operate a company’s computer systems, data storage, software, etc.
It is undeniable that cloud computing can offer many benefits from both an IT perspective (eliminating the need for large capital investments in internal hardware and individual software applications) and from an end user’s perspective (facilitating collaborate workflow and permitting convenient access to data from almost any location). In light of the foregoing, together with the attractive cost savings achievable with cloud computing, increased use of cloud computing and cloud services is expected. In fact, recent surveys suggest that 40 percent of all financial services use some cloud services. In addition, in the next three years, it is estimated that more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the cloud.
Thus, as companies consider this new platform, it is important to understand the associated legal ramifications. At the outset, although your company may store its data in the cloud, to the extent such data is responsive to discovery requests, federal courts have consistently treated data stored by third parties to be within a party’s possession, custody and control under the Federal Rules of Civil Procedure Rule 34(a). Accordingly, if your company uses a cloud provider, your company will still be required to identify, preserve and collect electronically stored information (ESI) in the cloud. Such preservation and collection efforts may prove more difficult from a cloud platform when compared to traditional internal IT systems. Nonetheless, from a legal perspective, the data will be considered in your control, and consequently, you will have the initial burden to preserve and possibly collect and produce this data in a usable form.
When negotiating your company’s contract with a third-party cloud provider, you should be aware of some key factors. For instance, is the cloud provider reputable? What level of data integrity does the cloud provider offer? Also consider such essential issues as the protocols and limitations for backup/disaster recovery, encryption and access management. Obviously, efficient, reliable and predictable access to your data is a necessity, and proper testing before transitioning to the cloud is a must. Under the guise of Rule 34(a), also ensure that the contract specifically provides that ownership and control of the data remains with your company, not the cloud provider.
In light of the ever increasing concerns regarding identity theft and privacy issues, these considerations should be addressed at the outset. For instance, specifying that the data is to be held in accordance with Health Insurance Portability and Accountability Act (HIPAA) regulations may be important to your company. The cloud provider, however, may not fully understand HIPAA or its implications, so you want to be clear when establishing your contractual relationship with the cloud provider that the privacy parameters are fully defined and your expectations clearly delineated. Also, if you know you want the cloud provider to ensure segregation of duties, personnel screening, data privacy or other security measures, be sure they are likewise delineated in the contract.
Furthermore, in considering a cloud provider, investigate how the cloud provider responds to subpoenas. More importantly, regardless how the cloud provider typically responds to subpoenas, include language requiring the provider to promptly notify your company upon receipt of a subpoena for your data. Also, be sure your company has the ability to answer, challenge or even seek to quash the subpoena. Your ability to challenge such requests early on in the process may make all the difference in preventing unwanted access to your data.
Another key factor to consider is sustainability. What assurance do you have that your provider will be in business five years down the road? What if the cloud provider suddenly ceases activities, files for bankruptcy or otherwise breaches the service contract? What happens should you decide to end the relationship or use another cloud provider? Be sure the contract with the cloud provider provides continued access to and prompt transition of data to another cloud provider. Depending upon the amount of data, it may be simpler to just move the data back to your company and then upload it to new a supplier. If, however, the amount of the data is large, you should ensure that the contract provides for a secure transfer from the initial cloud provider to the new cloud provider. Regardless of the reason necessitating the transfer, you should ensure that sufficient remedies and safeguards are built in to the contract to provide the necessary security for your company’s continued computer operations and the continued storage of and access to secure data.
Cloud computing certainly has advantages. It does not require hardware or software. It does not require individual maintenance by your company. It also does not require travel and typically provides fast downloading, quick data transfers and works around your schedule. However, ensuring your company’s contract with its cloud provider is sound at the outset will help protect the integrity of your company’s operations while also promoting compliance with its legal obligations.