Archive for April, 2011

How to Conquer Cloud Computing Contracts – Part 2

Posted by fgilbert on April 21st, 2011

Cloud service relationships are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing in the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.

In part 1 of this article we discussed the preliminary planning and due diligence involved with choosing a cloud service provider.

In this part 2, we review critical steps for developing, maintaining and terminating cloud computing contracts.

Read and negotiate the contract

Once you have chosen one or several cloud vendors or cloud offerings, the next step is to enter into a written contract for these services. The contract is intended to accurately describe the agreement and understanding of the parties. It should address the major issues that are critical for the survival of your business.

Depending on the nature of the services, the volume of data, and the leverage of the company, the contract may be in the form of a click-wrap agreement, which is not negotiated, or the parties may negotiate a more complex written document that is tailored to the specific situation.

If only a click-wrap agreement is available, the contract is likely to be one-sided in favor of the service provider and to lack most of the warranties and protections that a purchaser of the service would wish to receive. In this case, you should balance the risks of forgoing negotiations and protections against the actual benefits, financial savings and ease of use promised by the cloud service provider.

If you have the ability to negotiate the cloud computing contracts, you may be able to add or modify provisions that address your company’s needs while defining the obligations of the parties both during the term of the contract and upon termination. Detailed, comprehensive provisions tailored to the unique risks of operating in a cloud environment should be negotiated.

For example, it is important to know where the data will be stored or processed, because the fact that the data are held on a server in a particular state or country is likely to subject the data to the jurisdiction of the country where the server is located. You may want to look for guarantees with respect to the scope of the services, the prices, the support offered and the downtime. You should also seek commitment from the cloud vendor that it will protect your data with adequate security measures. You may also need to ensure that the vendor will inform you promptly if a security incident has affected the data that you placed in its custody. As the custodian of your employees’ or customers’ personal information, you may have an obligation under U.S. state law or foreign laws to inform them of loss or compromise of their data.

Cloud computing contracts termination

Numerous events may lead to the termination of cloud computing contracts and relationships. The contract may expire at the end of its term and not be renewed. It may be terminated for default or material breach, financial difficulties or bankruptcy. Each such event raises the issue of access to, and ownership of assets; organizations must plan to ensure they will be able to retrieve their data.

Keep in mind that your data will be the most at risk upon termination of the contract. The cloud vendor has no incentive to be nice to a customer that is leaving. Worse, the cloud vendor may be experiencing financial difficulty, which significantly increases the risk of loss and vulnerability of the data. Provide for the proper — and secure — winding down of the relationship in order to ensure business continuity and to limit the risk of loss or alteration of the data.

Plan for termination of the contract before signing it. Ensure that the service agreement lays out whether and how the data will be returned to your company or destroyed, the cost associated with this return, and the procedures to be used in the event of termination.

The volume of data to be returned might require planning and proper logistics. The data might have been commingled with other customers’ data to save space or for technical reasons. This entanglement might make it difficult, time consuming, expensive or perhaps impossible to disentangle the data.

The cloud environment may create unique risks or enhanced exposure. The technology used — i.e., a distributed computing environment — may make it difficult to locate the data. The amount of data may be so large that practical difficulties in collecting the data are very likely. Further, the parties are likely to be located in different jurisdictions, each with a different legal regime, which will increase the uncertainty and complexity.

Continuous monitoring

Throughout the life of the relationship, keep monitoring the activities of the vendor to ensure the performance of the contract according to its terms. To the extent possible, monitor, test and evaluate the services provided in order to verify that the required service levels are reached, the promised privacy and security measures are being used, and the agreed upon processes and policies are being followed.

Keep in mind also that further revisions to the contract might be necessary from time to time. They may be required by external or internal changes. For example, the cloud service provider may have to change its security practices and procedures in order to address new security threats. It may have developed new products or applications that are better suited to your company’s needs. Both the cloud service provider and the customer may need to adapt to new compliance requirements if new laws are passed or regulations are enacted during the term of the contract.

Talk to your lawyer early

In most cases, entrusting your company’s data to a third party will be an important decision. Get help from experienced professionals. Do not wait until the last minute to speak with your lawyer. The more you procrastinate, the more you expose your company to errors and failure. It’s like starting a game with part of the team missing, and waiting until the last 10 minutes to bring in the remainder of the players. It may work occasionally, if you are lucky, but most of the time, playing with an incomplete team will cause you to fail or take unnecessary risks. Your attorney will help you navigate the maze of multilayered cloud computing contracts, decipher obscure, complex, cloud agreements, identify what is missing, and see through puffing and other empty promises.

This article was first published by TechTarget (registration required) in February 2011.

Privacy Laws may be a Barrier to the Taking of Evidence Abroad

Posted by fgilbert on April 21st, 2011

Litigation and trials are handled in the United States in a manner that is significantly different from that which prevails in other countries. While broad discovery is available here, the gathering and use of evidence is much more limited abroad. For years, there have been disputes between US litigants and the foreign parties who were requested to produce information and documents for use in US courts.  While the 1970 Hague Convention on the Taking of Evidence in Civil and Commercial Matters has provided rules for the regulated taking of evidence, there are still many barriers to the gathering of evidence from foreign parties.  One of them is the data protection laws of many countries, especially those in the European Union and the European Economic Area.

The European Union Data Protection Authorities believe that individuals’ right to ensure that their personal data are not collected without their knowledge and are not misused must be balanced against an entity’s right to provide documents identified in a discovery request. Among other things, individuals should be properly notified, the collection of information should be limited to that which is strictly necessary, and the documents or information should be protected at all times by adequate security measures in accordance with the requirements of the applicable national data protection laws.

Francoise Gilbert recently discussed these issues at the meeting of the American Bar Association Section on Dispute Resolution.  The handout of this presentation can be accessed by clicking here.

How to Conquer Cloud Computing Contracts – Part 1

Posted by fgilbert on April 14th, 2011

The characteristics of cloud computing — on-demand self-service, elasticity, metered service or ubiquitous access — make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink: just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.

Consistent with this model, which benefits from uniformity and standardization, many cloud services agreements are presented in the form of a click-wrap agreement, where no negotiation is possible, and the customer clicks on an “I agree” button to express consent to the terms. The apparent ease of entry into these contracts makes the process seem as easy or inconsequential as purchasing a song from iTunes.

However, the fact that in most cases the purchaser of cloud services is pushed to interact with vendors through websites and generic form agreements does not adequately reflect the unique complexity and importance of cloud service contracts. Cloud computing relationships are extremely complex and fragile. They involve relinquishing control over, and custody of, a company’s vital data, documents and applications to one or more service providers with whom company executives may never have met, and which may be hidden or difficult to identify in the fog created by the so-called cloud. Cloud contracts thus raise numerous complex technical, business and other issues that could create significant exposure to financial disasters, embarrassment and other problems if not attended to with sufficient precautions.

Cloud computing legal issues, in particular, abound. These issues include: ensuring access, availability and performance; customization and integration with existing technologies; cost and pricing; compliance with regulatory requirements; ability to terminate and move to another service provider or take data in-house; and much more. The security measures used to protect the data entrusted to the vendor are crucial. It is also important to define how liability for the loss of data will be allocated, and to address the extent to which the customer will be able to access or retrieve the data in case of termination.

Do not be fooled by the appearances; be careful when stepping in the cloud. In part one of this two-part article, we’ll review cloud computing preliminary legal considerations and the due diligence required before choosing a cloud service provider. Part two covers critical steps for developing, maintaining and terminating a cloud service provider contract.

Think before you click

First, do not rush into a cloud service agreement. Cloud providers have made it very easy to purchase their services on the Internet. It is almost as easy to purchase a book from Amazon as it is to purchase a subscription to Amazon’s EC2 services. Wait! Do not click on the “I agree” button until you understand what you are getting, and more importantly, what you are not getting. Just because the service appears so easily available from the vendor’s website does not mean it is the right service for you, or that the terms of the offering are fair and balanced.

Ensure there are no cloud computing legal obstacles

Are you sure that using the cloud for the type of data and the types of services that you envision is legal? Companies are the custodians of the personal and other data entrusted to them. These data are frequently protected by laws, regulations or contracts that prohibit, restrict or limit the disclosure or transfer of the data to a third party. For example, health information protected under HIPAA cannot be transferred to a third party or “business associate” without imposing specific obligations on that business associate. Some U.S. state laws require that Social Security numbers, drivers’ license numbers, financial information, and other similar information be encrypted before being transferred to a third party. Other laws require entering into a written agreement with the service provider, with specific terms.

If your data originate in one of the 40-plus countries that have adopted comprehensive data protection laws, it is likely that the data may not be taken out of their country of origin and transferred abroad unless specific contracts are signed or other specified arrangements are made, because the recipient country will probably not provide adequate protection for the privacy rights of the individuals to whom the data pertain.

Perhaps your company has signed a confidentiality agreement or a data-transfer agreement with a third party from which it received sensitive data, such as personal information or trade secrets. In this case, this agreement probably prohibits you from transferring the data to a third party without the prior permission of the data owner. Thus, moving the data to a cloud without the prior permission of the data owner would breach this agreement.

Remember: Before exploring the cloud services offering, determine whether your business model and the contracts that bind your company allow for the use of these services, and under which conditions.

Due diligence questions

Once you are confident that a particular application or database may be moved to the cloud without breaching any laws or existing contracts, you must investigate the vendor. Just because a service is attractive or works well for the company next door does not mean that it is right for you.

Organizations should conduct thorough due diligence on a proposed cloud service provider in order to determine whether the services offered correspond to their needs. Myriad questions need to be asked and their answers carefully analyzed; for example:

  • What services will be provided?
  • Will the service allow the company to fulfill its computing and access needs?
  • What are the vendor’s technical capabilities?
  • What are its financial capabilities? What is the likelihood that it will remain in business for the next few years?
  • What service levels will be offered? Is there any possibility of downtime?
  • How secure are its operations? What security measures are used?
  • Is the cloud vendor equipped to handle business interruption and disaster?
  • What support will be provided?
  • What will happen if there is a security incident?

Different methods may be used to conduct due diligence. For example, you could speak with existing clients, send questionnaires and review the answers, review audit reports, and survey comments from current customers on listservs and other forums on the Internet.

Remember that this due diligence is necessary to understand and evaluate the entity to which you will entrust important company information. It’s a well-known “best practice” and required by several laws. Skipping this important step would expose the company and its management to potential claims of negligence and breach of duty of care.


This article was first published by TechTarget (registration required) in February 2011.

Server Location: A Significant Factor in Cloud Computing Services

Posted by fgilbert on April 10th, 2011

In a cloud computing environment, data and applications are hosted “in the cloud.” What that cloud is made of, and where its components are located, matters. However, if you ask a cloud service vendor where your data will be stored or processed, the typical answers will likely range from “well… hum … in the cloud” to “we have servers everywhere, data moves around constantly” or “we cannot tell you for security reasons.”

As the custodian of confidential and valuable data — personal or company information — you need to know where data will be located at all times. In the cloud environment, location matters, especially from a legal standpoint.

In the legal world, location is most frequently associated with jurisdiction. The concept of “jurisdiction” is associated with the power of a judge or government entity to assert authority over the persons or things involved in an action, and to make a decision about a specific issue or set of facts. Jurisdiction is not necessarily exclusive. Several countries or courts may have concurrent jurisdiction over a matter. Indeed, litigants frequently argue about who has jurisdiction over their dispute. In the cloud environment, where a piece of equipment is located may have significant consequences on the ability of a court or other government authority to assert jurisdiction over that piece of equipment, and, in the case of a server, over the data contained in that server.

If the cloud that hosts your data has servers in a foreign country, the laws of that foreign country may govern your data when stored in that server. As a result, many important foreign laws may govern your data (in addition to those of the United States). Consider the following cloud computing legal issues that stem from data location.

Cloud computing legal issues: Data protection laws

Assume that Cloud X Service provides hosting, email and collaboration solutions to Acme, a U.S. company with no operations abroad. Assume also that the Cloud X network includes servers located in a data center in the United Kingdom. Thus, Acme as Cloud X’s customer ends up using data or servers that are in the U.K.

The Data Protection Act (1998) governs the protection of personal information that is processed in the U.K. Of course, the Data Protection Act applies to companies that do business in the U.K. However, that is not the extent of its reach. Under Section 5(1)(b) of the act, the law also applies to a data controller that is not established in the U.K. or in any other European Economic Area state (the EEA includes the European Union plus Liechtenstein, Norway and Iceland) but that “uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.”

This means that if a foreign company uses equipment that is located in the U.K. to process personal data, the processing of the data must comply with the U.K. Data Protection Act, even if the company is not established, or does not do business, in the U.K. The same provision can be found in the data protection laws of the 30 EEA member states and other countries.

When a cloud service provider elects to install servers in the EEA or in other countries with a similar data protection law, all data that are processed, stored or maintained on these servers are subject to the data protection laws of the country where the servers are located. These laws have extensive requirements, restrictions and prohibitions on what may or may not be done with personal data. They may require registration with the country’s Data Protection Supervisory Authority; they may prohibit certain transfers of these data; and much more. Failure to comply may have serious consequences.

Cloud computing legal issues: government surveillance

In addition to foreign data protection laws, consider the possibility that a third party or a foreign government might want to have access to a cloud service server that holds your data. In principle, access by a third party, even a government, is restricted, and even the police or secret service may not have access to premises or equipment without appropriate authorization — in the form of a search warrant or court order — before being allowed to search a computer.

However, this is not the case everywhere. For example, if your data is stored on a server that is located in India, the server will be subject to the laws of India. India’s Information Technology Act of 2000 (as amended in 2009) governs many aspects of the protection and use of computers, networks, etc. Section 69 of India’s IT Act allows the Central Government to issue directions for the interception, monitoring and decryption of messages from any computer and other communication device for security reasons, for public order, to prevent the commission of any cognizable offense or to investigate any offense. Section 69B(1) grants the Central Government the power to authorize any agency of the government to monitor and collect traffic data or information generated, transmitted, received or stored on any computer. In both cases, there is no requirement for a court order or other permission, and no limitation to these powers.

What information may be retained and preserved may also be dictated by the Indian government. Section 67C of the Information Technology Act requires companies to preserve and retain such information as may be specified, and for such duration, and in such manner and format as the central government may prescribe. Thus, while the cloud may take advantage of the friendly business environment in a country, it may also subject equipment and data stored in this equipment to the monitoring and surveillance of the government in that country.

Contracting tip

When negotiating your contract for cloud services, decide whether knowing where your data are located is important to you. If it is, then try to limit the geographic area where your data will be stored or processed. The City of Los Angeles was able to obtain some restrictions in its contract with Computer Sciences Corp. and Google Inc. for email and other services. Some of the data will be stored only in the continental U.S. See Appendix J.1, Section 1.7 of the Professional Services Contract between Google and the City of Los Angeles, which provides:

1.7 Data Transfer. Google agrees to store and process Customer’s email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States. Google shall make commercially reasonable efforts to advise Customer when such data storage capability is made available. Notwithstanding the foregoing, Google may store and process Login Data in any country in which Google or its agents maintain facilities.

Cloud service providers want the freedom to move data to different servers for load balancing or to take advantage of the lower cost of utilities or personnel in different geographies. However, by doing so, they may inadvertently expose their customers’ data to the laws of countries other than those where the customer opted to operate.

It may be that, in the future, countries that wish to attract foreign investments and data centers will carve out a niche from their data protection laws. However, currently, the black letter law in many countries may subject cloud users to the data protection requirements and other laws of the country where the servers are located.

This article was published by TechTarget on 24 February 2011.