The Legal Issues Are Somewhat Cloudy in the Cloud: A Primer for Lawyers on Cloud Computing

By Roy E. Hadley, Jr. and John L. Watkins [1. Roy E. Hadley, Jr. and John L. Watkins are both Partners in the Atlanta office of Barnes & Thornburg, LLP and co-lead the Firm’s Cloud Computing and Cyber-Security Team. Hadley practices in the Business Department and advises clients regarding data security, data breach and privacy issues. Watkins practices in the Litigation Department, and handles cases involving trade secrets and confidential information, as well as insurance coverage. Watkins also advises business clients on contracts and terms and conditions.]

"Cloud computing" has become a very hot topic. For the uninitiated, "cloud computing" generally refers to providing access to computer software through an Internet browser, with the software and data stored at a remote location at a "data center" or "server farm," instead of on the computer's hard drive or on a server located on the user's premises. This is also sometimes referred to as "software as a service."

Proponents of this approach claim many benefits, including lower costs, less need for on-site support and "scalability." "Scalability" means that the number of licenses and available resources can easily be adjusted as the need increases. Access can typically be provided to any computer with a browser and an Internet connection, but can be controlled through password protection and other measures. Proponents also argue that the cloud makes it easier to manage and push down software upgrades. Software as a service is usually provided on a fee for service approach that may result in cost savings compared to the traditional local area network. Think of it as somewhat like renting as opposed to owning.

The Cloud is Here Now

Cloud computing is not a technology of the future, but is here today. Google, for example, uses this approach to provide its suite of business applications intended to compete with Microsoft Office. Google applications are provided free or at very little cost. Salesforce.com is one of the best known providers, providing customer relationship management ("CRM") software to a growing list of companies. IBM, Microsoft and Amazon, among many others, are also entering the playing field.

There appears to be little doubt that cloud computing is here to stay, and that it may indeed represent the future of information technology. There are many advantages and potential advantages to the cloud computing model.  For example, software is managed and upgraded off-site. Hardware costs are lower because all that is needed to access the system is an Internet connection and browser.  Buying and constantly upgrading servers and other hardware is said to be unnecessary.  The need for a large IT staff is diminished. Cloud providers also represent that they provide higher levels of security and uptime than typical networks. In short, it is argued that cloud computing provides the next generation of IT resources through a platform that is cheaper, scalable and more easily managed than local networks.

The Technical Side of the Cloud

That said, from a technical and legal perspective, cloud computing raises a host of issues. For a lawyer advising clients on cloud computing issues, an understanding of these issues is essential to being able to provide meaningful advice and counsel.  Perhaps foremost on most clients’ minds is the question "What happens if they lose my data?" The answers provided by many cloud vendors focus on technical concerns (such as the back-up procedures) and not legal issues.

Technical issues are important, and there are certainly technical safeguards that a client might want to consider, such as maintaining a back-up on site, or a back-up through a separate vendor. These approaches might provide some real practical protection in the event of a catastrophic failure or bankruptcy at the primary provider.  On the other hand, if a client adopts such procedures, the costs may rise. Clients will need to weigh carefully the costs and benefits of whatever solutions they implement.

Other technical issues might focus on what happens when the relationship ends, whether happily or not. Is there another vendor that can provide the software and host the data? Will data have to be converted to a different format? If the customer decides to switch back to a local area network, will the terminals that have been used for cloud computing (which usually can be very basic "low powered" machines) be of any use, or will a completely new network need to be installed?

Clouds Come in Many Different Shapes and Sizes

When clients ask you to help them with a “cloud computing” issue, the first thing you need to understand is what type of “cloud computing” the client is talking about. Generally speaking, there are three basic types of cloud computing structures, each with different issues and considerations.

The first type of structure is cloud software as a service, which is usually referred to as SaaS.  Under this model, the client would use the vendor’s applications running on a cloud infrastructure.  These services are usually interfaced through a “thin client” such as a web browser. The end user has little control over the software’s parameters other than some minor configuration settings.

The second type of structure is cloud platform as a service, or PaaS.  Here, the client has the capability to deploy onto the cloud infrastructure client-created or otherwise acquired applications.  These applications are usually developed using tools or programming languages that are supported by the infrastructure vendor. The client has control over the applications and potentially some configuration control.  Generally, under both SaaS and PaaS models, the client has no control over the network, servers, storage or operating systems.

The third main structure is cloud infrastructure as a service, or IaaS.  Under this scenario, the underlying computing and network infrastructure is provided to the client.  The client usually controls applications, processing, storage, networks and other resources.  The client can often run software and applications of its choosing.

Generally speaking, based upon which structure is being considered by clients, the technical and legal issues will be specific to that structure. However, with that said, a core group of considerations will have to be addressed by you and your client when considering implementation of a cloud computing solution.

Legal Issues Begin to Rain Down from the Cloud

Clients usually look into cloud computing solutions to trim costs and expenses and gain efficiencies.  However, the reality is that these benefits may not materialize or other issues may arise that essentially take away any cost savings or efficiencies. It is important for clients to remember that “things happen” and no matter how carefully worded a contract may be, unforeseen issues may arise.

From a legal standpoint, cloud computing appears to raise a host of essentially contractual issues to be addressed by the parties' contract or licensing arrangements. There are also potential regulatory issues (ranging from privacy to export control issues), e-discovery issues, and certainly other issues that have not been thought of yet due to the still relatively recent, if widespread, adoption of cloud computing initiatives by businesses.

As businesses and their lawyers become more experienced with cloud computing platforms and issues, it is likely that a consensus will emerge about how cloud computing issues will be addressed. Hopefully, purveyors of cloud computing services will be flexible and reasonable in addressing legitimate business concerns. However, given the prevalence of "standard" licensing in the software field (often on a shrink-wrap or click-wrap basis) and efforts to limit liability under any circumstances, there is some cause for pessimism.

There is also the practical reality that the ability to obtain meaningful modification to a provider’s standard terms and conditions depends on what type of cloud services or infrastructure the client desires to implement. If, for example, a small client wishes to switch to Google’s free or low cost suite of office applications, the client is almost surely going to have to accept Google’s standard terms. If, on the other hand, a client is going to spend millions of dollars with a cloud provider, then it should be possible to negotiate the contractual provisions.

It is also important to consider the client’s industry and risk profile. For example, clients in the healthcare and financial services industries are subject to regulatory requirements and risks that must be considered in utilizing any kind of cloud-based architecture. Such issues are beyond the scope of this general article, but will represent one of the great challenges as clients in these industries move to the cloud. Companies with high-risk profiles and that are regularly involved in litigation also need to consider how adopting cloud architecture could affect access to information.

Regardless of whether the model is SaaS, PaaS, or IaaS, the following are some basic issues that you should consider when advising clients with respect to cloud computing arrangements:

  • What contractual obligations will the vendor assume with respect to protecting data? This could include reference to particular steps and procedures, including back-up obligations. The contract or license may specify a standard of care that the provider must meet.
  • What contractual obligations will the vendor assume regarding uptime, if any? Will the vendor provide any type of uptime warranty? Even if such a warranty is subject to a limited remedy, it would provide some incentive for the provider to limit downtime.
  • Most providers seem savvy enough to disclaim any interest in your data and will freely say -- in a sales setting anyway -- that "your data is your data." Well, that's good, but how does a client physically get their data back at the end of the contract period or if the vendor goes bankrupt? Of course, this issue may be affected (and mitigated) by the back-up procedures adopted.
  • What remedy limitations, if any, are in the vendor’s terms and conditions? Are consequential damages excluded? Are total damages capped (such as to a return of fees paid)? Even if contractual obligations are assumed, if remedies are severely limited, the provider may be shielded from liability.
  • Where is the client’s data going to be stored? Is the vendor willing to agree that all of the client’s data will be kept in this location under specified conditions and at agreed security levels? This could be important for regulatory reasons, but also for reasons associated with meeting general customer confidentiality obligations or complying with privacy policies.
  • Is there a forum selection clause in the terms and conditions? Many providers want to insist on litigating on their home turf (which often, it seems, is a state other than where the client is located), but that is rarely a happy instance for the client.
  • How does the client get out of this arrangement if the vendor does not perform and what is the client’s exit strategy? What rights does the client have upon termination? What obligations does the vendor have to assist in transitioning to a new vendor or back to a self-managed platform?

Don’t Forget About Data Security

Additionally, inherent in the adoption of any arrangement where a company’s data is entrusted to someone else is the issue of data security.  Whether it is malware, hacking, insider malfeasance, espionage, viruses and trojans, data breaches, or the ignorance of the many threats, all companies’ data is increasingly at risk and under attack.  While all threats and risks cannot be eliminated, they can be mitigated through proper policies, procedures and legal diligence.

One of the stated benefits of cloud computing by vendors is the ability to eliminate many of the above-mentioned risks because the vendor will be able to respond to issues and attacks in a real-time manner, either through updates or intervention.  From a legal perspective, however, you will need to contractually ascertain what the vendor will actually be providing and whether that will be sufficient given the client’s circumstances and business.

Don’t Forget About Trade Secrets

Many clients protect their most important intellectual property as trade secrets, instead of managing an extensive patent portfolio. Many types of information can potentially qualify for trade secret protection, including customer lists, business plans, technical specifications, financial information, programs and secret formulas. Under Georgia law, to qualify as a trade secret, the information must have actual or potential economic value and must not be generally known or readily ascertainable by others who can obtain economic value from it. In addition, the information must be subject to reasonable efforts to maintain its secrecy.

If a client is considering storing trade secret information in the cloud, it should consider the potential risks of doing so. Although it is difficult to predict how courts will react to trade secret claims based on information stored in cloud-based systems, a key factor will likely be the steps taken to maintain the secrecy of the information. Courts will likely inquire into whether the cloud provider has access to the data and whether it is bound to maintain the secrecy of such data. Other inquiries will focus on who from the client is permitted to have access to the information, password protection, and other security measures, much as in cases involving information stored on local networks.

It is possible that a cloud-based provider may be able to demonstrate a higher level of security than that used in a client’s local area network. Much of the inquiry will focus on the particular architecture used. Nevertheless, because cloud-based technology is relatively new, clients with trade secret information should pay careful attention to documenting the security of the system before moving such important information to a cloud-based application.

Don’t Forget About E-Discovery

In 2006, the Federal Rules of Civil Procedure were amended to provide specific provisions for electronically-stored information (“ESI”).  Although discovery of ESI was permitted before the 2006 Amendments, the Amendments focused attention on e-discovery. Volumes have been written about e-discovery, and comprehensive review of e-discovery issues is beyond the scope of this article.  It is important to note, however, that the adoption of cloud-based technologies may raise new e-discovery issues.

In general, Federal Rule of Civil Procedure 26(b)(2)(B) distinguishes between ESI that is reasonably accessible and ESI that is not.  ESI that is not reasonably accessible does not have to be produced initially, but may be ordered to be produced on a showing of good cause. If a court orders the discovery of ESI that is not reasonably accessible, it may also order the party seeking the information to pay for some or all of the cost of obtaining it.

Courts have reached somewhat differing conclusions regarding the production of ESI. In general, however, courts will order the production of relevant information that is within a party’s possession, custody or control. It is difficult to predict how courts will react to the discovery of ESI that is in the possession of a cloud vendor and arguments about whether some or all of that information is (or is not) reasonably accessible. Of course, each case will largely depend upon the particular circumstances. Companies should not assume, however, that, because they have chosen to use a cloud-based vendor, their information will not be subject to discovery.

Clients, particularly those that face litigation on a routine basis, will want to consider adding provisions to their cloud services contract regarding discovery of ESI. Such provisions should govern access to the data and assistance from the vendor in the event of discovery requests.

Clients who adopt cloud-based technologies but are unable to respond to e-discovery requests, or unable to do so in a timely manner, run the risk of sanctions in litigation. Some courts have imposed substantial sanctions, so the risk is real.

Into the Cloud We Fly

As stated earlier, cloud computing is here to stay – at least until whatever new computing innovations may succeed it.  As more and more clients hear the siren song of cloud computing, namely lower costs and greater efficiencies, you will be increasingly called upon to provide advice and counsel in this multi-dimensional area. If you have clients that are considering going to the cloud, you should attempt to educate them early in the process regarding the potential risks and related mitigation strategies that the client might employ.

From the practitioner’s standpoint, you should stay abreast of the latest developments in cloud computing as many issues have yet to be identified. As matters begin to be litigated and as the case law develops, hopefully, the legal issues should begin to become more clear and settled.  Until then, lawyers need to begin considering these issues, because cloud computing is not likely to be going away anytime soon. Enjoy the flight!