Legal Update

Apr 30, 2009

Issues Related To Cloud Computing Arrangements

Click for PDF

Log onto any technology blog, attend any technology conference, or open any technology related article and chances are you will find at least one discussion of “cloud computing.” Check any second one, and you will probably find another discussion, but with a different definition of cloud computing.

Despite the confusion over the term “cloud computing,” the consensus seems to be that everyone is doing it. The companies offering cloud computing services are some of the biggest and best known in the information technology industry: Google offers the Google App Engine, Amazon.com sells Elastic Cloud Compute (EC2), Microsoft released Azure and Windows Live Sky Drive, and AOL provides Xdrive, to name a few. If you’ve ever used MySpace, Facebook, LinkedIn, Picasa, Flickr, Hotmail, or Gmail, then you’ve used cloud computing. A recent survey conducted by Pew Internet showed that 69% of all Americans use cloud-based software to store pictures, videos, emails, calendars and other various data online. So what is cloud computing? Does it affect my business? If so, what should I do about it?

What is Cloud Computing?

Cloud computing is a way of providing both hardware and software as a service via the internet. Users access the necessary infrastructure, applications, systems, and hardware via the web using their web browser. Cloud computing combines the concept of software-as-a-service, where a software application is accessed and used in a hosted environment, together with the concept of utility computing, where shared, scalable software and hardware is purchased on a usage basis.

The Pros and Cons

The potential benefits of cloud computing include many of the traditional benefits of a hosted solution. Regardless of location, a user can access a cloud computing solution as long as they can access the internet. Software is updated and maintained by the provider, decreasing the need for in-house support. Unique to cloud computing, however, is the potential that comes with shifting the infrastructure components to a shared, instead of segregated, model. Using this shared model, cloud computing advertises the possibility of capacity-on-demand, where software and hardware resources can be quickly scaled up or down to meet increased or decreased usage. Because users do not own the physical infrastructure, they only pay for the resources they use. Cloud computing also shifts the burden of ownership, administration, and operation of hardware from the user to the third-party cloud provider. Cloud computing claims to be a solution to the processing and storage capacity challenges faced, at one time or another, by nearly every organization and provides users with tremendous flexibility in their information technology infrastructure.

With the benefits, however, come risks. Cloud computing gives rise to a number of practical and legal concerns, including the following:

Outages

Unplanned outages are a reality of any cloud computing solution. The inevitable downtime requires organizations to develop strategies and backup plans for how their business needs will be met during times when their cloud applications, and the data stored and processed by those applications, will be unavailable. A company must consider what sort of redundancies and workarounds are necessary to handle both temporary outages and major breakdowns in its cloud-based environment, and how it will be able to implement those alternatives with assistance from the cloud provider and, if necessary, separate and apart from the cloud provider. Understanding the cloud provider’s disaster recovery and business continuity measures, negotiating strong service level agreements and disaster recovery commitments, and implementing various other stop gap measures, such as off-line software synchronization, will help a company weather outages in its cloud computing solutions.

Jurisdiction

A major concern with cloud computing is the difficulty of determining where data will be stored, and, thus, what courts have jurisdiction and what law governs the use and treatment of such data (i.e., local, state, federal, foreign, etc.). Information sent or received by an organization or individual using a cloud computing service could be physically located in the United States or any other country in the world. How will a cloud computing customer address situations where one country’s reporting or discovery obligations conflict with the data privacy laws of another county? How will a cloud computing customer protect its intellectual property rights against infringement or other wrongful activity when its cloud-based applications are hosted in a country that does not recognize certain intellectual property protection measures? These and other potential conflicts between the various jurisdictions involved in a cloud computing solution should be resolved from the outset of the arrangement.

Security and Privacy

Concerns have been repeatedly raised over the ability of law enforcement bodies to access sensitive corporate and personal information stored in cloud computing solutions. With privacy laws varying substantially from country to country, and even state to state in the United States, the potential lack of control over the physical locations of storage and processing creates serious data protection and privacy concerns. To highlight the risk, in some jurisdictions, law enforcement could obtain access to the information stored without the affected party ever knowing. Companies should take note that the concerns over security and privacy are not limited to law enforcement. A company considering a cloud computing arrangement will need to know what steps the cloud provider takes to ensure that a customer’s data is not inadvertently disclosed to another customer who may be sharing the same resources. Organizations need to extensively vet the security and privacy standards of a cloud provider, including asking the following questions: a) What security commitments are taken and are they sufficient to meet my company’s needs? b) Do the terms of use commit the cloud provider to keeping a user’s data secure, or even private, from other legitimate users of the service? c) Do you have the right to perform audits on the cloud provider’s policies and processes? d) What right does the cloud provider have to change those policies and processes?

Licensing and Contractual Issues

Cloud computing requires agreements that provide for a licensing structure and contract terms that fit the cloud computing model of shared resources and web-based computing. Since pricing in cloud computing is typically based on a pay-as-you-go approach, customers need to ensure adequate means for verifying their fee obligations and controls on fee increases. Service levels are key to ensuring that a customer has the needed level of accessibility to its cloud-based IT environment. A customer should carefully consider how it will transition from one cloud provider to another, or away from a cloud computing environment, and what contractual obligations it would need in place to ensure that such a transition occurs smoothly. In addition, any cloud computing agreement should document a comprehensive understanding of each party’s intellectual property rights in the solution, the information stored, the hosted applications, and all developments that result out of the cloud computing arrangement.

Conclusion

Cloud computing will require organizations and individuals to rethink the way they interact with their information. This service has the potential to transform a company’s information technology architecture and create significant cost savings, when used in an appropriate environment. However, organizations and individuals must clearly understand and acknowledge the risks associated with embracing this trend. Any prospective cloud computing arrangement should be fully reviewed and discussed in detail with your legal counsel. Among the issues that need to be addressed prior to proceeding with a cloud computing engagement are the following: a) How and where will data in a cloud application be stored and processed? b) How sensitive is the data and how critical is it to your business operations? c) How will your data be segregated from other cloud customers’ data? d) What access will other customers have to the hardware and software storing your data? e) How critical is the cloud application to your business operations and how will you fulfill its role in the event of an outage? f) What privacy and security standards do you need the cloud provider to follow? g) Does your cloud provider outsource data storage or processing to third parties? h) What inefficiencies and challenges are present in your current information technology environment? i) What is the usage rate of your current software and hardware as compared to its capacity? j) How will data and information be transitioned if you decide to change cloud providers or move the services in house? k) Do you have policies and procedures in place regarding cloud computing services?

If you are interested in learning more about cloud computing, please contact the Seyfarth Shaw attorney with whom you work or a member of the Corporate & Finance Practice Group on our website.