As innovators solve business problems, the "Law of Unintended Consequences" inevitably rears its ugly head. Outsourcing data and computer functions, referred to as "cloud computing," provides a company with a solution to the rapid changes in information technology, competitive advantages and cost savings. Maximizing the benefits of these systems, however, can create serious problems for the general counsel's office.
While the CIO and the CFO drool over increased computing power and reduced costs, the GC faces making absolutely sure she knows every possible thing about this new system as it relates to risk for her company. In the area of cloud computing, a major area of concern relates to data transfer and data privacy laws in the context of international litigation.
What Is Cloud Computing?
"Cloud computing" generally incorporates three distinct concepts:
1. infrastructure as a service (IaaS),
2. platform as a service (PaaS), and
3. software as a service (SaaS).
All of these are accessed over the internet. Hotmail, Gmail and other web-based email accounts are all well-known cloud-computing choices. The software and storage do not exist on your computer - instead they reside on the service's computer in the "cloud."
A draft definition for federal use of "cloud computing" has emerged from the National Institute of Standards and Technology (NIST), a non-regulatory arm of the Commerce Department. The current draft definition of "cloud computing" is:
a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Even middle-market organizations have hundreds of thousands, if not millions, of dollars tied up at any given point in computers, software and support. Every type of employee requires different software to be productive. Frequently their use of a product is minimal but critical. Not every computer can have everything installed. It is also an IT nightmare for each employee to have a completely "custom" software base.
Under the "cloud" concept only one application has to be loaded. That application would allow workers to log into a Web-based service in the very same manner they now access the Internet. This service hosts all the programs the user would need to perform his or her job. Remote machines owned by a vendor would run everything from email to word processing to complex data analysis programs. This concept is cloud computing at its heart.
Why Cloud Computing?
The concept provides several advantages that will only grow as technology advancements continue to increase in speed.
At present it is very difficult for businesses to remain on the cutting edge of technology. As a result, they may be operating on systems that when purchased created a distinct tactical advantage, but are now antiquated when compared to systems more recently purchased by competitors.
Operating in a cloud arena allows the company to rely on a service provider representing many companies to identify and nearly immediately upgrade to the most advanced software, hardware and other technology. As a result, IT ceases to be an impediment to high productivity and global competitiveness.
Because a vendor purchases the new software and hardware and spreads those costs across a wide range of clients, IT costs at the company level are reduced. Fewer IT professionals are required. Since fewer servers are maintained on the premises, special computer and data rooms may be eliminated as may be off-site storage costs. Finally, one can move everything or just selected services to the "cloud." Sensitive or data covered by regulation might be retained on site.
Cloud computing allows access from any computer in the world and at any time. The freedom created in an increasingly mobile business world provides tremendous opportunities. As business becomes more agile, real estate needs are reduced and may become a variable cost. More people can work at home or do business in less costly remote locations. With the latest in communication and instantaneous translation technologies at one's finger-tips, travel becomes less relevant. All of these advantages reduce costs over and above the savings on hardware, software, training of users, and the development of intellectual talent required to keep up with innovation.
Line items that are now fixed costs become flexible and variable. If a vendor fails to provide the high-level software or back-office power required, one simply finds a better vendor who can. There is little question that this is the wave of the future and once it gets legs will run like a cheetah.
One of the biggest advantages of cloud computing is its ability to facilitate international business. Companies are already taking advantage of certain "cloud" features to provide freedom to roam the world with full functionality. As technology advances, this will increase exponentially through other parts of a business and permit medium and smaller businesses to compete on the world stage.
Technology exists today that allows a company to hire the best employees no matter where they are. As innovative "cloud" systems are developed, finding employees and helping them become powerful contributors to the company will become a more common part of business.
Most important, however, is the ability to upgrade instantaneously across an international platform to the latest in high-production software. Small- to medium-sized companies will benefit from greater computer processing power, storage capacity and connectivity than they could ever afford on their own. Globalization, already moving at a brisk pace, will be further accelerated. The options are endless.
OK, What's The Catch?
Companies trying to create a robust and flexible system that optimizes the benefits of "cloud" computing will identify companies that promise the most efficient data transfer, highest processing power and the widest array of applicable software. This company may have several server sites all around the world. Generally all of these servers are connected as though they were one giant hard drive, able to search, share and provide data across the entire network no matter where the data may be located.
Cloud computing is most efficient without geographical boundaries. It will seek out locations and means of operation that will minimize government interference and maximize the speed at which data can be managed. Governments will again begin the long and arduous task of trying to keep up.
International Privacy Laws
Every country in the world has laws protecting the privacy of its citizens. These laws frequently prohibit citizen's data from being moved outside of the country, even if it is on a company-owned system.
If a multinational company begins a cloud system, it must make sure that data from French citizens, for example, is properly maintained in France. These laws may diminish the system's potential and could create conflict between the business leaders and their attorneys.
A "cloud" services provider may not have the ability to insure that all data from one country's citizens will remain located within the boundaries of that country. There are ways, however, to structure a cloud system so that data covered by privacy laws should not end up on the cloud in the first place.
If a company has offices, employees or functions outside the U.S., it probably has existing policies in place to make sure that data covered by foreign and domestic privacy and other laws is handled according to the rules of the resident country. These policies must be reviewed and audited periodically to make sure that they are followed with diligence.
Strong compliance programs are increasingly important as data begins to be stored on the servers of third-party vendors somewhere in cyberspace. There can be severe consequences should restricted or protected data find its way onto comparatively unprotected or uncontrollable "cloud" space.
Perhaps the greatest intruder into foreign private data is the U.S. system of litigation, in particular its discovery rules. International privacy laws are a major impediment to the prosecution of U.S. lawsuits and are the bane of U.S. attorneys and judges. If the data on the computer of a non-U.S. citizen is potentially relevant to a dispute, foreign laws often require that permission be obtained from the individual and that all data be collected and processed in-country. Some countries require local judges to review or oversee the process before any information can be transmitted outside the country.
The problem is that data stored on a cloud system does not stay in one place. It is constantly moved as it is used, linked to other data, processed and queried. The company essentially buys space like a commodity, located wherever there is space. That is the efficiency magic of cloud computing, but it is also a nightmare for general counsel.
These impediments are often used by parties in 26(f) conferences to assert inaccessibility or undue burden arguments. If, however, the data resides somewhere on the web, stored on a server outside the protections and impediments of the country and its laws, data once protected from discovery may become accessible. The advantage of "cloud" computing is the rapid access to data from across a vast and expansive organization. That could be the last thing an attorney defending a case may desire.
The U.S. courts will not care that it should not have been taken out of the host country. Once it is out, it is subject to U.S. discovery laws. The host government, on the other hand, will care. In addition to being required to produce potentially damaging information, the company may find itself facing criminal charges for violation of the host country's privacy laws.
Implementing holds will be increasingly difficult as to certain data held out in "cloud" systems. Data landscape maps and consultants, used extensively now by multi-national companies facing frequent litigation, will become even more relevant as some data will be located on company-owned servers in various countries, while other data will be held by one or more private companies in outsourced "cloud" structures. As medium to smaller companies move to "cloud" structures, they must be prepared to address these issues should litigation arise. For those who find themselves in litigation less frequently, this will end up being a major cost if the initial set-up is not done properly.
Where each sort of potentially relevant data is located, how it can be best accessed, and at what costs must be understood by the parties and the judge so that a workable records management and e-discovery plan can be followed. Issues of inaccessibility to exclude data entirely, and undue burden to shift the costs of production, will depend heavily on one's ability to clearly articulate these issues. The 26(f) hearing will require increasing technical expertise on the part of the attorneys and their team.
The very idea of handing over important and potentially sensitive or proprietary data to another company understandably worries the attorneys responsible for the well-being of the company. Corporate executives, however, will demand access to a high-performance systems to drive profits and will turn to the general counsel to make it happen properly.
Business must advance. The tightrope a GC must walk is how to protect a company without significantly interfering with its ability to make money. The advent of cloud computing poses a great many hurdles to accomplishing that task, but GCs have faced innovation before.
Hope Haslam is a Principal with UHY Advisors FLVS, Inc. and is the Director of its Corporate e-Discovery Group. She earned her Juris Doctorate from Mississippi College School of Law and her Bachelor of Arts from Baylor University. Hope has written extensively on civil litigation and eDiscovery issues over the past 17 years and has conducted a number of CLE courses on the topics. A few examples include discussing issues related to international litigation (data transfer and privacy laws), Export Control Laws (ITAR and EAR), litigation readiness planning and analyzing specific sections of the amendments to the Federal Rules of Civil Procedure. She also has participated in several panel discussions on legal technology. In addition, Ms. Haslam has consulted on and managed several very large litigation projects for a number of Fortune 100 corporations across the country over the past eight years. During this time, she has also become well versed in litigation readiness and active litigation planning.