With applications, documents, videos, podcasts and other programs, businesses are running into a common problem – limited space (or memory) to host files locally or internally. Many businesses are increasingly looking to “the cloud” as a solution, allowing scalable and secure data storage accessible anywhere via the Internet or via a private network, with a reduction in costs associated with maintaining and acquiring data storage equipment, infrastructure and software. However, cloud computing also raises several unique legal considerations, including data privacy, security, and e-discovery issues. Understanding the legal and regulatory landscape before entering into a cloud relationship will allow businesses to take advantage of the benefits offered by cloud computing while avoiding any unexpected pitfalls down the road.
Cloud computing generally refers to the delivery of “on-demand” computing resources from a remote location, and is available in several service models. The most common type is the cloud software as a service model (SaaS). Under this model, a user is given access to a provider’s software and uses that software as a service. Examples of SaaS include, among others, customer relationship management, sales automation, customer service, human resources, e-commerce, procurement, business intelligence, budgeting, compliance or accounting. The second service model is cloud infrastructure as a service (IaaS). With IaaS, a service provider provisions fundamental computer capabilities such as processing or storage, and offers pools of IT infrastructure resources, like servers, storage or other network components on a pay-per-usage basis. The cloud service provider owns the equipment and is responsible for the housing, cooling, operation and maintenance of its systems. The third service model is cloud platform as a service (PaaS). Under this model, the service provider gives the customer access to a full-functioning computing and solution stack on which user-created applications (with provider-supported programming languages and tools) are deployed. Under the PaaS model, customers typically pay only for the services used.
Businesses should also be aware of cloud computing infrastructure models because each model presents varying degrees of data security, risk and investment. Typically, there are four main cloud infrastructure models:
In evaluating the various cloud models, a business should pay special attention to the type of data that it will store on the cloud and its duties related to that data. For example, businesses are responsible for customer data under Section 5 of the FTC Act, which prohibits unfair or deceptive business practices,[1] and may face liability for failing to take reasonable steps to protect consumer information stored on the cloud. Similarly, the Health Insurance Portability and Accountability Act (“HIPAA”)[2] requires “appropriate” safeguards for health information, and, for financial institutions, the Gramm-Leach-Bliley Act (“GLB Act”)[3] requires privacy and opt-out notices where customers’ personal information is shared with unaffiliated entities. Numerous states have also implemented regulations governing a business’s use of consumer information.[4] A business’s choice of cloud model should be guided by the type of data that will be stored on the cloud and the business’s legal obligations relating to that data.
Regardless of the type of delivery or infrastructure model a company chooses, cloud computing arrangements are governed by an agreement between the business and the service provider. A business should ensure that its cloud arrangements accommodate its risk considerations, such as performance metrics, data security, force majeure events, business continuity, intellectual property use, ownership and privacy. The following are considerations that a business should evaluate in a cloud service provider agreement:
A final consideration is whether your business’s data is subject to a third-party civil or government subpoena issued to your cloud service provider. Under the Stored Communications Act,[8] cloud service providers may be required to disclose data pursuant to a warrant or subpoena without notice to your business. And, under federal discovery rules, a cloud service provider is considered a third party to any litigation in which it is not named. As such, under Fed. R. Civ. P. 45, an adverse party may subpoena data held by your cloud provider. Furthermore, cloud service agreements often allow a provider to respond to subpoenas, discovery requests or other lawful service of process by turning over data it hosts for a business.
When turning to a cloud computing solution, evaluate your business’s needs, data requirements and risk assessments at the beginning of the process. Doing so will allow your business to take advantage of the full benefits offered by cloud computing and will ensure your business’s seamless legal and regulatory compliance.
[1] 15 U.S.C. § 45.
[2] 42 U.S.C. § 1306.
[3] 15 U.S.C. §§ 6801-6809.
[4] For example, the California “Shine the Light” law, Cal. Civ. Code §§ 1798.83-1798.84.
[5] See Damon C. Andrews & John M. Newman, “Personal Jurisdiction and Choice of Law in the Cloud,” 73 Md. L. Rev. 313, 346-47 (2013) (“A handful of states have at some point formally adopted a form of the 'lex fori' approach to choice of law. Under this approach, courts generally apply what amounts to a presumption in favor of applying the law of the forum”).
[6] See N.C. Gen. Stat. § 22B-3 (1995) (providing that any provision in a contract entered into in North Carolina that requires the prosecution or arbitration of any dispute that arises from the contract to be heard in another state is against public policy, void and unenforceable.); see also S.C. Code Ann. § 15-7-120 (1990) (providing that any contract with a forum selection clause can be enforced in South Carolina, in addition to the forum state specified within the clause).
[7] See Data Protection Directive 95/46/EC, Chapter IV, Transfer of Personal Data to Third Countries, Article 25(1); see also Framework Decision 2008/977/JHA; see also U.S.-E.U. Safe Harbor Privacy Principles, July 21, 2000, available at http://export.gov/safeharbor/eu/eg_main_018475.asp; see also EEA Joint Committee Decision No. 108/2000, November 2000, available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:045:0047:0048:EN:PDF.
[8] 18 U.S.C. §§ 2701-2712.
Michael Dover is a senior associate in the firm’s Chicago office. His practice focuses on communications litigation and regulatory proceedings. Prior to joining Kelley Drye, Mr. Dover worked as a regional network engineer, network planner and build-out project manager for T-Mobile USA (and predecessor entities VoiceStream and Omnipoint). Robyn Mohr is an associate in the firm’s Washington, D.C. office. Her practice focuses on Internet, telecommunications, new media, and privacy matters. They can be reached at mdover@kelleydrye.com and rmohr@kelleydrye.com.