Cloud Computing creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios.
A complete analysis of Cloud Computing-related legal issues requires consideration of functional, jurisdictional, and contractual dimensions.
• The functional dimension involves determining which functions and services in Cloud Computing have legal implications for participants and stakeholders.
• The jurisdictional dimension involves the way in which governments administer laws and regulations impacting Cloud Computing services, the stakeholders, and the data assets involved.
• The contractual dimension involves the contract structures, terms and conditions, and enforcement mechanisms through which stakeholders in Cloud Computing environments can address and manage the legal and security issues.
Cloud Computing in general can be distinguished from traditional outsourcing in three ways: the time of service (on-demand and intermittent), the anonymity of identity of the service provider(s) and anonymity of the location of the server(s) involved. When considering IaaS and PaaS specifically, a great deal of orchestration, configuration, and software development is performed by the customer — so much of the responsibility cannot be transferred to the cloud provider.
Compliance with recent legislative and administrative requirements around the world forces stronger collaboration among lawyers and technology professionals. This is especially true in Cloud Computing, due to the potential for new areas of legal risk created by the distributed nature of the cloud, compared to traditional internal or outsourced infrastructure.
Numerous compliance laws and regulations in the United States and the European Union either impute liability to subcontractors or require business entities to impose liability upon them via contract.
Courts are now realizing that information security management services are critical to making decisions as to whether digital information may be accepted as evidence. While this is an issue for traditional IT infrastructure, it is especially concerning in Cloud Computing due to the lack of established legal history with the cloud.
√ Customers and cloud providers must have a mutual understanding of each other’s roles and responsibilities related to electronic discovery, including such activities as litigation hold, discovery searches, who provides expert testimony, etc.
√ Cloud providers are advised to assure their information security systems are responsive to customer requirements to preserve data as authentic and reliable, including both primary and secondary information such as metadata and log files.
√ Data in the custody of cloud service providers must receive equivalent guardianship as in the hands of their original owner or custodian.
√ Plan for both expected and unexpected termination of the relationship in the contract negotiations, and for an orderly return or secure disposal of assets.
√ Pre-contract due diligence, contract term negotiation, post-contract monitoring, contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client.
√ Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.
√ As the custodian of the personal data of its employees or clients, and of the company’s other intellectual property assets, a company that uses Cloud Computing services should ensure that it retains ownership of its data in its original and authenticable format.
√ Numerous security issues, such as suspected data breaches, must be addressed in specific provisions of the service agreement that clarify the respective commitments of the cloud service provider and the client.
√ The cloud service provider and the client should have a unified process for responding to subpoenas, service of process, and other legal requests.
√ The cloud services agreement must allow the cloud services client or designated third party to monitor the service provider’s performance and test for vulnerabilities in the system.
√ The parties to a cloud services agreement should ensure that the agreement anticipates problems relating to recovery of the client’s data after their contractual relationship terminates.
References: Cloud Security Alliance Guide