InfoLawGroup privacy. security. technology. media. advertising. intellectual property.

Legal Implications of Cloud Computing — Part One (the Basics and Framing the Issues)

Posted in Cloud Computing, Cloud Computing Series, Special Series

I had the pleasure of hearing an excellent presentation by Tanya Forsheit on the legal issues arising out of cloud computing during the ABA Information Security Committee’s recent meeting (at the end of July) in Chicago. The presentation resulted in a spirited debate between several attorneys in the crowd. The conversation spilled over into happy hour and became even more interesting. The end result: my previous misunderstanding of cloud computing as "just outsourcing" was corrected, and now I have a better appreciation of what "the cloud" is and the legal issues cloud computing raises.

Bottom line: this is not your father’s outsourcing relationship, and trying to protect clients with contracts may be very difficult or impossible unless the cloud computing community begins to build standards and processes to create trust. This post is not for my tech/security friends; it is for the attorneys out there, especially the general counsel and transactional attorneys who draft terms for tech contracts (e.g., outsourcing contracts, ASP contracts, software licenses, etc.). So tech friends, please cut me some slack as I completely mangle proper terminology in order to try to explain this in plain English (and of course if I get something wrong, shoot me a comment or email so I can correct — we attorneys need you on this one).

One final note to the attorneys out there: there is going to be incredible financial pressure on organizations to take advantage of the pricing and efficiency of cloud computing, and if attorneys fail to understand the issues ahead of time there is a serious risk of getting "bulldozed" into cloud computing arrangements without the time or resources to address some of the serious legal issues that are implicated.

(P.S. Special thanks to Tanya Forsheit, John Tomaszewski, Karen Worstell and Peter McLaughlin for the insight and debate).

What is Cloud Computing?

How about a picture to start off:

The National Institute of Standards and Technology (NIST) has provided a definition of cloud computing that is helpful, but not really in plain English.  Moreover, it does not really help to illuminate the legal aspects of cloud computing. So here is my attempt.

From a user’s perspective, when utilizing cloud computing, rather than data processing and storage occurring on an individual’s laptop or desktop computer (or a company’s internal network), it happens on computing platforms run by third parties (such as Google, Yahoo, Amazon, etc.). Services that may be available through those cloud platforms include data storage (e.g., infrastructure as a service (IaaS)), application development/deployment (platform as a service (PaaS)) and software hosting (e.g., software as a service (SaaS)). So rather than store data on an organization’s own computer network, if purchasing IaaS, the data is stored on servers "in the cloud" and available on demand by the organization. Rather than installing and maintaining data/software on a network or desktop computer, the data/application is hosted on computers in the cloud and available on demand.

This can result in cost savings because companies using cloud services need not purchase their own infrastructure or software, need not hire people to maintain it, and need not regularly upgrade when necessary.  In addition, cloud computing is highly and cheaply scalable.  So rather than maintaining an over-capacity of computing power (e.g. extra servers only used for the holiday e-commerce rush) companies can maintain variable capacity levels to suit their immediate needs using the cloud.  Moreover, utilizing the cloud will allow companies to take advantage of the best and latest technology since they will not have to disassemble and rebuild their entire IT infrastructure in order to upgrade.  For more information on some of the technical aspects of cloud computing, please check out this white paper put out by Sun Microsystems.

That is all nice, and fairly understandable, but what IS the cloud? Right. Some analogies are in order. Think of airlines and how they sell seats. Sometimes seats are still available for a flight as the departure date gets closer and closer. From the airline’s point of view it is better to sell those seats for a lower price than to let the plane take off with empty seats, as long as it can sell the seat for a price that exceeds the cost of taking a passenger. Bring this same rationale to the e-commerce context. Amazon.com has huge server farms that can handle millions of transactions. During the three-month holiday period its servers and processing abilities may be taxed to their limits because of high online sales volumes. Then of course, February rolls around and all those servers that hummed during the holiday season suddenly lie dormant. Yet Amazon still needs to maintain them so it can be ready for the next holiday rush. What to do? Rather than let that processing capacity go unused, why not sell it to third parties? Allow an application service provider to host its application on Amazon’s computers for a price. Allow an organization to store and process data on Amazon’s servers. In fact, since any additional funds received (above maintenance costs) are "gravy," perhaps Amazon could charge a lower price than other companies that provide capacity. This rationale can serve as a building block for companies to get into cloud computing.

The second rationale/building block is economies of scale. Going beyond the Amazon rationale of attempting to sell excess capacity that it had to have anyway, savvy IT companies began to realize that they could sell processing capacity as a business. In fact, computing processing prices have continued to drop more or less as predicted by Gordon Bell’s corollary to Moore’s Law. Beyond that, companies like Google have begun to realize that if they build massive server farms they can bring down their per-unit price for processing power even further. Moreover, with highly evolved technologies they realized they could create additional processing efficiencies and bring down the per-unit price of processing even further. Based on these economies of scale, cloud platforms realized they could provide processing capabilities much more cheaply than companies that did it all "in house."

Terrific, so how is this any different than a typical outsourcing relationship?  Why is this a Cloud? One of the key differences between a traditional outsourcing relationship and cloud computing is where the data resides or is processed.  For example, in the traditional outsourcing situation, a company looking to offload some of its data storage would create a dedicated data center and then sell the storage capacity to its clients.  The data center might be in another country, but for the most part the client knew where its data was going and where it would be stored and processed.

Enter the cloud.  In a cloud environment, geography can lose all meaning.  Cloud platforms may not be able to tell "where" data is at any given point in time.  Data may be dispersed across and stored in multiple data centers all over the world.  In fact, use of a cloud platform can result in multiple copies of data being stored in different locations.  This is true even for a "private cloud" that is essentially run by a single entity.  What this also means is that data in the cloud is often transferred across multiple borders, which (as discussed below) can have significant legal implications.

It gets more complicated when you begin talking about the "public cloud" or "hybrid cloud" and interactions between cloud providers.  In some public cloud setups, the players in the cloud are essentially trading processing and storage capacity.  So if Google has excess capacity at a given point in time, and Amazon or Amazon’s clients need more capacity than Amazon can provide, it can buy some capacity from Google.  Some refer to this as "surge computing." The analogy here is electricity companies and providers.  In warmer climates during peak electricity demand times, the local power company may not be able to generate enough electricity to meet increased demand, and will have to purchase it from other companies that are not at full capacity.  Under the cloud arrangement, data is like electricity, essentially fungible and able to be moved instantaneously to available servers and computation resources.  In fact, cloud computing providers will begin charging for the cloud the same way electricity is charged:  based on units of use (in this case computing cycles).  So in the cloud, while the data may have started out on an Amazon server in the European Union, when handed off to Google it may be processed in the United States, China or some other country where Google has servers (in fact countries like China and India are very keen to get into this business since they think they can provide these services even more cheaply).  Moreover, parts of the data may be copied and sent for processing to other participants in the cloud.  To the Amazon user all of this movement of data and processing across multiple borders involving multiple entities and even multiple copies of data is invisible.  The Amazon user simply gets back the answer it expected when it began the processing transaction.

What are the legal issues?

Transborder Data Flow Triggering Legal Obligations in Multiple Jurisdictions. This sharing and transfer of data within the cloud, the inability for anybody to easily say where the data is or has been, is the key problem that creates legal issues.  An obvious problem is transborder data flow.  For example under the EU Data Protection Directive, unless they take certain steps, organizations are prohibited from transferring personal information to countries that do not provide the same level of protection with respect to personal information of EU residents (the United States is one such country).  A company that does its processing in the cloud may be violating EU law if data goes to servers outside of the EU to prohibited countries.  Unfortunately, contracts may not be too helpful because cloud providers will not be in any position to make any contractual promises to their clients because in many cases they cannot say which countries data will be transferred to or from.  So how can companies seeking the efficiency and cost savings of the cloud utilize it if, by its very nature, it leads to potential legal compliance nightmares?

"Reasonable Security" Under the Law. Then there is the issue of "reasonable security" in the cloud computing context, and potential liability arising out of security breaches in the cloud.  Generally speaking, if a company outsources the handling of personal information to another company, it may have some responsibility to make sure the outsourcer has some level of reasonable security to protect personal and confidential information.  What happens when the cloud is utilized? Service providers using the cloud platform essentially rely on the security of each of the cloud participants receiving personal information.  That could be name brand companies like Google who are likely to have some level of adequate security, but it could also be lesser players trying to engage in business as cheaply as possible and not implementing rigorous controls.  The bottom line again is that the organization seeking to do business in the cloud has no way to even perform due diligence on "the cloud" to ensure that adequate security is in place.  Moreover, cloud companies and service providers that contract directly with such companies are not likely to make any contractual promises around security since they ultimately don’t control it (or even know how good or bad it is within the cloud).  Ultimately, the legal question is, what liability does a company face when there has been a security breach in the cloud that has resulted in the theft or harm of valuable or protected data?

Electronic evidence/e-discovery. Utilizing the cloud can be problematic in the litigation context.  First off, when litigation ensues and a litigation hold is initiated, the organization will have to deal with a third party cloud provider in order to get at the information relevant to the litigation.  It may not be easy for that provider to actually preserve the data that is needed for several reasons.  For example, an organization may be using a third party software provider that itself utilizes a cloud platform.  The data subject to the litigation hold therefore may actually reside in the cloud and may not be readily accessible/preserved by the software provider.  This could complicate gathering electronic evidence and responding to e-Discovery requests.  Moreover, it could lead to spoliation of evidence.  In addition, considering that multiple copies of data may be created, stored, recompiled, dispersed, reassembled and reused, the idea of what constitutes a "record" or a "document" for evidentiary purposes may be difficult to grapple with in the cloud.

What can lawyers do to address these issues?

Ultimately this is the big question.  Can the law wrap its head around cloud computing (when frankly, the cloud computing industry itself is having difficulty defining key components of the business)?  The first area to explore is contractual arrangements.  Lawyers have been involved in outsourcing transactions for some time, and have been able to address issues of relative risk between the parties.  However, contracting may be much more difficult in the cloud environment because the players may not be in a position to make certain promises, and additional duties/obligations may destroy the cheap pricing model for cloud computing.  In part two of this series, we dive more deeply into the legal issues around cloud computing and the necessary involvement of lawyers in this context with respect to contractual arrangements.

  • http://www.legalcloud.net Kent Langley

    Hi David, nice work on helping to de-mystify cloud computing and what it means legally. Being a founder of LegalCloud.net these issues are near and dear to my heart. I often use the NIST definitions you reference when discussing our cloud to certain groups. LegalCloud.net follows a Hybrid cloud delivery model that is both Private and Community. Our Community is Law Firms and only law firms. We provide on-premise and off-premise services for our customers that bridge the gap between their own facilities and the cloud facilities we manage. Our delivery model is IaaS. We work hard to embody all of the essential characteristics of Cloud Computing as well. But, going into all that would make this become a very long response! You’ve cued me up for an article I need to write!
    Some of the other issues you touch on in your article that are crucial but not part of the NIST definitions. I can talk about some of those from my context I suppose. They are things like accountability, audit-ability, transparency, geo-location of data, movement of data, security, and more. We address all these in various ways for our clients. I will say that we think that it’s just never okay to say, your data might be over there in that part of the country somewhere. That’s just not acceptable.
    Let me know if you have questions or thoughts. We’re deploying cloud services for Law Firms to use now. We’ve been at it for several months. It’s been an exciting journey thus far! Thanks for the article, I enjoyed it.
    Kent Langley, CTO & Founder, LegalCloud.net

  • Tony

    And once you introduce the notion of PCI compliance, the cloud goes out the window (to use a confusing metaphor), and you’re back to dedicated or co-lo hardware, either of which eats up most of the financial incentive to move to the cloud.
    If there’s an affordable, PCI-compliant host out there, they can certainly step forward to prove me wrong.

  • http://www.infoseccompliance.com David Navetta

    Tony, apparently one might want to avoid the Amazon cloud if worried about PCI compliance: http://www.datacenterknowledge.com/archives/2009/08/19/a-pci-compliant-cloud-not-at-amazon/

    “From a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant,” an Amazon representative told a customer in an exchange that was posted on an AWS web forum.

    I won’t even get into the fact that if it is not “Level 1 compliant” it is not “Level 2 compliant,” or that the Amazon person is confusing VALIDATION levels with compliance obligations. Level 1 and Level 2 only refer to the type of assessment a company must do, not whether they need to be compliant with the full PCI standard.

  • http://www.trusttone.com Rajesh Kanungo

    I have worked a bit on the technical side of Interception/wiretap of communications including CALEA. I wonder if
    (a) How data movement is impacted by CALEA?
    (b) Just like the NSA, other foreign agencies are sucking up the data flowing inside and across the borders. Do we have any idea of what they do with the data? At minimum, they WILL do industrial espionage.
    Does EU/US safe harbour protect us from the rampant abuse of NSA and NSA like activities?
    -R
    TrustTone Communications

  • http://www.FreelanceLawFirm.com Donna Seyle

    I have read your blog with some dismay. Cloud computing has evolved well beyond the use of Google, Yahoo and the like. The evolving SaaS providers, such as VLOtech (VLOtech.com), Clio (goClio.com) and others, have created platforms that are specifically designed to store privileged communications, documents, etc. on highly securitized servers. This information is not hanging out somewhere in cyberspace ready for the taking. They also provide securitized email functions so that your client communications are secured, far and away superior to the use of public email. If these kinds of platforms are used, an attorney has made diligent efforts to keep the attorney/client privilege intact, the risks are minimal at best, and they are most likely less than keeping such data on traditional servers. Best practices would also include designating any document or communication as privileged, which shifts the burden to the unauthorized reader to stop reading immediately. So if you feel comfortable paying bills online, you should have no problem with a virtual law practice, assuming you do your homework. Second, cloud computing has nothing to do with outsourcing. While in the general business world outsourcing may be a term referring to data storage, in the legal world, it has come to refer to law firms who contract with freelance attorneys to perform legal research and writing or other law-related projects that they do not have time or manpower to handle in-house. Many people confuse outsourcing with off-shore referrals. This is no longer accurate. There are growing numbers of experienced, competent freelance attorneys who handle legal projects for other attorneys. Since I am a freelance attorney who does business as a virtual law office, you might stop by my website (FreelanceLawFirm.com) to get an idea of how I’ve put these concepts together. Also, leaders in these arenas include Nicole Black, Stephanie Kimbro, Lisa Solomon and Melody Kramer, among others. Each of them has written extensively on these subjects, and they have been my mentors in creating my practice. As I believe these are important issues to be discussed, I hope we all can work together to create a clear message to the legal community. Thanks.

  • http://www.infoseccompliance.com David Navetta

    Donna, thanks for your post. However, I am not sure what the source of your dismay is? Yes, it is possible to work in a cloud environment that addresses the issues I highlighted. The problem is not every environment will do so. That is the problem, and that is why companies (whether lawyers or otherwise) need to be very careful before entering the Cloud. Moreover, that is why Cloud vendors need to anticipate these issues and design their services and environment to alleviate these concerns. I have no idea what VLOtech and goClio have in place, but I recommend a strong look under the hood (with an IT/Security person in tow, or a lawyer that knows IT/Security) before jumping headfirst into the Cloud. Basic questions to ask: (1) where are the servers that my data will be stored/transmitted on; (2) how are duplicate copies of data wiped; (3) is my company’s data “intermingled” with the data of other organizations; (4) how is my data backed up; (5) if I need to put a litigation hold in place what is the procedure to make sure my data is retained; and (6) how are the servers and my data secured?
    Finally, I am confused by your comment that Cloud computing has nothing to do with outsourcing? Much outsourcing is achieved by using a Cloud computing architecture. It appears that this will only increase going forward. Companies will increasingly utilize a “dedicated server” model less and less if Cloud computing comes through on its promise of low pricing, scalability and computing resources on demand. Any attorney entering into an outsourcing relationship involving the Cloud absolutely needs to be on top of these issues.

  • http://blog.3tera.com/ Bert Armijo

    Thanks for an interesting post. All too often we techies plow ahead without concern for legal issues, so I learned a bit from it.
    One quick point though – you introduce IaaS (Infrastructure as a Service) in the second paragraph after the diagram, but don’t include it in the definition of cloud. Popular IaaS services include Amazon’s EC2, Rackspace’s Cloud Servers, GoGrid and 3tera’s AppLogic.
    IaaS is quite distinct from other cloud services because the subscriber has greater control in how applications are deployed, scaled, backed up etc. These controls do not exist in SaaS or PaaS. For instance, using Google’s AppEngine PaaS system, I can’t control how many copies of my software are run or where they run. Using EC2 I can specify both. Some systems, like AppLogic, also give me control of networking and security. Whether this has legal implications I can’t attest as I’m not an attorney, but clearly there is a significantly different relationship between subscriber and provider.

  • Roberta Gigon

    David,
    Thank you very much for the informative series of articles concerning the legal aspects of Cloud Computing.
    I was wondering if you had a reference for the information on Amazon/Google/et al trading processing and storage capacity. I have studied Cloud Computing extensively and this is the first mention of this practice I have come across. My understanding of a hybrid cloud is some combination of resources internal to an enterprise integrated with resources purchased from a Cloud provider.
    Many thanks,
    Roberta Gigon

  • http://solutions.apez.biz David Jung

    What about the distinction between “information” and “data”? Data is meaningless until interpreted as information. Surely most laws relate to how and where information can be accessed, not data.
    So, while you might be required to protect sensitive customer information and not transfer it across certain borders, that is easily addressed by not storing it in any specific location at all. Simply distribute the data such that it is impossible for it to be interpreted as information in any particular location – hence being only possible to access customer information in one place (which you control – and might not be any of the places the data is stored).
    One obvious technology that can achieve that in practice, is encryption. If you encrypt customer information then store the encrypted data without the decryption keys, that data is no longer customer information since it is simply not possible (assuming appropriate encryption) to interpret it into anything meaningful without the encryption keys that you hold and control.
    While such a solution may force you to run your web-site in the US, where the web-server software can decrypt the data for display to US customers, having the data stored in China doesn’t expose any customer information. In fact, you could even store the encrypted data in a publicly accessible facility without any security at all – since the data is completely meaningless.
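
The arrangement described in the last comment above (encrypt before storing, keep the keys yourself), sketched as an added example that is not part of the original post or of any commenter's text. It uses Node's built-in AES-256-GCM; the function names, the in-memory `Map` standing in for a third-party store, and the sample record are all constructed for illustration.

```javascript
// Added example: client-side encryption before data leaves the owner's systems.
const nodeCrypto = require("node:crypto");

// Constructed sample record (not real customer data).
const SAMPLE_RECORD = '{"customer":"Example Customer","email":"customer@example.com"}';

// The key is generated and held only on systems the data owner controls.
function newDataKey() {
  return nodeCrypto.randomBytes(32); // 256-bit AES key
}

// Encrypt one record. The record id is bound in as associated data so a blob
// cannot be silently swapped onto another record. Layout: iv(12) | tag(16) | ct.
function sealRecord(key, recordId, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  cipher.setAAD(Buffer.from(recordId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Decrypt and authenticate. Throws if the key, record id or blob is wrong.
function openRecord(key, recordId, blob) {
  const decipher = nodeCrypto.createDecipheriv(
    "aes-256-gcm", key, blob.subarray(0, 12), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(recordId, "utf8"));
  decipher.setAuthTag(blob.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString("utf8");
}

// Non-throwing wrapper so callers can branch on failure.
function tryOpen(key, recordId, blob) {
  try {
    return { ok: true, value: openRecord(key, recordId, blob) };
  } catch (err) {
    return { ok: false, value: null };
  }
}

// `store` stands in for the provider: it receives only the opaque blob.
function upload(store, key, recordId, plaintext) {
  store.set(recordId, sealRecord(key, recordId, plaintext));
}

// Everything the storage side can observe: record ids and blob sizes.
function providerView(store) {
  return [...store].map(([id, blob]) => ({ id, bytes: blob.length }));
}

function demo() {
  const store = new Map();
  const key = newDataKey();
  upload(store, key, "cust-001", SAMPLE_RECORD);
  const blob = store.get("cust-001");
  return {
    roundTrip: tryOpen(key, "cust-001", blob).value === SAMPLE_RECORD,
    wrongKeyOpens: tryOpen(newDataKey(), "cust-001", blob).ok,
    movedToOtherIdOpens: tryOpen(key, "cust-002", blob).ok,
    providerSees: providerView(store),
  };
}

console.log(demo());
```

The storage side still learns record identifiers, sizes and access times, and a lost key makes every stored record unrecoverable, so key custody and backup sit entirely with the data owner.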