Data Integrity and Evidence in the Cloud
How does cloud computing affect the risks of lost, incomplete, or altered data? Often, the discussion of this question focuses on the security risks in transmitting data over public networks and storing it in dispersed facilities, sometimes in the control of diverse entities. Less often recognized is the fact that cloud computing, if not properly implemented, may jeopardize data integrity simply in the way that transactions are entered and recorded. Questionable data integrity has legal as well as operational consequences, and it should be taken into account in due diligence, contracting, and reference to standards in cloud computing solutions.
Continue Reading...Legal Implications of Cloud Computing -- Part Four (E-Discovery and Digital Evidence)
Back by popular demand, this is Part Four in our ongoing series, Legal Implications of Cloud Computing. This installment will focus on digital evidence and e-discovery, and follows up on Part One (the Basics), Part Two (Privacy), and Part Three (Relationships). After all, what better topic than the cloud to tackle on the day after Thanksgiving, recovering from tryptophan and wine? As with many other areas previously discussed in this series, the cloud does not necessarily change the legal analysis, it just highlights the need to think through and anticipate the many areas of legal concern that could/are likely to arise when using the cloud. As a litigator, when I think about the challenges posed by the cloud, the one that seems most intuitive is e-discovery/digital evidence. It is always difficult to fully appreciate and digest the scope and volume of information that may be called for in litigation or in an investigation. The presence of corporate data in the cloud multiplies those considerations.
Some, but by no means all, of the digital evidence issues that should be considered in negotiating cloud arrangements and contracts (whether you are putting data in the cloud or designing and marketing a cloud offering), are as follows:
- preservation/retention/disposal;
- control/access/collection;
- metadata;
- admissibility; and, cutting across all of the foregoing
- cost.
As I will discuss below, like other forms of electronically stored information (ESI), one of the best ways for addressing data in the cloud in the discovery and evidentiary context is to plan ahead and discuss treatment of cloud data (a) in records retention policies well in advance of litigation; and (b) at the Rule 26 conference once litigation has commenced. And, if you read to the end, I will comment on the paucity of case law referencing the cloud (and describe the few references that have appeared in federal and state case law to date).
Continue Reading...Legal Implications of Cloud Computing -- Part Three (Relationships in the Cloud)
While there is much debate on the IT side as to whether Cloud computing is revolutionary, evolutionary or “more of the same” with a snazzy marketing label, in the legal context, Cloud computing does have a potential significant impact on legal risk. Part three of our ongoing Cloud legal series explores the relationships in the Cloud, and the potential legal implications and impacts suggested by them (if you would like, for context, you can read Part One [the Basics and Framing the Issues] and Part Two [Privacy and the Cloud] of the series.
In the legal world, some take the position that Cloud is no different than “outsourcing”. Unfortunately, making that comparison reveals a misunderstanding of the Cloud and its implications. It is sort of like saying that running is no different than running shoes. Like “running,” outsourcing is a general term describing an activity. In this case the activity involves organizations offloading certain business processes to third parties. Cloud computing (like “running shoes”) is a “new” method for leveraging existing technologies (and technological improvements that have occurred in the past 20 years) that can be used by outsourcers to provide their services more effectively and cheaply (as running shoes represents a technology that can be used to achieve the activity of running more efficiently). In other words, one can outsource utilizing a Cloud architecture provided by a third party, or by using a more traditional dedicated third party hosted technology solution. Both are different technologies or methods for achieving the same activity: outsourcing of business processes.
For lawyers analyzing outsourcing to the Cloud the question is whether the technology, operational aspects and various relationships of a given Cloud transaction create new legal issues or exacerbate known legal problems. To illuminate this question, this post explores the relationships that exist between organizations outsourcing in the Cloud (“Cloud Users”) and those providing services in the Cloud. Coincidentally (or maybe not so much) understanding these relationships is crucial for attorneys that need to address legal compliance risk and draft contracts to protect clients entering into the Cloud.
Continue Reading...Legal Implications of Cloud Computing -- Part Two (Privacy and the Cloud)
Last month we posted some basics on cloud computing designed to provide some context and identify the legal issues. What is the cloud? Why is everyone in the tech community talking about it? Why do we as lawyers even care? Dave provided a few things for our readers to think about -- privacy, security, e-discovery.
Now, let's dig a little deeper.
I am going to start with privacy and cross-border data transfers. Is there privacy in the cloud? What are the privacy laws to keep in mind? What are an organization's compliance obligations? As with so many issues in the privacy space, the answer begins with one key principle -- location, location, location. For those of you who prefer to listen, check out my recent webinar on International Regulatory Issues in the Cloud, or you can download the slides (PPTX). For everyone else, read on after the jump.
Continue Reading...Legal Implications of Cloud Computing -- Part One (the Basics and Framing the Issues)
I had the pleasure of hearing an excellent presentation by Tanya Forsheit on the legal issues arising out of cloud computing during the ABA Information Security Committee's recent meeting (at the end of July) in Chicago. The presentation resulted in a spirited debate between several attorneys in the crowd. The conversation spilled over into happy hour and became even more interesting. The end result: my previous misunderstanding of cloud computing as "just outsourcing" was corrected, and now I have a better appreciation of what "the cloud" is and the legal issues cloud computing raises.
Bottom line: this is not your father's outsourcing relationship, and trying to protect clients with contracts may be very difficult or impossible unless the cloud computing community begins to build standards and processes to create trust. This post is not for my tech/security friends, it is for the attorneys out there, especially the general counsel and transactional attorneys who draft terms for tech contracts (e.g. outsourcing contracts, ASP contracts, software licenses, etc.). So tech friends, please cut me some slack as I completely mangle proper terminology in order to try to explain this in plain English (and of course if I get something wrong, shoot me a comment or email so I can correct -- we attorneys need you on this one).
One final note to the attorneys out there: there is going to be incredible financial pressure on organizations to take advantage of the pricing and efficiency of cloud computing and if attorneys fail to understand the issues ahead of time there is a serious risk of getting "bulldozed" into cloud computing arrangements without time or resources to address some serious legal issues that are implicated.
(P.S. Special thanks to Tanya Forsheit, John Tomaszewski, Karen Worstell and Peter McLaughlin for the insight and debate).
