Needless to say, due in part to our numerous writings on the legal ramifications of Cloud computing, the InfoLawGroup lawyers have been involved in much Cloud computing contract drafting and negotiating, on both the customer and service provider side. As a result, we have seen a lot in terms of negotiating tactics, difficult contract terms and parties taking a hard line on certain provisions. During the course of our work, especially on the customer side, we have seen certain "roadblocks" consistently appear which make it very difficult for organizations to analyze and understand the legal risks associated with Cloud computing, and in some instances can result in a willing customer walking away from a deal. Talking through some of these issues, InfoLawGroup thought it might be a good idea to create a very basic "Bill of Rights" to serve as the foundation of a cloud relationship, and allow for more transparency and enable a better understanding of potential legal risks associated with the cloud.
Under New York law it's settled doctrine that "contractual provisions that 'clearly, directly and absolutely' limit liability for 'any act or omission' are enforceable, 'especially when entered into at arm's length by sophisticated contracting parties.'" And that New York courts "generally enforce contractual waivers or limitations of liability."
Dave and I recently spoke with BNA's Daily Report for Executives about the importance of due diligence and planning for organizations entering into (or considering) enterprise cloud computing arrangements. You can find the article, "'Cloud' Customers Facing Contracts With Huge Liability Risks, Attorneys Say," here.
Dave and I recently spoke with Nymity regarding privacy and data security issues in cloud computing deals. You can read the interview here.
This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at firstname.lastname@example.org
In the end eSignatures provided a tantalizing glimpse of a potential esigning future, but one that remains firmly in the distance at this time. Certainly eSignatures is in fact useful at the moment - for a limited range of actions and signings. But unless its more notable shortcomings are timely and completely addressed this will remain a beta that doesn't reach the other shore.
Institutions of higher learning are often breeding grounds for experimentation and creative approaches to old problems. Thus, it is far from surprising that universities have represented some of the earliest adopters of enterprise cloud computing solutions. Cloud computing is enormously attractive to universities, for a number of reasons, especially when it comes to email. My article, "The Ivory Tower in the Cloud," recently published in Information Security and Privacy News, a publication of the Information Security Committee, ABA Section of Science & Technology Law, briefly explores some of the information security and privacy legal implications for higher education moving into the cloud, and then discusses some recent developments with respect to highly publicized trials of cloud computing services by universities and colleges. You can read the full article here.
It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.
Nearly every day, businesses are entering into arrangements to save the enterprise what appear tobe significant sums on information technology infrastructure by placing corporate data ''in the cloud.'' Win-win, right? Not so fast. If it seems too good to be true, it probably is. Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings. Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse. Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations). My article "Contracting for Cloud Computing Services: Privacy and Data Security Considerations," published this week in BNA's Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services. You can read the full article here, reprinted with the permission of BNA.
I will be speaking on various aspects of cloud computing at two upcoming webinars in May:* Cloud Computing: Emerging E-Discovery Trends, Strafford webinar, May 4, 2010 (1:00 pm Eastern) * Negotiating and Preparing Cloud Contracts, IAPP web conference, May 13, 2010 (1:00 pm Eastern)