Yesterday the National Institute of Standards and Technology announced "the final release of Special Publication 800-145, The NIST Definition of Cloud Computing." NIST's definition of Cloud Computing has been very influential in setting tent pegs in the ground to cabin the scope and discussion of the often nebulous definition of cloud computing.
In the next in our series of free webinars on cloud computing, Information Law Group Attorney Richard Santalesa examines implications arising from NIST's "Guidelines on Security and Privacy in Public Cloud Computing," with a focus on the legal considerations any team tasked with implementation of security best practices will need to grapple with.To register for this free one hour webinar on May 24 at 12pm ET, visit - http://bit.ly/kyRdku
A draft release of a 90-page Proposed Security Assessment and Authorization for U.S. Government Cloud Computing was distributed by the White House CIO Council yesterday, curiously numbered a 0.96 release.
Needless to say, due in part to our numerous writings on the legal ramifications of Cloud computing, the InfoLawGroup lawyers have been involved in much Cloud computing contract drafting and negotiating, on both the customer and service provider side. As a result, we have seen a lot in terms of negotiating tactics, difficult contract terms and parties taking a hard line on certain provisions. During the course of our work, especially on the customer side, we have seen certain "roadblocks" consistently appear which make it very difficult for organizations to analyze and understand the legal risks associated with Cloud computing, and in some instances can result in a willing customer walking away from a deal. Talking through some of these issues, InfoLawGroup thought it might be a good idea to create a very basic "Bill of Rights" to serve as the foundation of a cloud relationship, and allow for more transparency and enable a better understanding of potential legal risks associated with the cloud.
Under New York law it's settled doctrine that "contractual provisions that 'clearly, directly and absolutely' limit liability for 'any act or omission' are enforceable, 'especially when entered into at arm's length by sophisticated contracting parties.'" And that New York courts "generally enforce contractual waivers or limitations of liability."
Dave and I recently spoke with BNA's Daily Report for Executives about the importance of due diligence and planning for organizations entering into (or considering) enterprise cloud computing arrangements. You can find the article, "'Cloud' Customers Facing Contracts With Huge Liability Risks, Attorneys Say," here.
Dave and I recently spoke with Nymity regarding privacy and data security issues in cloud computing deals. You can read the interview here.
This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at dnavetta@infolawgroup.com
In the end eSignatures provided a tantalizing glimpse of a potential esigning future, but one that remains firmly in the distance at this time. Certainly eSignatures is in fact useful at the moment - for a limited range of actions and signings. But unless its more notable shortcomings are timely and completely addressed this will remain a beta that doesn't reach the other shore.
Institutions of higher learning are often breeding grounds for experimentation and creative approaches to old problems. Thus, it is far from surprising that universities have represented some of the earliest adopters of enterprise cloud computing solutions. Cloud computing is enormously attractive to universities, for a number of reasons, especially when it comes to email. My article, "The Ivory Tower in the Cloud," recently published in Information Security and Privacy News, a publication of the Information Security Committee, ABA Section of Science & Technology Law, briefly explores some of the information security and privacy legal implications for higher education moving into the cloud, and then discusses some recent developments with respect to highly publicized trials of cloud computing services by universities and colleges. You can read the full article here.