This Article discusses the cloud computing phenomenon and its potential benefits, and provides practical tips to avoid and minimize key legal risks associated with its use.
Cloud computing represents a new delivery model for information technology (IT) services, allowing users to access and store information, and utilize software functionality, on remote servers owned or operated by third parties, typically over the internet or private networks. These remote servers may be hosted in data centers worldwide, allowing cloud service providers to distribute computing power, storage capacity and data across their data centers dynamically to provide fast delivery and on-demand bandwidth. Because cloud computing affords users a "pay as you go" model, it represents a paradigm shift, enabling companies that use the model to meet their IT needs with smaller capital expenditures and IT departments. Indeed, the Gartner Group has predicted that cloud computing will help 20% of businesses eliminate their hardware infrastructure by 2012 (see Gartner's January 13, 2010 press release, Gartner Highlights Key Predictions for IT Organizations and Users in 2010 and Beyond).
This Article explains the concept of cloud computing and its potential benefits, examines the key legal issues arising from this technology solution and provides practical tips to navigate these risks.
The term "cloud computing" has been used loosely in recent years to describe a variety of remote access computing services, many of which have been available for some time. However, a true cloud computing environment includes the following features and functionality:
Access to computing and data storage services (both hardware and software).
On-demand delivery over a network that is independent of a user's device and location.
Shared resources that are dynamically scalable, virtualized, and released with minimal service provider intervention.
Users who pay for the service as an operating expense without incurring any significant initial capital expenditure.
A metering system that segments the computing and storage resources in appropriate blocks.
For more information, see Subhajyoti Bandyopadhyay, Sean R. Marston, Zhi Li, and Anand Ghalsasi, Cloud Computing: The Business Perspective (Nov. 23, 2009).
Almost any IT resource can be delivered as a cloud service, including software applications, proprietary databases, data storage and retrieval resources, and network configuration and programming tools.
The delivery models by which users can access cloud computing vary in complexity. Some of the available architectural layers include:
Infrastructure as a Service (IaaS). An IaaS offering is the most basic delivery model. IaaS providers can deliver IT infrastructure assets such as additional computing power and storage space on demand through the cloud.
Platform as a Service (PaaS). In PaaS offerings, the cloud provides a computing platform (with such capabilities as database management, security, workflow management and application serving) on which the user can develop and execute its own applications.
Software as a Service (SaaS). The most complex offering, SaaS provides user-facing software applications, thereby eliminating the need for users to install, run and maintain the applications on their own systems. SaaS service providers can offer complete application suites or selected services designed to complement users' already existing infrastructure.
Cloud computing is offered through a variety of service delivery options:
Public clouds. These are resources provided on a shared, self-service, "pay as you go" basis. Public clouds can deliver the best economies of scale, but their shared infrastructure model can limit customization, and may not offer sufficient security for users storing highly sensitive data (see James Staten, Which Cloud Computing Platform Is Right For You?, Forrester Research (Apr. 13, 2009), available on the Forrester website).
Private clouds. In contrast to public clouds, private clouds offer a dedicated hardware environment for the user. This model offers more modest economies of scale, but still provides many of the scaled resource capabilities and responsiveness of public clouds.
Hybrid clouds. A combination of public and private clouds, hybrid clouds allow users to protect their most highly sensitive information on a private cloud, and to reap greater cost savings for less critical data on a public cloud.
Managed clouds. These clouds are managed by a third-party provider, as a private cloud is, but the underlying infrastructure is owned by the customer. In this sense, managed clouds are similar to a hosted IT arrangement.
In the traditional model, companies are required to purchase third-party services or lease server capacity in defined blocks. Companies therefore need to predict their requirements with some specificity since, if a company overestimates, any unused service or capacity is lost. If a company underestimates, it may not have the resources it requires or may be forced to purchase additional resources at a higher "emergency" price. In the cloud computing model, where customers pay only for the capacity they use, even large organizations can respond quickly and cost-effectively to fluctuations in demand. The benefits of scalability cannot be overstated, both from a computing capacity and a physical space perspective. Server and storage utilization rates in enterprise data centers typically average less than 50% (see Sun Microsystems, Take Your Business to a Higher Level (2009)). In terms of physical space, "server sprawl" is a growing problem.
Traditional corporate IT systems usually require significant capital expenditures for:
Hardware and equipment that require regular replacement.
Software that needs frequent updating.
Additional infrastructure, such as space and power.
By paying for a platform, capacity, and applications through a cloud computing service, customers can convert capital expenditures to operating expenses. This can have important tax and accounting ramifications for many companies.
Cloud computing allows customers to launch new services quickly and without having to worry that the service will lead to a spike in demand that it cannot handle. In addition, if the new service is not successful, the customer can discontinue it without being concerned that it invested heavily in infrastructure to accommodate the trial. Reliance on a cloud thereby allows an organization to approach business development with increased entrepreneurial freedom.
Although cloud computing offers many potential benefits, companies considering this model must understand the potential legal issues that can arise from its use. In certain circumstances, such as in the private cloud model, a company may be able to negotiate contract terms that help reduce a particular risk. However, in the case of services involving sensitive data or critical business applications, a company may determine that the potential risks in using cloud computing outweigh any possible benefits. The key legal issues to consider, and manage, when evaluating cloud computing services are:
Entering non-negotiable contracts.
Negotiating business continuity and force majeure clauses.
Managing the challenge of interoperability.
Setting service levels.
Developing transition services.
Tracking and auditing data in the cloud.
Maintaining privacy and data security.
Navigating jurisdictional concerns.
Understanding limitations on vendor liability.
Many cloud services, particularly those used by small- and medium-sized companies, are available only through non-negotiable clickwrap contracts, where the customer can simply click an "I agree" button to accept the terms and receive the services. In these situations, the customer has no opportunity to negotiate the terms or to conduct meaningful diligence on the vendor. Since these agreements tend to limit significantly the vendor's liability and contain other vendor-friendly provisions, customers must review the terms of the clickwrap agreement carefully and conduct whatever diligence is feasible (for example, inquiring about the experience of other customers who have used the service) before selecting a vendor.
In the discussion that follows, suggestions about negotiating the cloud services agreement assume that the customer is not faced with a clickwrap agreement. However, even in cases where the services agreement is negotiable, the customer may find that certain substantive changes lead to higher service fees because the cloud vendor's business model is dependent on limiting customization of the contract terms.
Cloud customers are often surprised to learn that many vendors rely on sub-contracts to expand the breadth of their own clouds. For example, a vendor providing data storage services may rely on the servers of other cloud vendors where it is efficient and cost-effective to do so. Similarly, a SaaS offering may be hosted on a platform that is sourced from a third party. Vendors give themselves the flexibility to do this by including broad sub-contracting rights in the services contract and by stating that they "own or license" the services they are providing. Because third-party sub-contractors may not provide the same quality of service or the same security as the contracting party, a customer could face significant operational and legal issues.
In addition, in the event of a dispute, the customer runs the risk that the vendor will seek to transfer liability to the third party — an entity with whom the customer has no privity of contract. Alternatively, the vendor may seek to avoid liability altogether for the conduct of the third party. Customers therefore should review carefully any sub-contracting provisions in the services agreement and either delete them or make sure that the vendor is liable for the acts and omissions of any sub-contracting party. The customer should also confirm through due diligence that the hardware, software and other resources used to provide the services are owned, in fact, by the vendor.
Given that cloud computing uses the internet or a private network as the means of service delivery, customers face exposure to service outages and data loss. A failure of the network or loss of connectivity can become an operational nightmare if customers are relying on the cloud to access critical applications and data. This threat is especially pronounced given growing concerns over cyber-terrorism.
Some customers minimize the risk of service interruptions by engaging multiple cloud providers, thereby avoiding a single point of failure. However, these customers may find a lack of interoperability between cloud providers (see The Challenge of Interoperability). The multiple vendor solution may also be impractical in some instances. For example, if any of the multiple vendors is not capable of providing the requisite level of contractual protections and security measures, the customer may have to forgo using multiple vendors to ensure its data and applications are adequately safeguarded. Further, engaging multiple providers to provide the same service may render contract maintenance and administration unwieldy.
Another way customers can address this concern is through careful due diligence of the service provider's infrastructure, particularly its disaster recovery or business continuity procedures (BCP). The service provider's written BCP, or a detailed outline of it, should be attached to any cloud computing services agreement.
Ideally, to further minimize business continuity risk, the customer should require a contractual right to review and approve any changes to the BCP. However, the reality is that in many cloud computing arrangements, each customer utilizes the vendor's existing system and will not be able to obtain approval rights over the BCP. As an alternative, the customer may require prior notice if the BCP changes, with the opportunity to terminate the services agreement if the revised BCP does not meet the requirements of the customer's own business continuity policy. Or, the customer can include minimum requirements for the BCP that the vendor must meet throughout the term (and require prior notice if the vendor plans to make any changes that fail to meet these criteria). This provides the vendor with significant flexibility to modify its BCP without notifying the customer, but provides the customer comfort that its disaster recovery needs will not be neglected. Where the vendor will have access to sensitive data or provides critical applications, the cloud customer should seek the right to audit the vendor's BCP operations or require that the vendor conduct its own internal BCP audit or "recovery drills" and report the results to the customer.
Cloud customers must also be careful with how the force majeure clause of the services agreement is drafted. While these clauses typically excuse performance for natural disasters, in many cases they also excuse performance for any event beyond the vendor's control. For example, the Google Apps Premier Online Agreement provides that Google will not be responsible for inadequate performance to the extent caused by a condition beyond Google's reasonable control. Customers should consider whether such a clause provides the vendor with too much leeway to avoid liability in the event the services cannot be delivered. Customers should also closely review any specific events identified by the vendor in the force majeure clause as being excused. In some cases, the language may be drafted so broadly as to excuse events that are (or should be) within the vendor's reasonable control or for which the vendor should bear the risk. In addition, customers should make sure that performance is excused only when the vendor has tried to implement an approved BCP, but was unable to do so because of the disaster.
As companies increasingly rely on cloud computing, they will likely find themselves using multiple vendors for different services and resources. In addition, as noted above, some customers will want to use multiple vendors to minimize the risk of single-vendor failure. However, uniform cloud computing standards do not yet exist.
In response to growing concerns over interoperability, standard-setting organizations such as the International Organization for Standardization (ISO) and the Distributed Management Task Force (DMTF), as well as certain vendors, have been proactively promoting cloud computing standards. For example, DMTF's Open Cloud Standards Incubator focuses on standardizing interactions between cloud environments by "developing cloud resource management protocols, packaging formats and security mechanisms to facilitate interoperability" (see DMTF's April 27, 2009 press release, DMTF to Develop Standards for Managing a Cloud Computing Environment). In January 2010, Brad Smith, the General Counsel of Microsoft, urged Congress to consider a "Cloud Computing Advancement Act" that would enhance privacy and security protections in cloud computing and create certain industry standards.
As with an outsourcing agreement, a cloud customer and vendor will need to agree on performance service levels that the vendor must achieve, often as part of a service level agreement (SLA) attached as an exhibit to the services contract. However, in contrast to outsourcing agreements, cloud customers will typically find that there is little room to negotiate these SLAs. Vendors will likely establish service levels applicable to all of their customers, and will be reluctant to negotiate customized levels for specific customers. Even so, customers that are procuring a material volume of services may extract additional flexibility from the vendor. In addition, customers that are using the vendor to manage the customer's own private cloud should be able to negotiate customized SLAs, because the vendor does not have to guarantee different service levels to different "tenants" of the same cloud.
As with outsourcing agreements, SLAs for cloud computing generally feature service level credits that are paid to the customer (typically through a credit on the next invoice) if a service level is not achieved. However, customers should also require that a root cause analysis be performed after any service level failure to determine its cause and prevent future failures. In cases of severe performance failures, customers often negotiate a right to terminate the contract.
In addition, customers should be circumspect about vendors who demand to receive service level incentives if service levels are exceeded. While vendors may present these incentives as equitable offsets to the service credits that a customer may earn for performance failures, in practice, a customer might not benefit from performance that exceeds a service level. For example, if an uptime service level is set at 99%, the customer may not receive any meaningful benefit if the vendor exceeds that level. Paying an incentive in such cases would simply be a waste of the customer's money.
Customers should ensure that the service level definition matches the customer's expectations. For example, under the current Google Apps Service Level Agreement, an interruption in service does not qualify as downtime until there is a five percent user error rate for a domain. Similarly, intermittent downtime (that is, for periods of less than ten minutes) is not counted towards downtime periods.
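As an added illustration that is not part of the original article, the following Python computes one month's downtime two ways: as the customer experiences it, and as the page describes the Google Apps SLA counting it (interruptions shorter than ten minutes are ignored, and an interruption counts only once the domain's user error rate reaches five percent). The 30-day period, the 99.9% target and the incident figures are constructed assumptions, not figures from any real agreement.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumed measurement period: a 30-day month expressed in minutes.
MONTH_MINUTES = 30 * 24 * 60


@dataclass(frozen=True)
class Incident:
    """One service interruption as the customer's own monitoring recorded it."""
    start_min: int        # minutes since the start of the month
    duration_min: int     # how long the interruption lasted
    error_rate: float     # fraction of the domain's user requests that failed


def raw_downtime(incidents: Iterable[Incident]) -> int:
    """Every minute the customer could not use the service, no exclusions."""
    return sum(i.duration_min for i in incidents)


def sla_downtime(incidents: Iterable[Incident],
                 min_duration_min: int = 10,
                 min_error_rate: float = 0.05) -> int:
    """Downtime as counted under an SLA with the two exclusions the article
    describes: intermittent interruptions (shorter than min_duration_min)
    are not counted, and an interruption only qualifies once the domain's
    user error rate reaches min_error_rate."""
    return sum(
        i.duration_min
        for i in incidents
        if i.duration_min >= min_duration_min and i.error_rate >= min_error_rate
    )


def uptime_pct(downtime_min: int, period_min: int = MONTH_MINUTES) -> float:
    """Uptime percentage for the period given the counted downtime."""
    return 100.0 * (period_min - downtime_min) / period_min


def meets_target(downtime_min: int, target_pct: float,
                 period_min: int = MONTH_MINUTES) -> bool:
    """True if the counted downtime still satisfies the uptime target."""
    return uptime_pct(downtime_min, period_min) >= target_pct


# Constructed sample month (assumption): three short total outages, one long
# degradation affecting only 3% of users, and one long outage hitting 50%.
SAMPLE_MONTH: List[Incident] = [
    Incident(start_min=600, duration_min=8, error_rate=1.00),
    Incident(start_min=5000, duration_min=8, error_rate=1.00),
    Incident(start_min=9000, duration_min=8, error_rate=1.00),
    Incident(start_min=20000, duration_min=45, error_rate=0.03),
    Incident(start_min=30000, duration_min=30, error_rate=0.50),
]

if __name__ == "__main__":
    target = 99.9  # assumed contractual uptime target
    raw = raw_downtime(SAMPLE_MONTH)
    counted = sla_downtime(SAMPLE_MONTH)
    print(f"customer-measured downtime: {raw} min "
          f"({uptime_pct(raw):.4f}% uptime, target met: {meets_target(raw, target)})")
    print(f"SLA-counted downtime:       {counted} min "
          f"({uptime_pct(counted):.4f}% uptime, target met: {meets_target(counted, target)})")
```

Run against the sample month, the customer sees 99 minutes of downtime and a breached 99.9% target, while the SLA definition counts only 30 minutes and the vendor owes no credit; that gap is what the review of the service level definition is meant to surface.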
Given that cloud customers are relying on third parties to store their data, they also need the ability to "leave the cloud" easily and bring their data back in-house or migrate it to a different vendor. There are a few steps the customer can take to ensure a smooth transition:
Before entering into an agreement with a vendor, customers should develop an exit strategy and then confirm that the vendor can sufficiently locate, isolate and extract data to accommodate that strategy.
The services agreement should include covenants that require the vendor to maintain the data in the agreed-upon manner as well as a specific transition plan for migrating data back to the customer or to the customer's new vendor. This plan might include:
specific steps that the vendor must take;
the format in which the data must be delivered; and
the time period within which the transition must be completed.
Customers should also require the vendor to certify that all customer data has been removed from its systems, and perhaps provide a detailed report as to how the deletion was handled so that the customer can confirm that no residual data was left on the vendor's systems.
One of the key distinguishing features of cloud computing is that any specific piece of data may be constantly "on the move." At any one time, such data can be stored on any of multiple servers that the vendor is accessing around the world, and can be transferred to another server at any time. This can present significant problems for customers that need to establish an audit trail of where data has been stored for regulatory or legal purposes. For example, a number of regulations that contain provisions relating to the storage, protection, or transfer of data require that the relevant data and/or operations be auditable (see Box, US Regulations and Standards).
The ability to show how and where information has been altered and how and where it has been accessed is important in an audit to show compliance and data integrity. Further, if a company is sued, or reasonably anticipates litigation, it may need to institute a "record hold" to systematically retain certain documents, and produce an audit trail establishing that it has complied with that hold. Courts have held that an obligation to preserve evidence arises when a party has notice that evidence is relevant to a pending litigation or should have known that evidence may be relevant to future litigation (for example, see Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003)).
Before signing a services agreement, any customer that will be storing data on the cloud should ensure that the vendor can accommodate such audit trail or record hold requests and implement them promptly and in a manner that will meet the company's litigation obligations as they arise. When conducting diligence of a vendor on this capability, customers should be mindful that, in order to enhance reliability and recoverability, providers often back up data many times, and those duplicate files can be stored on parallel servers anywhere in the world. Cloud customers should place the burden on the vendor to establish that it can address the customer's requirements in this area, and should require that the vendor inform the customer if it receives any subpoena related to the customer's data. More generally, customers should make sure that cloud-stored data is addressed in any corporate policies and procedures relating to document retention or destruction, or litigation record holds.
Perhaps the greatest concerns that customers face when using a cloud computing solution are those relating to security and privacy. In a traditional outsourcing relationship, vendors will typically segregate or partition servers for a specific customer, and a customer may even be able to impose certain physical and logical security requirements. The multi-tenant nature of cloud computing typically precludes this level of customization. Therefore, once data is transferred to the cloud, customers are forced to rely on the physical and information security of the vendor to protect their valuable information.
To the extent that personal information is stored in the cloud, customers must also consider compliance with applicable laws governing the privacy and security of personally identifiable information, including laws requiring companies to maintain reasonable security for personal information, encrypt certain sensitive information such as Social Security numbers and notify individuals in the event their personal information has been compromised. Some of these laws further require companies to contractually require their service providers to maintain certain data security safeguards, including, for example, the Gramm-Leach-Bliley Act, which governs the use of personal information collected and used by financial institutions, as well as a new Massachusetts data security regulation that went into effect on March 1, 2010 and applies to all businesses that collect personal information of Massachusetts residents. As with other legal risks, careful due diligence of the vendor's security procedures and a careful review of the services agreement to check the vendor's contractual commitments are essential. For a discussion of US privacy and data security laws generally, see Practice Note, US Privacy and Data Security Law: Overview (www.practicallaw.com/6-501-4555).
Companies subject to the EU Directive on data protection (Directive 95/46/EC), which governs privacy protection for EU citizens and has been implemented on a national level by each EU member state, may find that by sending data into a cloud they are not providing sufficient protection for such data to comply with the EU Directive. In addition, the EU Directive prohibits transfer of personal data from the EU to any country that does not provide adequate levels of data protection, which includes the US. For example, a customer using a cloud provided by a vendor in France may learn that the vendor is actually distributing the data to servers throughout the world, thereby causing the customer to violate the EU Directive. In order to combat this, some European companies are requiring that vendors maintain all of their servers in the EU and do not sub-contract data storage to other vendors.
Cloud customers should also be sensitive to the fact that vendors often have access to the data of multiple customers; as such, they may be able to cross-tabulate data to determine business trends or strategies. Cloud customers therefore should include specific clauses in their services agreement that prohibit the vendor from monitoring the customer's data usage or using this information for any purpose other than providing services to the customer. In addition, the services agreement should make it clear that the data usage patterns are owned by the customer and are the customer's "confidential information." The customer should ensure that its confidential information in the vendor's possession is subject to appropriately restrictive contractual obligations on use and disclosure.
As noted, data stored on the cloud is, in many cases, constantly being transferred from one server to another. This can create jurisdictional issues since the site where data is located when a cause of action arises may be impossible to determine with any certainty. Customers also need to consider whether they have become subject to the laws of a specific jurisdiction simply because their data has been stored there, even if only on a temporary basis. For example, the US Patriot Act and the UK Regulation of Investigatory Powers Act 2000 may, in certain cases, provide government access to private data. Customers should consider the jurisdictional ambiguity of cloud computing when determining the risks of this technology solution. In some cases, customers may want to consider including provisions in the agreement designating the jurisdictions in which the services may be performed or customer data may be transferred or stored, recognizing that if the vendor is able to restrict data transfer in this way, it may come at an additional cost to the customer.
Many cloud vendors, particularly those using clickwrap agreements, will seek to allocate the majority of risk to the customer, including by:
Limiting their liability by excluding incidental, indirect and consequential damages, and, in some cases, even direct damages.
If not excluding direct damages altogether, limiting their liability for direct damages, often to the amount paid by the customer for the service at issue and/or the amount paid by the customer within a certain time period (for example, the twelve month period before the claim at issue arose).
Asserting that the services are being provided "as is," thereby disclaiming any warranties.
For example, the Amazon Web Services Customer Agreement (AWSCA) provides that the services, technology and functions of the web services are provided "as is" (AWSCA § 11.5). The AWSCA also disclaims all direct, indirect, incidental, special, consequential and exemplary damages, including, for example, damages for lost profits, use and data (AWSCA § 11.8). The difficulty for customers is that these are precisely the type of damages they are likely to suffer as a result of a data breach or a system-wide failure. Customers may try to carve back on these limitations, perhaps by increasing any cap on direct damages and shifting the risk of certain indirect or consequential damages to the vendor. Customers may also want to check their insurance policies to determine whether business interruption insurance will cover vendor failures.
Regulators and legislators are still struggling with understanding cloud computing and its ramifications for specific regulations and laws. Many feel that certain regulations will need to be revisited in an environment where data is dispersed globally and constantly moving. Customers entering into cloud agreements will also find that there is not yet any case law addressing the issues raised above. As a result, until the security, privacy and legal implications of cross-border data transfers and storage on the cloud are better settled, companies seeking the benefits of cloud computing may wish to utilize the more conservative approach of private cloud computing, particularly for highly sensitive or personally identifiable data.
A number of US regulations contain provisions relating to the storage, protection, or transfer of data and require that the relevant data and/or operations be auditable, including:
Sarbanes-Oxley Act of 2002 (SOX), Pub. L. 107-204. This applies to public companies and contains provisions related to e-mail retention, data security and integrity, and oversight, all of which must be considered when outsourcing sensitive data to a cloud model.
Payment Card Industry Data Security Standard (PCI DSS). This is a set of requirements for enhancing payment account data security, containing specific requirements related to security management, policies and procedures.
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191. This Act regulates the use and disclosure of protected health information.
Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541, et seq. This Act requires federal agencies to develop and implement information security programs relevant to the agency's own operations.