Monday, March 14, 2011

Cloud Computing Down to Earth: A Primer for Corporate Counsel

Cloud computing is the most exciting evolution in information technology today.

Defined by the National Institute of Standards and Technology (“NIST”) as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction,” cloud computing represents a fundamental change in the way that corporations conduct business today, a shift that is well underway.

Gartner Group predicts that spending on cloud computing applications worldwide will increase at an annual rate of 20 percent for years to come, thereby growing to a market of over $150 billion by 2013 — a staggering figure.

Corporate counsel must understand cloud computing.

They must master relevant law and protect corporate interests contractually. They must learn the language of the cloud so as to be prepared to advise senior management as to the myriad legal issues related thereto. And they must understand how certain cloud-driven business imperatives may affect their relationships with C-suite colleagues such as the chief information officer and others who support such strategic initiatives.

These topics and others were recently the subject of a highly informative webinar hosted by the International Technology Law Association and moderated by Jon Neiditz, a senior partner at Nelson Mullins Riley & Scarborough and the expert founder of the firm’s Information Management Practice.

This article examines these issues in the following manner. First, it provides a primer that both explains the technology at the core of the cloud and why counsel must understand it in order to inform their work inside the corporation. Second, it outlines the legal issues raised by the cloud.

And third, it prescribes specific guidelines that counsel should — and indeed often must — implement both internally and vis-à-vis third parties such as outside counsel and cloud service providers in order to protect the corporation.

Understanding the Cloud

Cloud computing promises the ability to use Web-based applications on demand at any time, anywhere in the world (“location independent”) and independently of any specific hardware (e.g., your work desktop or laptop). If you have Internet access, you can use the same basic cloud applications such as Google Apps for business, see infra — and thus access your work and data — as easily at corporate headquarters in Palo Alto as in an Internet café in Istanbul. For the corporation, cloud computing has many benefits, including, but not limited to, the following:

  • Decreased costs of computing power and the ability to scale service up or down at almost no marginal cost beyond that of the on-demand services, platforms or infrastructure themselves.
  • Few (if any) upgrade purchases.
  • Drastically reduced capital expenditures for hardware. IDC predicts that cloud computing will reduce the cost of owning IT infrastructure by 54 percent.
  • Decreased maintenance and reduced IT support costs as a result of not having to maintain staff to keep infrastructure and software running locally.
  • Usage-based pricing with no fixed contracts. Beware, however: the absence of a fixed-term commitment does not mean the absence of a contract, and the need for highly structured contracts with cloud service providers is more important than ever, as discussed infra.
  • Arguably improved security provided by mega vendors (e.g., Google, Microsoft) whose reputations are on the line around the clock. The extent of such security measures must be subject to strict scrutiny during counsel’s due diligence of vendors, and also memorialized contractually, see infra; a vendor’s reputation is not a substitute for verified controls.

The Underlying Cloud Model

The cloud model itself comprises three service models: (1) infrastructure-as-a-service (IaaS), (2) platform-as-a-service (PaaS), and (3) software-as-a-service (SaaS). Infrastructure and software are particularly important for corporate counsel to master.

Provisioning infrastructure from a third-party cloud vendor allows a corporation to take advantage of processing, storage, networks and other fundamental computing resources on which it can deploy and run arbitrary software, including operating systems and applications.

As the NIST definition makes clear, “[t]he consumer does not manage or control the underlying cloud infrastructure,” but has control over the operating systems, storage and applications it deploys on it. An example of IaaS is Amazon’s Elastic Compute Cloud (EC2). Corporate counsel must have an intimate understanding of the nature of their company’s cloud infrastructure, and must help define ex ante the corporation’s business and IT strategies in this area.

At the platform level, an example of which is Salesforce (more precisely, its Force.com development platform), the consumer deploys onto the provider’s cloud infrastructure applications that it has built in-house or acquired from a third party, using programming languages and tools supported by the provider; the consumer controls its deployed applications but not the underlying operating systems, servers or storage. At the most granular software and user level, SaaS consists of the provider’s applications, accessible from various client devices (e.g., desktop computers, mobile phones) through a Web browser.

Google Apps (Gmail, Calendar, Docs, etc.) for business is a quintessential example of SaaS. It bears repeating here a portion of NIST’s definition of SaaS: “The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”

Because the corporation controls so little of the underlying stack, individual corporate implementations of cloud computing that are either underway or will occur — and the question in early 2011 already is no longer “if,” but rather only “when” — must be controlled and carefully monitored at every step by corporate counsel, principally through vendor due diligence and contract.

The Corporate Dynamics of Cloud Computing

Before turning to the legal issues raised by cloud computing, corporate counsel must understand why this paradigm already is or will soon become one of the most important issues on their radar.

First, Chief Information Officers (“CIOs”) have emerged as executives increasingly valued for their alignment of corporate strategy and IT, and often use the latter to drive the former. As I have argued elsewhere, CIOs “must embrace and implement IT in order to meet short- and long-term strategic goals,” thereby “effectively position[ing] themselves at the center of any corporate hierarchy.”

Second, cloud computing is now an indispensable arrow in a CIO’s quiver.

The cloud is no longer merely a cost-cutting IT luxury, but rather it has become a business (not just an IT) imperative. According to Silicon Valley-based Appirio, a highly respected cloud solution provider, 82 percent of surveyed cloud adopters report that cloud computing already has helped them achieve a specific business objective, with 83 percent reporting that cloud solutions have helped make their business more agile. This movement toward embracing cloud computing to stimulate innovation and corporate growth is well past its tipping point.

Corporate counsel must understand this confluence of factors in order to judge appropriately the potential conflicts between their ethical responsibilities and legal duties, on the one hand, and strategic initiatives that may have the blessing of the most senior management, on the other. Corporate counsel may find this to be a difficult task not only per se, but also in light of the dual roles that they themselves juggle, which I described (as part of a larger ethical discussion) in a recent article here for CorpCounsel.com.

Specific Legal Issues and Concerns Raised by Cloud Computing

Corporate counsel may already be taking advantage of cloud computing’s benefits in their own legal departments.

These include law department and practice management systems, storage platforms, secure document and information exchange servers, secure e-mail networks, and document management. As the American Bar Association’s Request for Comments on “Issues Concerning Client Confidentiality and Lawyers’ Use of Technology” (Sept. 20, 2010) (“ABA Request for Comments”) makes clear, cloud computing raises “specific issues and possible concerns relating to the potential theft, loss, or disclosure of confidential information.” Id. at 3.

These include:

  • unauthorized access to confidential client information by a vendor’s employees (or sub-contractors) or by outside parties (e.g., hackers) via the Internet, see id.;
  • the storage of information on servers in countries with fewer legal protections for electronically stored information (“ESI”), see id. at 4, which can be especially problematic in regulated industries that have highly defined requirements with respect to the handling of ESI throughout its life cycle;
  • a vendor’s failure to back up data adequately, see id.;
  • the ability to access corporate data using easily accessible software in the event that the corporation terminates its relationship with the cloud computing provider or the provider goes out of business, see id.;
  • the provider’s procedures for responding to (or when appropriate, resisting) government requests for access to information, see id. What if, for example, a government (domestic or foreign) seizes the actual servers (i.e. hardware) on which Corporation A’s confidential and highly regulated data resides in order to take control of Corporation B’s data, which resides on the same shared, multitenant server?;
  • policies for notifying the corporation of security breaches, see id., so that counsel can immediately fulfill her duties with respect to client notification under Model Rule of Professional Conduct 1.4;
  • insufficient data encryption, see id.;
  • unclear policies regarding the corporation’s ability to “control” its own data, which may result in a quandary if served with a request for production of materials under Rule 34 of the Federal Rules of Civil Procedure;
  • policies for data destruction when the corporation no longer wants the relevant data available or transfers it to a different host, see id.;
  • the potential warrantless seizure of corporate electronic mail under the anachronistic Electronic Communications Privacy Act of 1986 (“ECPA”), 18 U.S.C. § 2510 et seq., which includes the Stored Communications Act, 18 U.S.C. §§ 2701-12. The ECPA established a procedural framework for law enforcement authorities to obtain wire and electronic information, including files stored on a computer. Think Miami Vice, not cloud computing. Only three months ago, in United States v. Warshak (6th Cir. Dec. 14, 2010), the Sixth Circuit held that the government violated the Fourth Amendment when it relied on the Stored Communications Act to compel an e-mail provider to turn over a subscriber’s stored e-mails without a warrant, yet declined to suppress those e-mails because agents had relied in good faith on the statute, notwithstanding the court’s lengthy and informed exposition on the relationship between technology and the Fourth Amendment, see id. slip op. at 14-29. The lesson for counsel is that data held by a third-party provider may be obtained from that provider, and the corporation may learn of it only after the fact.

These legal issues are highly complex and demand the attention of corporate counsel.

Cloud Computing and eDiscovery

The legal issues set forth above are hardly the end of corporate counsel’s legal concerns vis-à-vis the cloud.

By its very nature, cloud computing can significantly impact where ESI resides, thus impacting the traditional model of eDiscovery. As mentioned in the above “seizure of servers” hypothetical, most cloud computing hardware is multitenant, which allows many companies to share the same physical hardware while segregating — albeit insufficiently and dangerously at times — access to each company’s information.

Why is this problematic?

Think back to your company before the cloud. ESI was stored locally on your own servers. You had complete control over where the information resided. Retention policies, backup practices, data restoration ability, and data destruction were all within the control of your IT department.

Cloud computing changes this entire landscape.

Suppose, for example, that the Department of Justice’s Antitrust Division, with its sophisticated eDiscovery procedures, issues your company a Second Request. With your corporate ESI in the cloud — i.e. potentially on a server in China — you are now responsible for identifying precisely where your data physically resides.

In which server farm? On which server?

Shared with which other companies? How will you produce the requested data? The answers won’t always be obvious or easy to come by. Counsel must thus insist on contractual terms and conditions that answer these questions before a request arrives, rather than after.

Getting Proactive About Cloud Computing

Cloud computing is here to stay.

Corporate counsel must thus understand how and why it will impact their companies so as to provide sound legal advice that does not ignore the business realities of this paradigm shift when it is embraced at the highest levels of senior management. And counsel must be highly proactive when dealing with potential cloud solution providers so that their business relationships comport not only with their companies’ specific needs, but also with industry regulations that govern their handling of corporate data.

The following advice is intended to provide a starting point for corporate counsel as they move to master the legal side of the cloud.

  • First, be aware of any and all potential changes to the Model Rules of Professional Conduct by both the ABA and your respective state Bar Associations, which can enforce even stricter standards. The ABA has made clear that it is considering amending Rules 1.1 (competency), 1.6 (duty of confidentiality), and 1.15 (safeguarding client property) in order to “emphasize that lawyers have particular ethical duties to protect clients’ electronic information beyond mere practice norms” in the cloud context. ABA Request for Comments at 3.
  • Second, follow closely evolving industry standards in the cloud space separate and apart from, yet certainly as they relate to, the regulation of your own industry.
  • Third, seriously consider mitigating your corporate risk by purchasing cyberinsurance and/or cyberliability insurance. The former provides coverage for some technology-related losses such as the cost of replacing infrastructure after a cyberattack. Cyberliability insurance, on the other hand, would cover a scenario arising out of a cloud vendor’s failure to protect your or your client’s confidential information.
  • Fourth, follow advances in technology. The New York State Bar Association Committee on Professional Ethics Opinion 842 (Sept. 10, 2010) (“New York Bar Opinion”) addresses the use of third-party storage providers and confidential information. It provides strong guidance. Counsel “should stay abreast of technological advances to ensure” that its outside storage systems “remain sufficiently advanced” to protect corporate data. The vendor landscape in the cloud is changing daily. Make sure that you are working with the best.
  • Fifth, race to the top when it comes to implementing a compliance regime that protects your corporation’s legal interests and discharges its legal duties as they pertain to the cloud and its intersection with your industry’s regulations. These policies should have buy-in from the highest levels of management, including the board of directors, and they should be enforced as imperatives throughout the Legal Department, especially in terms of negotiating contractual terms and conditions with cloud solution providers. Ensure also that you constantly discharge your likely-to-change obligations with respect to confidential information under the Model Rules of Professional Conduct. This includes your obligation to notify your clients in the event of an unauthorized release of such information.
  • Sixth, conduct meticulous due diligence on all potential cloud vendors and negotiate strict terms and conditions governing their stewardship of your data. The New York Bar again provides sound advice:

    o Ensure that your online data provider has an enforceable obligation to preserve confidentiality and security, and that it will notify you in the event of any security breach (defined as broadly as possible) or if served with process that in any way relates to your data. See New York Bar Opinion at 4.

    o Investigate the cloud service provider’s security measures, policies, recoverability methods, and other procedures to assess their adequacy. See id.

    o Ensure that said vendor is using the most appropriate technology to guard against “reasonably foreseeable attempts to infiltrate the data that is stored.” Id.

    o Ensure that the cloud provider can “purge and wipe” any copies of the data and move it to a different host if necessary. Id.

These are serious issues that demand serious action. One final concern comes to mind.

In any contractual negotiations with cloud vendors, insist upon security provisions based upon the data security requirements specific to your industry (e.g., credit card or health care information). For example, can your vendor provide verifiable assurances that it is HIPAA compliant or meets the requirements of the Payment Card Industry Data Security Standard (PCI DSS)? Ask for the evidence behind the assurance, not merely the assertion.

If not, then work with someone else, as the stakes are simply too high not to do so.

Conclusion

Cloud computing raises daunting legal issues. Yet corporate counsel have no choice but to master both the law and the technology itself. The cloud has become too important to strategic business initiatives to be ignored.

There may, of course, be times when counsel must strongly advise against the use of the cloud. However, sound practice also dictates mastering the paradigm so as to be able to both protect the corporation’s legal interests and allow it to leverage the most powerful paradigm in IT to contribute to corporate growth.

Ben Kerschberg has a Bachelor of Arts in Foreign Affairs and German, summa cum laude and Phi Beta Kappa, from the University of Virginia and a Juris Doctor from Yale Law School, where he was a Coker Fellow. He clerked for the Honorable Gilbert S. Merritt, Chief Judge of the U.S. Court of Appeals for the Sixth Circuit. Kerschberg is a founder of Consero Group LLC.

Ben Kerschberg – Corporate Counsel

You can follow Ben Kerschberg on Twitter at @benkerschberg

Pulled from/Sourced: Law.com
