By Kathryn L. Ossian
April 15, 2010
Cloud computing, performed on virtual servers over the Internet, is a wave of the future. The term itself is somewhat misleading, as it can refer to a wide array of applications and functions. Two well-known examples of software-as-a-service (SaaS) applications utilizing cloud computing are Salesforce.com and Google Mail. In addition, cloud computing can be used for network storage, application infrastructure and even general computing resources. Given the diversity of cloud activity, the specific function and purpose must be examined in assessing the level of accompanying risk.
The benefits of jumping on the cloud computing bandwagon are readily identifiable. Using a virtual, shared infrastructure reduces the need for hardware and software, resulting in substantial cost savings and efficiency on many levels. The fact that an ever-increasing number of well-known and respected companies are offering cloud computing applications increases the likelihood that, ready or not, your organization will become, or already is, one of many users of the cloud.
Cloud computing also comes with a variety of risks, many of which are attributable to the fact that clouds may have several layers - e.g., the provider of the application may be using another provider for cloud infrastructure and either or both may use subcontractors for various functions. With so many potentially involved behind the cloud, the potential risks include:
• Security and Privacy: The lack of traditional security associated with software and hardware set up at a physical location is a big concern. As cloud computing is used for more and more purposes, including the storage of sensitive data, such as customer and employee personal information, the security and privacy challenges become greater. Complying with applicable data protection laws will require true diligence - first, in identifying the various providers and then in having each contractually bound to comply with such laws.
• Warranties: What warranties, if any, come with cloud computing? Providers will seek to limit any warranties on the services offered while users will expect some level of protection. This dynamic is not unique to the cloud; however, the struggle takes on greater importance given the nature of cloud computing - a greater desire for assurance in a setting that may not justify reliance on any.
• Control and Retrieval: Who is controlling data in the cloud? In addition to the security and privacy concerns, data control and retrieval can often be critical. You will want the ability to potentially switch providers and, thus, move your data from one to another without undue burden. If your organization receives a subpoena or document request, you’ll need to be able to retrieve your information from the cloud or face possible sanction for the inability to do so.
• Jurisdiction: Which court will have jurisdiction to hear and decide a dispute with a cloud provider? The traditional notions of physical presence that often guide courts to determine appropriate jurisdiction and venue can be more complex in the cloud.
Organizations looking to utilize cloud computing should try to minimize their risks by including appropriate protections in agreements with cloud providers. Tailored to the specific applications and functions involved, key contractual terms should include:
• responsibility for subcontractors
• compliance with applicable laws and regulations
• warranties and service levels with specified remedies
• indemnifications
• governing law and jurisdiction
The cloud is an exciting new technology frontier. In light of the forecast for potential risks, braving cloud computing without seeking legal protection is ill-advised.
Kathryn L. Ossian is a principal and leader of Miller Canfield’s Information Technology Team, as well as deputy leader of the Litigation and Dispute Resolution Practice Group. She can be reached at [email protected].