The Legal Side of the Cloud: Worrisome?
Cloud computing from a legal standpoint is all about the trust the customer has with the service provider. And that trust is only as good as the contract terms and conditions.
Cloud computing from a legal standpoint is all about the trust the customer has with the service provider. The customer expects that the data stored in the cloud will be safe. The customer wants guarantees that their data will not be mis-used by the provider. The provider must also accept a number of legal qualifications and limitations that protect the customer. Having faith in the provider is not good enough.
I began my career as a U.S. Air Force officer in military intelligence research and development. There I learned about collecting and protecting information. I also was tasked with finding ways to bypass the protections. Further, I learned that by collecting information from several sources, I could construct a data base that provided a broader picture than any single source had. This knowledge has led me to consider what could happen to cloud-based information.
I am not a lawyer, but some of the security and legal issues have already become clear, as I've outlined in some recent blogs:
This article contains many recommendations, but the customer should use internal and/or external lawyers to review and comment on any specific cloud service contract or offer, not just use my recommendations as legal advice.
What Lawyers Tell Lawyers about the Cloud
Lawyers are looking at the cloud for their own operations. The cloud is attractive for new law firms and smaller firms that have limited IT resources and talent. And even larger firms may be approaching the end-of-life for their systems and licenses and open to considering the cloud. Lawyers may be even more concerned than the average enterprise about the legal aspects of using cloud services.
There is an interesting post at Westlaw News and Insight January 25, 2011, N.Y. Bar Association Provides Opinion on ‘Cloud Computing by Phillip D. Robben. The New York State Bar Association's Committee on Professional Ethics released its Opinion 842, in September 2010 on the use of cloud computing. It was issued in response to an inquiry from a lawyer seeking guidance as to whether or not lawyers may use cloud computing resources. This is for a lawyer using cloud computing within the law firm.
This is an excerpt from Robben’s post summarizing Opinion 842.
Reasonable care requires a lawyer, at a minimum, to ensure that the service provider has an obligation to keep data confidential. The lawyer is duty bound to investigate whether or not the provider has adequate security in place (including technology in place to thwart hackers), has the ability to erase data when needed, can shift data to a different provider if necessary. A lawyer is further required to obtain the provider's agreement to notify the lawyer if a subpoena is served seeking access to data stored with the provider. The committee also added that a lawyer should from time to time reconfirm that the provider meets the applicable requirements in light of technological advancements. Additionally, a lawyer needs to monitor legal developments to ensure that a given use of cloud computing resources does not compromise the client's privilege as the law evolves.