DocuCrunch.com » How cloud computing could land IT in court

How cloud computing could land IT in court

September 15, 2009 by Sam Narisi
Posted in: Regulations & Compliance, Security, Special Report


Many businesses are turning to cloud computing for an affordable and scalable solution. Others are giving it serious consideration. But what are the legal dangers of keeping all that information in the cloud?
In essence, cloud computing allows users to connect to applications, data and other resources that are stored “in the cloud” (that is, on the Internet) instead of on local, in-house servers.

The concept is catching on with cash-strapped IT departments that want a computing solution that’s infinitely scalable and where the problems of backup, protection and accessibility are hired out to experts. The downside, of course, is that the company’s data exists “somewhere out there,” rather than in-house.

That creates some tough legal questions. For example:

1. How does the cloud affect your e-discovery responsibilities?

E-discovery obligations cover any data under the company’s control. Whether or not that includes data in the cloud depends on the service agreement, says Nolan Goldberg, writing for Computerworld. In most cases, the company retains control of the data and is therefore subject to the same e-discovery responsibilities as with other types of storage.

When selecting a provider, Goldberg recommends choosing a cloud service that can handle your company’s existing document retention practices.

2. Will using a cloud service violate privacy laws?

If any information stored in the cloud is improperly accessed, the company will be on the legal hook, not the service provider. For example, if healthcare info about employees is hacked, the company may be hit for a violation of the Health Insurance Portability and Accountability Act (HIPAA).

With more state and federal laws appearing that hold companies responsible for the theft of customers’ and employees’ personal data, it’s important to look closely at a cloud vendor’s security practices. Or, decide to keep some information in-house.

3. What happens if the vendor goes out of business?

Companies also need to consider what will happen to their data if a service provider declares bankruptcy or goes out of business. Service agreements should require that all data is backed up somewhere and that the vendor is contractually obligated to return it, says tech consultant R. Jason Straight.

The above are issues that have to be scoped out, green-lighted and built into contracts. Cloud computing is a more serious process than outsourcing, say, payroll or travel arrangements. It may make sense for your company, but it cannot be a casual move. Stored data is a critical asset for any company, and any loss or illegal access could be a disaster for your company. Make sure that a variety of voices (legal, technical, management, financial) get into the decision and the planning.



5 Responses to “How cloud computing could land IT in court”

  1. josephmartins Says:

    Sam,

    Contracts may have little impact/value in a scenario that involves a service provider’s bankruptcy.

    Regardless what the contract might say, it is very likely that the obligation will be lost in the flurry of activity that consumes a failing business. Should the service be shut down for any length of time, a company may find itself without access to its data for weeks, months or longer. And loss of the control of its data will, in many cases, have legal ramifications.

    Federal statute does give priority to post bankruptcy creditors to enable a company to continue (or wind down) its operations. That may help some customers in their quest to recover data.

    I’m going to go out on a limb here. Legal eagles, correct me if I am wrong, but court-ordered damages due to lost data are likely last in line to be paid, along with unsecured debt. So even if the bankrupt service provider fails to fork over the data, it is unlikely that customers will be compensated for their losses.

  2. Robin Dunn Says:

    This is a well written article.

    These are valid concerns for companies. However, in my opinion each of these areas can be addressed by cloud providers.

    For example email compliance and retention solutions that capture all emails in, out or around an organisation and global based discovery are available. Mature cloud based solutions compete favourably against equivalent on premises solutions.

    Data retention is also key with a number of Cloud Service providers not providing best practice around data backups. On the flip side some are and recovery process is of enterprise class functionality facilitating improved e-discovery capabilities.

    On the issue of data privacy – most good Cloud Service Providers security solutions are of a higher grade than you typically see at corporates’ focusing over and above the usual perimeter security.

    Moving forward stealth technology that provides the same privacy of information that on-line backup will start to become best practice. It will enable encryption of the data before it leaves your premises so the Cloud Service Provider can manage your data but not read it. Watch out too where your data is hosted; different countries have their own legislation that can affect you, for instance the US Patriot Act.

    Concerning financial concerns of Service Providers. To do Cloud Service Provision you have to do this on a large scale to make it viable. Many Hosted Desktop providers are turning to the channel for customer acquisition as there are few companies that can achieve the growth they need within their existing customers.

    I predict a large number of Cloud Service Providers going bust. So you need to make sure you do your due diligence properly before signing contracts. Early signs to watch for are Service Providers infrastructure issues and service provision problems.

    On the plus side switching providers is easier than doing a major infrastructure migration.

    As with most things there are things to look out for and that is where specialist companies like Cloud Computing in the UK can help.

  3. josephmartins Says:

    I’m curious, Robin, why you would state that “switching providers is easier than doing a major infrastructure migration.” Define “easier” and provide some context.

    In some situations your claim would be true. But I suspect it is not necessarily the case as the complexity of the environment and amount of data under management goes up.

  4. Robin Dunn Says:

    Switching between cloud providers is also normally easier as they tend to be data centric. The data and folder structure can be preserved so you are picking up your virtual environment and dropping it into another service provider. You are not left with an onerous task of gathering data from multiple locations and devices and a migration plan that can take lots of time to plan and deliver.

    Of course you need to do your due diligence on the provider and make sure what they are supplying and how they are delivering it meet your needs but this is no more than the typical due diligence you need to do on a typical infrastructure upgrade. I have seen a multiple site upgrade Exchange upgrade, implementation of email archive done with zero down time.

    We don’t see data growth as files are stored in native format and there is little data duplication with a Cloud based environment unlike a typical corporate with multiple sites.

    Consequently the time and cost taken moving from an on premise solution to a cloud based offering is far quicker than a major infrastructure upgrade.

    If you are interested in Cloud Computing news please take a look at my blog http://www.cloudcomputing.ltd.uk/blog/

  5. josephmartins Says:

    It seems that you are [perhaps] assuming a customer would continue to store its data inefficiently internally when it could, hypothetically, perform the same data aggregation/consolidation/normalization/deduplication internally that would be required to efficiently consolidate in the cloud. That is, assuming one does not use the cloud to simply physically co-locate (but not consolidate and scrub the data) from the same number of targets.

    Regarding the notion that one could simply pick up an environment and easily (read quickly and inexpensively) drop it into another cloud, surely you would agree that this is similar to the intent of early application server developers. Clearly it never worked as advertised due to the number of differences between the environments and despite development standards. I would love for it to work this way, but I do not believe it is realistic at this time.

    Thank you for the link. I will take a look there as well.
