» How cloud computing could land IT in court

How cloud computing could land IT in court

September 15, 2009 by Sam Narisi
Posted in: Regulations & Compliance, Security, Special Report


Many businesses are turning to cloud computing for an affordable and scalable solution. Others are giving it serious consideration. But what are the legal dangers of keeping all that information in the cloud?
In essence, cloud computing allows users to connect to applicants, data and other resources that are stored “in the cloud” (that is, on the Internet) instead of on local, in-house servers.

The concept is catching on with cash-strapped IT departments that want a computing solution that’s infinitely scalable and where the problems of backup, protection and accessibility are hired out to experts. The downside, of course, is that the company’s data exists “somewhere out there,” rather than in-house.

That creates some tough legal questions. For example:

1. How does the cloud affect your e-discovery responsibilities?

E-discovery obligations cover any data under the company’s control. Whether or not that includes data in the cloud depends on the service agreement, says Nolan Goldberg writing for Computerworld. In most cases, the company retains control of the data and is therefore subject to the same e-discovery responsibilities as with other types of storage.

When selecting a provider, Goldberg recommends choosing a cloud service that can handle your company’s existing document retention practices.

2. Will using a cloud service violate privacy laws?

If any information stored in the cloud is improperly accessed, the company will be on the legal hook, not the service provider. For example, if healthcare info about employees is hacked, the company may be hit for a violation of the Health Insurance Portability and Accountability Act (HIPAA).

With more state and federal laws appearing that hold companies responsible for the theft of customers and employees’ personal data, it’s important to look closely at a cloud vendor’s security practices. Or, decide to keep some information in-house.

3. What happens if the vendor goes out of business?

Companies also need to consider what will happen to their data if a service provider declares bankruptcy or goes out of business. Service agreements should require that all data is backed up somewhere and that the vendor is contractually obligated to return it, says tech consultant R. Jason Straight.

The above are issues that have to be scoped out, green-lighted and built into contracts. Cloud computing is a more serious process than outsourcing, say, payroll or travel arrangements. It may make sense for your company, but it cannot be a casual move. Stored data is a critical asset for all company, and any loss or illegal access could be a disaster for your company. Make sure that a variety of voices (legal, technical, management, financial) get into the decision and the planning.

  • Share/Bookmark delivers the latest IT and Imaging news once a week to the inboxes of over 200,000 IT and Imaging professionals.

Click here to sign up and start your FREE subscription to DocuCrunch!

Tags: , , , ,

6 Responses to “How cloud computing could land IT in court”

  1. josephmartins Says:


    Contracts may have little impact/value in a scenario that involves a service provider’s bankruptcy.

    Regardless what the contract might say, it is very likely that the obligation will be lost in the flurry of activity that consumes a failing business. Should the service be shut down for any length of time, a company may find itself without access to its data for weeks, months or longer. And loss of the control of its data will, in many cases, have legal ramifications.

    Federal statute does give priority to post bankruptcy creditors to enable a company to continue (or wind down) its operations. That may help some customers in their quest to recover data.

    I’m going to go out on a limb here. Legals eagles correct me if I am wrong, but court-ordered damages due to lost data are likely last in line to be paid, along with unsecured debt. So even if the bankrupt service provider fails to fork over the data, it is unlikely that customers will be compensated for their losses.

  2. Robin Dunn Says:

    This is a well written article.

    These are valid concerns for companies. However, in my opinion each of these areas can be addressed by cloud providers.

    For example email compliance and retntion solutions that capture all emails in, out or around an organisation and global based discovery are available. Mature cloud based solutions compete favourably against equivalent on premises solutions.

    Data retention is also key with a number of Cloud Service providers not providing best practice around data backups. On the flip side some are and recovery process is of enterprise class functionality facilitating improved e-discovery capabilities.

    On the issue of data privacy – most good Cloud Service Providers security solutions are of a higher grade than you typically see at corporates’ focusing over and above the usual perimeter security.

    Moving forward stealth technology that provides the same privacy of information that on-line backup will start to become best practise. It will enable encryption of the data before it leaves your premises so the Cloud Service Provider can manage your data but not read it. Watch out too where your data is hosted different countries have their own legislation that can effect you for instance the US patriot act.

    Concerning financial concerns of Service Providers. To do Cloud Service Provision you have to do this on a large scale to make it viable. Many Hosted Desktop providers are turning to the channel for customer acquisition as there are few companies that can achieve the growth they need within their existing customers.

    I predict a large number of Cloud Service Providers going bust. So you need to make sure you do your due diligence properly before sighing contracts. Early signs to watch for are Service Providers infrastructure issues and service provision problems.

    On the plus side switching providers is easier than doing a major infrastructure migration.

    As with most things there are things to look out for and that is where specialist companies like Cloud Computing in the UK can help.

  3. josephmartins Says:

    I’m curious, Robin, why you would state that “switching providers is easier than doing a major infrastructure migration.” Define “easier” and provide some context.

    In some situations your claim would be true. But I suspect it is not necessarily the case as the complexity of the environment and amount of data under management goes up.

  4. Robin Dunn Says:

    Switching between cloud providers is also normally easier as they tend to be data centric. The data and folder structure can be preserved so you are picking up your virtual environment and dropping it into another service provider. You are not left with an onerous task of gathering data from multiple locations and devices and a migration plan that can take lots of time to plan and deliver.

    Of course you need to do your due diligence on the provider and make sure what they are supplying and how they are delivering it meet your needs but this is no more than the typical due diligence you need to do on a typical infrastructure upgrade. I have see a multiple site upgrade Exchange upgrade, implementation of email archive done with zero down time.

    We don’t see data growth as files are stored in native format and there is little data duplication with a Cloud based environment unlike a typical corporate with multiple sites.

    Consequently the time and cost taken moving from an on premise solution to a cloud based offering is far quicker than a major infrastructure upgrade.

    If you are interested in Cloud Computing news please take a look at my blog

  5. josephmartins Says:

    It seems that you are [perhaps] assuming a customer would continue to store its data inefficiently internally when it could, hypothetically, perform the same data aggregation/consolidation/normalization/deduplication internally that would be required to efficiently consolidate in the cloud. That is, assuming one does not use the cloud to simply physically co-locate (but not consolidate and scrub the data) from the same number of targets.

    Regarding the notion that one could simply pick up an environment and easily (read quickly and inexpensively) drop it into another cloud, surely you would agree that this is similar to the intent of early application server developers. Clearly it never worked as advertised due to the number of differences between the environments and despite development standards. I would love for it to work this way, but I do not believe it is realistic at this time.

    Thank you for the link. I will take a look there as well.

  6. Dave Says:

    Bankruptcy of a cloud backup/service provider is only 1 of many concerns. Loss of Internet should be of a higher concern.

    I am continuing to sell the services of an 10 year old data repository provider and I am asked about the possibility of bankruptcy as part of a client’s due diligence ( only though a small portion ever ask). I reply that unless disaster hits the client’s business the exactly the same time as the bankruptcy occurs, each client will recognize through sudden lack of service they will have to start their offsite backups of their production systems promptly with a new provider.

    I then ask them about the reliability of their Internet connection; have they a redundancy plan for that possible loss? I then recommend the features in my services that create redundant backup paths.

    For any Cloud service have a Plan B



  • How to Select a Web Host
    November 27, 2011 by marketing

    Creating a new website?  Not sure how to choose from among all the options?  Need shared hosting, small business hosting, or VPS hosting?  Lots of email accounts? 5-star reliability rating? Fortunately, there’s information available to help. The Best Web Hosts is great resource that will help you select the best web hosting company. It features reviews, rankings, and definitions that can help make your job of selecting a new web host more effective.

  • SMART Steps Towards Workload Automation
    January 19, 2010 by Luke Marchie

    Consolidating job scheduling into a single, comprehensive workload automation solution is a critical first step to effective Workload Automation (WLA).

    Download the free whitepaper here! More…

  • Identifying and Thwarting Malicious Intrusions
    January 12, 2010 by Luke Marchie

    Identifying and Thwarting Malicious Intrusions

    The phenomenal growth in social media has opened the door for all new malicious intrusions from gangs of cyber criminals. Utilizing the trusted relationships in social networking and benefiting from immature security and content controls, hackers are seeing increased performance in their attacks.

    Download the free whitepaper here More…

  • The Security Issues with Web 2.0
    January 12, 2010 by Luke Marchie

    The collaborative benefits of Web 2.0 technologies have fueled rapid growth in online consumer markets and now are being adopted by businesses worldwide. With these technologies come new types of attack vectors.

    Download the free whitepaper here


  • Network-Critical Physical Infrastructure: Optimizing Business Value
    December 29, 2009 by Luke Marchie

    To stay competitive in today’s rapidly changing business world, companies must update the way they view the value of their investment in Network-Critical Physical Infrastructure (NCPI). No longer are simple availability and upfront costs sufficient to make adequate business decisions. Agility, or business flexibility, and low total cost of ownership have become equally important to companies that will succeed in a global, ever-changing marketplace.

    Download the free whitepaper here! More…

  • The New World of eCrime: Targeted Brand Attacks and How to Combat Them
    December 26, 2009 by Luke Marchie

    Nothing is more valuable to a business than its reputation. That is why brand attacks, which leverage a company’s valuable brand for nefarious purposes, must be battled on every possible front. Brand attacks are the new form of eCrime, and they’re being launched with new and rapidly evolving exploits, including phishing and—most recently—malware.

    Download the free whitepaper here! More…

  • DDoS: The Mother of All Cyber Threats
    December 16, 2009 by Luke Marchie

    DDoS: The Mother of All Cyber Threats

    Don’t wait until your business is targeted. A Forrester Consulting study commissioned by VeriSign revealed that nearly 75 percent of the 400 study respondents have experienced one or more DDoS attacks in the past year. Yet, most e-commerce businesses are not prepared for a large-scale DDoS attack. Could your business afford three or more hours of downtime? Avoid that revenue loss by registering for this free white paper

    Click here to download the free white paper More…

  • View more offers

    Quick Vote

    • Does your office have a color printer or copier?

      View Results

      Loading ... Loading ...

  • advertisement