Exploring Legal Issues in the Cloud

November 15, 2011, by David
Grazed from Computer Technology Review. Author: Andrew L. Goldstein.

A study reported earlier this year that 37 percent of all organizations worldwide are deploying cloud computing solutions, and predicted that by 2014, businesses in the U.S. will spend more than $13 billion on cloud computing, a 400 percent increase from today. Many companies are considering moving to cloud service providers that offer access to software applications on a SaaS basis, and many software companies are moving to cloud hosted environments as a means to offer their programs. Cloud computing, however, raises new and challenging legal issues for both cloud computing users and vendors…

Vendors typically have the advantage in negotiations for cloud services because they write the contracts and determine the terms they will offer. Many cloud services, particularly those used by small- and medium-sized companies, are made available only through click-wrap agreements that are non-negotiable. Consistent with the cloud model of a “one size fits all,” commodity service, vendors are also typically reluctant to negotiate different terms for different customers. Customers faced with non-negotiable contracts must review the terms of the agreement and do their diligence on the cloud vendor to be sure that the customer is not taking on more risk than it should and to determine whether the terms of the click-wrap agreement pose any problems to the customer.

Security and Data Privacy Issues
One of the most publicized concerns about the cloud is security and data privacy. Because cloud providers store large volumes of data from various parties, they present an attractive target for hackers. Google, Amazon and Salesforce.com have all reported major data breaches, and a survey this summer found that nearly half of IT executives reported a security lapse or security issue with their cloud services provider within the last 12 months.

A cloud customer could be liable for security breaches by the cloud provider it uses. Therefore, the cloud customer should be sure that its contract protects the customer’s data. Of course, the agreement with the cloud vendor should include confidentiality provisions requiring the vendor to protect the customer’s data as confidential. In addition, the customer should require the vendor to comply with SAS70, or the recent Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which applies to reporting periods ending on or after June 15, 2011. SAS70 and SSAE 16 provide auditing standards covering, among other things, a service provider’s controls for safeguarding its customers’ data. The customer should also require the vendor to comply with ISO 27002, which establishes data security standards. In addition, the customer should require the vendor to conduct the SAS70/SSAE 16 and ISO audits at least annually, and the contract should obligate the vendor to correct any deficiencies revealed by the audits.

In addition, cloud customers will want to have the right to conduct independent security assessments or audits. However, unless the customer is large, the cloud vendor may not agree to this, because it disrupts operations to have numerous customers conducting audits and because an audit might expose the data of other customers. Cloud vendors should note, though, that if a customer is subject to audit by regulatory agencies, such as in the financial or healthcare sectors, the vendor needs to allow for audits by these agencies and should agree to cooperate with any such required audits.

From the vendor side, cloud providers need to develop an incident response plan to promptly notify customers of any security breach affecting that customer’s data and to cooperate with the customers to mitigate the breach and to comply with notification laws.

Data Issues
Cloud computing raises several issues concerning the storage and treatment of a customer’s data, including the location of the data and jurisdictional issues; legal compliance issues; ownership issues; and access and retention issues.

One of the first questions a cloud customer should ask is: “Where is my data stored?” Virtualization in the cloud environment presents new challenges for jurisdictional issues and legal compliance. Virtualization refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them, so that, for example, numerous ‘virtual’ servers can be created on a single physical server. Where a customer’s data is stored, even on a temporary basis, can determine the law applicable to the data. For example, the US PATRIOT Act and the UK Regulation of Investigatory Powers Act of 2000 allow both governments access to private data stored in their countries. The European Union’s Data Protection Directive also prohibits the transfer of personal information of EU residents from the EU to countries (including the U.S.) that do not meet a certain level of data protection.

Cloud computing can also raise issues with respect to U.S. export laws. Earlier this year, the Bureau of Industry and Security of the U.S. Commerce Department issued two advisory opinions clarifying the applicability of export laws to the cloud environment. The opinions state that providing computing capacity through cloud and grid services is not an export. However, users who transmit software or technology via the cloud could be subject to the export regulations, and the cloud vendors who store or transmit software or technology subject to export regulations could also be subject to the regulations.

Accordingly, vendors in the cloud may have to inquire about the location or nationality of their customers and whether the data or software they are processing or storing is subject to export restrictions. Customers should verify where their data is stored to determine whether the locations cause any problems. Some cloud providers, though, refuse to reveal where data is stored or processed: either they don’t want to, they don’t know, or it’s too difficult to track. On the other hand, some cloud vendors (such as Amazon) offer the option to store a customer’s data only in a certain country or area, such as the U.S. or the EU.

In addition to determining where their data is stored, cloud customers should also find out how their data is being stored. Will the customer’s data be stored in a virtualized environment? In such a shared environment, there is the potential for one customer to have access to data of another customer. This shared, virtual environment could also present a business interruption issue: in July of this year, the FBI launched “Operation Trident Tribunal” and conducted raids related to the LulzSec hacker group. The feds seized several servers from a data center in Virginia used to provide cloud services. Because the cloud service provider did not segregate customers’ data and software, the FBI raids knocked 120 unrelated companies’ websites offline for several days.

The next question a cloud customer should ask is: “What type of data will be stored in the cloud?” Depending on the type of data being stored, there are various laws, regulations and industry standards that may apply to the security and storage of the data. For example:

  • The Sarbanes-Oxley Act of 2002 (SOX) applies to publicly traded companies and contains requirements related to, among other things, email retention, data security and integrity, as well as oversight requirements that encompass cloud providers.
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act regulate the use and protection of health information. Companies in the healthcare field may need to have their cloud service providers sign a Business Associate agreement. HIPAA also requires that individuals have access to their health information, so cloud vendors may need to adjust their policies and procedures to allow for such access.
  • The Gramm-Leach-Bliley Act (GLB) governs the collection, disclosure and protection by financial institutions of consumers’ nonpublic personal information.
  • The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards providing requirements for the security and storage of credit card information; in June, it was clarified that the PCI DSS applies to cloud providers.
  • State laws. Almost all states have laws covering notification in the case of a data breach. Also, some states, such as Massachusetts and Nevada, have enacted laws providing requirements for data security.

A customer subject to any of these laws or standards needs to be sure that the cloud provider it is using complies with the laws or standards. Conversely, a cloud provider should know what data its customers are storing in its systems because the vendor could also be liable for complying with these laws.