You are on page 1of 38

A Strategic Approach to Cloud Computing

Nolan M. Goldberg Senior Counsel IP & Technology February 23, 2011


Today’s Most Important Slide

• All cloud services are not equal.


The Key Legal Question
Is a Particular Cloud Suitable for a Particular Application? - Governed by the service’s contracts, structure, and technology.

The Solution • It is a best practice to undertake a legal due diligence investigation prior to adoption. 4 .

Are the terms of the contract reasonable for a particular application? 3. How will the system’s structure impact the due diligence process and control over my data? 5 . Where will my data be located? 2.Three Due Diligence Questions 1.

A Global Perspective 6 .

For better or worse….. • The physical location(s) of a cloud will influence the legal risks and protections afforded to data on the service. 7 .

SCA will limit the circumstances under which US-based cloud providers can disclose customers’ data.) • The U.S.S.See e.The Stored Communications Act (18 U. V. U..S. et seq. Weaver 8 . . § 2701.C.g.

” 9 .In Re Beluga “…Google and its servers are located within the United States and therefore…the ECPA prohibits Google from disclosing the contents of those email accounts until it receives consents from the email account holders.

10 .The US Constitution •The 4th Amendment provides protections beyond that provided by the SCA.

11 .The US Patriot Act • The Patriot Act provides increased governmental investigatory powers. sometimes without notice to the target.

Protecting Your IP • Should your IP be stolen from a Cloud. 12 . the location of both the system and the theft will impact your ability to seek appropriate relief.

Contracts • The validity or construction of certain common contractual terms will vary based on the location of the cloud. 13 .

14 .Example: Contractual Variation • Terms which allow the provider to vary contract terms with or without notice may be more or less enforceable under different national laws.

[Provider] may make commercially reasonable modifications to the Service. or particular components of the Service. [Provider] will use commercially reasonable efforts to notify Customer of any such changes. a. To the Services.) Modifications.Example (cont. Excerpt from paid cloud service agreement 15 . from time to time.

” Excerpt from free cloud service agreement 16 . We may cancel or suspend your service at any time.Example (Cont. Our cancellation or suspension may be without cause and/or without notice.) “We may change the service or delete features at any time and for any reason.

and • There are demonstrable regional variations on liability limits. 17 .Example: Provider Liability • European legal systems make it more difficult for providers to exclude direct and indirect liability.

Export • Will loading data onto a foreign cloud violate local rules on the export of controlled technologies? 18 .

Jurisdiction • By storing data at a given location. is there an increased chance of being subject to litigation in that jurisdiction? 19 .

Privacy • Can the cloud service comply with applicable processing. retention or transfer restrictions? • Will the operation of the service unintentionally entangle data not already subject to processing restrictions? 20 .

” • “processing” and “personal data” are both defined broadly. • EU blocking statutes impose liability for the transfer of personal or other business data across political boundaries. 21 . Data Directive of 1995 severely restrict the “processing of personal data.U.Example – EU Data Directive • Implementations of the E.

Contractual Suitability 22 .

23 .Example: Trade Secrets • Reasonable steps must be taken to protect the secrecy of a trade secret or it can lose its value.

24 . • There is the potential that rights given to the vendor will diminish the value and protections afforded the underlying data.Data Ownership • Governed by the service agreement.

modify. distribute and display content posted on the service to the extent necessary to provide the service. Excerpt from a Cloud Service Agreement 25 . copy.The Vendor May Need Certain Rights in Your Data to Operate its Service You understand that [Provider] may need and you hereby authorize [Provider] to use.

The Vendor May Want Certain Rights in Your Data to Generate Revenue “Some of the Services are supported by advertising revenue and may display advertisements and promotions.” Excerpt from Cloud Terms of Service (emphasis added) 26 . These advertisements may be targeted to the content of information stored on the Services. queries made through the Services or other information.

27 .Reasonableness The Cloud Computing Project at Queen Mary University of London analyzed cloud contracts to find common practices.

28 .Securing Data in the Cloud • The traditional focus of data security is keeping outsiders off of the network and limiting the access of insiders to appropriate areas. • Data in the cloud should also be secured against other customers of the service and against the service provider.

Structure 29 .

) is the contract. etc. 30 .The Contract “Controls” the Scope of Discovery Obligations The starting point for determining control over ESI on the cloud (or related metadata. log files..

Determining Control in the Cloud Cloud Service Provider Contract Consumer Consumer 31 .

Control of Data in Multi-Party Clouds (cont.) ID as a Service Cloud Infrastructure Provider Contract 2 Contract 3 Cloud Infrastructure Provider 2 Applications Provider Contract 1 Consumer Consumer 2 32 .

) Cloud Service ct ra nt Co Cloud Service Cloud Service Aggregator Contract Consumer 33 Co nt ra ct Contract .Control of Data in Multi-Party Clouds (cont.

Multi-Party Cloud Due Diligence • Do parties have sufficient contractual rights from others to meet obligations to which they have themselves contracted? • To what extent will a multi-party network facilitate a thorough due diligence process? 34 .

blogspot.Example – Los Angeles • Los Angeles is migrating its e-mail to Google Apps.000 over five years.” http://googleenterprise. lowering electricity bills “by almost $ • Computer Sciences Corporation (“CSC”) will act as an intermediary. estimating that the move will free up 100 servers. 35 .

) CSC Contract 1 Google Contract 1 Contract 2 Los Angeles 36 .Example – Los Angeles (cont.

Please e-mail: ngoldberg@proskauer.For More Information….com 37 .

Goldberg Senior Counsel IP & Technology February 23. 2011 38 .A Strategic Approach to Cloud Computing Nolan M.