A Strategic Approach to Cloud Computing

Nolan M. Goldberg Senior Counsel IP & Technology ngoldberg@proskauer.com February 23, 2011

1

Today’s Most Important Slide

• All cloud services are not equal.

2

The Key Legal Question
Is a Particular Cloud Suitable for a Particular Application? - Governed by the service’s contracts, structure, and technology.
3

The Solution • It is a best practice to undertake a legal due diligence investigation prior to adoption. 4 .

Three Due Diligence Questions 1. Where will my data be located? 2. How will the system’s structure impact the due diligence process and control over my data? 5 . Are the terms of the contract reasonable for a particular application? 3.

A Global Perspective 6 .

For better or worse…. • The physical location(s) of a cloud will influence the legal risks and protections afforded to data on the service.. 7 .

) • The U. Weaver 8 .The Stored Communications Act (18 U.See e..S.g. U.C.S. V. SCA will limit the circumstances under which US-based cloud providers can disclose customers’ data. .S. § 2701. et seq.

In Re Beluga “…Google and its servers are located within the United States and therefore…the ECPA prohibits Google from disclosing the contents of those email accounts until it receives consents from the email account holders.” 9 .

The US Constitution •The 4th Amendment provides protections beyond that provided by the SCA. 10 .

sometimes without notice to the target. 11 .The US Patriot Act • The Patriot Act provides increased governmental investigatory powers.

the location of both the system and the theft will impact your ability to seek appropriate relief.Protecting Your IP • Should your IP be stolen from a Cloud. 12 .

13 .Contracts • The validity or construction of certain common contractual terms will vary based on the location of the cloud.

Example: Contractual Variation • Terms which allow the provider to vary contract terms with or without notice may be more or less enforceable under different national laws. 14 .

To the Services.) Modifications. a. from time to time. [Provider] will use commercially reasonable efforts to notify Customer of any such changes. Excerpt from paid cloud service agreement 15 . [Provider] may make commercially reasonable modifications to the Service.Example (cont. or particular components of the Service.

Our cancellation or suspension may be without cause and/or without notice. We may cancel or suspend your service at any time.) “We may change the service or delete features at any time and for any reason.Example (Cont.” Excerpt from free cloud service agreement 16 .

17 .Example: Provider Liability • European legal systems make it more difficult for providers to exclude direct and indirect liability. and • There are demonstrable regional variations on liability limits.

Export • Will loading data onto a foreign cloud violate local rules on the export of controlled technologies? 18 .

is there an increased chance of being subject to litigation in that jurisdiction? 19 .Jurisdiction • By storing data at a given location.

Privacy • Can the cloud service comply with applicable processing. retention or transfer restrictions? • Will the operation of the service unintentionally entangle data not already subject to processing restrictions? 20 .

• EU blocking statutes impose liability for the transfer of personal or other business data across political boundaries. 21 .Example – EU Data Directive • Implementations of the E.U. Data Directive of 1995 severely restrict the “processing of personal data.” • “processing” and “personal data” are both defined broadly.

Contractual Suitability 22 .

Example: Trade Secrets • Reasonable steps must be taken to protect the secrecy of a trade secret or it can lose its value. 23 .

• There is the potential that rights given to the vendor will diminish the value and protections afforded the underlying data. 24 .Data Ownership • Governed by the service agreement.

distribute and display content posted on the service to the extent necessary to provide the service. copy.The Vendor May Need Certain Rights in Your Data to Operate its Service You understand that [Provider] may need and you hereby authorize [Provider] to use. Excerpt from a Cloud Service Agreement 25 . modify.

” Excerpt from Cloud Terms of Service (emphasis added) 26 . These advertisements may be targeted to the content of information stored on the Services. queries made through the Services or other information.The Vendor May Want Certain Rights in Your Data to Generate Revenue “Some of the Services are supported by advertising revenue and may display advertisements and promotions.

Reasonableness The Cloud Computing Project at Queen Mary University of London analyzed cloud contracts to find common practices. 27 .

• Data in the cloud should also be secured against other customers of the service and against the service provider. 28 .Securing Data in the Cloud • The traditional focus of data security is keeping outsiders off of the network and limiting the access of insiders to appropriate areas.

Structure 29 .

The Contract “Controls” the Scope of Discovery Obligations The starting point for determining control over ESI on the cloud (or related metadata. log files. 30 . etc..) is the contract.

Determining Control in the Cloud Cloud Service Provider Contract Consumer Consumer 31 .

) ID as a Service Cloud Infrastructure Provider Contract 2 Contract 3 Cloud Infrastructure Provider 2 Applications Provider Contract 1 Consumer Consumer 2 32 .Control of Data in Multi-Party Clouds (cont.

Control of Data in Multi-Party Clouds (cont.) Cloud Service ct ra nt Co Cloud Service Cloud Service Aggregator Contract Consumer 33 Co nt ra ct Contract .

Multi-Party Cloud Due Diligence • Do parties have sufficient contractual rights from others to meet obligations to which they have themselves contracted? • To what extent will a multi-party network facilitate a thorough due diligence process? 34 .

Example – Los Angeles • Los Angeles is migrating its e-mail to Google Apps.000 over five years.html • Computer Sciences Corporation (“CSC”) will act as an intermediary. estimating that the move will free up 100 servers. 35 .” http://googleenterprise. lowering electricity bills “by almost $750.blogspot.com/2009/12/why-city-of-losangeles-chose-google.

) CSC Contract 1 Google Contract 1 Contract 2 Los Angeles 36 .Example – Los Angeles (cont.

For More Information…. Please e-mail: ngoldberg@proskauer.com 37 .

com February 23.A Strategic Approach to Cloud Computing Nolan M. Goldberg Senior Counsel IP & Technology ngoldberg@proskauer. 2011 38 .