A Strategic Approach to Cloud Computing

Nolan M. Goldberg Senior Counsel IP & Technology ngoldberg@proskauer.com February 23, 2011


Today’s Most Important Slide

• All cloud services are not equal.


The Key Legal Question
Is a Particular Cloud Suitable for a Particular Application? - Governed by the service’s contracts, structure, and technology.

4 .The Solution • It is a best practice to undertake a legal due diligence investigation prior to adoption.

Are the terms of the contract reasonable for a particular application? 3. How will the system’s structure impact the due diligence process and control over my data? 5 . Where will my data be located? 2.Three Due Diligence Questions 1.

A Global Perspective 6 .

• The physical location(s) of a cloud will influence the legal risks and protections afforded to data on the service. 7 ..For better or worse….

SCA will limit the circumstances under which US-based cloud providers can disclose customers’ data.) • The U.. § 2701. U.S.g.See e. et seq.S. .The Stored Communications Act (18 U. Weaver 8 . V.S.C.

In Re Beluga “…Google and its servers are located within the United States and therefore…the ECPA prohibits Google from disclosing the contents of those email accounts until it receives consents from the email account holders.” 9 .

The US Constitution •The 4th Amendment provides protections beyond that provided by the SCA. 10 .

11 .The US Patriot Act • The Patriot Act provides increased governmental investigatory powers. sometimes without notice to the target.

Protecting Your IP • Should your IP be stolen from a Cloud. 12 . the location of both the system and the theft will impact your ability to seek appropriate relief.

13 .Contracts • The validity or construction of certain common contractual terms will vary based on the location of the cloud.

14 .Example: Contractual Variation • Terms which allow the provider to vary contract terms with or without notice may be more or less enforceable under different national laws.

) Modifications.Example (cont. To the Services. or particular components of the Service. [Provider] may make commercially reasonable modifications to the Service. from time to time. a. [Provider] will use commercially reasonable efforts to notify Customer of any such changes. Excerpt from paid cloud service agreement 15 .

Example (Cont.) “We may change the service or delete features at any time and for any reason. Our cancellation or suspension may be without cause and/or without notice.” Excerpt from free cloud service agreement 16 . We may cancel or suspend your service at any time.

Example: Provider Liability • European legal systems make it more difficult for providers to exclude direct and indirect liability. 17 . and • There are demonstrable regional variations on liability limits.

Export • Will loading data onto a foreign cloud violate local rules on the export of controlled technologies? 18 .

is there an increased chance of being subject to litigation in that jurisdiction? 19 .Jurisdiction • By storing data at a given location.

Privacy • Can the cloud service comply with applicable processing. retention or transfer restrictions? • Will the operation of the service unintentionally entangle data not already subject to processing restrictions? 20 .

Example – EU Data Directive • Implementations of the E.U.” • “processing” and “personal data” are both defined broadly. • EU blocking statutes impose liability for the transfer of personal or other business data across political boundaries. 21 . Data Directive of 1995 severely restrict the “processing of personal data.

Contractual Suitability 22 .

Example: Trade Secrets • Reasonable steps must be taken to protect the secrecy of a trade secret or it can lose its value. 23 .

• There is the potential that rights given to the vendor will diminish the value and protections afforded the underlying data. 24 .Data Ownership • Governed by the service agreement.

copy. modify.The Vendor May Need Certain Rights in Your Data to Operate its Service You understand that [Provider] may need and you hereby authorize [Provider] to use. distribute and display content posted on the service to the extent necessary to provide the service. Excerpt from a Cloud Service Agreement 25 .

queries made through the Services or other information.” Excerpt from Cloud Terms of Service (emphasis added) 26 .The Vendor May Want Certain Rights in Your Data to Generate Revenue “Some of the Services are supported by advertising revenue and may display advertisements and promotions. These advertisements may be targeted to the content of information stored on the Services.

Reasonableness The Cloud Computing Project at Queen Mary University of London analyzed cloud contracts to find common practices. 27 .

Securing Data in the Cloud • The traditional focus of data security is keeping outsiders off of the network and limiting the access of insiders to appropriate areas. 28 . • Data in the cloud should also be secured against other customers of the service and against the service provider.

Structure 29 .

The Contract “Controls” the Scope of Discovery Obligations The starting point for determining control over ESI on the cloud (or related metadata. 30 ..) is the contract. etc. log files.

Determining Control in the Cloud Cloud Service Provider Contract Consumer Consumer 31 .

Control of Data in Multi-Party Clouds (cont.) ID as a Service Cloud Infrastructure Provider Contract 2 Contract 3 Cloud Infrastructure Provider 2 Applications Provider Contract 1 Consumer Consumer 2 32 .

Control of Data in Multi-Party Clouds (cont.) Cloud Service ct ra nt Co Cloud Service Cloud Service Aggregator Contract Consumer 33 Co nt ra ct Contract .

Multi-Party Cloud Due Diligence • Do parties have sufficient contractual rights from others to meet obligations to which they have themselves contracted? • To what extent will a multi-party network facilitate a thorough due diligence process? 34 .

Example – Los Angeles • Los Angeles is migrating its e-mail to Google Apps. 35 .” http://googleenterprise.blogspot. lowering electricity bills “by almost $750.html • Computer Sciences Corporation (“CSC”) will act as an intermediary. estimating that the move will free up 100 servers.com/2009/12/why-city-of-losangeles-chose-google.000 over five years.

) CSC Contract 1 Google Contract 1 Contract 2 Los Angeles 36 .Example – Los Angeles (cont.

Please e-mail: ngoldberg@proskauer.com 37 .For More Information….

com February 23.A Strategic Approach to Cloud Computing Nolan M. 2011 38 . Goldberg Senior Counsel IP & Technology ngoldberg@proskauer.