A Strategic Approach to Cloud Computing

Nolan M. Goldberg Senior Counsel IP & Technology ngoldberg@proskauer.com February 23, 2011


Today’s Most Important Slide

• All cloud services are not equal.


The Key Legal Question
Is a Particular Cloud Suitable for a Particular Application? - Governed by the service’s contracts, structure, and technology.

The Solution
• It is a best practice to undertake a legal due diligence investigation prior to adoption.

Three Due Diligence Questions
1. Where will my data be located?
2. Are the terms of the contract reasonable for a particular application?
3. How will the system’s structure impact the due diligence process and control over my data?

A Global Perspective

For better or worse…
• The physical location(s) of a cloud will influence the legal risks and protections afforded to data on the service.

The Stored Communications Act (18 U.S.C. § 2701, et seq.)
• The U.S. SCA will limit the circumstances under which US-based cloud providers can disclose customers’ data. See, e.g., U.S. v. Weaver.

In Re Beluga
“…Google and its servers are located within the United States and therefore…the ECPA prohibits Google from disclosing the contents of those email accounts until it receives consents from the email account holders.”

The US Constitution
• The 4th Amendment provides protections beyond that provided by the SCA.

The US Patriot Act
• The Patriot Act provides increased governmental investigatory powers, sometimes without notice to the target.

Protecting Your IP
• Should your IP be stolen from a Cloud, the location of both the system and the theft will impact your ability to seek appropriate relief.

Contracts
• The validity or construction of certain common contractual terms will vary based on the location of the cloud.

Example: Contractual Variation
• Terms which allow the provider to vary contract terms with or without notice may be more or less enforceable under different national laws.

Example (cont.)
Modifications. a. To the Services. [Provider] may make commercially reasonable modifications to the Service, or particular components of the Service, from time to time. [Provider] will use commercially reasonable efforts to notify Customer of any such changes.
Excerpt from paid cloud service agreement

Example (Cont.)
“We may change the service or delete features at any time and for any reason. We may cancel or suspend your service at any time. Our cancellation or suspension may be without cause and/or without notice.”
Excerpt from free cloud service agreement

Example: Provider Liability
• European legal systems make it more difficult for providers to exclude direct and indirect liability; and
• There are demonstrable regional variations on liability limits.

Export
• Will loading data onto a foreign cloud violate local rules on the export of controlled technologies?

Jurisdiction
• By storing data at a given location, is there an increased chance of being subject to litigation in that jurisdiction?

Privacy
• Can the cloud service comply with applicable processing, retention or transfer restrictions?
• Will the operation of the service unintentionally entangle data not already subject to processing restrictions?

Example – EU Data Directive
• Implementations of the E.U. Data Directive of 1995 severely restrict the “processing of personal data.”
• “processing” and “personal data” are both defined broadly.
• EU blocking statutes impose liability for the transfer of personal or other business data across political boundaries.

Contractual Suitability

Example: Trade Secrets
• Reasonable steps must be taken to protect the secrecy of a trade secret or it can lose its value.

Data Ownership
• Governed by the service agreement.
• There is the potential that rights given to the vendor will diminish the value and protections afforded the underlying data.

The Vendor May Need Certain Rights in Your Data to Operate its Service
You understand that [Provider] may need and you hereby authorize [Provider] to use, copy, modify, distribute and display content posted on the service to the extent necessary to provide the service.
Excerpt from a Cloud Service Agreement

The Vendor May Want Certain Rights in Your Data to Generate Revenue
“Some of the Services are supported by advertising revenue and may display advertisements and promotions. These advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information.”
Excerpt from Cloud Terms of Service (emphasis added)

Reasonableness
The Cloud Computing Project at Queen Mary University of London analyzed cloud contracts to find common practices.

Securing Data in the Cloud
• The traditional focus of data security is keeping outsiders off of the network and limiting the access of insiders to appropriate areas.
• Data in the cloud should also be secured against other customers of the service and against the service provider.

Structure

The Contract “Controls” the Scope of Discovery Obligations
The starting point for determining control over ESI on the cloud (or related metadata, log files, etc.) is the contract.

Determining Control in the Cloud
[Diagram labels: Cloud Service Provider, Contract, Consumer]

Control of Data in Multi-Party Clouds (cont.)
[Diagram labels: ID as a Service, Cloud Infrastructure Provider, Cloud Infrastructure Provider 2, Applications Provider, Contract 1, Contract 2, Contract 3, Consumer, Consumer 2]

Control of Data in Multi-Party Clouds (cont.)
[Diagram labels: Cloud Service, Cloud Service, Cloud Service Aggregator, Contract, Consumer]

Multi-Party Cloud Due Diligence
• Do parties have sufficient contractual rights from others to meet obligations to which they have themselves contracted?
• To what extent will a multi-party network facilitate a thorough due diligence process?

Example – Los Angeles
• Los Angeles is migrating its e-mail to Google Apps, estimating that the move will free up 100 servers, lowering electricity bills “by almost $750,000 over five years.” http://googleenterprise.blogspot.com/2009/12/why-city-of-losangeles-chose-google.html
• Computer Sciences Corporation (“CSC”) will act as an intermediary.

Example – Los Angeles (cont.)
[Diagram labels: CSC, Google, Los Angeles, Contract 1, Contract 2]

For More Information…
Please e-mail: ngoldberg@proskauer.com
