As with most modern electronic advancements, cloud computing has swiftly become a force that companies cannot ignore. Its adoption and evolution will continue to grow exponentially, as businesses embrace its potential to streamline corporate data and tame IT budgets. Many companies already rely on cloud computing for at least some part of their operations. However—despite its myriad benefits—without a clear understanding of its potential risks and a decisive plan to protect a company’s assets, information and intellectual property, cloud computing can pose significant legal risks. Following are six common mistakes companies should avoid when adopting this new technology.
1. Not Knowing Cloud Concepts
The term “cloud” is a metaphor for the Internet. The cloud creates a virtual infrastructure that can replace—in whole or in part—a company’s traditional servers, network devices and hardware. The official definition from the National Institute of Standards and Technology is: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources ... that can be rapidly provisioned and released with minimal management effort or service provider interaction.” In other words, the cloud is like a super-computer powered over the Internet.
Cloud computing allows users to take advantage of dynamic scalability, shared instances of software applications, and online data and services to accomplish computing tasks and store data. Further, data security, data backup, and procuring and maintaining hardware and software are taken off the user’s hands and done in the cloud via third-party service providers. When using vendors, data security and privacy are legitimate concerns. However, security in the cloud may actually be better guarded, as cloud providers are usually able to devote more resources to security issues than the typical user.
2. Not Knowing How Your Company Uses the Cloud
There are many ways a company can take advantage of cloud computing. Cloud providers offer hardware, networks, storage, services and interfaces to its users. For example, one company may use email servers and applications in the cloud for its internal and external email services, while another company chooses to use data storage and application software offered by the cloud provider. Cloud computing will facilitate more efficient outsourced data handling, but businesses turning over data to third-party vendors also lose a degree of control over their sensitive information. It is important to know as much as possible about what cloud data you and your company control, and to understand how to access, manage and ultimately dispose of that data.
3. Not Knowing What Is in Your Contract with Your Cloud Provider
Your contract with your cloud provider defines many important aspects of the relationship. Well-executed cloud computing agreements, licensing structures and contract terms will provide comprehensive protection for your business, your assets and your customers.
Key provisions should include:
- Procedures dictating how and when the cloud provider responds to a security breach, in terms of notification, investigation and remedy.
- Provisions setting forth how and when the cloud provider responds to legal process such as complaints, subpoenas or other requests for your company’s data.
- Policies for data retention and destruction, including how soon your company’s data will be wiped off the servers when the contract terminates.
- Indemnification provisions that protect and hold your company harmless if the confidentiality, security or other key provisions are breached by the cloud provider, its subcontractors or others.
4. Not Consulting Your Cloud Provider as Soon as You Get a Subpoena or Are Sued
Companies are required to preserve and produce electronically stored information (ESI) as part of their response to litigation, regulatory inquiries and subpoenas. You should devise a clear process for notifying your cloud provider in the event they must assist with the implementation of a litigation hold—the act of holding from changes or destruction all information that is the subject of pending or potential litigation or investigation.
The Federal Rules of Civil Procedure, the guidelines that govern civil legal actions, include important guidelines—as well as some protections—for companies using the cloud. For example, Rule 34(1) can require any party in custody or control of electronic information to produce the data if requested as part of a legal action. Courts do not currently make any material distinction between data residing behind an enterprise firewall and data residing in the cloud on a server that is physically on another continent. Therefore, if a company has legal right to “control” the information, it cannot shirk its responsibility under Rule 34.
5. Not Knowing the Availability of a Safe Harbor
Rule 37(e) of the FRCP states “absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.” In other words, a company is protected if it enacted measures to protect its data yet is still unable to produce it due to circumstances beyond its control. This protection applies to ESI stored in the cloud in the same way as it has been applied to on-premises systems. However, it is imperative that companies develop and implement a strict records management and retention policy and train all employees on the relevant procedures. Without a policy in place, it would be difficult to find calm seas in the safe harbor.
6. Not Knowing About a Clawback Agreement
In litigation involving global companies and a large volume of ESI, the parties may enter into a clawback agreement to speed up the production of documents. The clawback agreement, now part of the FCRP, is a contractual agreement between both litigating parties designed to offer corporations a safeguard against the inadvertent disclosure of privileged information. This means that if a document is unknowingly or unintentionally provided to the opposing party, it does not automatically constitute a waiver of privilege. Further, the producing party may request the return of the document (claw it back) and the other party must comply by returning, sequestering or destroying the protected document. The requesting party is then barred from using the privileged document to further his company’s case.