Legal risks in cloud computing

The advantages of cloud computing for business end-users are well established, but an attorney with global law firm White & Case says there are also precautions that businesses and service providers alike need to consider when adopting managed and virtualized services.

“Cloud computing doesn’t so much raise new issues so much as it creates carryover of historical issues,” said Daren Orzechowski, who handles cases involving information technology, as well as branding and licensing. Chief among those issues are security, legal access and data backup, Orzechowski said.

“Two issues immediately come to mind – who else can see my data and will I have a backup copy if there is a problem?” Orzechowski said. “These are very much the same issues that people have had in IT outsourcing such as software-as-a-service, or ASP [applications service provider] type delivery.”

Orzechowksi advices businesses to “do a lot of diligence around your vendor and their security protocols to know how your data is handled and that you can have control to step in and take your data if there is a problem.” As for service providers, Orzechowski said they need to make sure their policies and procedures are transparent so end-users can easily determine how their data is handled.

“I think on the vendor side, it is very important to spend marketing dollars showing people the security of your offer, that is the most important thing,” Orzechowski said. “Also, it’s important for the customer to have the ability to port data easily – so customer can take the data and leave.”

There is some industry movement to talk about standards for data portability, Orzechowski said, but it doesn’t exist yet, putting the burden on the customer to make sure that they aren’t trapped by an inability to port their own data from one managed service provider or cloud computing provider to another.

“The more people work on this up front and vendors see what customers want, the more they will work to develop a consistent solution,” Orzechowski said.

On the security side, service providers need to be transparent about the physical security they provide at data centers, regardless of where they are located, and about the degree to which hacking or other electronic threats exist, Orzechowski said.

One legal issue which can crop up as a result of data virtualization within data centers or cloud computing is the response to a subpoena when data isn’t centrally stored.

“I think what is making this a little bit more interesting from lawyers’ perspective is that when you use virtualization, you are not necessarily putting a specific customer’s data on one specific computer or server,” Orzechowski said. “That is very different from colocation, where your data is on sever number three. Your data now is spread across services. It’s like an apartment building where you don’t necessarily know what your neighbors are doing. If a subpoena is executed that requires the collection of physical hardware – does your data go along with it? These are things you have to work through. Larger vendors are already very hip to this.”

Similarly, companies opting for network-based storage of data need to be certain they meet requirements for the protection of that data for the legal time period required so that it can be produced in the event of legal action such as a lawsuit, Orzechowski said.

“In the event of court orders or requests – even if there is a government request – it is in the best interest of the vendor to have functionality in place so that if data is virtualized, they can pull together an instance or a copy of that account and isolate what is the subject matter of that request,” Orzechowski said. “This has to be done while preserving the confidentiality of other customers’ sensitive data. If you can’t provide the data, then it’s more likely the [legal entity is] going to take all the hardware, which is a terrible result from vendor side.”

If, on the other hand, the cloud computing provider has a reasonable solution that protects customers, the courts are likely to accept that, he said.