Sunday, April 4, 2010

Cloud Computing: Still Foggy From a Legal Standpoint

By John L. Watkins

I have written previously about the "cloudy" nature of cloud computing from a legal standpoint. Last week, I attended a seminar on cloud computing that was attended by about fifty lawyers and some "techies" interested in technology and cloud computing. The consensus resulting from the seminar appears to be that, although the list of legal issues is becoming a bit more defined (and lengthy), there still are very few answers.

Why Cloud Computing? Cloud computing, which is often called "software as a service," involves providing software and storage remotely (in the "cloud," or at a server farm in a remote location), instead of maintaining the software and storage locally, either directly on a computer or on a server for a local area network. Although this definition is generally correct, you should be aware that there are many variants of cloud-based services and formats that are way beyond the scope of this post.

There are many theoretical advantages to cloud computing, at least from a technology standpoint. Because the software and and storage are maintained remotely, there is less hardware to buy and maintain and much less on-site maintenance. Software updates can be pushed out remotely and handled by the provider. Most services are available anywhere there is an Internet connection and a computer with a browser.

Most people probably already use cloud-based services, whether they know it or not. Facebook, LinkedIn, Plaxo and other social networking sites are cloud-based, with the services accessed through a browser and the information retained remotely. Services provided through Amazon.com and other vendors are cloud-based. Google services, such as the Blogger platform on which this post is being written, are cloud-based, as well as the suite of Google Apps (meant to compete with Microsoft Office). One of the most successful and well known cloud providers is Salesforce.com, which provides CRM (customer relationship management) software and services.

Cloud providers and proponents argue that the security of cloud-based services is probably at least as good as relying on a traditional local area network, if not far better. They also argue that the backup of cloud-based services is more automatic and reliable.

For many businesses, the most compelling reason to consider cloud-based technology is cost. Cloud-based services are typically competitively priced and substantially lessen, if not almost eliminate, expensive hardware and IT services.

The Legal Jungle. As compelling as the technical case for cloud computing services appears to be, the legal minefields are many. By way of full disclosure, I do not claim to be an expert on the many statutes that may apply to those considering cloud computing solutions. I know enough to say, however, that Congress (and some states) have adopted what is literally a crazy-quilt of statutes that potentially create substantial exposure and liabilities for users. Many of these statutes are designed to protect customers or clients from the disclosure or theft (for example, from hackers) of personal information.

Once again, good legislative intentions have created an uncoordinated nightmare of regulatory compliance. However, with the cloud, it does not stop at our border. Cloud providers may maintain server farms in other countries, potentially bringing international regulatory systems into issue. Questions are certain to arise over which country (or state) has jurisdiction over legal issues.

At the seminar, one of the techies in attendance commented that the legal issues could be largely resolved by the U.S. adopting European Union standards. I do not know enough about the EU standards to draw any conclusions, but it is virtually certain that the adoption of understandable international standards would simplify the issues and foster the adoption of cloud-based systems. Although this is a noble goal, it is frankly difficult to imagine that such a solution is viable in today's political environment.

One of the most troubling aspects of the legal jungle surrounding cloud computing is that the cloud providers are, as a general matter, unwilling to accept any contractual responsibility for loss of data or other potential nightmares associated with cloud computing. If cloud providers are really certain that their systems are robust, redundant and foolproof, then why do the legal terms and conditions disclaim responsibility at every turn?

Although it may well be true that the risks of data loss are greater with a traditional local area network, many businesspersons are somewhat understandably reluctant to "turn over the keys" to an off-site provider which may store critical data almost anywhere. And, as one prominent commentator has noted, if an IT department loses critical data, at least the business owner has the cathartic pleasure of calling in the IT director and giving him a pink slip.

At the seminar, the speaker commented that cloud providers are willing to negotiate terms for "large" customers, but are not going to do that "for someone who wants to spend $20,000 for services." This observation is probably dead on, but it provides little comfort for small or medium-sized business for which a $20,000 expenditure is significant. Ironically, many cloud providers target small and medium-sized businesses.

Any Way Out of the Legal Jungle? At the current time, I can offer no easy way out of the legal jungle for those considering cloud-based services. It is true that some aspects of the legal jungle affect any type of computer network. The adoption of cloud-based services, however, creates additional issues.

In a post on this blog last year, I commented that a provider willing to come forward and put its legal terms and conditions -- such as by guaranteeing compliance and against data loss -- where its technological mouth is could probably sell a lot of services, even at a premium price. If there is a provider out there willing to do this (and which has the financial muscle to back up any guarantee), please let me know, as I would love to hear about it.

On a related subject, I recently spoke to an insurance broker that is trying to put together an insurance product to protect companies against liability associated with data breach and other computer-related liabilities. If this product comes to market and appears promising, I will let you know about it in a future post.

Certainly, an insurance solution has some promise (assuming, of course, the insurer would actually perform, which is an absolute roll of the dice with many insurers). An insurer would have every incentive to develop and assist its insureds with risk management approaches that would boost compliance and minimize risk. Many small and medium-sized businesses simply do not have the expertise or resources to do this on their own.

Stay tuned.

1 comment: