The legal environment for Cloud computing is in catch-up mode relative to the pace of Cloud adoption. Many data privacy laws pre-date Cloud computing capability. Cloud computing now possesses new legal dimensions and dynamics that have not yet been fully tested, although the field is moving quickly toward consensus on standards, responsibilities, liabilities and universality.
It is new territory for legal considerations for both Cloud provider and client. One constant that affects legal considerations is that the threat landscape continually changes and evolves, and both parties need to work together to build the jurisprudence.
Server Cloud Canada is committed to, and currently exceeds, industry standards and ensures best practices when it comes to Regulatory, Compliance, Security and Data Integrity relative to the current legal framework. SCC is committed to contributing to the evolution of the legal protections of both CSP and client.
Cloud computing offers significant benefits to business and reflects the ongoing maturation of our digital economy. However, it is not without complication, especially in the context of civil and IP litigation, where Courts maintain adherence to evidentiary principles requiring the best evidence, continuity of evidence, preservation of evidence and the discounting of hearsay. Most often a third-party Cloud provider is not a party to a dispute or legal proceeding, yet it may have possession or control over key, or the only, evidence relevant to the case.
Cloud computing engagements entail risks not present in more traditional technology transactions. At the top of the list of unique Cloud risks are privacy, security, and regulatory compliance. Because of the nature of Cloud computing – wherein clients access and store data on a service provider’s systems across the public Internet – both parties are forced to confront these regulatory risks, whether they want to or not.
In Cloud computing the legal responsibility for data processing is borne by the user, who enlists the services of a Cloud service provider. The user is the data collector. As in all other cases in which a third party is given the task of processing personal data, the user or data controller is responsible for ensuring that data protection requirements are met.
What are the legal considerations?
There are four key issues:
- Security and Privacy
- Contractual Considerations
- Intellectual Property
- E-Discovery and Litigation
The new capabilities of Cloud, in particular the “multi-tenant” architecture (data stored on a virtual server that shares the same physical server with other virtual servers), can create new legal complexities in terms of both CSP and client responsibilities, liabilities, and regulatory matters.
Geographic distribution is now also a growing universal concern, for the Cloud knows no boundaries and, from a legal perspective, creates the multi-national factor: compliance with privacy, security, and regulatory laws is no longer a domestic matter. Trans-border laws on private information may trigger obligations.
The fact is that many countries may be involved in a particular Cloud provision. A customer in country A, for example, may use a SaaS offered by a provider in country B, who in turn acquires infrastructure capacity in countries C, D and/or E (depending on the current price of each). This naturally raises the question of how to deal with regulatory matters, liabilities, and ownership of failure. For example, EU rules are substantially more restrictive than rules from other countries, particularly the US.
Compliance covers a lot of ground, from government regulations such as Sarbanes-Oxley and the European Union Data Protection Act, to industry regulations such as PCI-DSS for payment cards and HIPAA for health data. You may have internal controls in place, but moving to a Cloud infrastructure platform, a Cloud-based application suite or something in between will mean giving up some controls to the cloud vendor.
The risk of intellectual property infringement: There are concerns regarding the intellectual property (IP) of any data that is outsourced to an external location, such as the Cloud. Liability may arise when copyright-infringing content is housed CS. In all the above, appropriate policies, procedures and training must be given to employees to ensure compliance. A Cloud computing operator may not always own the intellectual property rights in the software that is the subject of the Cloud-computing service. In this case, the operator will need to arrange for the right to sub-license the software to its customers, or for a direct licence to be entered into between the customers and the relevant third-party licensor.
Intellectual property indemnity: It is common in all IT contracts to include an intellectual property indemnity for the customer’s benefit in the event that a third party makes a claim that the use of IT products by the customer (particularly software) infringes the third party’s intellectual property. The inclusion of intellectual property indemnities in cloud-computing contracts remains important because customers have to rely on the Cloud computing provider to ensure that software licensing issues have been resolved so as to entitle the customer to use the software as part of the service. One of the benefits of Cloud-computing arrangements is that the burden of the upkeep of software licensing arrangements is generally lifted from the customer. However, if the arrangements are not properly made, the customer may still infringe the intellectual property of a third party even though it may have no knowledge of the infringement. Cloud-computing users need to be aware of the possibility of patent infringement through the use of cloud-computing arrangements. Patent protection is increasingly available for computer software in the US and in the EU. Where Cloud-computing arrangements are established on an international basis, the intellectual property indemnity needs to be wide enough to protect the cloud services’ customers in all jurisdictions in which the software will be used.
An issue with new technology is that the law is constantly behind. At Server Cloud Canada we ensure strict security and confidentiality in the protection of data and will work with our clients intimately to ensure that their most important Trade Secret properties and Intellectual ownership assets.
A trade secret is any information not generally known, that is economically valuable, and subject to reasonable efforts to maintain its secrecy. The heart of the trade secret’s value is its secrecy. A trade secret owner must take reasonable efforts to ensure the information’s secrecy. The company or individual must take actual efforts to protect the trade secret so that the trade secret is not lost through improper, illegal, or unethical means. The burden is on the trade secret owner to keep the information secret. Furthermore, the company or individual cannot expect others to hold a higher obligation to keep the information secret.
Trade secret law protects against misappropriation, i.e., the illegal or unauthorized acquisition, disclosure, or use of information. An issue with new technology is that the law is constantly behind. The use of Cloud computing raises several problems for trade secrets. Thus, placing confidential information in the hands of a third party Cloud provider seems contrary to maintaining secrecy.
Moreover, information placed into the Cloud increases the risk that the information will be accidentally or intentionally disclosed to third parties. One threshold issue is whether confidential information placed into the Cloud diminishes its status as protectable information. In other words, can trade secrets lose their protection in the cloud?
The answer may vary depending on the nature of the information and who places the information in the cloud. Courts have used six factors to determine whether a piece of information is secret. These comprise: (1) the extent to which the information is known outside the company, (2) the extent to which the information is known by employees and others inside the company, (3) the extent of measures taken by the company to protect the secrecy of its information, (4) the value of the information to the company and competitors, (5) the amount of time, effort, and money expended by the company in developing the information, and (6) the ease or difficulty with which the information can be properly acquired or duplicated by others.
Then there is the issue of “reasonable security” in the Cloud computing context, and potential liability arising out of security breaches in the Cloud. Generally speaking, if a company outsources the handling of information to another company, it may have some responsibility to make sure the outsourcer has some level of reasonable security to protect personal and confidential information.
Where is your data stored physically? Your data could be stored in any country and you may not even know where the data centre is situated. The ‘physical location’ raises the question of legal governance over the data. The customer must be clear as to the provisions of the prevailing law in that particular nation. If a dispute arises, what will be the place of jurisdiction? In case a conflict arises between the Cloud vendor and the customer (you), which country’s court system will settle the dispute?
Where the parties have not expressly chosen a legal system in their contracts: (a) contractual obligations will be governed in accordance with the law of the country in which the party who will perform obligations characteristic of the contract has its habitual residence or central administration. This will generally be the law of the place in which the cloud computing provider locates its servers; (b) where there are non-contractual obligations arising in civil and commercial matters between parties, the law applicable will be the law of the country in which the damage occurs or is likely to occur.
Cloud services usually involve multiple parties, which lets the onus and liability shift from one party to another. Liability and responsibility of subcontractors is often limited or disclaimed. The Cloud computing provider will seek to exclude all liability for content stored or posted on its services and will normally include a right in its standard terms to remove any data from its servers. This is because internet service providers can be liable for failing to take down offensive, defamatory or intellectual-property-infringing content, and Cloud-computing applications often blur the line between public and private networks. In these circumstances, corporate customers should seek an indemnity for any loss suffered as a result of material being unnecessarily deleted or moved and should look to impose a requirement to be notified in advance if any content is to be removed.
Utilizing the cloud can be problematic in the litigation context. First off, when litigation ensues and a litigation hold is initiated, the organization will have to deal with a third-party cloud provider in order to get at the information relevant to the litigation. It may not be easy for that provider to actually preserve the data that is needed, for several reasons. For example, an organization may be using a third-party software provider that itself utilizes a cloud platform. The data subject to the litigation hold therefore may actually reside in the cloud and may not be readily accessible to, or preserved by, the software provider. This could complicate gathering electronic evidence and responding to e-Discovery requests. Moreover, it could lead to spoliation of evidence.
Trans-border Data Flow
This sharing and transfer of data within the Cloud, and the inability of anybody to easily say where the data is or has been, is the key problem that creates legal issues.
Responsibility of Data
Systems are vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems.
When users make online use of software on a computer without a licence, they commit copyright infringement. The licences granted by cloud computing operators are usually very narrow and limited to use of the online application for the business's own purposes. Customers have no rights to make copies of, or modifications or enhancements to, the software, and they cannot sub-license to third parties. So the business, before accepting the software licence, must ensure that it can comply with its obligations and, if not, it must make the necessary changes to allow for sub-contracting or outsourcing.
Use of Open Source Software:
Although the use of open source software helps keep the costs down and many cloud computing operators build their services using such software, the open source software licences vary considerably and some require onward licensing of source code when open source is incorporated into other software or deployed in a hosted environment, which could have serious consequences for businesses. It is thought however, that pure cloud services are not considered to involve a conveyance according to the General Public Licence Version 3 and therefore code disclosure requirements should not be triggered. However, it is preferable for businesses to check this issue with their provider.
The standard terms offered by many cloud computing operators allow them to use any content stored on their servers. These licences are often expressed as being perpetual and irrevocable, often giving the cloud computing providers the right to pass the content to third parties or use it for the purpose of promoting the cloud computing service. This may not be appropriate for information such as personal data, third-party intellectual property rights or confidential information contained in or attached to e-mails. Customers should therefore take care in identifying and amending any rights they are agreeing to provide to the cloud computing operator before they sign the relevant contract.
Checks must also be made to establish which jurisdiction’s laws will apply in case of a dispute – the application owner’s, or the vendor’s head office, or the vendor’s data centre locations where the application and data are being kept?
Third Party Access:
The vendor may grant some privileged third parties access to your stored data. The identity of such parties, if any, must be disclosed to the customer. Here, the third party could be a legal authority or even an internal employee. The customer should always be informed before the vendor allows third parties to access the stored data.