Last year, a global food manufacturing and distribution company set out to move its HR talent management processes to a software-as-a-service provider. But as attorneys for the food company reviewed the proposed contract, they found some potentially serious legal land mines.
For starters, the SaaS provider had operations in the U.S., Europe and Canada. "Europe and Canada are two jurisdictions that heavily regulate [the use of] personal information. Since this was an HR system, there would be a lot of personal information," recalls Rebecca Eisner, an attorney specializing in outsourcing who represented the food company.
The provider also wanted the flexibility to move the company's information to data centers anywhere in the world, and that would subject the company to the laws of whatever country the data passed through or landed in.
But there was no turning back. The company was as smitten with the SaaS application as it was unaware of the legal risks. After two months of negotiations, the two sides agreed on a contract.
"The [SaaS provider] didn't want to admit their lack of sophistication on these issues. But they understood where we were coming from," says Eisner, a partner in the Chicago office of the law firm Mayer Brown. "Ultimately, they understood that if they were going to get [the food company] as a customer -- and other global companies in the future -- they needed to provide these kinds of minimum protections. So they went along with it."
If you're operating in the cloud or plan to move there soon, here are five areas of legal risk that you shouldn't ignore.
Health Insurance Portability and Accountability Act (HIPAA) requires companies that disclose personal health information to third parties to enter into "business associate agreements." These contracts stipulate how the third parties should handle such data. "A lot of people don't think of that requirement when they're doing cloud computing -- they don't think of it as 'disclosing information' to a third party, but in fact it is," says Polly Dinkel, an attorney at Sideman & Bancroft in San Francisco.
Similarly, the Gramm-Leach-Bliley Act requires financial institutions to enter into contracts with third parties with whom they share their customers' personal information, in order to ensure that the third party stores the data securely. "There has to be a contractual requirement to implement and maintain that kind of safeguard," Dinkel adds.
Executives of financial institutions can be held personally liable for failure to meet those requirements in cloud deals, she says.
The tricky part is knowing exactly where all the cloud providers' data centers and subcontractors are located, says attorney Dan Masur, a partner at Mayer Brown. He says the Sarbanes-Oxley Act requires the original owners of the data to know where the data is and maintain control of it in the cloud.
As Masur puts it: "You have data moving all over the world to wherever [the cloud provider] has capacity. It's not just the provider, but a whole web of subproviders and subcontractors and platforms. Where exactly is it at any moment in time? How many countries is it hitting and thereby [subject to] the laws of those countries? Even if you have a contract in place with the provider, can you really be sure they have flow-down clauses that apply the contract terms to this web of subcontractors?"
Customers need to insist that the subcontractors be identified and that contract terms apply -- or "flow down" -- to them, Masur says. The good news is that some major cloud providers will offer U.S.-only public clouds, as well as assurances that the relevant terms of the contract have been applied to subcontractors.
At Schumacher Group, a Lafayette, La.-based healthcare company, about 80% to 90% of IT processes are hosted in the cloud through 12 different service providers.
"All of the vendors we select must have HIPAA policies and compliance in place," says CIO Douglas Menefee. He also requires cloud providers to sign a business associate agreement that says vendor employees can only look at information that is relevant to their jobs, and only when necessary.
2. Cross-Jurisdiction Compliance
Gartner's Global IT Council for Cloud Services -- a group of CIOs trying to hammer out standard ways of working in the cloud -- complains that "service providers have not done a good job of explaining which jurisdictions they put data in and what legal requirements the service consumer must therefore meet."
The group's manifesto says cloud customers have "the right to understand the legal requirements of jurisdictions in which the provider operates." Otherwise, if the cloud provider stores or transports the customer's data in a foreign country, "the consumer becomes subject to laws and regulations it may not know anything about," the council says.
For example, the European Union has some of the strictest privacy laws in the world -- and complying with those laws gets more complicated in the cloud.
Transferring data out of the EU is prohibited unless the EU deems that the receiving country has "an adequate level of protection" -- and very few countries meet that requirement, says Dinkel. "That's definitely a concern if you have servers in this country with data related to an EU person and are moving the data from one server to another," she says. "Some providers have segregated clouds for EU data to get around this problem."
European regulators are now examining cloud computing to try to figure out how the new technology fits its existing framework for regulating the use, collection, storage and transfer of personal data. Dinkel says cloud computing users can expect to jump through extra hoops. For example, they may have to obtain special approvals and file reports with European data protection authorities detailing plans for the use and storage of data.
Cloud users should also know that the location of the provider or its servers could determine where a lawsuit would be brought if a problem arose. "You may find yourself defending an action in another state or another country, depending on where your provider is located," Dinkel says.
Schumacher Group's cloud contracts require that data be stored at centers inside the U.S. "It doesn't make sense for them to store our data overseas," Menefee says.
3. Search Warrants
One of the scary features of public clouds is that data from multiple customers may be kept on the same server, says Dinkel. "If the provider gets served by a warrant with regard to one customer, and a number of other customers' data happens to be on the same server, all that data could be seized and become inaccessible to the company that was not the intended target of the search," she explains.
Commingling of data was a serious problem in 2009, when the FBI raided two data centers in Texas as part of an investigation involving a specific data center customer. FBI agents seized about 220 servers, as well as routers, switches, server cabinets and even power strips. Press reports indicated that the seizure resulted in millions of dollars in lost revenue for the data center. It also put many of the data center's customers out of business or at risk of closure, according to reports.
How do you mitigate such risks? A private cloud can certainly eliminate commingling. If that's not an option, get assurances from the cloud service provider regarding how customer data is partitioned, so that a search warrant and seizure doesn't affect your data.
A data owner who is sued has an obligation to preserve any information that's relevant to the litigation and to collect it for legal discovery purposes. The requirement to preserve data applies if the data is in your "custody, control or possession." And for cloud customers who own data, "it's pretty clear at this point that if it's in the cloud, it's still considered to be in your custody, control or possession," says Dinkel. So if the vendor doesn't preserve it or can't produce data before the discovery deadline, then the cloud user "can be sanctioned for that," she says.
What's more, the opposing party can go directly to the cloud provider to find relevant records. "The data owner loses control of the situation at that point," Dinkel says.
Complicating matters further, cloud providers have different storage procedures, and if data isn't mapped properly, retrieving it could be difficult and expensive.
When an e-discovery request lands at your door, you must be able to produce documents in a timely manner. If you can't, you could face heavy fines (in one case, the proposed fine was $50,000 per day). What's more, companies may have to go back three to five years for relevant data because cases can take years to reach the courts.
Big cloud providers are aware of the need for prompt action on e-discovery requests, and they're often able to track and retrieve data quickly by maintaining the original metadata attached to the records.
Lawyers say cloud contracts should require vendors to maintain metadata for easy retrieval and compel them to meet deadlines for producing electronic documents when requested.
5. Data Security
Methods for protecting data in the cloud, such as encryption, are well documented. But there are also risks associated with having all of a company's records in one location, where they would provide hackers with a tempting smorgasbord of information. Some cloud providers are already addressing that risk.
The security model for Google Apps, for instance, allows stored data to be separated at the bit level and distributed to multiple sites across the country. "We found that intriguing," says Menefee, a Google Apps user. "If they had a breach, the [hacker] would only have components, pieces of a giant puzzle."
Another question: Who pays for costs associated with a security breach in the cloud? "You want [the service provider] to be paying for it -- because it may be something on their end that caused the breach," says Dinkel.
In many states, an organization that's storing customer data in a public cloud is responsible for notifying its customers in the event of a data breach at the cloud vendor. "But you may not know in a timely fashion if there's been a breach," unless timely notification is required in the contract, she says.
Menefee includes security-related clauses like that in all of Schumacher Group's cloud contracts. "If there is a breach, it's their responsibility, not ours," he says.
Risks are always changing, and it's important to consult with legal counsel when contracts are up for renewal to make sure new issues are addressed. For example, Menefee plans to add exit clauses to future contracts to protect Schumacher Group if a provider undergoes a change of ownership.
"That was kind of an 'Aha!' moment in the past six months. There's going to be a huge consolidation, I believe, inside the cloud marketplace. I'm looking for the ability to exit out of contracts" if there's a change in ownership or a service provider fails to meet the service-level agreement during a changeover, Menefee says. "For me, it's going to become part of our standard governance."