Cloud computing has become an increasingly popular option for businesses to cheaply and efficiently manage their data systems. Businesses interested in utilizing these services should be cautious, however, when entering into agreements to use these services. Just like with any corporate transaction, the contracts and agreements for cloud services must be drafted effectively so as to mitigate business risks to the greatest extent possible.
In Part I of our cloud-computing blog series, we addressed some of the privacy and security concerns of which businesses should be aware and offered guidance on the steps they should take to mitigate risks to their businesses and stored data.
In Part II of this series, we take a close look at some of the jurisdictional issues that may arise in cloud-computing agreements, as well as the rights and responsibilities the cloud-service provider has, or may have, in a subscriber's data.
1. Jurisdictional Issues in Cloud Computing
As recently as a few years ago, if one company shared computer files with another company under a data sharing agreement, it was reasonably certain that those data files would be physically stored somewhere. The files would be sent by CD, thumb-drive, or some file transfer protocol (FTP) from computers physically residing in one location to computers physically residing in another location. It was easy back in the “old days” to say that a Data Sharing Agreement was governed under Florida law, for example, because the files were actually located in Florida. As a result, jurisdiction of Florida courts over those files was never an issue.
We recently concluded a major merger and acquisition transaction in which a company's data located in the Cloud was sent via file transfer software (also resident in the Cloud) to a recipient Company which was also storing the data in the Cloud. On a conference call we discussed jurisdiction over the data between the Florida corporation and the Delaware LLC. The Chief Information Officer (CIO) of the Delaware company remarked, “State jurisdiction, what a quaint concept.”
To be sure, the advent of cloud computing raises a bevy of data location and cross-border issues of which companies need to be aware when entering into cloud-computing agreements. The nature of subscriber data and the physical location of its processing may expose subscribers to litigation and will dictate what legal obligations (and possible remedies) prospective subscribers may have.
For example, one of the most important questions that subscribers can ask their cloud-service providers is whether they employ servers in foreign countries for cloud services. Cross-border data flow issues are not new; in a cloud-computing context, however, they are magnified because of the free-flow nature of the technology. Under the European Union (“EU”) Data Protection Directive, the movement of personal information of EU residents to countries outside of the EU can constitute a violation of EU law. Canada has similar data transfer provisions. Under the United States dual-use export control regime, the Export Administration Regulation (“EAR”), companies may unintentionally subject themselves to liability for export violations by transmitting sensitive technical data to foreign servers.
Furthermore, processing data in an unexpected country may expose subscribers to legal risks and subject them to different laws and regulations that could otherwise have been avoided on a jurisdictional basis. Many foreign companies are aware of this and purposely maintain their data outside of the United States to avoid the U.S. Government's compelled-disclosure provisions of the PATRIOT Act.
The previous examples illustrate how important it is for subscribers to be aware of the possible consequences that can stem from trans-border data flow. Below we have provided a few steps that subscribers can take to help insulate themselves from possible jurisdictional troubles:
The subscriber should require its cloud-service provider to reveal the physical location of all servers that will be processing the subscriber's cloud data and to provide reasonable notice of any changes.
Some cloud-service providers may not be able to provide server location information because they lack the infrastructure or resources to track it. We strongly suggest that subscribers avoid working with a cloud data provider that can't provide this information, especially if the information to be stored is sensitive customer information.
Finally, the subscriber should also require the service provider to collaborate with the subscriber to ensure compliance with local laws and restrictions stemming from the transfer of data from one jurisdiction to another. Compliance provisions covering all possible jurisdictions, and covenants not to allow data to stray outside of the disclosed jurisdictions, should be the norm in cloud-based service agreements.
2. Cloud-Vendor Rights in Data and Service Level Agreements
The Service Level Agreement (“SLA”) is an ancillary component of most cloud-based service agreements. SLAs typically function as an outline of all of the cloud-service provider's access and availability commitments. A good SLA will formally define the level of service by providing quantifiable target performance levels, operational requirements, and cloud-vendor responsibilities. SLAs also define technical terms and very often delineate the cloud-service provider's rights in the subscriber's data.
This is a critical component of the SLA. Without realizing it, a company can allow a service provider to access (and potentially use) subscriber data. Because of this risk, it is advantageous for subscribers to tailor the SLA as narrowly as possible to limit cloud-vendor rights to utilize data outside of the subscriber's business requirements.
Subscribers should also limit the cloud provider's use of third-party platforms whenever possible. While the subscriber and service provider may have well-crafted non-disclosure, confidentiality, and data security provisions in their agreement, cloud agreements very often do not restrain the service provider's right to use third parties for data storage, back-up, and other technical services. In fact, in the cloud environment, the use of third-party services is ubiquitous. Google, for example, describes itself as a “data processor” and uses “agents” to perform other functions.
Whenever third parties are involved, the subscriber and data provider need to address the applicability of the service agreement to those third parties as well as any prospective liability and service failure issues that may arise. By carefully negotiating and drafting this portion of the agreement, subscribers can significantly mitigate risks associated with the potential unauthorized use of their data.
A cloud-service provider may also create and incorporate additional code in an attempt to provide customized solutions for its subscribers. It is prudent for subscribers to specify clearly the ownership interests in and to any intellectual property created in the course of the agreement. Following the cloud-service agreement negotiations, both parties should know whether any resulting intellectual property is maintained and owned by the cloud-service provider or by the subscriber as work for hire.
In the third and final installment of the cloud-computing blog series, we will discuss cloud-based data retention and termination issues. We will also address how business customers should protect themselves from issues that can arise when a prospective cloud-service provider transfers ownership of a customer's data through a merger or sale of the cloud-service provider's business.