"Cloud Computing: Understanding Security and Jurisdictional Issues"

by Skadden, Arps, Slate, Meagher & Flom LLP


[author: Stuart D. Levi]

Few topics in the recent history of information technology have garnered as much attention as cloud computing. To some, it is a revolutionary and far less expensive approach to the provisioning and use of computer services. To others, the concept of storing a company’s data on servers operated by a third party or using remote applications hosted on a third-party platform is not new, and there are many who assert that this is merely a marketing phenomenon. However, there are some important differences with the current proliferation of cloud computing.

First, there is an increasing number of applications available for remote access on an as-needed basis, including applications that companies traditionally purchased and stored on their own computers. Second, there has been a significant proliferation of companies offering remote storage services, including many that cater to small-to-midsize companies. Finally, and perhaps most importantly from a legal perspective, cloud computing has become a globally provided resource. As a result, a U.S. company that retains a cloud provider might find that its data is stored on computers located in multiple countries, and that such data is constantly “on the move.”

‘Private’ Versus ‘Public’ Clouds

As with many IT solutions, cloud computing comes in a few different forms, and the form that a company selects will have important ramifications for the business and legal issues it must consider. “Private clouds” offer a dedicated hardware environment for the customer that is not shared with any of the vendor’s other customers. This model offers more modest economies of scale, but nonetheless provides many of the same scaled-resource capabilities offered by public clouds. In certain cases, the private cloud customer also can dictate in which country (or countries) its data will be hosted. This allows a customer to avoid situations where its data is being hosted in a country that the customer considers high-risk (e.g., for security or regulatory reasons). “Public clouds,” in which resources are provided on a shared, self-service, “pay-as-you-go” basis, can deliver the best economies of scale, but the shared infrastructure model can limit customization and may not offer adequate security for customers storing highly sensitive data. “Hybrid clouds” are a combination of public and private clouds in which users protect their most highly sensitive information on a private cloud but store less critical data on the vendor’s public cloud. This allows a customer to take advantage of the security of a private cloud when necessary and enjoy the cost savings of a public cloud when appropriate.

Data Protection

The first issue that companies need to consider when determining whether to use cloud computing is security. Most security experts note that cloud computing provides an enticing target for hackers since so many different companies’ data may be stored in a single location. In addition, since security is only as strong as the weakest link, grouping companies together may mean that all are exposed to the security protections of the weakest customer. In general, companies should analyze carefully the type of data they plan to store in a cloud, and whether the security protocols followed by the cloud provider meet the company’s vendor requirements. While cloud providers can tout a more secure environment than those offered by their customers, they often are making this comparison against small or mid-sized companies that cannot afford robust security protection on their own. Large companies may find that the security offered by certain cloud computing providers falls short.

Jurisdictional Issues

Companies also need to consider the jurisdictional issues presented by cloud computing. Unless the company uses a private cloud solution in which it can specify where its data is to be stored, companies should expect that their data may be stored in countries where they currently do not do business. As a result, potential cloud customers often question whether using cloud computing will mean that they are “doing business” for jurisdictional purposes in all countries where their data is being stored. To date, no court has addressed this issue, and it would seem difficult to find that a company is doing business in a jurisdiction simply because a third-party vendor is storing its data in that country.

The jurisdiction issue that has received the most attention has been the potential application of the U.S. Patriot Act to foreign companies that use a U.S. cloud provider. The argument is that under the Patriot Act, the U.S. government has the authority to subpoena data from any entity that has (i) “minimum contacts” within the U.S. sufficient to establish personal jurisdiction; and (ii) “possession, custody or control” of the data in question, regardless of whether such data is located within the U.S. or elsewhere. The use of the “possession, custody, or control” terminology is viewed by some as giving the U.S. government broad latitude to subpoena cloud data stored in the United States. Their argument is that a cloud provider located in the U.S. satisfies the minimum contacts test and has possession of data (even though the data belongs to the third party).

The power afforded the U.S. government under the Patriot Act is not unlimited. Governmental authorities may access data pursuant to the Patriot Act only to (i) “obtain foreign intelligence information not concerning a United States person;” or (ii) “protect against international terrorism or clandestine intelligence activities.” Therefore, the Patriot Act may not be used as a means to access data for the purpose of simply investigating business activities. Moreover, the U.S. State Department has stated that the risk that the U.S. government would obtain cloud-based data through the Patriot Act has been overstated. Indeed, many argue that this concern has been raised by non-U.S. cloud providers to provide themselves with a competitive advantage. Nonetheless, the U.S. government has yet to take a definitive stance on this issue. To that end, a 2011 cloud computing report signed by a coalition of 71 experts from companies such as Microsoft and Amazon has urged the Commerce Department to conduct a study of the Patriot Act in relation to cloud computing.1

Overall, cloud computing can provide companies with significant cost-savings and efficiencies. However, unlike other IT solutions, cloud computing can present legal risks that should be carefully considered with the company’s legal department or outside legal counsel.


1 To download a copy of the report, visit http://www.techamericafoundation.org/cloud-commission.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising
