
Legal Considerations in Cloud Computing

James Clessuras

Partner
Wilson Sonsini Goodrich & Rosati
1700 K Street NW, Washington, DC 20006
Tel: (202) 973-8830; Fax: (202) 973-8899
jclessuras@wsgr.com

20 October 2011
Agenda
• Overview of Cloud Computing and Key Issues
• Intellectual Property and Cloud Computing
• Privacy and Security in the Cloud
Overview of Cloud Computing and Key Issues
NIST* Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand
network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned
and released with minimal management effort or service
provider interaction.

* NIST is the federal technology agency under the Department of
Commerce that works with industry to develop and apply
technology, measurements, and standards.
The NIST Cloud Definition Framework
• Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
• Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
Examples of Cloud Computing
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Comparison to Similar Models
• Software Licensing – Software installed locally within the
enterprise on owned or leased hardware; maintenance
and updates charged separately
• SaaS (Software as a Service) – Considered to be a form of
cloud computing; hosted software applications with
maintenance and updates included in monthly fee
• Outsourcing – Services highly customized; dedicated
computing resources; may involve asset transfer; requires
a longer-term contract with the provider
• i.e., an evolution rather than something new
Advantages to the Cloud Computing Model
• Reduced cost/efficiencies
• Scalability/flexibility
• Access to new developments
• Reduced capital expenditures (hardware and
software)
• Predictable costs
• Accessible across different devices
• Uniform, high-end security
Tradeoffs with Cloud Computing Model
• Data security & privacy concerns
• Lack of ability to customize
• Inability to negotiate contract terms
• Lack of control
• Jurisdictional issues
Key Terms of Cloud Computing Agreements
• Service level parameters; service-related warranties
• Security commitments
• Responsibility for data backup
• Data location and notification of changes
• Use of data by service provider
• Notification of privacy and security breaches, government
inquiries and third party subpoenas
• Export controls compliance
• Liability for data loss/liquidated damages
• Use of subcontractors and third party service providers
• Transition assistance - especially re data
Intellectual Property and Cloud Computing
IP Issues in Contract
• Economics don’t lend themselves to Provider taking on
risk
• Provider often won’t provide IP indemnification (often
requires IP indemnification from the customer)
• Usually a low-risk issue
• Provider doesn’t transfer IP rights (may not even need
to grant IP licenses)
IP Issues in General
• Protection of Trade Secrets
– Trade Secrets require owner to use “reasonable
measures under the circumstances” to protect
confidentiality of its trade secrets
– Is placing sensitive data in the “cloud” with often limited
contractual protections and controls “reasonable” under
the circumstances?
IP Issues in General – cont’d
• What to do?
– Self Help vs. Contract
• Self Help
– Limit sensitive data
– Encryption
– Disperse information
– Recovery of Data
– Choice of Provider
• Contractual Protections
– Clear standards of care
» SAS 70
– Audit
– Liability and Indemnification
Patents
• Question of enforcement of your Patents against
Infringers in the Cloud
– Infringement requires practice of all claims of a patent
– Patented process may not be performed in one place or
even one country
– Need to consider when drafting patents how practice of
invention in the cloud can be protected
– Bilski (US Supreme Ct. case) may limit issue
Privacy and Security in the Cloud
Unique Advantages Create Novel Privacy and Security Risks
Advantages:
• “On-Demand” Access
• Scalability
• Flexibility
• Collaboration
• Cost-Savings
Risks:
• Data flows to unauthorized parties
• Corruption or contamination of data
• Security breaches
• Liability under many jurisdictions’ privacy laws
What’s all the Fuss About?
“…Storage of data on remote computers may…raise
privacy and security concerns for consumers.”

- David Vladeck, Director, Bureau of Consumer Protection,
Federal Trade Commission (FTC), 2010
Consumer Concerns
• Private agreements between users and cloud providers are
the primary (and limited) means of protection, and these
terms can be changed at will.
• Risk of losing data in the cloud when companies don’t take
adequate measures to back-up data.
• Centralization of user data with a few cloud computing firms
creates unique privacy risks.
• Gov agencies and private litigants may obtain information
from cloud provider more easily than from original creator.
• Consumers lack enforceable remedies against providers who
suffer a breach.
• Cloud networks are “high end” target for hackers.
Business Concerns
• Data may be transferred to locations around the world
without your knowledge, or may be stored in multiple
locations at once.
• Government entities and third parties may try to obtain user
data from cloud provider, which may not have same
incentives to prevent disclosure of data to other parties.
• Necessity of ceding control over data security creates more
vulnerabilities.
• Data destruction and data retention complicated in the
cloud environment.
• Risk that catastrophic failure in cloud causes data loss.
Patchwork of U.S. Laws Applicable to Cloud Computing
• Electronic Communications Privacy Act (ECPA)
• Patriot Act
• Sector specific laws:
– Health Insurance Portability and Accountability Act (HIPAA)
– Gramm-Leach-Bliley (GLB) Act
• State Information Security Laws
• State Breach Notification Laws
• Federal Trade Commission (FTC) Act
International Framework
• Data subject to laws and legal processes of jurisdiction in
which it is stored or passes through, regardless of whether
there are other contacts with that jurisdiction.
• Once under regulatory control of a particular jurisdiction,
moving data across borders may violate data transfer
restrictions.
• Potential conflicts between the law governing a contract for
cloud services and the law of the jurisdiction where the data
resides. E.g.:
– E.U. Data Protection Directive
Practical Advice:
Protecting Against the Risks
Managing Privacy and Security Risks
• Diligently select an appropriate cloud provider.
• Implement security standards and privacy
requirements in contract and operational plan.
• Actively monitor performance and adherence to
standards and process.
Key Privacy and Security Issues in Contracting
• What is nature of the data collected?
• Where is the data collected?
• Where is the data stored?
• Who has access to the data?
• What data security measures are in place?
• What are the risks of a security breach?
• What additional jurisdictional liability results from using
the cloud computing services of a particular vendor?
Safeguarding Privacy and Security
In reaching an agreement with a cloud provider, consider:
• Security protocols to be used by cloud provider
• Uses of data by cloud provider, if any
• Backup and recovery procedures and responsibilities
• Procedures for Third Party access
• Notice about location of cloud provider’s servers
• Limitations on where data can be transferred
• Plan for termination of cloud agreement
• Compliance with applicable laws and regulations
Questions?
Thank You
