Legal concerns curb corporate cloud adoption
By Howard Baldwin
December 3, 2012 06:00 AM ET
Why the Cloud Causes Trouble
Cloud computing is a relatively recent development and therefore an area where legal precedents are scarce. "People don't think about the legal issues because this is so new," says Barry Murphy, an analyst at Boston-based eDJ Group, a research firm that focuses on information governance and e-discovery. "There's no prescriptive case law, so there's a lot of trepidation" among lawyers anxious to both protect the company's data and remain on the correct side of government regulation, Murphy explains.
Case law is clear, however, when it comes to e-discovery in the cloud. "The courts say, 'If you're storing information, we expect you to produce it for litigation or compliance,' " says Murphy. "Most companies aren't smart enough to ask a service provider if they've mapped out a chain of custody for data. And a lot of CIOs don't know the implications of privacy and transparency laws."
Legal questions about the cloud are becoming an issue now simply because enterprise adoption of cloud computing is growing. The small and midsize companies that pioneered the move to the cloud were less likely to have legal teams waving red flags, industry watchers say. For one thing, they didn't have a lot of leverage when it came to negotiating the terms of contracts with vendors the size of Microsoft, Rackspace and Amazon. Moreover, they may have been more willing to overlook legal and security concerns because they were eager to embrace a new computing paradigm that promised to help them get applications up and running quickly.
Now that larger companies are considering cloud services, corporate lawyers are getting involved -- and they're rejecting some of the more egregious clauses of standard service-provider contracts. Forsheit, for example, frequently tells service providers that her clients won't blindly sign away protection. "I'm not asking them for unlimited liability," she says. "But if they want our business, they have to compromise."
Martin Fisher isn't a lawyer. But as director of information security at WellStar HealthSystem, a five-hospital group in Atlanta, he's familiar enough with healthcare regulations such as HIPAA to recognize problems in cloud contracts. Fisher looked at one well-known vendor's cloud-based email system before realizing that, in order to comply with HIPAA, he would have to sign what's known as a "business associate agreement" with any other entity whose data resided on the same system. Fisher killed the deal and went with a remote-hosting arrangement, where WellStar's equipment sits in a third-party data center.
Legal, Your New Best Friends
The CIO and legal counsel must recognize that they're on the same team.
"Both sides have to think of things from the other party's perspective," says Paul Lewkowicz, an intellectual property attorney at Daly Crowley Mofford & Durkee in Canton, Mass. "IT has to think about what happens when everything goes wrong. The lawyers have to remember that IT is there to make the business run. [The lawyers] don't want to say no. They want to know what can make the contract more acceptable."
IT should ask counsel to handle contract negotiations. "Negotiating is an art form, and lawyers are trained to do it," Lewkowicz says. "IT people think of contracts as a couple of pages of specifics and then boilerplate. But it's that boilerplate that saves everybody's bacon when something goes wrong."
While it's important that the CIO and corporate counsel have a good relationship, it's even more important that they bring together a team to pore over the agreement and ensure that all issues are covered, says Thomas Trappler, a Computerworld columnist who teaches a cloud computing course at the UCLA Extension school. Admittedly, this may seem counterproductive, because one of the benefits of the cloud is to make IT deployments quicker and easier, but it's worth the time, Trappler insists.
After IT and legal work on a few cloud contracts together and get some experience hammering out terms, the process should get easier -- in theory.
The Right Cloud Questions to Ask
"Lawyers balk at cloud computing contracts because they don't have all the facts. Until they have all the facts, the lawyer can't give you legal advice," observes "David Wells" (a pseudonym for a Fortune 500 corporate counsel who requested anonymity).
He notes that cloud questions should seek the same information journalists are supposed to gather: who, what, where, when, why and how? Wells and other lawyers suggest asking these questions:
Why are we thinking of a public cloud? What are the trade-offs vis-a-vis storing the data on-site?
What kind of data are we putting in the cloud? Is it personally identifiable or sensitive?
Where are the servers located? What privacy laws govern those jurisdictions?
How is the data stored and transmitted? Will it be encrypted?
Who has access to the data? How is it physically protected?
How quickly will we be notified if there's a breach?
— Howard Baldwin