As cloud computing becomes more prevalent, the two groups can find themselves at loggerheads -- though both, in truth, are striving to serve the business.
As an IT leader, how can you come to terms with your legal counsel? How can the two of you, or the team of you, work together to make your company's transition to cloud computing fruitful rather than fretful? The process is fairly simple, cloud pioneers say: It involves asking lots of questions and exercising a healthy dose of due diligence -- all of which can lay the groundwork for future teamwork in the cloud.
Why cloud computing causes trouble
Cloud computing is a relatively recent development and, therefore, an area with scant legal precedence. "People don't think about the legal issues because this is so new," says Barry Murphy, principal analyst for Boston-based eDJ Group, a research firm focusing on information governance and e-discovery. "There's no prescriptive case law, so there's a lot of trepidation" among lawyers anxious to both protect their company's data and remain on the correct side of government regulation, Murphy explains.
Case law is clear, however, when it comes to e-discovery in the cloud. "The courts say, if you're storing information, we expect you to produce it for litigation or compliance," says Murphy. "Most companies aren't smart enough to ask a service provider if they've mapped out a chain of custody for data. And a lot CIOs don't know the implications of privacy and transparency laws."
Legal questions around the cloud are becoming an issue now simply because corporate cloud computing is increasing in popularity. The small-to-midsize companies that led the charge never had a lot of influence over the contracts involved with public clouds offered by service providers the size of Microsoft, Rackspace and Amazon, industry watchers say, but they could see the value of cloud computing in terms of getting applications up and running sooner. They may also been less likely to have a legal team waving caution flags.
Now that larger companies are considering those services, corporate counsel is getting involved -- and putting the brakes on some of the more egregious elements of the standard service-provider contract. Forsheit, for example, frequently tells service providers that her clients won't blindly sign away protection. "I'm not asking them for unlimited liability. But if they want our business, they have to compromise."
Martin Fisher isn't a lawyer, but he's familiar enough with HIPAA regulations to recognize problems early on. Fisher, director of information security for WellStar HealthSystem, a five-hospital group in Atlanta, looked at one well-known vendor's cloud-based email system before realizing that in order to be in HIPAA compliance, he would have to sign what's known as a "business associate agreement" with any other entity whose data resided on the same system. Fisher killed the deal and went with a remote-hosting arrangement, where WHS' equipment sits in a third-party data center.