Cloud computing: Expert legal advice from Milton Petersen
Posted by Christine DeFazio on Mon, Mar 21, 2011
Beware of the Legal Risks of Cloud Computing
Article by featured guest Milton L. Petersen of HunterMaclean
As companies struggle to deal with this sluggish economy, "cloud computing" is often perceived as an easy, efficient way to quickly reduce information technology costs. However, before heading off into the cloud, companies should be aware of the serious potential legal risks and implications of cloud computing.
"Cloud computing" can be defined in countless different ways, but it generally refers to the use of remote computer networks or resources operated by third parties to process, store, and manage data. There are also countless different cloud service providers, but some of the largest include Amazon.com, Google Inc., and Microsoft. While particular service offerings also vary, these large service providers basically provide computing services on almost a commoditized basis - much like a utility company provides electricity, gas, or water.
Potential cost savings is one of the most attractive perceived benefits of cloud computing. However, at least from the point of view of legal protections, one can't help but be reminded of the old adage that "you get what you pay for."
The form contracts or terms that cloud service providers typically offer (especially in online, "click-through" agreements) are generally quite one-sided and contain few, if any, terms to protect their customers from potential legal risks and liabilities. Only large companies will likely have the leverage to negotiate material changes to those terms. Small companies will often be faced with a "take it or leave it" situation.
Some of the most significant legal risks regarding cloud computing relate to what data will be entrusted to the cloud service provider. Companies should be especially wary if they will be storing personal or individually-identifiable information (such as customers' names, addresses, credit card numbers, etc.) on the cloud service provider's computing resources, the location of which may be unknown or subject to change.
Data privacy and security continue to become increasingly important societal concerns, and nearly every state in the U.S. now has a law that requires notification of affected individuals in the event of a security breach involving unencrypted personal information. Companies in certain industries, such as healthcare, finance, and telecommunications, are subject to additional regulations regarding the use and disclosure of personal information. Further, if information on individuals from outside of the United States is involved, stiff privacy laws of other countries (such as the member states of the European Union) may apply.
A cloud computing customer loses physical control over its data by storing it in "the cloud," but it remains legally responsible for what happens to the data. The potential liability that a company could face in the event of a security breach by a cloud service provider (not to mention reputational damages) could be quite high. And the limitations of liability in the form contracts typically offered by cloud service providers not only broadly exclude recovery of the types of damages most likely to be suffered as a result of a security breach (i.e., incidental and consequential damages) but also cap the total damages that can be recovered at a relatively small amount. Thus, the legal recourse that a company may have against its cloud service provider in such a situation could be severely limited.
Companies should carefully weigh the advantages of entrusting sensitive or personal information to cloud service providers. At the very least, before entering into a cloud computing arrangement, a company should conduct "due diligence" with respect to the prospective cloud service provider and its operations, investigating, for example, where the provider's data centers are located, the types of security measures employed by the provider, whether the provider will commit to third-party security assessments, compliance with third-party security standards, or the conducting of security audits, whether data will be returned at no charge in some industry standard form, etc. Companies should also carefully review the standard contract terms offered by prospective cloud service providers and determine whether negotiation of those terms is possible.
As the information technology age continues to mature, the prevalence of cloud computing is likely to increase. But before joining this trend, make sure that you are aware of the potential risks. Don't get lured in simply by the promise of a silver lining.
____________
Milton L. Petersen is a partner with HunterMaclean’s Information Technology Practice Group. He can be reached at 912-238-2629 or mpetersen@huntermaclean.com.