As an observer of the information technology and Internet industries for several decades, I watch with great amusement as new buzzwords surface for old IT concepts.
I was rewarded not too long ago, when the term “cloud computing” appeared on the scene. The technology concept behind cloud computing has been around for more than 50 years, and the legal issues are equally old. Those concerns remain unchanged, despite the new buzzwords.
Dartmouth Time-Sharing – 1964
Connecting to computers remotely (think connecting to a mainframe over telephone lines) has been around since at least 1964, but the current marketing buzz about cloud computing might make you think it’s something new. It’s just not true.
“Cloud computing” is merely the newest label for the 1964 remote computing service originally called “time-sharing” at Dartmouth College. Dartmouth “time-sharing” used General Electric 235 computers (and dumb terminals — teletype 33/34) over telephone lines. Since 1964, the same idea of using remote computing as “time-sharing” has been given a number of labels:
- Application Service Provider (ASP)
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
At a recent conference, I attended a panel discussion about cloud legal issues; however, not once did the panel ever refer to any of these prior names. In fact, the panel members acted as if the technology and legal issues raised by cloud computing were something new.
How the Big Internet Players Address Cloud Legal Issues
The major cloud providers include IBM, Microsoft, Amazon, Google and Salesforce.com. Their Terms of Service (ToS) are generally standardized for single and small users — however, major customers can and do negotiate their arrangements.
Small users have no choice. They have to agree to terms that are likely confusing without a lawyer’s help. For example, the standard legal terms of Amazon Elastic Compute Cloud (Amazon EC2) include seven different links:
- AWS Acceptable Use Policy
- AWS Customer Agreement
- AWS Service Terms
- AWS Tax Help
- AWS Trademark Guidelines
What Legal Terms Are Most Important?
If your company is using the cloud to store or access business data, and if you have the clout to negotiate, there are a few key issues you should address:
- How will you get your data when you are no longer happy using your cloud service provider?
Inevitably, each cloud customer will stop using its cloud provider at some point for some reason. When that happens, options are limited to 1) moving the processing back in-house and off the cloud; or 2) moving to another cloud provider. Cloud customers’ lawyers need to negotiate with their cloud providers to clearly define closure, including the data format and the cost for migration of the data to another location. Failure to address this could result in an expensive and painful migration, or in a business decision to stay put for lack of any practical ability to change. The situation is similar to the days when changing cell carriers meant losing your cellphone number, which made customers reluctant to switch.
- After termination, be sure the cloud provider deletes your data.
It is essential that the old cloud provider not retain the customer’s business data, such as accounting and customer data, and other business records. Deletion is even more important because of regulations related to privacy (including credit card information and/or HIPAA health data). The cloud provider agreement must clearly obligate the cloud provider to delete data from its system (including backups) after the customer has migrated away. Of course, the cloud provider should be bound to protect all confidential data at all times.
- Understand data backup obligations.
Speaking of backups, companies routinely create data backups, and cloud providers are no different. Therefore, cloud provider agreements must clearly delineate how customer data and systems are protected from disaster, including sharing where customer data is stored and how the customer can access that data if and when it is needed.
- Ensure protection of trade secrets.
If the cloud customer has trade secrets such as proprietary customer data or software, that customer must properly protect its data or software and have tangible evidence to prove in a lawsuit that it made appropriate efforts to protect those trade secrets. One of the best ways to prove that a trade secret has been properly protected is to show that only the trade secret owner can access the protected information. One solid way to do that is to have the ability to audit.
- Establish the right to audit cloud IT operations.
The Sarbanes-Oxley Act (SOX) requires publicly traded companies to comply with laws of the Securities and Exchange Commission (SEC) including the ability to audit and verify accounting data. In order to conduct a SOX audit of IT/Internet services, customers need audit rights in the agreement. For companies not covered by SOX, but for which a formal CPA opinion is required by stockholders, the right to audit the cloud provider is essential.
Each business has its unique requirements for using cloud services. Signing the standard cloud provider agreements may be convenient, but risky.
Any company using the cloud needs to properly protect its IT and data with a cloud agreement that is clear and specific to its own requirements.