Robert J. Kerwin, Esq. and John D. Finnegan, Esq.

"Cloud Computing" has recently become the catchphrase of those who look to this evolving area to assist their businesses in lowering technology budgets and operating costs.  All manner of business is being conducted.  Even recording studios are operating in the cloud.  Indaba Music, a music social network company, recently launched a web based media recording studio.  World renowned cellist Yo Yo Ma reportedly posted a music track and subscribers recorded their virtual duets.¹  However, many CIOs and IT professionals have urged caution, in light of the increased risks associated with entrusting your company’s data and software to a third-party.  As will be discussed below, a number of legal risks are also associated with the delegation of data and technology infrastructure to a third-party vendor.

Are the benefits real?  Many executives point to Cloud Computing to reduce the costs and space limitations of on-site data management and storage, as well to avoid the costs associated with upgrades to their technology infrastructure.  The good news is that the rewards are indeed real and measurable.  Some of the specific benefits to Cloud Computing include:

Cost Management: Cloud Computing offers enterprises the ability to significantly increase their infrastructure through programs such as “Infrastructure as a Service,” “Platform as a Service,” and “Software as a Service” without the large expenditures required for the purchase of “traditional” IT solutions.  The notion of little or no up-front capital expenditure reveals why Cloud Computing is an attractive avenue for businesses who are trying to do more with less.

Accessibility: Another attractive aspect of Cloud Computing is the lack of long delays in implementing a specific Cloud service.  The timeframe for “traditional” hardware and/or software installations or upgrades are often measured in weeks – and sometimes months.  Cloud Computing service programs can often be implemented in a matter of days, providing the corporate customer with immediate accessibility to the program.

Increased Productivity: The outsourcing of data management services allows enterprises to concentrate on actually doing business, rather than running their business.  Freeing enterprises from the day-to-day requirements of maintaining their technology infrastructure allows businesses to concentrate on expanding, rather than simply maintaining their business.

Disaster Preparedness: Cloud Computing allows enterprises significant security from disasters, whether localized to the business location, or to the general business area.  Utilization of one or more of the Cloud programs means the ability to be “up and running” in short order in the event of disasters, big and small.

What’s the downside?  With all the economic benefits to Cloud Computing, corporate counsel will be hard pressed to pull back on the executive reins.  There are, however, significant risks of which counsel should make the enterprise aware, prior to entering into a contractual arrangement with a Cloud Service Provider (“CSP”).  Some practical risks can include: Security; Ownership; Privacy; and Data Loss.

Security:  For many businesses, security of their information is critical to the viability of their enterprise.  The protection of intellectual property, trade secrets, personally identifiable information, and other sensitive information is of the utmost importance.  Prior to entrusting such information to a third-party, many businesses would perform significant due diligence to ensure that security controls are in place to prevent the disclosure of such information to unauthorized parties.  Cloud Computing increases the risk of such an unauthorized disclosure exponentially.  As such, prior to entrusting electronic data to a third-party where such data will be accessed across a public domain, you should ensure that the Cloud Computing vendor has appropriate safeguards in place to deflect attempts at the unauthorized access of the corporation’s data.  Not to be overlooked is physical security.  Prior to contracting with a CSP, the business should ensure that there are security protocols in place at the physical location of the CSP’s servers to prevent unauthorized access by unauthorized persons, both internal and external.  In addition, the CSP should confirm that it possesses the appropriate data center certifications. 

Ownership:  The prospective CSP’s contract should be scrutinized to ensure that your data remains your data.  Businesses should confirm that once the information is uploaded to the CSP, it cannot be reused or released by the CSP without your specific authorization.  A recent service agreement expressly provided that the “Data provided by the Customer is the property of the Customer” and that the “Customer retains all Intellectual Property rights therein.” Prudent counsel should seek to employ similar provisions.  In addition, CSP’s often store data in an environment alongside information from other customers.  Encryption, while effective, is not a global solution.  The corporation should investigate how the CSP segregates data storage.  A recent contract included a requirement that the servicer will “implement and maintain reasonable technical administrative and organizational measures to protect Data against unauthorized or unlawful use.”  In the event that other customers’ data must be surrendered pursuant to, for example, a subpoena, ensure that the CSP is able to do so without compromising the integrity or security of your corporations’ data.  The transfer of data to a CSP can also result in conflict of law issues.  Where possible, incorporate Massachusetts law and provide, as applicable, that Massachusetts attorney-client and work product privileges apply.  The storage location of the business’ data will be an important factor, as the transfer of data could result in the data becoming subject to the laws and regulations of a foreign jurisdiction.  It may also trigger various privacy, security and regulatory concerns.  Consider requiring, if possible, that the Data to be stored, will be stored in the U.S. and that data will be “irretrievably removed,” when migrated from one server to another.

Privacy:  In an optimal world, business should ensure that the CSP employees are subject to background checks and confidentiality agreements.  Confidentiality will appropriately survive termination of the Agreement.  The corporation should also obtain, if possible, a contractual commitment that the CSP will support specific forms of investigation, in the event of a security breach, along with evidence that such activities have been successfully supported in the past.  In addition, the CSP contract should contain specific language that obligates the vendor to keep the company’s data private and comply with privacy requirements as set forth in statutes such as Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and Payment Card Industry Data Security Standard (if appropriate).

Dealing with Data Loss:  Data loss is a major concern, irregardless of the form which the enterprise chooses to store its data.  The encryption methodologies utilized by the CSP should be designed and tested by experienced specialists.  A failure of the encryption methodology could result in the enterprises’ data becoming unusable.  In addition, the CSP’s continuity and disaster recovery plans should be well documented and tested.  The CSP contract should specify its role in terms of backing up and recovering data.  Timeframes for data recovery should also be specifically enumerated in the CSP contract.

In addition to the above, there are non-traditional risks of which counsel should be aware – specifically with respect to bankruptcy considerations.  Prior to entering into a contractual arrangement, if possible, the enterprise should investigate the financial health of the CSP.  In the event of a filing by the CSP for protection under the U.S. Bankruptcy Code, the company’s data may become inaccessible.  Hence, it is important to note that the data is your company’s data, and does not belong to the CSP as noted above.  Under 11 U.S.C. Section 541, largely all “property” of the debtor becomes property of the bankruptcy estate.  Once property of the Estate it can be managed by the Debtor-in-possession or the Trustee.  Management of the property includes the ability to sell it for the benefit of the estate and its creditors.  If the CSP contract was properly drafted, it should be clear that the enterprise’s data contained on the CSP’s servers is the sole property of the contracting business – not that of the CSP.  However, questions may arise with respect to the treatment of the data if the DIP or Trustee intend to sell the servers on which the data resides.  In a recent case, the U.S. District Court for the Eastern District of California held that third parties retained a reasonable expectation of privacy in their financial, personal and other related data stored at the Debtor’s premises.²  The U.S. District Court further held that intermingling of documents, alone, does not waive a third party's constitutional rights with respect to their property, i.e. the electronic data.³  In addition, as part of the 2005 changes to the Bankruptcy Code, new Sections 332 and an amendment to Section 363(b)(1) provide some protection of “personally identifiable information” by the Debtor-In-Possession or Trustee propose to sell that information to a third party.  Specifically, Section 363 requires the appointment of a Consumer Privacy Ombudsman to report on, inter alia, the Debtor’s privacy policy.  Note that the Ombudsman has no power to independently object to the sale, and the revised Code sections do not detail how the Court should evaluate the report in determining whether to approve a motion to sell.  However, in addition the CSP contractual provisions, the Ombudsman’s report should offer additional support to a business’ objection to the proposed sale of its data.

Under the Bankruptcy Code, the Trustee or a DIP may assume, reject, or assign an executory contract.  An executory contract is generally a “contract under which the obligation of both the bankrupt and the other party to the contract are so far unperformed that the failure of either to complete performance would constitute a material breach excusing performance of the other.”⁴  Generally bankruptcy voids provisions in executory contracts that prohibit or condition the debtor’s ability to assign its rights and obligations.  As such, the enterprise could find itself in a precarious position vis-à-vis the CSP contract, should the provider file for protection under the bankruptcy code.  Specifically, the CSP contract may be rejected⁵ and the enterprise would be forced to find another CSP to host its data and/or applications, depending upon the Cloud program.  Such could result in a logistical nightmare for the migration of data to the new CSP, particularly if the debtor CSP utilizes proprietary platforms.  As such, in an effort to mitigate the difficulty in data migration, prior to entering into the CSP contract, the business should ensure that the platforms utilized are industry-standard.

Conclusion

This area is evolving.  While not all-encompassing, this article has attempted to draw to light some of the benefits and risks associated with Cloud Computing.  As is the case in contracting with any third-party vendor which will be responsible for the business’ data, the CSP’s contractual obligations, risk profile, security infrastructure and oversight ability should be carefully scrutinized.  You should ensure that the CSP can comply with the security and legal requirements applicable to storage and/or hosting of the enterprises’ data.

Businesses should use caution when migrating their intellectual property, trade secrets and privileged information to a CSP.  As such, prior to engaging the services of a CSP, ensure that: i) your business maintains ownership and control rights of all data, IP and proprietary material being migrated to, created, or stored with the CSP; ii) perform as much due diligence as possible with respect to the financial strength of the CSP, as well as any vendors on which it relies in order to provide the services specified in the contract; and (iii) ensure that your data can be easily recovered or retrieved from the CSP in the event of a disaster, whether physical or financial.

Robert J. Kerwin, Esq.  is a former co-chair of the Massachusetts Bar Association Business Law Section Council and a shareholder in the Boston firm of Tarlow, Breed, Hart & Rodgers, P.C.  Rob is also general counsel to the International Association of Medical Equipment Remarketers and Servicers.  He has a wide ranging practicing involving business disputes in a variety of forums including the U.S. Bankruptcy Court.  Rob was retained last year as special counsel by the City of Boston and email deletion and recovery issues.

John D. Finnegan, Esq. is Of Counsel to the law firm of Tarlow, Breed, Hart & Rodgers, P.C. and a member of the firm’s Litigation Group.  John’s practice included business litigation and creditors' rights in bankruptcy.  John frequently practices before various trial courts including the United States District Court; the United States Bankruptcy Court; the Massachusetts Superior Court; the Land Court; and the Massachusetts District Court.  John was named a Massachusetts Rising Star in the years 2005 through 2010 by Boston Magazine, and is a former IT administrator. John earned his B.A. degree from the University of Massachusetts and his J.D. from Suffolk University Law School.