May 25, 2012

The Top Six Blunders in Dealing with the Cloud

As with most modern electronic advancements, cloud computing has swiftly become a force that companies cannot ignore. Its adoption and evolution will continue to grow exponentially, as businesses embrace its potential to streamline corporate data and tame IT budgets. Many companies already rely on cloud computing for at least some part of their operations. However—despite its myriad benefits—without a clear understanding of its potential risks and a decisive plan to protect a company’s assets, information and intellectual property, cloud computing can pose significant legal risks. Following are six common mistakes companies should avoid when adopting this new technology.

1. Not Knowing Cloud Concepts

The term “cloud” is a metaphor for the Internet. The cloud creates a virtual infrastructure that can replace—in whole or in part—a company’s traditional servers, network devices and hardware. The official definition from the National Institute of Standards and Technology is: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources ... that can be rapidly provisioned and released with minimal management effort or service provider interaction.” In other words, the cloud is like a super-computer powered over the Internet.

Cloud computing allows users to take advantage of dynamic scalability, shared instances of software applications, and online data and services to accomplish computing tasks and store data. Further, data security, data backup, and procuring and maintaining hardware and software are taken off the user’s hands and done in the cloud via third-party service providers. When using vendors, data security and privacy are legitimate concerns. However, security in the cloud may actually be better guarded, as cloud providers are usually able to devote more resources to security issues than the typical user.

2. Not Knowing How Your Company Uses the Cloud

There are many ways a company can take advantage of cloud computing. Cloud providers offer hardware, networks, storage, services and interfaces to their users. For example, one company may use email servers and applications in the cloud for its internal and external email services, while another company chooses to use data storage and application software offered by the cloud provider. Cloud computing will facilitate more efficient outsourced data handling, but businesses turning over data to third-party vendors also lose a degree of control over their sensitive information. It is important to know as much as possible about what cloud data you and your company control, and to understand how to access, manage and ultimately dispose of that data.

3. Not Knowing What Is in Your Contract with Your Cloud Provider

Your contract with your cloud provider defines many important aspects of the relationship. Well-executed cloud computing agreements, licensing structures and contract terms will provide comprehensive protection for your business, your assets and your customers.

Key provisions should include:

  • Procedures dictating how and when the cloud provider responds to a security breach, in terms of notification, investigation and remedy.
  • Provisions setting forth how and when the cloud provider responds to legal process such as complaints, subpoenas or other requests for your company’s data.
  • Policies for data retention and destruction, including how soon your company’s data will be wiped off the servers when the contract terminates.
  • Indemnification provisions that protect and hold your company harmless if the confidentiality, security or other key provisions are breached by the cloud provider, its subcontractors or others.

4. Not Consulting Your Cloud Provider as Soon as You Get a Subpoena or Are Sued

Companies are required to preserve and produce electronically stored information (ESI) as part of their response to litigation, regulatory inquiries and subpoenas. You should devise a clear process for notifying your cloud provider in the event they must assist with the implementation of a litigation hold—the act of holding from changes or destruction all information that is the subject of pending or potential litigation or investigation.

The Federal Rules of Civil Procedure, the guidelines that govern civil legal actions, include important guidelines—as well as some protections—for companies using the cloud. For example, Rule 34(1) can require any party in custody or control of electronic information to produce the data if requested as part of a legal action. Courts do not currently make any material distinction between data residing behind an enterprise firewall and data residing in the cloud on a server that is physically on another continent. Therefore, if a company has the legal right to “control” the information, it cannot shirk its responsibility under Rule 34.

5. Not Knowing the Availability of a Safe Harbor

Rule 37(e) of the FRCP states “absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.” In other words, a company is protected if it enacted measures to protect its data yet is still unable to produce it due to circumstances beyond its control. This protection applies to ESI stored in the cloud in the same way as it has been applied to on-premises systems. However, it is imperative that companies develop and implement a strict records management and retention policy and train all employees on the relevant procedures. Without a policy in place, it would be difficult to find calm seas in the safe harbor.

6. Not Knowing About a Clawback Agreement

In litigation involving global companies and a large volume of ESI, the parties may enter into a clawback agreement to speed up the production of documents. The clawback agreement, now part of the FRCP, is a contractual agreement between both litigating parties designed to offer corporations a safeguard against the inadvertent disclosure of privileged information. This means that if a document is unknowingly or unintentionally provided to the opposing party, it does not automatically constitute a waiver of privilege. Further, the producing party may request the return of the document (claw it back) and the other party must comply by returning, sequestering or destroying the protected document. The requesting party is then barred from using the privileged document to further his company’s case.

© 2012 Andrews Kurth LLP

About the Author

Partner

Wei Wei Jeang focuses on the procurement, licensing and enforcement of intellectual property, including patents, copyright, trademarks and trade secrets of high tech clients. She also works closely with clients on patent reexaminations and legal opinions related to patent infringement, validity, freedom-to-operate, clearance and other issues. She works with clients ranging from Fortune 100 companies to solo inventors to secure and protect their patent rights.

Although her technical degree is in computer engineering, she has worked with clients involved in many industries, including...

214.659.4688
