Cloud computing legal considerations

Cloud computing services present many legal issues. Organizations need to tread carefully and perform due diligence.

This tip is a part of the mini learning guide series, Cloud computing legal issues: Developing cloud computing...

The characteristics of cloud computing -- on-demand self-service, elasticity, metered service and ubiquitous access -- make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink; just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.

Consistent with this model, which benefits from uniformity and standardization, many cloud services agreements are presented in the form of a click-wrap agreement, where no negotiation is possible, and the customer clicks on an “I agree” button to express consent to the terms. The apparent ease of entry into these contracts makes the process seem as easy and inconsequential as purchasing a song from iTunes.

However, the fact that in most cases the purchaser of cloud services is pushed to interact with vendors through websites and generic form agreements does not adequately reflect the unique complexity and importance of cloud-service contracts. Cloud computing relationships are extremely complex and fragile. They involve relinquishing control over, and custody of, a company’s vital data, documents and applications to one or more service providers whom company executives may never have met, and which may be hidden or difficult to identify in the fog created by the so-called cloud. Cloud contracts raise numerous complex technical, business and other issues that could create significant exposure to financial disasters, embarrassment and other problems if not attended to with sufficient precautions.

Cloud computing legal issues, in particular, abound. These issues include: ensuring access, availability and performance; customization and integration with existing technologies; cost and pricing; compliance with regulatory requirements; the ability to terminate and move to another service provider or take data in-house; and much more. The security measures used to protect the data entrusted to the vendor are crucial. It is also important to define how liability for the loss of data will be allocated, and to address the extent to which the customer will be able to access or retrieve the data in case of termination.

Do not be fooled by appearances; be careful when stepping into the cloud. In part one of this two-part tip, we’ll review cloud computing legal considerations and the due diligence required before choosing a cloud service provider. Part two covers critical steps for developing, maintaining and terminating a cloud service provider contract.

Think before you click

First, do not rush into a cloud service agreement. Cloud providers have made it very easy to purchase their services on the Internet. It is almost as easy to purchase a subscription to Amazon’s EC2 services as it is to purchase a book from Amazon. Wait! Do not click on the “I agree” button until you understand what you are getting and, more importantly, what you are not getting. Just because the service appears so easily available from the vendor’s website does not mean it is the right service for you, or that the terms of the offering are fair and balanced.

Ensure there are no cloud computing legal obstacles

Are you sure that using the cloud for the type of data and the types of services that you envision is legal? Companies are the custodians of the personal and other data entrusted to them. This data is frequently protected by laws, regulations or contracts that prohibit, restrict or limit the disclosure or transfer of this data to a third party. For example, health information protected under HIPAA cannot be transferred to a third party or “business associate” without imposing specific obligations on that business associate. Some U.S. state laws require that Social Security numbers, driver’s license numbers, financial information, and other similar information be encrypted before being transferred to a third party. Other laws require entering into a written agreement with the service provider, with specific terms.

If your data originates in one of the 40-plus countries that have adopted comprehensive data protection laws, it is likely that the data may not be taken out of its country of origin and transferred, because the recipient country is probably not going to provide adequate protection for the privacy rights of the individuals to whom the data pertains, unless specific contracts are signed or other specified arrangements are made.

Perhaps your company has signed a confidentiality agreement or a data-transfer agreement with a third party from which it received sensitive data, such as personal information or trade secrets. In this case, this agreement probably prohibits you from transferring the data to a third party without the prior permission of the data owner. Thus, moving this data to a cloud without the prior permission of the data owner would breach this agreement.

Remember: Before exploring the cloud services offering, determine whether your business model and the contracts that bind your company allow for the use of these services, and under which conditions.

Due diligence questions

Once you are confident that a particular application or database may be moved to the cloud without breaching any laws or existing contracts, you must investigate the vendor. Just because a service is attractive or works well for the company next door does not mean that it is right for you.

Organizations should conduct thorough due diligence on a proposed cloud service provider in order to determine whether the services offered correspond to their needs. Myriad questions need to be asked and their answers carefully analyzed; for example:

• What services will be provided?
• Will the service allow the company to fulfill its computing and access needs?
• What are the vendor’s technical capabilities?
• What are its financial capabilities? What is the likelihood that it will remain in business for the next few years?
• What service levels will be offered? Is there any possibility of downtime?
• How secure are its operations? What security measures are used?
• Is the cloud vendor equipped to handle business interruption and disaster?
• What support will be provided?
• What will happen if there is a security incident?

Different methods may be used to conduct due diligence. For example, you could speak with existing clients, send questionnaires and review the answers, review audit reports, and survey comments from current customers on listservs and other forums on the Internet.

Remember that this due diligence is necessary to understand and evaluate the entity to which you will entrust important company information. It is a well-known “best practice” and is required by several laws. Skipping this important step would expose the company and its management to potential claims of negligence and breach of the duty of care.

About the author:
Francoise Gilbert is the managing director of the IT Law Group, and serves as the general counsel of the Cloud Security Alliance. She focuses on information privacy and security and data governance. She has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of Information Privacy and Security. US News has ranked the IT Law Group as one of the top law firms in the Information Technology Law area. Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyses the data protection laws of 60-plus countries on all continents. She serves on the board of directors of the International Technology Law Association, and on the Technical Board of Advisors of the ALI-ABA.
