A multinational company is negotiating an agreement with a cloud computing provider to maintain and hold all of the company’s electronically stored information and data. The general counsel of the multinational company is concerned about data privacy and data protection both in the United States and worldwide.
What is Cloud Computing?
Cloud computing is the use of computing resources, including both hardware and software, that are made available over the Internet by a subscription-based service provider. Because cloud computing is Internet-based, it offers several advantages over more traditional access to a company’s data and software. Cloud-based software and files can be accessed “on demand” from virtually any computer with an Internet connection. For example, when email is stored “in the cloud,” the contents of a user’s email folders may actually be stored in one or more easily accessed Internet-connected servers located around the world. Moreover, because a company that receives cloud computing services does not rely on its own servers, the amount of data that can be stored is unlimited. Finally, because cloud computing services typically are managed by a third-party provider, they have the potential to reduce a company’s IT costs by eliminating the need to acquire and maintain expensive hardware and software. For all of the above reasons, many businesses are seeking to take advantage of this still-evolving technology.
Potential Risks: Data Privacy, Data Storage, and E-Discovery
Data privacy is an issue of concern for companies, their IT professionals and legal departments, whether files stay on-site or are stored electronically with a cloud computing provider. For companies considering cloud computing options, it is particularly important to carefully evaluate the provider’s policies and procedures to ensure that they provide sufficient safeguards to protect confidential data. The company’s lawyers and IT professionals should develop an understanding of the technology so that they can make informed decisions about whether cloud computing provides the level of protection they require.
One specific risk is that electronically stored information (ESI) may be co-mingled with the ESI of another company or of a separate but related corporate entity. Such situations can make it difficult to determine what entity has “possession, custody, or control” of the data and is under an obligation to preserve or produce the data. Moreover, if a cloud computing provider stores data in multiple servers around the world, ESI may be split up among jurisdictions with different data protection and transfer laws, making it difficult to keep track of how to access and retrieve data, and how to keep data private and secure.
ESI stored with a cloud computing provider can also present challenges to the discovery process in litigation. For example, the U.S. Federal Rules of Civil Procedure allow a party to request discovery of ESI in the responding party’s “possession, custody, or control.” If a company has contracted with a cloud computing provider to maintain and hold its ESI, the company does not have direct control over, or possession of, the ESI. For purposes of discovery, however, the company still has a duty to preserve and produce that data, as long as it has the practical ability to do so.
Tips for Managing Risks
The use of cloud computing should not fundamentally change the way a company handles ESI. No matter where the ESI resides, a company is responsible for being aware of the information that it creates and for governing that information in accordance with applicable business and legal requirements. It is important that the company be familiar with and closely monitor how its information is stored, retrieved, retained and disposed of by its cloud provider. A company should also develop effective procedures for auditing such activities by its cloud provider. At a minimum, the company should make sure it is capturing sufficient data when information is created (including what the information is, who created it, and for what purpose) to properly govern it.
Before signing a service contract with a cloud computing provider, a company should be sure that the contract contains provisions protecting the company’s interests and its need to comply with data privacy requirements. Consider the following items when negotiating a service contract:
The best way to manage the data privacy and security risks associated with cloud computing is to gain a comprehensive understanding of how the company plans to use cloud computing and to establish procedures and contract terms with the cloud computing provider that meet the company’s data security and privacy needs.
For inquiries related to this Tip of the Month, please contact Michael E. Lackey at , Kim A. Leffert at or Patrick M. Tierney at .
You have no pages selected. Please select pages to email then resubmit.