Cloud computing is one of the most recent in the long line of technological developments promised to bring convenience and efficiency to our busy professional and personal lives. According to the National Institute of Standards and Technology (NIST), the term “cloud” is defined by its ability to provide “on-demand self-service, ubiquitous network access, resource pooling, elasticity and metered service to its users.” As with all new technology, various legal issues arise as to the adoption of this new service structure; however, many of these issues can be resolved or answered simply through a thorough reading of the terms and conditions of the cloud service provider (CSP) agreement prior to signing or clicking on the “I accept” button.
Okay, so what is the cloud? In addition to the aforementioned ability-based definition, the cloud is perhaps best described as a virtual communication platform that, in essence, provides application services, voice, video and data resources—visualize a company’s IT department on a massive scale at a designated location. There are three basic service models each containing a cloud infrastructure: software as a service (SaaS), the platform as a service (PaaS) and the infrastructure as a service (IaaS).
In general, each platform permits access to the cloud, but limits the user’s ability to manage or control the underlying cloud infrastructure or individual application capabilities, with exceptions. How cloud computing capabilities are delivered and used is divided into four different models: public, private, hybrid and community. The selection of the delivery model determines the type of CSP agreement offered to the consumer.
Similar to application service provider agreements or hosting provider agreements, CSP agreements are often contained on a clickwrap agreement and, as one would assume, are commonly written in a manner that is favorable to the cloud service (CS) provider. Moreover, as law professors W. Kuan Hon, Christopher Millard and Ian Walden argue in “Negotiating Cloud Contracts—Looking at Clouds from Both Sides Now,” published in the Stanford Technology Law Review, CSP agreements are “potentially non-compliant, invalid, or unenforceable in some countries.”
Hence, to the dismay of many, consumers and businesses should read the agreement and determine whether obtaining the service of the cloud outweighs the risks associated with the use of the cloud—security, liability, privacy, etc. Of course, negotiations can occur to limit or reduce such concerns, but such negotiations may be fruitless if a CS provider is not flexible and/or is restricted on change of terms by law or company policy. However, if a business would like to move forward, certain provisions should be brought to the attention of the potential user.
One provision that should be looked at is what law governs the CSP agreement. If your business is located in Iowa and data is stored in New Mexico and the CSP agreement provides that the laws of California apply to the agreement, a business might have an issue, being unsure of the laws of California. Moreover, a CSP agreement will basically control how, what and where confidential information is stored. Hence, exclusions or limitations of liability for such events such as natural disasters, power outages, cyber-attacks or other unforeseen events are significant. While negotiations can possibly reduce such limitations, users can further safeguard themselves by inquiring whether the CS provider has cloud and managed service insurance, or alternatively, opt to obtain insurance for losses due to said events.
A common topic in the news is the security of information stored in the cloud. To illustrate the potential security and privacy issues of the use of the cloud, just imagine taking all your personal data or your company’s confidential information and placing it in a secured safe and leaving it with a third party for a significant period of time. A natural question would be, “How safe is my data?” Under what circumstances can the CS provider release or share the information to a third party or under what circumstances can the CS provider look at the information or perhaps, sell or mine this data? These matters are often addressed within the CSP agreement and can possibly be further modified by providing that in event of release or review of data to any unauthorized third party or the CS provider, the CS provider must provide written notice prior to the release of any data. Notably, there is a substantial argument that electronically stored data is protected under the Fourth Amendment. (For a compelling argument on cloud protection under the Fourth Amendment, see Laurie Serafino’s “Arguing for Protection of Data Stored in the Cloud,” in the September/October issue of The Pennsylvania Lawyer magazine.)
Along the same lines, the termination of the CSP agreement is also an issue. For example, what happens when the CSP agreement expires? How is the data transferred or deleted from the cloud? How long will it take to perform the termination? These matters are often set forth in the CSP agreement and should be examined by the user prior to signing it.
The evolution of the cloud appears to be a natural progression in our fast-paced society. Businesses and individuals desire technology that will facilitate and accommodate their needs in an efficient and cost-effective manner. Although we cannot rewind these technological advances, we can review and become aware of their implications by reviewing the agreements that govern them, thereby understanding the true value of the service.
Allison E. Butler teaches contracts, the Uniform Commercial Code and international law at California Southern University School of Law. She also has taught and lectured at other academic institutions.