|August 29, 2012|
Previously published on August 31, 2012
“The Cloud” is everywhere these days - Microsoft has a clever ad campaign directing consumers “to the Cloud”; Apple is launching “iCloud” to store all of your music, pictures and apps; and Google Docs has partnered with Box.net to simplify sharing documents by using “the Cloud”. So what exactly is “the Cloud”, and should you move your company’s data there?
“The Cloud” generally refers to cloud computing and is something most of us are doing everyday, perhaps without even knowing it. When you send an email from your personal Yahoo! account, share your photos using Flickr, or pay your bills via online banking, you are using “the Cloud”. In more technical terms, there generally are three service models for cloud computing: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). IaaS and PaaS are similar in what they offer, namely, the “outsourcing of equipment or hardware to support IT operations,” but differ in terms of who is responsible for the configuration and maintenance of the operating system. With IaaS, it is the cloud user who handles those functions; with PaaS, it is the cloud provider who manages them. The third model, SaaS, is the one most of us are familiar with. A third-party provider hosts applications or programs and makes them available over a network, usually the Internet. While the efficiency and cost-savings associated with cloud computing in one form or another are self-evident, there are some legal issues you should consider before making the move.
Data security is a hot-button issue in this age of WikiLeaks and must be considered before moving sensitive business files to the Cloud. It is important that any cloud user understand not only how your provider protects your files, including who has access to those files at any given time, but also how your provider will notify you if there is a data breach, as well as what steps it will take, and when, to rectify that breach.
Another critical question is how do you ensure that data stored in the Cloud complies with your information governance policy? More specifically, when your company’s record retention policy dictates that a certain document or type of document should be destroyed, how can you verify that every copy of that document (including those stored on your cloud provider’s back-up systems, wherever they may be located) has been destroyed as well?
Yet another issue to explore before you engage your cloud provider is understanding how you will get your data out of the Cloud once you move it there. In the event of litigation, you will have an obligation not only to preserve potentially relevant evidence, but also to identify responsive information and ultimately produce it to your opponent. The fact that you have stored your emails and other electronic files with a third-party does not change your discovery obligations, so it is prudent to understand the process, cost and timing related to retrieving information well in advance of the tight deadlines imposed by litigation.
While there are potential risks in moving data to the Cloud, when you identify and address these risks at the outset, you can mitigate their impact and fully enjoy the benefits of efficiency, scalability and cost-savings that cloud providers are able to deliver.
 Bennett B. Borden and Shannon Smith, “Understanding and Mitigating the Legal Risks of Cloud Computing”, Vol. 26, No. 2, The Corporate Counselor (June 2011).