Legal Watch

The wild blue yonder - thoughts on cloud computing

Second, does your contract need to include some form of software license? The answer is probably, depending on how you're providing your services. For example, are you granting your subscriber the right to access any Web site or use any software or shareware as part of the overall service offering? If so, then the answer is yes. And in that case, make sure you limit your obligation so that you can terminate the license for subscriber default.

Use steps to shift the risk of loss from your company

Third, make sure your subscribers carry their umbrellas, too. Your contracts should require subscribers to insure against cyber-based losses and look exclusively to the proceeds of insurance in the event of a loss. Couple this with an effective waiver of subrogation and you've gone a long way to shift the risk of loss from your company and your insurer to the subscriber and the subscriber's insurer.

And while we're on the subject of insurance, make sure your insurance umbrella doesn't have any holes in it. Contact your risk management professionals, too. Most commercial general liability, and errors and omissions insurance policies exclude coverage for cyber risks or cyber liability, including events that take place in the cloud. If your existing insurance program doesn't provide adequate coverage, amend it, or you could face substantial liability without the benefit of insurance, which means you'll be paying lawyers and settlements out of your own pocket.

Check the weather forecast in the cloud

Like real-life weather forecasting, predicting everything that could go wrong in the cloud is impossible. But the more good information you have, the better able you'll be to weather any storms.

Most electronic security providers contract with Web-based providers to provide cloud services. Gather as much information as possible, not only what technology and services a provider can offer, but how it offers them. Here are just a few of the many issues to consider, all of which might impact not only the service you provide to your subscriber, but your legal liabilities as well. Can you control the location of your subscribers' data? (Is the data stored in Milwaukee or Mumbai?) If you can't control where your subscribers' data is to be stored, will the storage of data offshore implicate any of the existing-or proposed-state or federal privacy or data security laws?

Consider whether you need to tell your subscribers their data may be stored in some far-flung jurisdiction where the laws afford far fewer protections. Some subscribers may not be permitted to store their data in foreign jurisdictions, especially those regulated by federal law or who are engaged in highly regulated industries. Chemical facilities, pharmaceutical manufacturers and defense contractors are among those subscribers whose industries have added, real-life implications for security providers. Federal law prohibits the export of certain forms of controlled data. Do these laws apply to your subscribers and the data being stored on their behalf? You'd be surprised to learn how easy it can be to run afoul of these laws and regulations.

Determining where data should be stored includes more than just "what country" too. Do you need to contract with a Tier IV data facility or will some other type facility suffice? If you need Tier IV, make sure the service provider agrees in your agreement to provide Tier IV storage. Otherwise, your data could end up being stored above a barber shop in Altoona, Pa.

Who will have access to subscriber data? What type of data encryption should be applied to your subscriber's data and how will data be segregated? Your vendor should be willing to undergo periodic security audits. How does the provider propose to investigate potential illegal or inappropriate behavior? Does the provider intend to comply with the new standards that are replacing SAS 70? And what impact will these issues have on your ability to market the services to your subscribers? How long will data be stored and how will the data facility make the data available to your subscriber (not you) if the subscriber wishes to move to another service provider? Ownership of the data is an issue although, in my experience, most parties agree the data is owned by subscriber.

Will the service provider help?