Legal Watch

Sept. 7, 2011
The wild blue yonder - thoughts on cloud computing

I've spent increasingly more time in my practice this year dealing with the cloud for my most sophisticated clients. The cloud, as you no doubt are aware, is the Internet-based system of computing resources. Experts pretty much agree we're all moving to the cloud, including the electronic security industry. Truth is, we've all been in the cloud for some time. Google, Gmail, or any of those photo storage sites, among others, are all prime examples. Cloud computing is like having a massive mainframe computer at your fingertips. And for the electronic security industry, the cloud delivers significantly increased computing power and storage volumes at a substantially decreased cost. For example, video storage on the Web can be achieved today at significant savings to the subscriber, sending the DVR the way of the eight-track tape.

Moving to the cloud, however, raises a significant number of legal issues that must be addressed. If you're moving to the cloud, consider the following.

In the clouds, storms are inevitable

I'm a lawyer, not an IT expert, but even I know preventing technology failure is impossible. All technology can and sometimes does fail. Cutting-edge technology, by its very nature, has a greater risk for failure, simply because innovation means getting the latest technology into the hands of users as quickly as possible, sometimes before it's been thoroughly time-tested and proven; before all the potential problems have been identified and corrected; and before predictable user error can be identified completely.

Not only is the technology new and unproven, and more likely to have problems, but more sophisticated technology means a steeper learning curve for those who use it, both consumers and IT professionals. The much-publicized Amazon cloud outage in April 2011 that knocked out a number of large, well-known social networking sites and impacted many of Amazon's other customers was caused by a "configuration error" made during a "network upgrade" in one of the company's regions, during which a "traffic shift was executed incorrectly." In other words, someone goofed. Basic human error caused a perfect storm of events that took Amazon nearly two days to correct. You need to protect your company from the fallout from such errors.

Of course, the advantages and rewards in terms of cost, efficiency and efficacy of being an early adopter of new technology are significant to both you and your subscribers. And the more you can minimize the risks, the more you both can take greater advantage of the rewards.

Have an umbrella and don't get "soaked"

Knowing that failures in technology can and will happen, protect yourself from getting soaked.

One important key to protecting yourself is contracts, both with subscribers and with the vendors to which you may have outsourced one or more aspects of your cloud computing, whether it's data storage, platforms or software as a service. When you move to the cloud, and ideally before you implement any new technology, take these important steps.

First, update subscriber agreements in order to address the relevant issues. The standard industry subscriber agreement, commercial or residential, most likely won't address many of the more complex, cloud-related issues. Most agreements that do cover cloud computing address the misperception that because the cloud is Internet-based, the Internet and technology will function correctly 24 hours a day, seven days a week. Make sure your contracts don't promise to deliver a level of continuous service based on technology that isn't always there. Or, put another way, make sure that your contracts contain provisions that reduce your legal liabilities for the occurrences you can't control, including an effective force majeure clause. Make sure your indemnity provision also addresses the cloud-related services you provide to your subscribers.

Second, does your contract need to include some form of software license? The answer is probably, depending on how you're providing your services. For example, are you granting your subscriber the right to access any Web site or use any software or shareware as part of the overall service offering? If so, then the answer is yes. And in that case, make sure you limit your obligation so that you can terminate the license for subscriber default.

Use steps to shift the risk of loss from your company

Third, make sure your subscribers carry their umbrellas, too. Your contracts should require subscribers to insure against cyber-based losses and look exclusively to the proceeds of insurance in the event of a loss. Couple this with an effective waiver of subrogation and you've gone a long way to shift the risk of loss from your company and your insurer to the subscriber and the subscriber's insurer.

And while we're on the subject of insurance, make sure your insurance umbrella doesn't have any holes in it. Contact your risk management professionals, too. Most commercial general liability, and errors and omissions insurance policies exclude coverage for cyber risks or cyber liability, including events that take place in the cloud. If your existing insurance program doesn't provide adequate coverage, amend it, or you could face substantial liability without the benefit of insurance, which means you'll be paying lawyers and settlements out of your own pocket.

Check the weather forecast in the cloud

Like real-life weather forecasting, predicting everything that could go wrong in the cloud is impossible. But the more good information you have, the better able you'll be to weather any storms.

Most electronic security providers contract with Web-based providers to provide cloud services. Gather as much information as possible, not only what technology and services a provider can offer, but how it offers them. Here are just a few of the many issues to consider, all of which might impact not only the service you provide to your subscriber, but your legal liabilities as well. Can you control the location of your subscribers' data? (Is the data stored in Milwaukee or Mumbai?) If you can't control where your subscribers' data is to be stored, will the storage of data offshore implicate any of the existing or proposed state or federal privacy or data security laws?

Consider whether you need to tell your subscribers their data may be stored in some far-flung jurisdiction where the laws afford far fewer protections. Some subscribers may not be permitted to store their data in foreign jurisdictions, especially those regulated by federal law or who are engaged in highly regulated industries. Chemical facilities, pharmaceutical manufacturers and defense contractors are among those subscribers whose industries have added, real-life implications for security providers. Federal law prohibits the export of certain forms of controlled data. Do these laws apply to your subscribers and the data being stored on their behalf? You'd be surprised to learn how easy it can be to run afoul of these laws and regulations.

Determining where data should be stored includes more than just "what country," too. Do you need to contract with a Tier IV data facility or will some other type of facility suffice? If you need Tier IV, make sure the service provider agrees in your agreement to provide Tier IV storage. Otherwise, your data could end up being stored above a barber shop in Altoona, Pa.

Who will have access to subscriber data? What type of data encryption should be applied to your subscriber's data and how will data be segregated? Your vendor should be willing to undergo periodic security audits. How does the provider propose to investigate potential illegal or inappropriate behavior? Does the provider intend to comply with the new standards that are replacing SAS 70? And what impact will these issues have on your ability to market the services to your subscribers? How long will data be stored and how will the data facility make the data available to your subscriber (not you) if the subscriber wishes to move to another service provider? Ownership of the data is an issue although, in my experience, most parties agree the data is owned by the subscriber.

Will the service provider help?

While most of these issues can be addressed in a reseller agreement or service-level agreement, many vendors seek to limit their responsibility for the risk of loss from the services they provide much the same way as the typical security provider (smartly) does. Find out upfront if the provider is motivated to get your business and will protect you in the event its acts, errors or omissions result in claims asserted against you by subscribers or other third parties.

No matter what, make sure you've covered yourself in your subscriber agreements so no gap exists between what you're getting from the service provider and what you're providing your subscribers. Be mindful of the clouds: Even the smallest holes in the roof can let in rain during a bad storm.

Eric Pritchard, SD&I's legal columnist, is a partner in Kleinbard Bell & Brecker LLP, Philadelphia, a commercial law firm with a national practice in the electronic security and life safety industries.