Partly Sunny With a Chance of Rain: Forecasting the Legal Issues in Cloud Computing

A brief forecast of the legal issues in cloud computing, as well as legal issues brewing on the horizon

  • Narrow Definition: “virtual” servers on the Internet. Broad Definition: Anything outside the VPN
  • Community cloud shared concerns = mission, security requirements, policy, and compliance considerations. Hybrid = cloud “bursting” for load balancing between clouds
  • Cloud Computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers.
  • Second bullet: Liability for breach – Legislation (EU DPD) makes a distinction between a DATA CONTROLLER (party that defines the purpose AND means for data processing) vs. DATA PROCESSOR (a passive performer). DATA CONTROLLER is liable toward DATA SUBJECTS. DATA CONTROLLER must choose between the right DATA PROCESSORS for the designated purpose, then negotiate appropriate contractual protection
  • How is the U.S. different from the EU in handling data privacy? The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin.
  • Risk Allocation: Some CSPs (i.e. Google) will provide a limited infringement indemnity; others will not or otherwise attempt to “pass-through” risk from the CSP’s own 3P providers. May disclaim “high-risk” activities, but don’t define “high-risk”. Google Apps: EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. GOOGLE MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICE. THE SERVICE IS NEITHER DESIGNED NOR INTENDED FOR HIGH RISK ACTIVITIES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY SWITCHED TELEPHONE NETWORKS. Bottom line: NOT your Grandma’s traditional outsourcing model!
  • Avoid “lock-in” – CSP agreements characterized by shorter, subscription-based terms. Control termination triggers; prevent abrupt/uncontrolled terminations. Remember: “click-through” model for many CSPs will not account for certain elements (i.e. source code escrow NOT part of the standard CSP agreement). Make interoperability an issue – ensure compatibility with own systems, customer systems, 3P systems and foreseeable future technologies. Bankruptcy: Data may be treated as non-intellectual asset and subject to different rules than for copyrighted matter under Section 365(n). What about personal information? Look to privacy policy, but may not be so clear depending upon the nature of the personal information
  • Legacy model – many licenses prohibited use in a time-sharing or service-bureau environment – cloud model problematic where such restrictions arise. IP creation issues - For example, U.S. law dictates that a copyright vests in an author of an original work when such work is fixed in a tangible medium of expression. Where such works are created and saved by a foreign-national independent contractor for a client using software that resides on a server outside the U.S., whether the work is created under U.S. law, the copyright laws of a foreign territory or where the contractor is a national depends on a multitude of factors that will affect the rights vested in the client. Remember: assignment of rights misses the point. Trade secrets – basically “CI-plus”, but must have policies/procedures in place that elevate the CI to trade secret status – how accomplished in the cloud?
  • 2nd Circuit opinion - focused on Cablevision's proposed Remote Storage-Digital Video Recorder (RS-DVR) schematic, in which copies of a work in whole or in part were recorded on buffers prior to their being transmitted to customers' receiving equipment. The District Court presumed that those copies constituted the "embodiment" of the recorded work. "The district court mistakenly limited its analysis primarily to the embodiment requirement," wrote Appeals Court Judge John M. Walker earlier today. "As a result of this error, once it determined that the buffer data was 'clearly . . . capable of being reproduced,' i.e., that the work was embodied in the buffer, the district court concluded that the work was therefore 'fixed' in the buffer, and that a copy had thus been made." But buffers are temporary storage media, Judge Walker went on, designed only to harbor portions of files for a "transitory duration" -- in other words, just long enough to get the file transmitted and removed from memory. He cited an earlier court decision in favor of a repair service that had rescued a customer's hard drive, and in so doing had copied that customer's software -- allegedly illegally. Since the rescue copy was only for a "transitory duration," that court ruled, the duplication wasn't really a "copy" for practical purposes. In the case of RS-DVR, the transitory period was found to be no greater than 1.2 seconds. "While our inquiry is necessarily fact-specific, and other factors not present here may alter the duration analysis significantly," Judge Walker wrote, "these facts strongly suggest that the works in this case are embodied in the buffer for only a 'transitory' period, thus failing the duration requirement." So if the buffer doesn't truly constitute a copy, then the transmission doesn't constitute a "performance" of that copy.
  • The Stored Communications Act ("SCA", 18 U.S.C. § 2701 et seq.) is widely thought to provide protection from disclosure for emails and other private data that are in such electronic storage. However, a less-known loophole in the SCA can permit stored information to be accessed without the author's permission and then divulged to competitors, to adversaries, to strangers, or to the general public, without liability under the SCA. The SCA provides that any person who intentionally accesses stored electronic communications without authorization or beyond the scope of his authorization is subject to civil and criminal penalties. 18 U.S.C. § 2701(a), (b). However, there are two important exceptions to this protection: Even if an author of a communication has not authorized a third party to access that communication, the SCA provides that this unauthorized third party is immune from liability if he/she was authorized to gain access by the provider of the electronic communications service -- such as the ISP or the business that operates the network. The SCA further provides that an unauthorized third party is also immune if he/she has been given permission to access the communication by a user of the service on which the communication is stored -- such as a member of a private website, such as a MySpace page. This means that even if the author has not consented for anyone except for the recipients to access his/her private emails, a lot of people could still be looking at them, copying them and doing who knows what else to them -- with SCA-immunity.
  • Example: CSP houses data across multiple servers in multiple countries. Subcontracts with 3P providers for facilities (i.e. disaster recovery) as well as peak-load surge demand for excess capacity. If breach – who is responsible?
  • Litigation: Plaintiff’s perspective: who do you serve the litigation hold on? Defendant’s perspective: will the hold be acted upon in time? Do my 3P vendor contracts cover this possibility?
  • Why “it depends”: Seems that a “reasonable standard of care” applies, but little guidance on what is reasonable

    1. 1. “Partly Sunny with a Chance of Rain”: Forecasting the Legal Issues in Cloud Computing, by Thomas A. Kulik, Partner, Scheef & Stone, L.L.P. Dallas Bar Association – Computer Law Section, September 27, 2010
    2. 2. About the Presenter
        Tom Kulik is a Partner in Scheef & Stone, L.L.P. and chairs the firm’s Intellectual Property Practice Group out of its headquarters in Dallas, Texas. With an understanding of how intellectual property assets influence business, he strategically counsels clients on matters involving the evaluation, acquisition, development and protection of intellectual property rights, with an emphasis on creatively leveraging such assets both domestically and internationally.
        Prior to matriculation in law school, he was an award-winning systems engineer for 3Com Corporation, where he was responsible for local and wide-area network architecture and design supporting both Fortune 500 and start-up companies in the computer services, financial and pharmaceutical industries.
        Leveraging this industry experience, his practice focuses on intellectual property transactions, particularly within the context of the computer software, emerging Internet technologies and e-commerce, and includes an extensive trademark preparation and prosecution practice and attendant intellectual property litigation.
    3. 3. What is the “Cloud”?...
    4. 4. …and What is “Cloud Computing”? “SaaS”, “PaaS”, “IaaS”
    5. 5. “Cloud Computing” – A Hazy Phrase for a Foggy (Evolving) Concept
        “As a metaphor for the Internet, "the cloud" is a familiar cliché, but when combined with "computing," the meaning gets bigger and fuzzier…[but essentially] encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extends IT's existing capabilities.”
        What Cloud Computing Really Means, Eric Knorr & Galen Gruman, InfoWorld, 2009
    6. 6. “Cloud Computing” Definition – The National Institute of Standards and Technology
        “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
        The NIST Definition of Cloud Computing, Peter Mell and Tim Grance, Version 15, October 7, 2009
    7. 7. “Cloud Computing” - Essential Characteristics
        On-demand self-service – unilateral and automatic provisioning of a user’s computing needs
    8. 8. Broad network access – services available through the network to cellphones, PDAs, laptops, iPads, etc.
    9. 9. Resource pooling – dynamic assignment of physical and virtual computing resources
    10. 10. Rapid elasticity – quick scale-out/scale-in – seamless and seemingly unlimited to the user
    11. 11. Measured Service – automatic control to optimize management of resources (storage, processing, bandwidth, accounts)
    12. 12. “Cloud Computing” – Service Models
        Software-as-a-Service (“SaaS”)
    13. 13. External software hosting in a cloud infrastructure
    14. 14. Platform-as-a-Service (“PaaS”)
    15. 15. Think “SaaS-plus” – computing platform and “solution stack” for building and running custom applications by the user
    16. 16. Infrastructure-as-a-Service (“IaaS”)
    17. 17. Data processing, storage, network and other fundamental computing resources in cloud infrastructure
    18. 18. Examples of Cloud Services from Cloud Service Providers (“CSPs”)
        Infrastructure-as-a-Service (“IaaS”)
    19. 19. Amazon Elastic Compute Cloud (EC2), Amazon S3, Rackspace
    20. 20. Software-as-a-Service (“SaaS”)
    21. 21. Google Apps, Zoho, Facebook Applications
    22. 22. Platform-as-a-Service (“PaaS”)
    23. 23. Salesforce AppExchange, Google AppExchange
    24. 24. “Cloud Computing” – Deployment Models
        Private Cloud
    25. 25. Used solely by/operated solely for the organization
    26. 26. Community Cloud
    27. 27. Used by/operated for multiple organizations tied to a “specific community” with “shared concerns”
    28. 28. Public Cloud
    29. 29. Owned by CSP providing cloud services to the public
    30. 30. Hybrid Cloud
    31. 31. Composition of 2 or more distinct clouds “bound together by standardized or proprietary technology that enables data and application portability”
    32. 32. “Cloud Computing” – Definition in a Nutshell
        A fully-scalable service for processing and storing data using third-party shared resources, software and information accessible over a network (i.e. the Internet), and provided to computers and other devices on-demand:
        Usually subscription-based
    33. 33. May be pay-per-use
    34. 34. Even free!
    35. 35. Why the Cloud Model? A “Perfect Storm”
        Economics - IT capital cost pressures pushing for better ROI
        More for Less - Technological Innovation is permitting:
        Better communications bandwidth availability
        Improved microprocessor/bus speeds
        Increased storage capabilities
        “Virtualization” – easier for CSPs to maximize infrastructure for the services provided and offload much IT management
    36. 36. The Legal Considerations in Cloud Computing: More Than A Drizzle…
        Security & Privacy
    37. 37. Contractual Considerations
    38. 38. Intellectual Property
    39. 39. E-Discovery & Litigation
    40. 40. Ethical Considerations for Lawyers
    41. 41. The Legal Considerations in Cloud Computing: Security & Privacy
        Data in the “Cloud” harder to protect
    42. 42. Is a “multi-tenant” architecture – data stored on a virtual server that shares same physical server with other virtual servers
    43. 43. Security dependent upon configuration of the virtual servers and API vulnerabilities
    44. 44. Geographic distribution concerns – the “cloud” knows no boundaries
    45. 45. Breach harder to detect & manage
    46. 46. CSP may use third-party providers for elements of the service
    47. 47. Audit trail across multiple platforms not necessarily integrated
    48. 48. Geographic distribution concerns remain
    49. 49. The Legal Considerations in Cloud Computing: Security & Privacy
        Compliance with privacy and security laws and regulations no longer a domestic matter
    50. 50. Trans-border flow of private information may trigger obligations
    51. 51. U.S. laws far LESS restrictive than other countries (particularly the European Union)
    52. 52. Liability for breach depends upon who controls the data versus mere data processors
    53. 53. Many data privacy laws pre-date cloud computing capability
    54. 54. The Legal Considerations in Cloud Computing: Security & Privacy
        Some Domestic Considerations:
    55. 55. Gramm-Leach-Bliley Act - Financial institutions must have policies/procedures in place to protect “non-public personal financial information” from improper disclosure
    56. 56. HIPAA/HITECH Act – “Covered entities” required to notify affected persons of breach of unencrypted “personal health information”
    57. 57. FTC Safeguards Rule – Financial institutions required to have written security plan regarding customer’s private information
    58. 58. FTC Red Flags Rule – Institutions holding credit accounts must have written identity theft program
    59. 59. Stored Communications Act - protection from disclosure for emails and other private data that are in such electronic storage
    60. 60. The Legal Considerations in Cloud Computing: Security & Privacy
        Some International Considerations
    61. 61. EU Data Protection Directive 95/46/EC – no transfer of data to countries OUTSIDE the EU unless they offer an “adequate level of protection” OR where exceptions apply...like the U.S. Safe Harbor List
    62. 62. U.S. Department of Commerce negotiated a safe harbor framework with the European Commission to “bridge” differences in privacy protection with EU member states
    63. 63. Certifying to the “safe harbor” will assure that EU organizations know that your company provides "adequate" privacy protection
    64. 64. The Legal Considerations in Cloud Computing: Security & Privacy
        MUST understand the CSP operational model to facilitate compliance with applicable privacy and security laws/regulations (especially internationally stored data)
    65. 65. REVIEW CSP privacy policy AND security procedures for continuity with existing company procedures & guidelines (i.e. audit/reporting requirements, security breach notifications)
    66. 66. IDENTIFY and SPECIFY data security controls at the software level (i.e. encryption, firewalls), as well as physical security
    67. 67. The Legal Considerations in Cloud Computing: Contractual Considerations
        Different contractual considerations from outsourcing model
    68. 68. Location of service/data NOT fixed, but distributed
    69. 69. CSP owns the technology, NOT the user/company
    70. 70. Contracts normally NOT negotiable
    71. 71. Risk allocation far more difficult to address
    72. 72. No traditional software “license” – is an access model
    73. 73. Little to no indemnity/infringement protection from CSP
    74. 74. Limitation of liability may not cover anticipated risk
    75. 75. The Legal Considerations in Cloud Computing: Contractual Considerations
        Jurisdiction
    76. 76. Governing law/Venue always favors the CSP
    77. 77. Limitations of Liability
    78. 78. Usually no liability for damages whatsoever (data deletion, corruption, failure to access, etc.)
    79. 79. Limited to No Warranty
    80. 80. “AS-IS” or “as available”
    81. 81. No warranty that service uninterrupted/error-free – limited to SLA, which may be inadequate
    82. 82. The Legal Considerations in Cloud Computing: Contractual Considerations
        Termination
    83. 83. CSPs usually reserve right to terminate unilaterally
    84. 84. Data portability in event of termination? Avoid “lock-in”
    85. 85. What if CSP goes bankrupt?
    86. 86. Service Level Agreement (“SLA”)
    87. 87. Usually rely upon service credits in event of specified period of downtime, BUT credits mean little when the service is down!
    88. 88. Auditing/compliance?
    89. 89. The Legal Considerations in Cloud Computing: Contractual Considerations
        Google Apps Examples:
        “Representations. …Google warrants that it will provide the Services in accordance with the applicable SLA.”
        “Disclaimers. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. GOOGLE MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICE. THE SERVICE IS NEITHER DESIGNED NOR INTENDED FOR HIGH RISK ACTIVITIES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY SWITCHED TELEPHONE NETWORKS.”
    90. 90. The Legal Considerations in Cloud Computing: Contractual Considerations
        Google Apps Examples:
        “Limitation on Indirect Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.”
        “Limitation on Amount of Liability. NEITHER PARTY MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE AMOUNT PAID BY CUSTOMER TO GOOGLE DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.”
        “Governing Law. This Agreement is governed by California law, excluding that state’s choice of law rules. FOR ANY DISPUTE RELATING TO THIS AGREEMENT, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA.”
    91. 91. The Legal Considerations in Cloud Computing: Contractual Considerations
        MUST take CSP operational model into consideration to address specific points of impact and allocate risk – KNOW the 3P providers
    92. 92. REVIEW service levels/credits with a wary eye – may NOT be enough to cover for impact of downtime on business
    93. 93. MUST address data export capabilities and ensure compatibility with business continuity and DR plan
    94. 94. NEGOTIATE…NEGOTIATE…NEGOTIATE!
    95. 95. Weather Brewing on the Horizon: Intellectual Property
        Intellectual property rights and the “cloud” more difficult to address:
        No traditional license model
        “Legacy” systems/software – connectivity to the “cloud” may not be consistent with existing licenses
        Possible fixation issues due to distributed architecture
        Evolving technology means the law is desperately trying to catch up
    96. 96. Trade secrets issues – inconsistent with cloud model?
    97. 97. Weather Brewing on the Horizon: Intellectual Property
        Copyright
    98. 98. Remote storage DVR system held not to be a violation of U.S. copyright law (See Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2nd Cir. 2008), cert. den’d, 129 S.Ct. 2890 (2009))
    99. 99. Opens door for Digital Entertainment Content Ecosystem (DECE) – a.k.a. “Ultraviolet” - purchase content once, then view in many formats and on many devices from cloud-based account
    100. 100. Weather Brewing on the Horizon: Intellectual Property
        Trade Secrets – protections may be more limited!
        Trade secret information stored in the cloud may be subject to loopholes that permit unauthorized third-party disclosure. See Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F.Supp.2d 817 (E.D. Mich. 2000) (holding that the Stored Communications Act only prohibits the disclosure of stored communications where the disclosing party provides an “electronic communication service”, and a person who does not provide such a service "can disclose or use with impunity the contents of an electronic communication unlawfully obtained from storage." (citation omitted)).
    101. 101. Weather Brewing on the Horizon: Intellectual Property
        MUST determine how IP “creators” in organization would be using CSP services and where stored
    102. 102. REVIEW any legacy system tie-in to cloud for license compliance
    103. 103. RETHINK placing trade secret information within the cloud – law is evolving here
    104. 104. Weather Brewing on the Horizon: e-Discovery & Litigation
        Discovery of electronically stored information (“ESI”) dramatically more difficult in the cloud
    105. 105. Data preservation/integrity hard to manage
    106. 106. Data may be housed in multiple countries
    107. 107. CSPs may use 3P providers
    108. 108. Jurisdictional issues
    109. 109. Enforceability – multiple countries vs. governing law
    110. 110. Country where data is resident in computer facility – governmental access?
    111. 111. Weather Brewing on the Horizon: e-Discovery & Litigation
        Preservation is KEY
    112. 112. Unlike outsourced solutions, users may not know what infrastructure they are using or the physical location of data
    113. 113. CSP may be able to retrieve the data, but NOT know where your data is for the purpose of a litigation hold
    114. 114. CSP may use third-party service providers for elements of services provided to the user, exacerbating the issue
    115. 115. Courts may NOT distinguish servers in the “cloud” from ones in direct possession
    116. 116. Weather Brewing on the Horizon: e-Discovery & Litigation
        Spoliation
    117. 117. Cloud infrastructure increases spoliation risk
    118. 118. Where CSPs use 3P providers – greater danger
    119. 119. Data Integrity
    120. 120. Data at rest – MUST be free from corruption
    121. 121. How to ensure NO CHANGE to data upon hold?
    122. 122. Standard CSP agreements do NOT account for possibility of ESI preservation by default
    123. 123. Weather Brewing on the Horizon: e-Discovery & Litigation
        MUST account for specific CSP model and viability of the CSP regarding ability to comply with e-discovery and litigation holds
    124. 124. DEMAND accountability for handling of ESI
    125. 125. General “cooperation” clause
    126. 126. Acknowledge compliance with litigation holds
    127. 127. STRONGLY CONSIDER a separate agreement
    128. 128. Weather Brewing on the Horizon: Ethical Considerations for Lawyers
        Law firm use of CSPs for their IT needs has begun
    129. 129. Considerations are more delicate for law firms due to client confidentiality obligations, privilege, etc.
    130. 130. Bottom line: it is available, but is it ethical?
    131. 131. Weather Brewing on the Horizon: Ethical Considerations for Lawyers
        Answer: IT DEPENDS
    132. 132. 2 states: Use of CSPs for storage of client files so long as a reasonable standard of care is exercised:
    133. 133. NJ: N.J. Sup. Ct. Advisory Comm. On Professional Ethics, Opinion 701 (2006)
    134. 134. NV: Nev. State Bar Standing Commission on Ethics and Prof. Responsibility, Formal Opinion 33 (2006)
    135. 135. More on the way
    136. 136. North Carolina Proposed 2010 Formal Ethics Opinion 7, “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property” (April 15, 2010)
    137. 137. Texas?
    138. 138. Weather Brewing on the Horizon: Ethical Considerations for Lawyers
        What is considered a “reasonable standard of care”?
    139. 139. MUST be knowledgeable about CSP handling of data
    140. 140. MUST contract with CSP to preserve confidentiality/security of data
    141. 141. Transposing the “reasonableness” standard from “brick & mortar” to the “cloud” not as easy as you may think:
    142. 142. Security – client confidentiality requires strong contractual protections
    143. 143. Backups – MUST think about IaaS infrastructure
    144. 144. Data access – SLA service credit should NOT be sole remedy
    145. 145. Portability – Transfer of data in event of termination crucial
    146. 146. Bankruptcy of CSP – how to account for possibility?
    147. 147. Weather Brewing on the Horizon: Ethical Considerations for Lawyers
        USE COMMON SENSE
    148. 148. Understand how the CSP will handle the data
    149. 149. Don’t be afraid to ask questions – arguably have a duty TO ask them!
    150. 150. Security should cover both software capabilities AND physical facilities
    151. 151. Bottom Line: LET’S BE CAREFUL OUT THERE!…
    152. 152. “Partly Sunny with a Chance of Rain”: Forecasting the Legal Issues in Cloud Computing
        Email: tom.kulik@solidcounsel.com
        LinkedIn: www.linkedin.com/in/tkulik
        Twitter: www.twitter.com/TomKulik (@TomKulik)
        Blog: www.legalintangibles.com
