Managing the Legal Concerns of Cloud Computing


Published on

Presented at the 2013 Pennsylvania Bar Institute as an edition in an annual series on legal concerns around cloud computing ,. This one covers how technology overlaps and where the risk needs to be managed in between systems.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Managing the Legal Concerns of Cloud Computing

  1. 1. Amy Larrimore, The Empire Builders GroupKathryn Legge, Esq., Griesing Law, LLC
  2. 2. Kathryn Legge, Esq.Kate Legge waspart of the foundingteam of GriesingLaw, LLC. Prior toworking at GriesingLaw, Kate workedat two AmLaw 100law firms. Shesuccessfullyrepresents bothAmy Larrimorepublic and closely held companies, locallyand nationwide, in complex commerciallitigation, business counseling, intellectualproperty and new media matters, includingtrade secret, copyright, unfair competitionand trademark-related disputes. Kate hasrepresented multiple clients in high stakeslitigation on a range of legal issues andhelps both large and small companiesprotect their valuable intellectual property.Amy is themanaging partnerat The EmpireBuilders Group,which focuses onempoweringbusiness to excelin the strategicgrowth andoperational areasShe specializes in putting thesystems, technologies, and businessprocesses in place to help companiessucceed. These areas includeinformation systemsmanagement, technology managementrelated to compliance and dataanalysis, development and support ofstrategic marketing and sales objectivesusing technology (including CRMselection and deployment).
  3. 3. The Franklin Investment Group (FIG) ownsand operates a group of companies thatputs on conferences and trade shows.The study highlights the complexities addedto the management of cloud computing ina complex technology architecture.Case Study
  4. 4. You are negotiating the wrong things at contractclose – SaaS doesn’t negotiate•Location•Protections•NotificationsThe cloud represents less RISK even withoutpreferred terms.Choose Your Battles
  5. 5. SaaS forces the user to agreeto terms as a point of userexperience, not as a constructof contract negotiation.How could this possibly be anagreement in good faith?The Myth of Opt In
  6. 6. The risk managementchallenge is centered inthe fact that manydifferent terms of servicecomprise one workabletechnology “system”If it was only one…
  7. 7. Where exactly is our website?• There are no international rules governingcloud related concerns.• The EU Data Protection Directive provides thattransfer of personal data may be made only tomember states and to jurisdictions withadequate data security standards.• The US is NOT currently deemed to haveadequate data security standards.
  8. 8. Jurisdiction• Courts are wiling to recognizepersonal jurisdiction based onlocation of cloud computingservices.Forward Foods LLC v Next Proteins, Inc., 2008 BL238516 (N.Y. Sup. 2008)• In some jurisdictions whenweighing convenience of aforum, physical recordkeepingtakes precedence.Gelmato S.A. v. HTC Corp., 2011 U.S. Dist. LEXIS133612 (E.D. Tex. Nov. 18, 2011)• Compliance department requiresinstruction on these issues.Which applies tothe FIGArchitecture?
  9. 9. A well done user experience(UI or UX) should seamlesslyhide the transfer betweensystems.How could a user possiblyknow which terms of serviceapply?The Myth of Opt In
  10. 10. The Mask of User Experience
  11. 11. The Mask of User Experience
  12. 12. A well done user experience(UI or UX) couldsimultaneously show contentfrom many systems.How could a user possiblyknow which terms of serviceapply?The Myth of Opt In
  13. 13. The Jigsaw Display
  14. 14. Privacy, 4th Amendment andStored Communications Act• Courts are moving in a more protective direction when itcomes to the Fourth Amendment and electronically-storedinformation• Privacy rights in electronically-stored information are notlost solely because that data is stored in a medium ownedby another.• The SCA provides a potential loophole in mostjurisdictions that may allow the government to issue asubpoena not just for past emails in the possession of theservice provider but also future emails.
  15. 15. Data Breach• Most courts find that a data breach withoutsubsequent identity theft resulting inpecuniary loss is not sufficient to conferstanding.In re Sony Gaming Networks and Customer Data Sec. Breach Litig.,No.11md2258, 2012 U.S. Dist. LEXIS 14691 (S.D. Cal Oct. 11,2012); Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir.2011); Resnick v. AvMed Inc., 693 F.3d 1317 (11th Cir. 2012)• Where there is actual evidence of identitytheft or use of any compromisedinformation, the case is more likely tosurvive dismissal
  16. 16. Protection of Trade Secrets• CFAA: Computer Fraud and Abuse Act• What is unauthorized access?• Employees, Third Party Providers, Social Media• Importance of policy vs. hardware controlsU.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012)• Social media• Use or Excessive Use• Social Media Policy
  17. 17. Issues in E-Discovery• Parties that store third party data should not expectto be shielded from discovery rulesColumbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 2007)• FRCP require production based on “possession, custodyor control”• If responding party has the ability to obtain data, it may becompelled to do so• Discoverable information is still protected byprivilege, wherever it existsTomlinson v. El Paso Corp.,245 F.R.D. 474 (D. Colo. 2007)
  18. 18. Best Practice Recommendations• Use experts to help put in good practices – we are findingthat most exposures are easily preventable• Legal should request a technology architecture, data flowand labor access points from the technology group• Technologists should request executive summaries onlegal risk around the project• Legal should choose their battles, knowing that lack ofaction is critically risky
  19. 19. Kathryn Legge, Esq.www.griesinglaw.com215-732-3924klegge@griesinglaw.comAmy H. LarrimoreThe Empire Builders