This document summarizes a presentation given by Thomas Kulik on the legal issues surrounding cloud computing. It provides background on Kulik's experience in both law and the technology industry. The presentation defines cloud computing, outlines its essential characteristics and various service and deployment models according to the National Institute of Standards and Technology. It also provides examples of cloud computing services and summarizes the concept of cloud computing.
Scaling API-first – The story of a global engineering organization
Legal Issues in Cloud Computing
1. “Partly Sunny with a Chance of Rain II”:
Forecasting the Legal Issues in Cloud Computing
by:
Thomas A. Kulik
Chairman, Dallas Bar Association Computer Law Section
Partner, Scheef & Stone, L.L.P.
Dallas Bar Association – Computer Law Section
October 28, 2013
®
2. About
the
Presenter
Tom
Kulik
is
a
Partner
in
Scheef
&
Stone,
L.L.P.
out
of
its
headquarters
in
Dallas,
Texas,
as
well
as
Chairman
of
the
Dallas
Bar
AssociaBon
Computer
Law
SecBon.
With
a
deep
understanding
of
how
intellectual
property
assets
influence
business,
he
leverages
20
years
of
law
pracBce
with
prior
industry
experience,
strategically
counseling
clients
on
maKers
involving
the
evaluaBon,
acquisiBon,
development
and
protecBon
of
intellectual
property
rights,
with
an
emphasis
on
creaBvely
leveraging
such
assets
both
domesBcally
and
internaBonally.
Prior
to
matriculaBon
in
law
school,
he
was
an
award-‐winning
systems
engineer
for
3Com
CorporaBon,
where
he
was
responsible
for
local
and
wide-‐
area
network
architecture
and
design
supporBng
both
Fortune
500
and
start-‐
up
companies
in
the
computer
services,
financial
and
pharmaceuBcal
industries.
Leveraging
this
industry
experience,
his
pracBce
focuses
on
intellectual
property
transacBons,
parBcularly
within
the
context
of
the
computer
soQware,
emerging
Internet
technologies
and
e-‐commerce,
and
includes
an
extensive
trademark
preparaBon
and
prosecuBon
pracBce
and
aKendant
intellectual
property
liBgaBon.
®
4. …and
What
is
“Cloud
CompuBng”?
“SaaS”
“PaaS”
“IaaS”
®
5.
“Cloud
CompuBng”
–
A
Hazy
Phrase
for
a
Foggy
(Evolving)
Concept
“As
a
metaphor
for
the
Internet,
"the
cloud"
is
a
familiar
cliché,
but
when
combined
with
"compuBng,"
the
meaning
gets
bigger
and
fuzzier…
[but
essenBally]
encompasses
any
subscripBon-‐
based
or
pay-‐per-‐use
service
that,
in
real
Bme
over
the
Internet,
extends
IT's
exisBng
capabiliBes.”
What
Cloud
Compu-ng
Really
Means,
Eric
Knor
&
Galen
Gruman,
InfoWorld,
2009
®
6. “Cloud
CompuBng”
DefiniBon
–
The
NaBonal
InsBtute
of
Standards
and
Technology
“Cloud
compuBng
is
a
model
for
enabling
convenient,
on-‐
demand
network
access
to
a
shared
pool
of
configurable
compuBng
resources
(e.g.,
networks,
servers,
storage,
applicaBons,
and
services)
that
can
be
rapidly
provisioned
and
released
with
minimal
management
effort
or
service
provider
interacBon.
This
cloud
model
promotes
availability
and
is
composed
of
five
essen-al
characteris-cs,
three
service
models,
and
four
deployment
models.”
The
NIST
Defini,on
of
Cloud
Compu,ng,
Peter
Mell
and
Tim
Grance,
Version
15,
October
7,
2009
®
7. “Cloud
CompuBng”-‐
EssenBal
CharacterisBcs
• On-‐demand
self-‐service
–
unilateral
and
automaBc
provisioning
of
a
user’s
compuBng
needs
• Broad
network
access
–
services
available
through
the
network
to
cellphones,
PDAs,
laptops,
iPads,
etc.
• Resource
pooling
–
dynamic
assignment
of
physical
and
virtual
compuBng
resources
• Rapid
elas9city
–
quick
scale-‐out/scale-‐in
–
seamless
and
seemingly
unlimited
to
the
user
• Measured
Service
–
automaBc
control
to
opBmize
management
of
resources
(storage,
processing,
bandwidth,
accounts)
®
8. “Cloud
CompuBng”
–
Service
Models
So7ware-‐as-‐a-‐Service
(“SaaS”)
• External
soQware
hosBng
in
a
cloud
infrastructure
PlaDorm-‐as-‐a-‐Service
(“PaaS”)
• Think
“SaaS-‐plus”
–
compuBng
plamorm
and
“soluBon
stack”
for
building
and
running
custom
applicaBons
by
the
user
Infrastructure-‐as-‐a-‐Service
(“IaaS”)
• Data
processing,
storage,
network
and
other
fundamental
compuBng
resources
in
cloud
infrastructure
®
9. Examples
of
Cloud
Services
from
Cloud
Service
Providers”
(“CSPs”)
Infrastructure-‐as-‐a-‐Service
(“IaaS”)
• Amazon
ElasBc
Compute
Cloud
(EC2),
Amazon
S3,
Rackspace
So7ware-‐as-‐a-‐Service
(“SaaS”)
• Apple
iCloud,
Google
Apps,
Facebook
ApplicaBons
PlaDorm-‐as-‐a-‐Service
(“PaaS”)
• Salesforce
AppExchange,
Google
AppExchange
®
10. “Cloud
CompuBng”
–
Deployment
Models
Private
Cloud
Used
solely
by/operated
solely
for
the
organizaBon
Community
Cloud
Used
by/operated
for
mulBple
organizaBons
Bed
to
a
“specific
community”
with
“shared
concerns”
Public
Cloud
Owned
by
CSP
providing
cloud
services
to
the
public
Hybrid
Cloud
ComposiBon
of
2
or
more
disBnct
clouds
“bound
together
by
standardized
or
proprietary
technology
that
enables
data
and
applicaBon
portability”
®
11.
“Cloud
CompuBng”
–
DefiniBon
in
a
Nutshell
A
fully-‐scalable
service
for
processing
and
storing
data
using
third-‐party
shared
resources,
soQware
and
informaBon
accessible
over
a
network
(i.e.
the
Internet),
and
provided
to
computers
and
other
devices
on-‐demand:
Usually
subscripBon-‐based
May
be
pay-‐per-‐use
Even
free!
®
12. Why
the
Cloud
Model?
A
“Perfect
Storm”
• Economics
-‐
IT
capital
cost
pressures
pushing
for
beKer
ROI
• More
for
Less
-‐
Technological
InnovaBon
is
permipng:
» BeKer
communicaBons
bandwidth
availability
» Improved
microprocessor/bus
speeds
» Increased
storage
capabiliBes
• “Virtualiza,on”
–
easier
for
CSPs
to
maximize
infrastructure
for
the
services
provided
and
offload
much
IT
management
®
13. The
Legal
ConsideraBons
in
Cloud
CompuBng:
More
Than
A
Drizzle…
Security
&
Privacy
Contractual
ConsideraBons
Intellectual
Property
E-‐Discovery
&
LiBgaBon
Ethical
ConsideraBons
for
Lawyers
®
14. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Security
&
Privacy
Data
in
the
“Cloud”
harder
to
protect
•
•
•
Is
a
“mulB-‐tenant”
architecture
–
data
stored
on
a
virtual
server
that
shares
same
physical
server
with
other
virtual
servers
Security
dependent
upon
configuraBon
of
the
virtual
servers
and
API
vulnerabiliBes
Geographic
distribuBon
concerns
–
the
“cloud”
knows
no
boundaries
Breach
harder
to
detect
&
manage
•
•
•
CSP
may
use
third-‐party
providers
for
elements
of
the
service
Audit
trail
across
mulBple
plamorms
not
necessarily
integrated
Geographic
distribuBon
concerns
remain
®
15. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Security
&
Privacy
Think
that
3rd
parBes
are
not
looking
for
YOUR
data?
THINK
AGAIN…
®
16. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Security
&
Privacy
Stengart
v.
Loving
Care
Agency,
Inc.,
990
A.2d
650
(2010)
company
policy
claiming
it
owned
all
informaBon
on
its
computers
NOT
enough
to
permit
retenBon
of
aKorney-‐client
privileged
emails
N.J.
Appellate
Division
reversed
Superior
Court’s
order
ordered
employer
and
its
counsel
to
turn
over
ALL
email
communicaBons
between
plainBff
and
her
counsel
AND
delete
same
for
hard
drives
Ordered
hearing
on
sancBons
Point:
aKorney-‐client
privilege
“substanBally
outweigh[s]”
employer’s
enforcement
of
its
own
policies
®
17. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Security
&
Privacy
City
of
Ontario
v.
Quon,
130
S.Ct.2619
(2010)
–
9-‐0
decision
holding
City
did
NOT
violate
police
employees’
4th
Amendment
rights
by
searching
text
messages
on
city-‐owned
pagers
SCOTUS
rev’d
9th
Circuit
found
search
to
be
“reasonable”
because
moBvated
by
legiBmate
work-‐related
purpose
&
not
excessive
in
scope
Rejected
9th
Circuit’s
“least
intrusive”
means
approach
(i.e.
use
less
intrusive
methods
to
determine
proper
use
of
pagers)
BUT…did
not
address
employee
privacy
expectaBons
when
using
employer
computers
®
18. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Security
&
Privacy
Compliance
with
privacy
and
security
laws
and
regulaBons
no
longer
a
domes-c
maGer
Trans-‐border
flow
of
private
informaBon
may
trigger
obligaBons
U.S.
laws
far
LESS
restricBve
than
other
countries
(parBcularly
the
European
Union)
Liability
for
breach
depends
upon
who
controls
the
data
versus
mere
data
processors
Many
data
privacy
laws
pre-‐date
cloud
compuBng
capability
®
19. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Security
&
Privacy
Some
DomesBc
ConsideraBons:
•
•
•
•
•
Graham
Leach
Bliley
Act
-‐
Financial
insBtuBons
must
have
policies/
procedures
in
place
to
protect
“non-‐public
personal
financial
informaBon”
from
improper
disclosure
HIPAA/HITECH
Act
–
“Covered
enBBes”
required
to
noBfy
affected
persons
of
breach
of
unencrypted
“personal
health
informaBon”
FTC
Safeguards
Rule
–
Financial
insBtuBons
required
to
have
wriKen
security
plan
regarding
customer’s
private
informaBon
FTC
Red
Flags
Rule
–
InsBtuBons
holding
credit
accounts
must
have
wriKen
idenBty
theQ
program
Stored
CommunicaBons
Act
-‐
protecBon
from
disclosure
for
emails
and
other
private
data
that
are
in
such
electronic
storage
®
20. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Security
&
Privacy
Some
InternaBonal
ConsideraBons
•
EU
Data
ProtecBon
DirecBve
95/46/EC
–
no
transfer
of
data
to
countries
OUTSIDE
the
EU
unless
they
offer
an
“adequate
level
of
protecBon”
OR
where
excep-ons
apply...like
the
U.S.
Safe
Harbor
List
•
U.S.
Department
of
Commerce
negoBated
a
safe
harbor
framework
with
the
European
Commission
to
“bridge”
differences
in
privacy
protecBon
with
EU
member
states
•
CerBfying
to
the
“safe
harbor”
will
assure
that
EU
organizaBons
know
that
your
company
provides
"adequate"
privacy
protecBon
®
21. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Security
&
Privacy
MUST
understand
the
CSP
operaBonal
model
to
facilitate
compliance
with
applicable
privacy
and
security
laws/
regulaBons
(especially
interna-onally
stored
data)
REVIEW
CSP
privacy
policy
AND
security
procedures
for
conBnuity
with
exisBng
company
procedures
&
guidelines
(i.e.
audit/reporBng
requirements,
security
breach
noBficaBons)
IDENTIFY
and
SPECIFY
data
security
controls
at
the
soQware
level
(i.e.
encrypBon,
firewalls),
as
well
as
physical
security
®
22. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Contractual
ConsideraBons
Different
contractual
consideraBons
from
outsourcing
model
•
•
•
LocaBon
of
service/data
NOT
fixed,
but
distributed
CSP
owns
the
technology,
NOT
the
user/company
Contracts
normally
NOT
negoBable
Risk
allocaBon
far
more
difficult
to
address
•
•
•
No
tradiBonal
soQware
“license”
–
is
an
access
model
LiKle
to
no
indemnity/infringement
protecBon
from
CSP
LimitaBon
of
liability
may
not
cover
anBcipated
risk
®
23.
The
Legal
ConsideraBons
in
Cloud
CompuBng:
Contractual
ConsideraBons
Don’t
think
third
parBes
are
“looking”?
THINK
AGAIN…
“Just
as
a
sender
of
a
leKer
to
a
business
colleague
cannot
be
surprised
that
the
recipient’s
assistant
opens
the
leKer,
people
who
use
web-‐based
email
today
cannot
be
surprised
if
their
communica9ons
are
processed
by
the
recipient’s
ECS
provider
in
the
course
of
delivery.
Indeed,
“a
person
has
no
legi9mate
expecta9on
of
privacy
in
informa9on
he
voluntarily
turns
over
to
third
par9es.”
Smith
v.
Maryland,
442
U.S.
735,
743-‐44
(1979).”
(emphasis
added)
Google
MoBon
to
Dismiss,
In
re
Google
Gmail
Li-ga-on,
Case
No.
5:13-‐
md-‐02430-‐LHK
(N.D.
Ca.)
®
24. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Contractual
ConsideraBons
JurisdicBon
•
Governing
law/Venue
always
favors
the
CSP
LimitaBons
of
Liability
•
Usually
no
liability
for
damages
whatsoever
(data
deleBon,
corrupBon,
failure
to
access,
etc.)
Limited
to
No
Warranty
•
•
“AS-‐IS”
or
“as
available”
No
warranty
that
service
uninterrupted/error-‐free
–
limited
to
SLA,
which
may
be
inadequate
®
25. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Contractual
ConsideraBons
TerminaBon
•
•
•
CSPs
usually
reserve
right
to
terminate
unilaterally
Data
portability
in
event
of
terminaBon?
Avoid
“lock-‐in”
What
is
CSP
goes
bankrupt?
Service
Level
Agreement
(“SLA”)
•
Usually
rely
upon
service
credits
in
event
of
specified
period
of
downBme,
BUT
credits
mean
liKle
when
the
service
is
down!
AudiBng/compliance?
®
26.
The
Legal
ConsideraBons
in
Cloud
CompuBng:
Contractual
ConsideraBons
Google
Apps
Examples:
“Representa,ons.
…Google
warrants
that
it
will
provide
the
Services
in
accordance
with
the
applicable
SLA.”
“Disclaimers.
EXCEPT
AS
EXPRESSLY
PROVIDED
FOR
HEREIN,
NEITHER
PARTY
MAKES
ANY
OTHER
WARRANTY
OF
ANY
KIND,
WHETHER
EXPRESS,
IMPLIED,
STATUTORY
OR
OTHERWISE,
INCLUDING
WITHOUT
LIMITATION
WARRANTIES
OF
MERCHANTABILITY,
FITNESS
FOR
A
PARTICULAR
USE
AND
NONINFRINGEMENT.
GOOGLE
MAKES
NO
REPRESENTATIONS
ABOUT
ANY
CONTENT
OR
INFORMATION
MADE
ACCESSIBLE
BY
OR
THROUGH
THE
SERVICE.
THE
SERVICE
IS
NEITHER
DESIGNED
NOR
INTENDED
FOR
HIGH
RISK
ACTIVITIES.
CUSTOMER
ACKNOWLEDGES
THAT
THE
SERVICES
ARE
NOT
A
TELEPHONY
SERVICE
AND
THAT
THE
SERVICES
ARE
NOT
CAPABLE
OF
PLACING
OR
RECEIVING
ANY
CALLS,
INCLUDING
EMERGENCY
SERVICES
CALLS,
OVER
PUBLICLY
SWITCHED
TELEPHONE
NETWORKS.
®
27.
The
Legal
ConsideraBons
in
Cloud
CompuBng:
Contractual
ConsideraBons
Google
Apps
Examples:
“Limita,on
on
Indirect
Liability.
NEITHER
PARTY
WILL
BE
LIABLE
UNDER
THIS
AGREEMENT
FOR
LOST
REVENUES
OR
INDIRECT,
SPECIAL,
INCIDENTAL,
CONSEQUENTIAL,
EXEMPLARY,
OR
PUNITIVE
DAMAGES,
EVEN
IF
THE
PARTY
KNEW
OR
SHOULD
HAVE
KNOWN
THAT
SUCH
DAMAGES
WERE
POSSIBLE
AND
EVEN
IF
DIRECT
DAMAGES
DO
NOT
SATISFY
A
REMEDY.”
“Limita,on
on
Amount
of
Liability.
NEITHER
PARTY
MAY
BE
HELD
LIABLE
UNDER
THIS
AGREEMENT
FOR
MORE
THAN
THE
AMOUNT
PAID
BY
CUSTOMER
TO
GOOGLE
DURING
THE
TWELVE
MONTHS
PRIOR
TO
THE
EVENT
GIVING
RISE
TO
LIABILITY.
“Governing
Law.
This
Agreement
is
governed
by
California
law,
excluding
that
state’s
choice
of
law
rules.
FOR
ANY
DISPUTE
RELATING
TO
THIS
AGREEMENT,
THE
PARTIES
CONSENT
TO
PERSONAL
JURISDICTION
IN,
AND
THE
EXCLUSIVE
VENUE
OF,
THE
COURTS
IN
SANTA
CLARA
COUNTY,
CALIFORNIA.
“
®
28. The
Legal
ConsideraBons
in
Cloud
CompuBng:
Contractual
ConsideraBons
MUST
take
CSP
operaBonal
model
into
consideraBon
to
address
specific
points
of
impact
and
allocate
risk
–
KNOW
the
3P
providers
REVIEW
service
levels/credits
with
a
wary
eye
–
may
NOT
be
enough
to
cover
for
impact
of
downBme
on
business
MUST
address
data
export
capabiliBes
and
ensure
compaBbility
with
business
conBnuity
and
DR
plan
NEGOTIATE…NEGOTIATE…NEGOTIATE!
®
29. Weather
Brewing
on
the
Horizon:
Intellectual
Property
Intellectual
property
rights
and
the
“cloud”
more
difficult
to
address:
• No
tradiBonal
license
model
• “Legacy”
systems/soQware
–
connecBvity
to
the
“cloud”
may
not
be
consistent
with
exisBng
licenses
• Possible
fixaBon
issues
due
to
distributed
architecture
Evolving
technology
means
the
law
is
desperately
trying
to
catch-‐up
Trade
secrets
issues
–
inconsistent
with
cloud
model?
®
30. Weather
Brewing
on
the
Horizon:
Intellectual
Property
Copyright
• Remote
storage
DVR
system
held
not
to
be
a
violaBon
of
U.S.
copyright
law
(See
Cartoon
Network
LP,
LLLP
v.
CSC
Holdings,
Inc.,
536
F.3d
121
(2nd
Cir.
2008),
cert.
den’d
129
S.Ct.
2890
(2009))
• Aereo
(retransmission
of
over-‐the-‐air
broadcasts
to
mobile
devices)
• Digital
Entertainment
Content
Ecosystem
(DECE)
–
a.k.a.
“Ultraviolet”
-‐
purchase
content
once,
then
view
in
many
formats
and
on
many
devices
from
cloud-‐based
account
®
31. Weather
Brewing
on
the
Horizon:
Intellectual
Property
Trade
Secrets
–
protecBons
may
be
more
limited!
Trade
secret
informaBon
stored
in
the
cloud
may
be
subject
to
loopholes
that
permit
unauthorized
third-‐party
disclosure.
See
Sherman
&
Co.
v.
Salton
Maxim
Housewares,
Inc.,
94
F.Supp.2d
817
(E.D.
Mich.
2000)
(holding
that
the
Stored
CommunicaBons
Act
only
prohibits
the
disclosure
of
stored
communicaBons
where
the
disclosing
party
provides
an
“electronic
communicaBon
service”,
and
a
person
who
does
not
provide
such
a
service
"can
disclose
or
use
with
impunity
the
contents
of
an
electronic
communicaBon
unlawfully
obtained
from
storage."
(citaBon
omiKed)).
®
32. Weather
Brewing
on
the
Horizon:
Intellectual
Property
MUST
determine
how
IP
“creators”
in
organizaBon
would
be
using
CSP
services
and
where
stored
REVIEW
any
legacy
system
Be-‐in
to
cloud
for
license
compliance
RETHINK
placing
trade
secret
informaBon
within
the
cloud
–
law
is
evolving
here
®
33. Weather
Brewing
on
the
Horizon:
e-‐Discovery
&
LiBgaBon
Discovery
of
electronically
stored
informaBon
(“ESI”)
drama-cally
more
difficult
in
the
cloud
• Data
preservaBon/integrity
hard
to
manage
• Data
may
be
housed
in
mul-ple
countries
• CSPs
may
use
3P
providers
JurisdicBonal
issues
• Enforceability
–
mulBple
countries
vs.
governing
law
• Country
where
data
is
resident
in
computer
facility
–
governmental
access?
®
34. Weather
Brewing
on
the
Horizon:
e-‐Discovery
&
LiBgaBon
PreservaBon
is
KEY
• Unlike
outsourced
soluBons,
users
may
not
know
what
infrastructure
they
are
using
or
the
physical
locaBon
of
data
• CSP
may
be
able
to
retrieve
the
data,
but
NOT
know
where
your
data
is
for
the
purpose
of
a
liBgaBon
hold
• CSP
may
use
third-‐party
service
providers
for
elements
of
services
provided
to
the
user,
exacerbaBng
the
issue
Courts
may
NOT
disBnguish
servers
in
the
“cloud”
from
ones
in
direct
possession
®
35. Weather
Brewing
on
the
Horizon:
e-‐Discovery
&
LiBgaBon
SpoliaBon
• Cloud
infrastructure
increases
spoliaBon
risk
• Where
CSPs
use
3P
providers
–
greater
danger
Data
Integrity
• Data
at
rest
–
MUST
be
free
from
corrupBon
• How
to
ensure
NO
CHANGE
to
data
upon
hold?
Standard
CSP
agreements
do
NOT
account
for
possibility
of
ESI
preservaBon
by
default
®
36. Weather
Brewing
on
the
Horizon:
e-‐Discovery
&
LiBgaBon
MUST
account
for
specific
CSP
model
and
viability
of
the
CSP
regarding
ability
to
comply
with
e-‐discovery
and
liBgaBon
holds
DEMAND
accountability
for
handling
of
ESI
• General
“cooperaBon”
clause
• Acknowledge
compliance
with
liBgaBon
holds
STRONGLY
CONSIDER
a
separate
agreement
®
37. Weather
Brewing
on
the
Horizon:
Ethical
ConsideraBons
for
Lawyers
Law
firm
use
of
CSPs
for
their
IT
needs
growing
ConsideraBons
are
more
delicate
for
law
firms
due
to
client
confidenBality
obligaBons,
privilege,
etc.
BoKom
line:
it
is
available,
but
is
it
ethical?
®
38. Weather
Brewing
on
the
Horizon:
Ethical
ConsideraBons
for
Lawyers
Answer:
IT
DEPENDS
17
states
so
far:
Use
of
CSPs
for
storage
of
client
files
so
long
as
a
reasonable
standard
of
care
is
exercised,
BUT
differences:
Alabama,
Arizona,
California,
ConnecBcut,
Florida,
Iowa,
Maine,
MassachuseKs,
New
Hampshire,
New
Jersey,
Nevada,
New
York,
North
Carolina,
Oregon,
Pennsylvania,
Vermont
&
Virginia
BoKom
Line:
Use
DILIGENCE
and
COMPETENCE
exercising
reasonable
care
MUST
have
a
BASIC
understanding
of
the
technologies
used
Have
an
OBLIGATION
to
remain
current
on
the
technologies
®
39. Weather
Brewing
on
the
Horizon:
Ethical
ConsideraBons
for
Lawyers
What
is
considered
a
“reasonable
standard
of
care”?
• MUST
be
knowledgeable
about
CSP
handling
of
data
• MUST
contract
with
CSP
to
preserve
confidenBality/security
of
data
Transposing
the
“reasonableness”
standard
from
“brick
&
mortar”
to
the
“cloud”
not
as
easy
as
you
may
think:
•
•
•
•
•
Security
–
client
confidenBality
requires
strong
contractual
protecBons
Backups
–
MUST
think
about
IaaS
infrastructure
Data
access
–
SLA
service
credit
should
NOT
be
sole
remedy
Portability
–
Transfer
of
data
in
event
of
terminaBon
crucial
Bankruptcy
of
CSP
–
how
to
account
for
possibility?
®
40. Weather
Brewing
on
the
Horizon:
Ethical
ConsideraBons
for
Lawyers
USE
COMMON
SENSE
• Understand
how
the
CSP
will
handle
the
data
• Don’t
be
afraid
to
ask
quesBons
–
arguably
have
a
duty
TO
ask
them!
• Security
should
cover
both
soQware
capabiliBes
AND
physical
faciliBes
BoKom
Line:
LET’S
BE
CAREFUL
OUT
THERE!…
®
41. “Partly Sunny with a Chance of Rain”:
Forecasting the Legal Issues in Cloud Computing
Q
&
A
Email:
tom.kulik@solidcounsel.com
LinkedIn:
hKp://www.linkedin.com/in/tkulik
TwiKer:
@LegaIntangibls
Google+:
hKp://gplus.to/TomKulik
Blog:
hKp://www.legalintangibles.com
®