As briefly as possible, let us consider the essential pros and cons of Cloud Computing, so that you can be better informed to make a decision on whether or not to join the club.  A detailed analysis on each point and its many sub-points could easily run into a multi-volume treatise.  Hence, I will try to give you enough to get the right questions asked.

ADVANTAGES (potential):

Floor Space: Of course, when you cut down on the amount of space you need for your own servers, wiring, HVAC, and individual desktops with full monitor and CPU packages, you can re-dedicate the space to other internal purposes and business units, earn revenues by sub-leasing (to the extent the landlord lets you), or move to a smaller location.  These are increasingly pertinent considerations in any cost-conscious climate.

Operational Efficiencies: Cloud providers allow clients to pay for only that amount of service that they actually use, in addition to any standby or contingent services that are retained as available for purposes of surge capacity, emergencies, or other events whether or not specified.  This allows for the streamlining of staff and functions, a slimmer I.T. department, and a clearer focus on essential, mission-critical business functions.

Capex to Opex: What would formerly have been capital expenditures for I.T. equipment, including servers, setup and administration costs, and repairs and replacements, can now be expensed as operational costs.  Even with the loss of those once available depreciation allowances, the CFO should be happier with the cleaner budget, and greater cost control through a better defined and appropriately confined predictability of outflows.  Software licensing costs no longer need such close monitoring, and temperamental legacy servers running dedicated software in-house, whether or not they can be easily upgraded and updated, can be downgraded in priority, as Cloud Vendors can often accommodate a variety of Cloud subscription fee arrangements including per-seat, per-use, per-tier, and so forth.

Ubiquity: As defined by the National Institute of Standards and Technology (NIST) of the United States Department of Commerce: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”[1]  The key word here is “ubiquitous”, with a one-to-many service model available anywhere, to any or all persons, and at one or all times.  Wireless and satellite Internet access, and portable hotspots where no fixed-site or sufficiently secure or reliable Internet on-ramp exists, make this all possible.  However, this ubiquity comes with costs, as I will outline under the Disadvantages, below; specifically under the Legal and Liability Issues section.

Scalability: The prudent and professional Cloud Vendor will generally maintain sufficient spare capacity to handle the surge requirements of all of its clients.  Certain industries and business models, as well as regular business events – such as accounting and regulatory filings at the end of a month, quarter, or year – and the happening of special or otherwise distinctive events (public offerings, mergers, bankruptcies, or litigation), will generally lead to a heightened usage requirement due to the additional activities and actors that will be brought online.  That is “really” not the time, if ever, for a Cloud Vendor to say that there is no more to give, or that the capacity to handle such an expected spike was never actually considered or built in to the service model.  This nightmare scenario will invariably lead to side litigation on the main instigation, and nervous General Counsel calls to insurers, counterparties, and regulators.  But, we are still listing the Pros; yes?!  Always, always, discuss your actual, anticipated, and remotely potential needs, thoroughly, with the Cloud Vendor, so that “your” package fits “you”.  Besides which, savvy parties are already moving to put adequate and secure capacity in place,[2] to ground the infrastructure for this promising but tricky new platform.

DISADVANTAGES (potential):

Vendor Inelasticity: Once you have decided on a particular Vendor, with its services and cost structure, it can be hard to move.  There will always be costs associated with any change in vendor, and it may take quite some time to have the same service, or a comparable or better service (depending, of course, on the reason for your relocation), up and running in the successor location, including potentially significant unanticipated costs and delays.  Once you are in, then you should plan to be there for the long haul.  This is why, once again, due diligence and mutual good faith between the parties are essential.  In Cloud and outsourcing contracts that I have drafted, I provide for open party communication lines, detailed ADR clauses, and a means to address any failure to meet agreed SLAs.  In addition – always a detailed exit protocol with a combination of specific steps, cost structures, and room to negotiate if and where possible.  Cloud Vendors offering no exit strategy, or an overly rigid or convoluted one, should be approached with high caution.

Access to Data: There are at least 5 (“five”) viewpoints on this issue, depending on whether you are talking about source code, backup and contingency planning, third-party customers, server location, or insolvency.

(a) The cloud vendor will be very reluctant to escrow its source code, the very essence of its competitive advantage, as we now often see touted by many a commentator.  Onlookers argue that such an escrow arrangement is essential to providing the customer with the peace of mind that their data will always be accessible, and that the service will be replicable, should any calamity befall their Cloud Vendor or a related provider in the chain.  Indeed, there is more than one way to provide peace of mind.

(b) Sensible backup and contingency planning requires multiple levels of redundancy, and the United States Securities and Exchange Commission (SEC),[3] for one, has issued guidance on the disclosure of Cybersecurity risks by issuers.  In time, this may expand to non-issuers in that and other jurisdictions.  I would advise that the customer and the Cloud Vendor must have, share, and coordinate their disaster management policies, plans, and procedures.  Whether this will require that the customers of a specific Cloud Vendor all know one another and thereby decrease their mutual security, or that a third-party “security coordinating group or consultant” intervenes to preserve some anonymity, or that some other solution or suite of solutions is developed for this requirement of mutually assured security and stability, remains to be seen.

(c) In some industries, such as healthcare in the United States,[4] and generally under the Privacy laws of Canada,[5] the patient (or data subject, as appropriate) of the Cloud Vendor’s client – and therefore who is not in direct privity of contract with the Cloud Vendor – will have a right to access, and track, and by implication correct errors in, their own personal data.  In a growing number of jurisdictions, the right of governments to access data on individuals with or without warrants, and with or without notification to the subject individual, is expanding.  Without a doubt, new legislation will be created, or existing legislation will be interpreted, to permit the accessing of this information in the hands of the Cloud Vendor, without notice to the Customer, or to the third-party customer as patient, for example.  This complicated mix of privacy, information technology, National Security, and contract, should be closely watched, bracketed and predicted and controlled by appropriate and adequate insurance and drafting, and disclosed in advance by all parties collecting or holding information on individuals, and to all parties considering the use or offering of Cloud-based or Cloud-amenable services.

(d) Server location is a critical issue that may feed or impede point (c).  Having your data in the jurisdiction or jurisdictions that you know will always let you more easily manage those hiccups that may occur from time to time.  Going after your data in a jurisdiction where you don’t speak the language, where you are unfamiliar with the laws, or where there is hostility to you or one or more of your Cloud Vendors or your government, will always make data recovery and re-custody that much harder.[6]  Some commentators and practitioners in the field have alerted others to the danger of employees and contractors working with Trade Secrets and other critical information on mobile media and otherwise through the Cloud, including by backing up devices; even going so far as to say that “no” Trade Secrets should ever be put on the Cloud, at least not yet.[7]  This is a legitimate concern, and cannot be lightly dismissed, because, as they point out, nobody really wants to be that first test case.  However, with many industries, including the legal profession,[8] moving to the Cloud – albeit cautiously – I think the genie is already pretty much out of that lamp.

(e) Insolvency can be a very complex area with regard to a Cloud Vendor, itself in distress, or when a holder of Intellectual Property Rights (I.P.R.) or an I.P.R. licensee is in distress and a Cloud Vendor gets caught in the middle.  Under recent caselaw in the United States of America, we have seen that sometimes the court will decide that the proper venue is that where the injury is deemed to have taken place and thereby where the I.P.R. claimed to have been violated, were originally held.[9]  Where does this leave the Cloud Vendor that provides the means to access that material across jurisdictions?  Sometimes, the court will refuse to permit a foreign licensor in receivership or a similar insolvency situation, to disclaim or otherwise curtail or constrain the I.P.R. licenses granted to United States entities.[10]  Where does this leave the Cloud Vendor who can be sued by one or both sides for compliance and non-compliance alike, and for contributory infringement,[11] or as an accessory to, or as a first party in, I.P.R. infringement?[12]  Foresight, experience, broad practice area knowledge, and good drafting can address some, but not all of the potentially very serious wrinkles that might very easily arise.

Uptime and SLAs: Service Level Availability agreements run from light, through adequate, to (almost) iron-clad.  Some Cloud Vendors will want to exclude mandatory downtime for maintenance and upgrades, or for addressing user-generated issues (such as hacks and malicious code), and the customer, depending on its business model and leverage, may or may not agree or even be comfortable with this.  In addition, many Cloud Vendors will want to limit available remedies for failing to meet stated or contracted-for SLAs, to service credits, exclusively.  Hence, SLAs must always be cautiously and thoughtfully negotiated.  However, some Cloud Vendors will offer a set menu from which to choose, in which case a potential customer should choose wisely, because when things go wrong, as they well may,[13] downtime could be extensive.[14]

Legal and Liability Issues: There are an appreciable number of legal and liability grey areas that remain to be addressed by contract or legislation, and I have addressed some of these in the foregoing.  Now, the transfer of personal data between jurisdictions in North America and the Pacific Rim has also been eased by the recent establishment of the Asia-Pacific Economic Cooperation (APEC) Privacy Rules, involving 21 (“twenty-one”) nation-parties.[15]

Technical Issues: These mainly revolve around security, privacy, and e-Discovery.  The truth of the matter, actually, is that most people are already using, often heavily, some form of Cloud.  Examples include BlackBerry,[16] Google,[17] Hotmail,[18] and Gmail,[19] for a host of social media, email, regimented,[20] and telecommunications (“Smert”) applications.  2011, alone, has seen technical challenges identified for all of these 4 (“four”), some other known or knowable risks,[21] and spectacular failures to failover.[22]

In terms of privacy and security, the potential to use a Cloud service for wrongdoing[23] has heightened the awareness of the public, of legislators, and of law enforcement and national security entities and their operatives, globally,[24] as to the obvious security and privacy challenges presented by this platform.

Indeed, with the move to criminalize so much misconduct involving e-Commerce and the Internet, a test case will surely come when an as yet unknown Cloud Vendor in e-Discovery, and using a 5th Amendment argument,[25] finally and successfully refuses to turn-over discoverable records that are clearly within its possession or control – whether or not those records are ultimately its own – that may, or indeed, would, tend to incriminate it for some bad act or acts, whether in doing a thing, failing to do a thing, or having a wanton or reckless disregard for risks of harm from doing or not doing a thing.[26]

SUMMARY? (in a way, somewhat):

I say “in a way”, because this fast-moving business platform that touches so many areas of law, as I described in an earlier blog,[27] cannot be so easily summarized.  Many honest I.T. professionals will tell you that their skills can be fast outpaced by the market, very easily, if they do not work very hard to stay current and abreast of developments in the industry.  I do not think you can identify too many weather systems, if any (at least not on this planet of ours), that just stay over the same spot of geography with clouds, rain, high winds, thunder, and lightning that does not stop, waver, or let the sun in now and then.

The above, however, is still a handy checklist to have and consider when looking at the Cloud industry and its development over the coming little while.  The Cloud Vendor contracts may be or become quite complex, if you are a potential Cloud customer, and the customer demands or prerequisite requirements may be or become almost impossible to meet, if you are a prospective Cloud Vendor.  However, seasoned and knowledgeable legal counsel, properly structured insurance coverage, and due diligence coupled with stringent and zealously enforced internal controls, including Social Media usage policies, may still let some or all of those involved, sleep soundly.

Sweet dreams, then, count the sheep well, and don’t forget to set your alarm.  Happy New Year, 2012.

Author:

Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice. He is licensed to practice law in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Peter Mell and Timothy Grance.  Computer Security Resource Center of the National Institute of Standards and Technology (NIST).  The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology.  Published in September, 2011, at Section 2.  Available at: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

[2] Greg Markey.  Ottawa Business Journal.  Building data storage capacity.  Published on December 21, 2011.  Available at: http://www.obj.ca/Technology/2011-12-21/article-2844044/Building-data-storage-capacity/1

[3] Division of Corporation Finance, United States Securities and Exchange Commission (SEC). CF Disclosure Guidance: Topic No. 2 – Cybersecurity. Released October 13, 2011.  Available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

[4] Under Section 13405 of the HITECH Act, an individual has rights: in subsection (a), to restrict a Covered Entity’s disclosure of their Electronic Health Records (EHR) including Protected Health Information (PHI) and electronic Protected Health Information (ePHI) in certain cases; in subsection (c), to request and receive an accounting of all disclosures of their PHI and ePHI by a Covered Entity; in subsection (d), to be protected against the sale of their PHI and ePHI without “a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual”; and, in subsection (e), to request and receive a copy of their EHR, PHI and ePHI, or designate that said records in the hands of a HIPAA Covered Entity be sent or transmitted to “an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.”  See: Section 13405, Title XIII ELECTRONIC HEALTH RECORDS.  American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5, as signed into law on February 17, 2009.

[5] As provided in 4.9, Principle 9 (Individual Access), of Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA): “Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.”  See generally PIPEDA, SCHEDULE 1 (Section 5). PRINCIPLES SET OUT IN THE NATIONAL STANDARD OF CANADA ENTITLED MODEL CODE FOR THE PROTECTION OF PERSONAL INFORMATION, CAN/CSA-Q830-96.

[6] Rob McCauley and Ming-Tao Yang.  Finnegan, Henderson, Farabow, Garrett & Dunner, LLP.  Rob McCauley and Ming Yang Discuss the Impact of Cloud, Mobile, and Social Technologies on Trade Secret Law, Podcast, released on December 5, 2011. Available at:  http://www.finnegan.com/lawyers/bio.aspx?lawyer=8a4f9668-a2be-4fc9-8700-800969d07a0&mode=podcasts

[7] Id.

[8] See, e.g., United Kingdom, Information Commissioner’s Office (ICO), Advocate’s legal files lost after unencrypted laptop theft.  News release: 16 November, 2011.  Available at: http://www.ico.gov.uk/news/latest_news/2011/advocates-legal-files-lost-after-unencrypted-laptop-theft-16112011.aspx  Lawyers may well be moving to the Cloud, but even offline, significant risks remain that need to be addressed.

[9] See, generally, Penguin Group (USA) Inc. v. American Buddha, 16 N.Y. 3d 295 (2011), No. 7, 2011 WL 1044581 (N.Y. Mar. 24, 2011), where the New York Court of Appeals first noted that §302(a)(3)(ii) of the New York Civil Practice Law and Rules (C.P.L.R.) gave 3 options to determine the situs of the injury, being: “(i) any place where plaintiff does business; (ii) the principal place of business of the plaintiff; and (iii) the place where plaintiff lost business” (16 N.Y.3d at 304).  But then, the New York Court of Appeals determined that due to the ubiquity of the internet and the potential for global and near instantaneous infringement, the best choice was (ii), the principal place of business of the I.P.R. holder, for purposes of establishing personal jurisdiction in that modern-day copyright infringement case (16 N.Y.3d at 307).

[10] In the United States Bankruptcy Court for the Eastern District of Virginia, the court found that it would be against United States public policy to permit the domestic application, in America, of the result of a German insolvency proceeding that would have deprived U.S. I.P.R. licensees of the use of patents granted by a foreign entity that was no longer solvent, under German law.  See In Re Qimonda AG, 433 B.R. 547 (E.D. Va. 2010); decided on October 28, 2011.

[11] Thankfully, the Supreme Court of Canada (SCC) recently ruled that linking to a libelous blog was not, without more, sufficient to hold the linker additionally liable for “publication” of that defamation.  See Crookes v. Newton, 2011 SCC 47 (CanLII); decided on October 19, 2011.  Perhaps a Cloud Vendor so implicated under Canadian law might find a way to avail itself of this very solid precedent; which may also one day be analogized and/or stretched to work with “like”, “friend”, and “follow”, but for obvious reasons, perhaps not with “retweets”.  Available at: http://www.canlii.org/eliisa/highlight.do?text=crookes+v+newton&language=en&searchTitle=Search+all+CanLII+Databases&path=/en/ca/scc/doc/2011/2011scc47/2011scc47.html

[12] Amazon recently introduced the Cloud Drive and Cloud Player services, that permit “customers to upload music files to private, user-specific online drives (the Cloud Drive) and then listen to these files remotely using the Cloud Player”.  Questions have been raised, and linger, about issues of I.P.R. management and infringement in relation thereto.  See generally Nickolas B. Solish. The Law of Tomorrow Today.  Is Amazon’s Head in the Clouds?  Published on May 4, 2011.  Available at: http://lawoftomorrow.com/2011/05/04/is-amazon%E2%80%99s-head-in-the-clouds/

[13] On Thursday, April 21, 2011, the Amazon Web Service (AWS) suffered a significant outage as a result of an incorrectly performed capacity upgrade.  A cascading failure of attempted but incomplete re-mirroring efforts resulted in a number of Amazon Elastic Block Store (EBS) volumes becoming stuck and failing to receive or transmit further instructions, and an even larger impact on the Relational Database Service (RDS), which utilizes multiple EBS volumes.  Amongst the lessons learned, Amazon stated an intention to: alter its procedures (increasing automation to reduce the chance of future human error); modify its platform (for more robust capacity planning and alarming and redundancies to better deal with large scale failures); and its processes (finding and fixing hitherto unknown bugs that cause the events to cascade to such an elevated degree of systemic severity).  See generally Amazon.com.  Summary of the Amazon EC2 and Amazon RDS Service Disruption in the US East Region; Undated.  Available at: http://aws.amazon.com/message/65648/

[14] From one commentator closely following that April, 2011 Amazon outage, we learn that EBS are spread across multiple Availability Zones (AZ), within each Region of operation.  The above-referenced Amazon outage was especially significant in its impact on those multiple AZ, and therefore upon clients of Amazon’s Elastic Compute Cloud (EC2) that should have been insulated from one another and from any failure in a distinct subsection of a platform that was, logically if not geographically, so widely distributed.   See Cade Metz in San Francisco.  Infrastructure.  Amazon outage spans clouds ‘insulated’ from each other – not what it says on the tin.  Published on April 21, 2011.  Available at: http://www.theregister.co.uk/2011/04/21/amazon_web_services_outages_spans_zones/print.html

See also Cade Metz in San Francisco.  Infrastructure.  Amazon cloud still on fritz after 36 hours “All hands on deck”.  Published on April 22, 2011. http://www.theregister.co.uk/2011/04/22/amazon_elastic_compute_cloud_still_experiencing_problems/print.html

[15] The United States Federal Trade Commission (FTC) announced the inauguration of the APEC Cross-Border Privacy Rules on November 14, 2011.  The 21 (“twenty-one”) APEC members are: Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Taiwan, Thailand, the United States of America, and Vietnam.  Press Release available at: http://www.ftc.gov/opa/2011/11/apec.shtm  As separately implemented, developed, and enforced by each jurisdiction of application, the APEC Privacy Rules are to generally adhere to the 7 (“seven”) principles underlying the E.U. Directive on the Protection of Personal Data, being: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement.  It is interesting to note that while the emphasis is or appears to be on greater monitoring and controls on the western side of the Atlantic, there is a tendency on the eastern side of the Atlantic to favor a more liberal model.  See, e.g., Scarlet Extended SA v. Société belge des auteurs, compositeurs et éditeurs SCRL, C-70/10; decided on November 24, 2011 (I.S.P.s cannot be obligated to implement a general monitoring or filtering policy, as it would infringe fundamental rights and Directives applicable in the E.U.).

[16] There was a service outage in the BlackBerry service of Research In Motion (RIM), in October, 2011.  See e.g. Research In Motion. BlackBerry Service Update; visited on December 27, 2011.  Available at: http://www.rim.com/newsroom/service-update.shtml.  See also Charles Arthur.  guardian.co.uk. BlackBerry outage: RIM boss’s YouTube apology in full, with transcript.  Published on Thursday, October 13, 2011.  Available at: http://www.guardian.co.uk/technology/2011/oct/13/blackberry-outage-rim-apology-youtube

[17] There was a service outage at Google on September 7, 2011, where again, as with Amazon, an attempted upgrade exposed a hitherto unforeseen technical issue.  See e.g. Official Google Enterprise Blog. What Happened to Google Docs on Wednesday.  Published on Friday, September 9, 2011. Available at: http://googleenterprise.blogspot.com/2011/09/what-happened-wednesday.html

[18] There was a service outage at Microsoft’s hotmail service on December 31, 2010, where user mail and profiles apparently disappeared, with additional incoming messages being rejected; as first initiated by a glitch in system test procedures, and left undetected for a length of time due to a subsequent failing in the customer issue management matrix.  See generally  Mike Schackwitz.  Inside Windows Live.  What happened in the recent Hotmail outage.  Published on January 6, 2011.  Available at: http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/01/06/what-happened-in-the-recent-hotmail-outage.aspx

[19] There had been an earlier service outage involving Gmail and Google Apps on February 27, 2011.  Again, as with the Hotmail outage, user mail and profiles apparently disappeared, with additional incoming messages being rejected; as first initiated by a bug “inadvertently introduced in a Gmail storage software update.” See e.g. Google Apps Masters.  Google Apps Tips.  Google Gmail Outage – February 27, 2011 – What happened to my E-mail?  Published on March 10, 2011.  Available at: http://blog.gappsmasters.com/2011/03/google-gmail-outage-february-27-2011-what-happened-to-my-e-mail/

[20] Social Media can be used for a variety of things, including networking, play, jobsearch, and actual work.  Whether one works from home, virtually, on the road, or in a bricks and mortar establishment, there will always be some boundaries, caveats, deliverables, and regulations.  This is why I use the term “regimented”, here, to mean something that has a structure, or some boundaries and rules.  It therefore covers whatever is left of the work-space.

[21] On June 22, 2011, Microsoft’s Business Productivity Online Suite (BPOS), a cloud service, suffered an outage that one commentator described as its “fourth in two months”; wherein users could not use the Exchange email servers or use the Outlook Web Access (OWA) browser client.  The same commentator reports that Microsoft alluded to the cause being a hardware issue.  See Julie Bort.  The Microsoft Update.  Networkworld.  Microsoft confirms BPOS cloud outage.  Published on Wednesday, June 22, 2011.  Available at: http://www.networkworld.com/community/blog/microsoft-confirms-bpos-cloud-outage

Later, on August 17, 2011, Microsoft’s Office 365 and Skydrive, additional cloud offerings and with Office 365 having been designed, launched on June 28, 2011, and marketed as a more robust successor to BPOS, suffered service outages.  Once again, access to email and calendars was disrupted, and this time Microsoft declined to give a reason or the cause for the outage.  The company did, however, issue a letter of apology and offer a credit to its customers.  See generally  Mary Jo Foley.  All About Microsoft.  Microsoft: Here’s what caused our cloud outage this week. Published on August 19, 2011.  Available at: http://www.zdnet.com/blog/microsoft/microsoft-heres-what-caused-our-cloud-outage-this-week/10381

[22] The Cloud Foundry outage of April 25, 2011, was initially traced by the company, in total candor and transparency, to a partial loss of the power supply for a systems storage cabinet.  Then, in what was supposed to be a dry-run, tabletop exercise to establish an improved protocol for dealing with the types of events caused by that first outage, someone touched their keyboard, in unmistakable human error, leading to a second outage of April 26, 2011; and as again explained by the company in total candor and transparency.  See Dekel Tankel. Cloud Foundry Forums.  Analysis of April 25 and 26, 2011 Downtime.  Published on April 29, 2011.  Available at: http://support.cloudfoundry.com/entries/20067876-analysis-of-april-25-and-26-2011-downtime

Still on the subject of power supplies, a utility company outage in Dublin, Ireland, on August 7, 2011, first caused a service disruption in the cloud offerings of both Amazon and Microsoft, which have established significant data center facilities in that jurisdiction.  Ordinarily, backup generators would have taken-over and immediately started to supply power.  However, due to the strange nature of the outage – which a number of parties including both Microsoft and Amazon had originally and erroneously blamed on a lightning strike – their emergency backup system failed.  See Rich Miller. Data Center Knowledge. Dublin Utility: Power Outage Not caused by Lightning Strike.  Published on August 10, 2011.  Available at: http://www.datacenterknowledge.com/archives/2011/08/10/dublin-utility-power-outage-not-caused-by-lightning-strike/

[23] Dan Goodin.  Security.  Researcher cracks Wi-Fi passwords with Amazon cloud.  Return of the Caveman attack.  Published on January 11, 2011.  Available at: http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/print.html

[24] An after-hours raid by the United States Federal Bureau of Investigation (FBI) on a Reston, Virginia data centre, and targeting the Lulz Security group, on Tuesday, June 21, 2011, managed to disrupt services for multiple and non-targeted, innocent users.  Where one serves many, a raid on a few can still inconvenience more than the one, as discomfort is passed along.  Whether a warrant was used, I cannot say.  However, it was fortunate that the gag and delay orders on warrantless and warranted searches under antiterrorism and other laws, were not.  Otherwise, the data center operator would not have been able to explain to the client what happened when the client called from Switzerland, or explain where the missing servers had gone, when someone was sent to physically determine why the services that they hosted were all down.  A report of a theft, an insurance claim, or a call to the police, would have had somewhat interesting consequences with regard to jurisdiction issues, and investigating the “disappearance”.  Would that make a false claim or report, one filed on incomplete information, or both?  For an account of that Lulz Security raid, see Verne G. Kopytoff.  NYTimes bitsblogs. F.B.I. Seizes Web Servers, Knocking Sites Offline.  Published on June 21, 2011.  Available at: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

[25] The Fifth Amendment to the Constitution of the United States of America provides, inter alia, that a person charged with a criminal offence under U.S. law shall not suffer compulsory self-incrimination.  To date, no corporate entity has been permitted to use this “individual” right.

However, as the proliferation of rich clients and thin clients means that Electronically Stored Information (ESI) that may be relevant to the litigation is in the custody or control of multiple, third-party data custodians, including Cloud Vendors and their associates in multiple jurisdictions, who will strenuously argue that they have absolutely nothing to do with what happens on their servers, within their social media, or otherwise, in using them as an innocent conduit, this right may very well be extended at some point; absent some legislative and global, or regional cooperative guarantees, protections, and both specific and generalized immunities, that go far beyond the simple “hold harmless, defend, and indemnify” found in their contracts.

The United States’ Stop Online Piracy Act (SOPA) that threatens to knock websites offline, which may well include the rights of Cloud Vendors and their affiliates to “vend cloud services”, very much bespeaks caution, and is a portent of some very trying and litigious times to come for that business model, and indeed also for any and all online providers of a “one to many” service, or solution, or suite.

Indeed, the recently publicized Model Electronic Discovery Order adopted by the Advisory Council for the United States Court of Appeals for the Federal Circuit, may also fall far short in the number of records custodians permitted to be listed and ordered to produce.  See generally website of the United States Court of Appeals for the Federal Circuit.  Available at: http://www.cafc.uscourts.gov/the-court/advisory-council.html; with the actual order available on that same site at: http://www.cafc.uscourts.gov/images/stories/the-court/Ediscovery_Model_Order.pdf

[26] To its credit and in demonstration of its leadership role in the field, Amazon has published and updated a whitepaper on suggested cloud best practices.  See Jinesh Varia, Architecting for the Cloud: Best Practices Whitepaper.  Version first released by Amazon Web Services (AWS) in January 2010, and last updated in January 2011.  Available at: http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf

[27] Ekundayo George.  Ogalaws. Well-seeding “the Cloud”: Some basic caveats and pointers in “Cloud-sourcing”.  Published in this Blog, on December 1, 2011.  Available at: https://ogalaws.wordpress.com/category/strategic-consulting/outsourcing-and-cloud-computing/


Currently, there is a lot of chatter in military, civilian, political, and business circles on “Cybersecurity” and how best to exploit and secure the cyber-realm or “Cyberspace”.  I wrote in an earlier blog post on the big picture of Cybersecurity, and avoiding data disasters, in general.[1]

Unfortunately, however, while everyone may “think” they are talking about the same thing, I dare say that they are not.  It is, of course, important to know and understand what we are all talking about, before we attempt to secure it with any hope of success.  So, then, what is Cyberspace, we ask?  The answer: almost anything, and nearly everything.  Let me explain, as Cyberspace in its totality comprises 5 Domains, multiplied by 3 Bundles, to give 15 “e-Compartments”; which e-Compartments should be the focal points of and for specific protective and exploitative techniques and technologies, as appropriate.  This is a different, flexible approach better attuned to the rapidly changing world of technology.  It will take an extremely momentous event or series of events closely related in time and space, to change and re-align all e-Compartments at once, or to render techniques and technologies used for exploitation and security in more than a handful of these, all obsolete at one and the same time.  I will also discuss cyber-breach consequences, and make commonsense recommendations.

5 DOMAINS:

(a) The Internet (“Net”) is its own domain, and comprises all systems and services accessible through same, as well as being the catch-all category for everything “online”.

(b) A second domain is the telecommunications networks (“Telco”), which cover phone, fax, voicemail, voice over I.P., videoconferencing, webcasting, and so forth.  The Net and Telco are becoming increasingly intertwined and to a large extent, near indistinguishable.

(c) Third, is that complex of computers, servers, and thin and thick clients (“I.T.”) that drive and serve and access the above 2 (“two”), and the remaining 2 (“two”) domains.

(d) The fourth domain, is that of mobile devices (“Mobile”), or the plethora of “steadily richer clients” in smartphones, PDAs, Notebooks, Tablets, and so forth; along with all the portable drives with capacities ranging from a few megabytes to many terabytes (or even “quigaflops”, as I have also blogged, elsewhere).[2]

(e) The fifth domain of Cyberspace may well surprise some of you, but it shouldn’t.   It includes paper!   Yesterday, today, and tomorrow are not the first times that people will walk critical papers, performances, paintings and portraits, and other personal or positive assets including intellectual property out of monitored or even secure locations, by taking their pictures.  This is the world of “P2ED”, where those papers, performances, paintings and portraits, and other personal or positive assets (collectively being the “P”), can be converted into Electronic Documents (meaning “2ED”), and thereby, in essence: “made to move, to order.”  Modern rapid scanning technologies, the camera-capture tools on almost every mobile data device now available on the market, and the staggering storage capacity of portable drives as earlier stated, mean that almost anything can be relocated in time and space almost instantly and quite completely; often without the victim or “targeted subject” being the wiser.  When you add-in the abilities of three-dimensional printers working with multiple pictures from multiple angles, or simple panned video footage, that “P” can be very easily reproduced in and as an “infringing facsimile”, in any place, at any time, and very many times.

An Electronic Document, I would therefore and expansively, define as: 1 (“one”) or more items of data that may include meta data, created or collected or compiled by electronic means from a paper source or sources, an electronic or other source or sources, or a combination of these and that is:

(i) organized in the same or substantially the same way as the original source or that otherwise characterizes and represents or presents the data in a cognizable format; and

(ii) capable:

(1) of being provided or published or posted or displayed or distributed or otherwise transferred by or to, or retained or reviewed as appropriate, by its creator or compiler, or by any other party or parties possessing the appropriate access permissions and utilities, or by both of the creator or compiler and others; or

(2) of being received or retrieved or acquired or accessed or analyzed or processed or altered as appropriate, by its creator or compiler, or by any other party or parties possessing the appropriate access permissions and utilities, or by both of the creator or compiler and others;

in such a way that makes it capable of being stored and therefore used for subsequent reference; and

(iii) capable of being replicated as is or in an alternate format by its creator or compiler, or by any other party or parties with the appropriate access permissions and utilities, or by both of the creator or compiler and others.

3 BUNDLES:

The three bundles by which to multiply each of the five domains, are: Hardware (“HA”), Software (“SO”), and Services (“SE”).

15 E-COMPARTMENTS:

A full treatment of this multiplication into the 15 e-Compartments, would take a very long time; and so, I gladly leave it to the reader.  However, and as a much abbreviated series of examples:

(i) Securing one compartment of the hardware (HA) in any or many domains may include access barriers or credentials verification, whether with keys and passes, or by biometric or other technical means.

(ii) Exploiting one compartment of the software (SO) in any or many domains may include knowing and using the vulnerabilities found and from time to time exposed in certain types of programs, where updates and antiviral or other protections are lacking, and in people, by means of social engineering.

(iii) Services (SE), you can further divide into at least 6 (“six”) sub-elements to create “sub-compartments” after the multiplication, of: (a) internal; (b) contracted; and (c) outsourced accredited service personnel, and then the same 3, once again, for actual services performed.  To secure your internal personnel, you would of course, have conducted background checks, and engage in some sort of “lawful” ongoing and periodic monitoring.  Securing contracted services, would involve due diligence of the providers, perhaps additional checks and balances on the personnel to do the actual work, and then of course, there is insurance, appropriate contractual terms including warranties and indemnifications from the provider, and other steps as are reasonable, and sometimes seen as unreasonable by the other side.  When they protest, it can be reassuring to see that they are paying attention and not so desperate for your business as to accept any and all conditions without a word.  Similar steps can also be taken to secure outsourced services, with additional precautions where offshoring or a sensitive industry (such as healthcare, or involving personal information or an especially vulnerable and protected class of persons like children, the disabled, the mentally-challenged, or the elderly), is involved.

(iv) If one were to look at Radiofrequency Identification (RFID) and Near-field Communications (NFC) for example, it becomes obvious how one size does not fit all e-Compartments when trying to secure HA (smart phone passwords), SO (against hacking, tampering, and redirection of funds or data sent or received), and SE (challenge and handshake protocols, and perhaps using geolocation – to the extent lawful – to guard against someone’s account being accessed with the same credentials, and apparently from the same device, in two or more jurisdictions at the same time, as spoofed, or in less time than one could reasonably be expected to travel between them).  Each Domain must therefore have and maintain its own set of techniques and technologies to secure HA, SO, and SE in RFID and NFC, as and where applicable, inter alia.
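The geolocation check described in (iv), an "impossible travel" rule, as an added example that is not part of the original post: consecutive logins with the same credentials are compared by great-circle distance and elapsed time, and flagged when the implied speed is implausible or the two logins are simultaneous.  The login events, coordinates (assumed to come from a GeoIP lookup), and the speed and distance thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List

EARTH_RADIUS_KM = 6371.0
# Assumed thresholds: nothing faster than a long-haul airliner is plausible, and
# two location fixes closer than 100 km are treated as the same place (GeoIP jitter).
MAX_PLAUSIBLE_SPEED_KMH = 900.0
SAME_PLACE_KM = 100.0


@dataclass(frozen=True)
class LoginEvent:
    """One successful authentication with a GeoIP-derived location (assumed field set)."""
    user: str
    device_id: str
    when: datetime  # timezone-aware UTC
    lat: float
    lon: float
    jurisdiction: str


@dataclass(frozen=True)
class Alert:
    user: str
    earlier: LoginEvent
    later: LoginEvent
    distance_km: float
    implied_speed_kmh: float  # math.inf when the two logins carry the same timestamp


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres (spherical Earth)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def find_impossible_travel(events: List[LoginEvent],
                           max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
                           same_place_km: float = SAME_PLACE_KM) -> List[Alert]:
    """Flag consecutive logins by the same credentials that are too far apart for the elapsed time."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts: List[Alert] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)  # stable sort keeps simultaneous events adjacent
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < same_place_km:
                continue  # same metro area: not worth an alert
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Simultaneous logins from distinct places imply infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append(Alert(user, prev, cur, dist, speed))
    return alerts


def _utc(hour: int, minute: int) -> datetime:
    return datetime(2011, 12, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: Toronto, Zurich, New York, London and Mississauga coordinates.
SAMPLE_EVENTS = [
    LoginEvent("alice", "dev-a1", _utc(10, 0), 43.65, -79.38, "CA"),
    LoginEvent("alice", "dev-a1", _utc(10, 30), 47.37, 8.54, "CH"),   # 30 min later, ~6,500 km away
    LoginEvent("bob", "dev-b1", _utc(9, 0), 40.71, -74.01, "US"),
    LoginEvent("bob", "dev-b1", _utc(17, 30), 51.51, -0.13, "UK"),   # 8.5 h for ~5,570 km: plausible
    LoginEvent("carol", "dev-c1", _utc(8, 0), 43.65, -79.38, "CA"),
    LoginEvent("carol", "dev-c1", _utc(9, 0), 43.59, -79.64, "CA"),  # ~22 km: same place
    LoginEvent("dave", "dev-d1", _utc(12, 0), 43.65, -79.38, "CA"),
    LoginEvent("dave", "dev-d1", _utc(12, 0), 47.37, 8.54, "CH"),     # same minute, two countries
]

if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{a.user}: {a.earlier.jurisdiction} -> {a.later.jurisdiction}, "
              f"{a.distance_km:.0f} km at {a.implied_speed_kmh:.0f} km/h "
              f"(devices {a.earlier.device_id}/{a.later.device_id})")
```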

3 CONSEQUENCES OF CYBER-BREACH:

Remediation:  This can include the costs of any combination of cash settlements; credit monitoring; credentials replacement for the impacted parties or persons; and changes in the compromised (or absent or insufficient) policies, procedures, personnel, and platforms.

Reputation:  Reputational damage can be felt by its effects on clients, who may leave or reduce their business dealings; labor markets where it may become harder to get the best and brightest talent; media and social media circles, not just the late night talk shows, which may all combine to continue and compound a storm that would otherwise have passed-by and been forgotten more quickly; and of course, insurance deductibles paid and heavier premiums going forwards.  Depending on the specific facts of the situation, the insurer may or may not seek to decline coverage or reduce the available benefits under the applicable policy or policies for errors and omissions, general liability, privacy, and otherwise.  Additional economic impacts may also be felt by issuers in greater “activism” of their shareholders.  The share prices may take a hit, impacting upon debt covenants, debt to equity ratios, leverage ratios – with or without ensuing margin calls – solvency, and directors and officers liability insurance policies, as well.  This, again, could build upon itself in a negative direction if not properly and timely managed.

Regulatory:  The possibility of heavy fines and penalties is always there, whether before or after grueling regulatory investigations that sap time, and resources, and money.  An entity may also face ongoing monitoring and operational restrictions that may go as far as mandatory supervision or takeover.  Suits at law or in equity, or both, may also accrue at a very fierce pace.

4 KEY COMMONSENSE RECOMMENDATIONS:

Systemic Security:  Secure the systems, and those who use and maintain the systems.  This involves the personnel security, the access controls, and educating everyone in the organization on the benefits of compliance with policies, as it could impact upon their salaries and bonuses, the viability of the business, and their jobs.  Where there is a tie-in to their personal realities, stakeholders who see and appreciate potential downsides will be more likely to buy-in to those business practicalities.

Active Management:  Have an Active (and not reactive) Management.  It is never a good recommendation to wait until something bad happens, before thinking about what you will do and how you will react when something bad happens.  More and more jurisdictions are enacting breach notification laws, and so this luxury is no longer an option; even if your jurisdiction has been slow to follow-suit.  Business, today, is hardly so uni-locational as to allow you to be ignorant of global best practices, and still expect to compete and succeed against the competition.  Join and form reputable local industry groups; develop a relationship with a good Public Relations firm; find and retain inside and/or contract and/or outside legal counsel that can cover you on the 3 (“three”) prongs of litigation and e-Discovery, regulatory compliance in your industry, and your contracting and labor practices – in all jurisdictions where you operate; have a solid Social Media presence and policy; and adopt and prepare and plan for, an all-hazards disaster response.

Internal Controls:  Active Management must monitor and verify the Systemic Security through internal controls, inter alia.  Your people must be following these wonderful policies and procedures, otherwise you have just been wasting paper in employee handbooks and handouts, and storage space on your intranet or bulletin board system.  Is Social Media being used responsibly during work time, and regarding work but outside the office?  Are employees following your portable data policies and mobile device policies?  Are contractors being properly segregated from physical areas, online accounts, and specific data that they are not authorized to access?  Are those with authority acting within and not exceeding their access, alteration, and audit authorities?  These and other questions must be asked and answered.  Industry-specific internal controls should include, for any entity with developers writing software or an I.T. department, a policy on Open Source Software (OSS), as I will further explain, below.

Legal and Regulatory Compliance:  Compliance is also very important.  If and when something goes wrong, it always helps to show that you did or were doing the right things, in accordance with law.  The hammer generally tends to fall harder on those who were lax in their compliance, as the weight of culpability becomes significantly harder to avoid.  This is especially important for entities that do not have any in-house legal personnel, which could mean that there is nobody keeping a regular eye on practices and policies that may well slip or dip from time to time, in the ordinary course of business.  The value of regular legal audits becomes that much greater, for a periodic “compliance fine-tuning”.  One area that requires careful scrutiny, tracking, and audits, is Open Source Software (OSS), which is far from being the “free software” that so many may think it is.  Incorporating someone else’s Intellectual Property in company products, or inadvertently contributing the employer’s Intellectual Property to an outside product, through off-time or online collaboration projects, could have dire results.  Some open source licenses will then require that you post all the source code for free and further use by all and sundry; damming a revenue stream and giving away valuable I.P. rights.  Employees and contractors whose contracts state that all they create belongs to the employer, should be made aware of this “significant risk area”, and have some restrictions placed on what they can and cannot do in terms of OSS, collaboration, and their skills as co-mingled with employer property.  The penalties for I.P. infringement, whether of copyright, patent, trademark, or trade secrets, can be severe.

SUMMARY:

This different, flexible approach to Cyberspace and its 15 e-Compartments should serve as a roadmap, in guiding your conceptual approach to the issues in a logical, and step-by-step or compartment by compartment strategy.  As the fields of e-Commerce, Cyberspace, and Cybersecurity grow by leaps and bounds and expand into, above and beyond the “Clouds” – at least until we are all hardwired to be and remain online, at the same time, and all the time – the above basic typologies should suffice and remain the same; and the 5 Domains of Cyberspace, as set out and identified so far, should hold fast, again absent any “category-killer-app” as a caveat.

Happy (belated) Cyber-Monday; and Merry Christmas, 2011!

Author:

Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Ekundayo George, Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3).  Published on September 1, 2011.  Available at: https://ogalaws.wordpress.com/category/strategic-consulting/cybersecurity/

[2] Ekundayo George, “M”edia Effectiveness. (Blog Tab).  Available at https://ogalaws.wordpress.com/media-effectiveness/

The advent of the cloud has, indeed, changed outsourcing and litigation, inter alia. For now, all who think they may one day be or become subject to discovery and e-discovery requests in relation to I.T. outsourcing, or cloud-sourcing, or both of these, (as well as those who think it can never happen to them, especially General Counsels), may wish to consider, at a minimum, the following, as gleaned from my knowledge and work in the field and review of assorted arrangements, agreements, laws and developments.

Vendors (“Cloudmasters”):

For Vendors, especially the Master Vendors, or “Cloudmasters”, 3 (“three”) critical and indispensable components of the ecosystem (short for “e-commerce system”) and cloud business model, are the “Air”; the “Water”; and the “Seeds.”

1. AIR: The air is, of course, the environment within which one does business.  Bad air can lead to acid rain.  I think this has been well-enough established in the field of environmental law.  In and comprising the air, there is law, there are regulations, and there is company policy.  It is not impossible for a Cloudmaster to be in compliance with law, and have lax internal controls and policies at the same time.  All the air must be good, or else something will suffer.  Certain jurisdictions have strong privacy laws, and others do not.  Certain jurisdictions and types of activity call for the application of heightened regulatory oversight, and this must be respected.  The Cloudmaster choosing the law of one jurisdiction as the preferred location for any “rain” must also be and remain aware and relatively up to date regarding the laws of certain other jurisdictions through or by or from which some or all of the cloud Residents are governed, whether as individuals or as businesses, and whether as parties to the contract, or third-parties in interest.  Many laws may be national, but the air knows no borders!  National and sub-national governments may also go in many and conflicting directions at once in terms of cybersecurity,[1] for example, and until things settle, the Cloudmaster must follow the storm and sail in the direction of every conflicting wind at the same time.  Helping shape a uniformity in the direction of these winds is just one of the many ways in which lobbyists “can” be useful.

2. WATER: Water, also, knows no borders.  Considering the vast array of chemicals that are toxic, carcinogenic, and persistent organic pollutants, and also water-soluble, and considering also, the richness of microscopic life that can be found in the waters of this glorious planet, I think an analogy of data as water, is quite apt.  You never really know what is in it, until it is in your system and has had a chance to … relax, look around, and spread its wings to feel right at home.  Water that gets into the wrong place of a critical system can cause rust, fry circuits, and give some nasty shocks to anyone in contact with or in the vicinity of, that system.  Bearing all of this in mind, it becomes rather important, in a one-to-many service offering such as with the offering of a Cloud Utility, for the Cloudmaster to “most stringently enforce” some shared responsibilities on the Residents for the good of all, and to credibly and demonstrably promote best practices in safeguarding the resilience of critical processes.  What this means is that “Your” water, as a Resident, gets nowhere near the bigger body, unless you can show that, at a bare minimum, some very basic things are in place, such as procedures for enforcing internal controls, employee integrity, and system security; and taken seriously.

Consider this: (i) many reputable antivirus programs will not even install, until after they have performed a basic scan; (ii) a number of educational institutions will not let a user onto their wireless network unless and until the presence of a “current and functioning” antiviral program on that potential user’s system, has been detected; and (iii) it is always advisable to at least take a tour of a new neighborhood before you move-in, unless you are in the habit of buying “sight unseen” and without any clue as to what you might be getting into.  Checking the credentials or credit of an applicant or prospective resident, or asking about the standard operating procedures and policies of a landlord, employer, or prospective host, are really not new or alien practices.

Some Cloudmasters will accept all comers in order to grow fast and bulk-up ahead of the competition.  When the indiscriminate taking-on of water catches up with them and becomes too much for the emergency pumps, the market will surely assign them their just rewards.  Know your water source before it gets to your water course, to the extent possible, and ensure that all Residents have, in advance or within a reasonable time after joining, information security, infrastructural security, best practices, acceptable and defined compliance and internal governance programs, and self-certification or third-party certification in the form of a warrant and representation, a covenant and undertaking, or both of these; and always with indemnification.

3. SEEDS: Bad seeds will either not grow, or they will grow into the wrong and unanticipated, and unexpected plant.  Remember, a weed, an insect-eating plant, and a cactus, are all still plants – at least to my non-botanist self.  Your seeds are your Residents.  A bad seed may be a rotter on the water, or just not care for the air.  Cloudmasters can ill afford to follow suit, and must be prepared when called for, to give a bad seed the boot, before it really takes root and creates a bad breed that cannot be easily or cheaply removed from the system.  Prevention is always better than the cure; and it is also much cheaper, in most if not all cases.

But, what of those Residents?  Should they not look-upon and treat their Cloudmasters with equal, if not greater suspicion?  Of course, why not!

Customers (Cloud “Residents”):

For cloud Residents, the primary 4 (“four”) critical questions they should consider, begin with: “Who?”; “Where?”; “What?”, and “Why?”

a. WHO: Know your primary cloud vending entity (“Cloudmaster”), draft your agreements defensively, and protect against both changes in control (theirs and yours) and changes in liquidity as a going concern (again, both theirs and yours).

b. WHERE: Be sure to extract an iron-clad guarantee from the Cloudmaster that your data will be kept “solely and entirely” in the appropriate country (such as Canada or the United States), or another jurisdiction acceptable to you, such as the European Union (EU); or the European Economic Area (EEA) to further include Norway, Iceland, and Liechtenstein; or the European Free Trade Area (EFTA) to further include Switzerland, as appropriate.  If the Cloudmaster cannot definitively tell someone where their data will be hosted, or if they just do not know, then the end-result of any decision to continue doing business with such a Cloudmaster, will be solely and completely for the one so deciding to continue.

Everyone who has been paying attention to the news in this area will know that data breaches and the costs of these data breaches in reputation, fines, settlements, and regulatory enforcement actions and investigations and sanctions, have been mounting at a fierce pace.  In addition to your undoubtedly stringent precautions in the above and otherwise, it is not irrational to try to deal with as few privacy regulators as possible, should a breach occur that forces you to make the appropriate disclosures to clients and the proper authorities.  More jurisdictions of operation means more potential discovery and e-discovery obligations; most definitely a greater level of costs for ongoing compliance; and, more than likely, significantly greater costs of remediation in credit counseling and monitoring, changes to and replacement of compromised documents and credentials, and the various and assorted court and regulatory proceedings to monitor and report on the progress of same.  Some courts are becoming rather aggressive in striking-down arbitration clause provisions that specified arbitration (and imposing outright litigation in its stead), or that specified a particular forum (and imposing their own idea of what is or should be, the appropriate forum, which is, invariably, the court striking down that carefully-drafted contract clause).

Just as the cloud has expanded access to hitherto unheard of computing capacity and lowered its costs, it may also lead to either: (a) greater insularity and a lower level of “real” cross-border trades, because of the almost unlimited potential liabilities; or (b) new laws and/or regulations on a regional bloc-basis or on an international or near-international level, in order to control for some of these risks and to put both the market and the consumers more at ease.  Privacy Insurance has already taken a firm hold in a number of jurisdictions; albeit not yet too uniform as to underwriting standards, coverage options, and policy limits.

c. WHAT: In addition to the above, you would be well-advised to develop an in-depth understanding of the Cloudmaster’s security, data retention, and other policies, and also those in the links and structures of the cloud; as well as the who, where, and what of the other cloud participants, sub-vendors, and sub-contractors to the extent that they are disclosed and distinct or otherwise discoverable by due diligence, in order to prevent your being inadvertently caught in a “chain of rain” that brings far more pain than the originally anticipated gain.

d. WHY: Of course, you also need to know what and how often the Cloudmaster does purge or intends to purge, and what logs, if any, they keep and can provide to you without breaching their obligations to other cloud users and deemed cloud residents, whether permanent, or occasional as needed, or transient and otherwise fleeting (each and all deemed and defined herein as “Residents”).

Over-partitioning the data of different Residents, where and as available, adds costs, of course, but it may well also add serious peace of mind in enabling ease of recovery and e-Discovery, and decreasing the risk of inadvertent disclosures and/or cross-contamination when discovery does come-a-calling.  That is a trade-off computation that must be done and presented to a company’s management for their own good Business Judgment; then the appropriate sign-off can be waved as a shield – once properly discovered – against that judicial Sword of Damocles.  Whether Sarbanes-Oxley requires legal counsel, accountants, or auditors to protest more loudly and publicly where and when a publicly-listed entity is unwilling or unable to pay that extra cost and then fails to disclose this in the MD&A or otherwise in accordance with law, such as with the current and growing push by the United States Federal Trade Commission (FTC) for greater disclosure of cybersecurity risks by issuers, is significantly beyond the scope of this little missive.

Let the Cloudmaster know what, how, and how much of that “purgeable content” and other data content you want: (a) not purged and kept in place; (b) not purged and delivered to you in backup format on a periodic basis; (c) purged but similarly delivered to you on a periodic basis; or (d) otherwise dealt with.  A Cloudmaster is not responsible for meeting anyone’s preservation or discovery or e-discovery obligations but its own, except if contractually so bound to comply or assist in the same and appropriately motivated by consideration in cash and contract and consequences of complying-not.  In the case of a Platform-as-a-Service (PaaS) or an Infrastructure-as-a-Service (IaaS) Cloudmaster providing a flow-through Utility, appropriate Digital Millennium Copyright Act (DMCA) safeguards and the like, may further so endeavor to hold that Cloudmaster harmless, and potentially also adequately defended and indemnified against an assortment of potential claims.

SUMMARY:  To the exclusion of any particular industry of Resident focus or Cloudmaster competence, which would be additional, we should all be mindful that cloud computing touches over two dozen practice areas and is therefore extremely complex, by nature.  Anyone who cannot appreciate this fact from the outset, is not setting-out well, at the very least.  Some cloud-touching and cloud-touched practice areas that I have identified, so far, include those listed below, and in no particular order:

Contracts;

Criminal law;

Antitrust law;

Competition law;

Information Technology (I.T.);

Insurance;

Outsourcing;

Class Actions;

Labor and employment law;

Bankruptcy and insolvency policies;

Securities regulation;

Corporate governance;

International trade law;

Choice and conflicts of laws;

Interstate and interprovincial trade;

E-discovery;

E-commerce;

Banking and secured transactions;

Litigation (including forum selection);

Intellectual Property Rights (I.P.R.);

Libel and Defamation;

Alternative Dispute Resolution (A.D.R.);

Constitutional law and National Sovereignty;

Law Enforcement and National Security (LENS);

Media, privacy, new and social media, and moral rights.

The Cloud is still quite new, as was aviation before it, once upon a time.  The aviation industry built upon the foundations of shipping, which has been in place for a very long time, and the cloud will build upon the lessons, disasters, and opportunities of both of these same – that are themselves, still evolving (in shipping, such as with the Laws of the Sea re: territorial limits, ocean dumping, and piracy; and in aviation such as with GHG emissions, Air Marshals, Space law and space tourism, and passenger bills of rights when stuck on the ground between the terminal and the flight plan).  Alas, things move significantly faster over the Internet and through the Cloud – especially those things to which significant liability can and does attach, and so these older, tried and tested concepts may need to be speeded-up, re-mixed, re-constituted and re-configured, just to keep pace with the speed of this our human race.

We should also add Taxation to the above listing of practice areas, as the United States and other jurisdictions are looking with increasing favour and fervour at a tax on internet-based or internet-enabled commerce as a way to boost falling (and flat) government revenues.[2]  Following the earlier lead of the E.U. in this effort,[3] the questions of who is taxable and why, and of which transactions, from where and to where, are taxable at what rate or rates, will most certainly keep practitioners in conflicts of laws, constitutional law and national sovereignty, and the other above-listed practice areas rather busy.

For now, watch the weather forecast, but always take your own precautions, scan the horizon, mind the air, the water and the seeds, and keep a reinforced umbrella handy.

Anyone telling you that the Cloud is a simple thing to seed or read, is, I think, mistaken.

Author:

Ekundayo George is a Lawyer and Strategic Consultant.  He is a published author in Environmental Law and Policy; licensed to practice law in multiple states of the United States of America, as well as Ontario, Canada; and has over a decade of solid legal experience in business law and counseling, diverse litigation, and regulatory practice.

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Colin J. Zick, Esq.  "More Consumer Data Security and Privacy Legislation Introduced."  Posted on September 12, 2011, in the blog "Security, Privacy and the Law", published by Foley Hoag LLP (visited on November 28, 2011).  Available at: http://www.securityprivacyandthelaw.com/2011/09/articles/data-breach-1/more-consumer-data-security-and-privacy-legislation-introduced/

[2] ecommercejunkie.  "Congress Eyes Federal Sales Tax Bill."  Posted on August 1, 2011, in the blog "E-Commerce News", for e-commerce news from around the web (visited on November 28, 2011).  Available at: http://ecommercejunkie.com/2011/08/01/congress-eyes-federal-sales-tax-bill/

[3] Martin A. Weiss, Analyst in International Trade and Finance, Foreign Affairs, Defense, and Trade Division; Nonna A. Noto, Specialist in Public Finance, Government and Finance Division.  "CRS Report for Congress: EU Tax on Digitally Delivered E-Commerce."  Updated on April 7, 2005 (visited on November 28, 2011).  Available at: http://ipmall.info/hosted_resources/crs/RS21596_050407.pdf
