Well-seeding “the Cloud”: Some basic caveats and pointers in “Cloud-sourcing”.

December 1, 2011

The advent of the cloud has, indeed, changed outsourcing and litigation, inter alia. For now, all who think they may one day be or become subject to discovery and e-discovery requests in relation to I.T. outsourcing, or cloud-sourcing, or both of these, (as well as those who think it can never happen to them, especially General Counsels), may wish to consider, at a minimum, the following, as gleaned from my knowledge and work in the field and review of assorted arrangements, agreements, laws and developments.

Vendors (“Cloudmasters”):

For Vendors, especially the Master Vendors, or “Cloudmasters”, 3 (“three”) critical and indispensable components of the ecosystem (short for “e-commerce system”) and cloud business model, are the “Air”; the “Water”; and the “Seeds.”

1. AIR: The air is, of course, the environment within which one does business.  Bad air can lead to acid rain.  I think this has been well-enough established in the field of environmental law.  In and comprising the air, there is law, there are regulations, and there is company policy.  It is not impossible for a Cloudmaster to be in compliance with law, and have lax internal controls and policies at the same time.  All the air must be good, or else something will suffer.  Certain jurisdictions have strong privacy laws, and others do not.  Certain jurisdictions and types of activity call for the application of heightened regulatory oversight, and this must be respected.  The Cloudmaster choosing the law of one jurisdiction as the preferred location for any “rain” must also be and remain aware and relatively up to date regarding the laws of certain other jurisdictions through or by or from which some or all of the cloud Residents are governed, whether as individuals or as businesses, and whether as parties to the contract, or third-parties in interest.  Many laws may be national, but the air knows no borders!  National and sub-national governments may also go in many and conflicting directions at once in terms of cybersecurity,[1] for example, and until things settle, the Cloudmaster must follow the storm and sail in the direction of every conflicting wind at the same time.  Helping shape a uniformity in the direction of these winds is just one of the many ways in which lobbyists “can” be useful.

2. WATER: Water, also, knows no borders.  Considering the vast array of chemicals that are toxic, carcinogenic, and persistent organic pollutants, and also water-soluble, and considering also, the richness of microscopic life that can be found in the waters of this glorious planet, I think an analogy of data as water, is quite apt.  You never really know what is in it, until it is in your system and has had a chance to … relax, look around, and spread its wings to feel right at home.  Water that gets into the wrong place of a critical system can cause rust, fry circuits, and give some nasty shocks to anyone in contact with or in the vicinity of, that system.  Bearing all of this in mind, it becomes rather important, in a one-to-many service offering such as with the offering of a Cloud Utility, for the Cloudmaster to “most stringently enforce” some shared responsibilities on the Residents for the good of all, and to credibly and demonstrably promote best practices in safeguarding the resilience of critical processes.  What this means is that “Your” water, as a Resident, gets nowhere near the bigger body, unless you can show that, at a bare minimum, some very basic things are in place, such as procedures for enforcing internal controls, employee integrity, and system security; and taken seriously.

Consider this: (i) many reputable antivirus programs will not even install, until after they have performed a basic scan; (ii) a number of educational institutions will not let a user onto their wireless network unless and until the presence of a “current and functioning” antiviral program on that potential user’s system, has been detected;  and (iii) it is always advisable to at least take a tour of a new neighborhood before you move in, unless you are in the habit of buying “sight unseen”  and without any clue as to what you might be getting into.  Checking the credentials or credit of an applicant or prospective resident, or asking about the standard operating procedures and policies of a landlord, employer, or prospective host, are really not new or alien practices.

Some Cloudmasters will accept all comers in order to grow fast and bulk-up ahead of the competition.  When the indiscriminate taking-on of water catches up with them and becomes too much for the emergency pumps, the market will surely assign them their just rewards.  Know your water source before it gets to your water course, to the extent possible, and ensure that all Residents have, in advance or within a reasonable time after joining, information security, infrastructural security, best practices, acceptable and defined compliance and internal governance programs, and self-certification or third-party certification in the form of a warrant and representation, a covenant and undertaking, or both of these; and always with indemnification.

3. SEEDS: Bad seeds will either not grow, or they will grow into the wrong, unanticipated, and unexpected plant.  Remember, a weed, an insect-eating plant, and a cactus, are all still plants – at least to my non-botanist self.  Your seeds are your Residents.  A bad seed may be a rotter on the water, or just not care for the air.  Cloudmasters can ill afford to follow suit, and must be prepared when called for, to give a bad seed the boot, before it really takes root and creates a bad breed that cannot be easily or cheaply removed from the system.  Prevention is always better than the cure; and it is also much cheaper, in most if not all cases.

But, what of those Residents?  Should they not look-upon and treat their Cloudmasters with equal, if not greater suspicion?  Of course, why not!

Customers (Cloud “Residents”):

For cloud Residents, the primary 4 (“four”) critical questions they should consider, begin with: “Who?”; “Where?”; “What?”, and “Why?”

a. WHO: Know your primary cloud vending entity (“Cloudmaster”), draft your agreements defensively, and protect against both changes in control (theirs and yours) and changes in liquidity as a going concern (again, both theirs and yours).

b. WHERE: Be sure to extract an iron-clad guarantee from the Cloudmaster that your data will be kept “solely and entirely” in the appropriate country (such as Canada or the United States), or another jurisdiction acceptable to you, such as the European Union (EU); or the European Economic Area (EEA) to further include Norway, Iceland, and Liechtenstein; or the European Free Trade Area (EFTA) to further include Switzerland, as appropriate.  If the Cloudmaster cannot definitively tell someone where their data will be hosted, or if they just do not know, then the end-result of any decision to continue doing business with such a Cloudmaster, will be solely and completely for the one so deciding to continue.

Everyone who has been paying attention to the news in this area will know that data breaches and the costs of these data breaches in reputation, fines, settlements, and regulatory enforcement actions and investigations and sanctions, have been mounting at a fierce pace.  In addition to your undoubtedly stringent precautions in the above and otherwise, it is not irrational to try to deal with as few privacy regulators as possible, should a breach occur that forces you to make the appropriate disclosures to clients and the proper authorities.  More jurisdictions of operation means more potential discovery and e-discovery obligations; most definitely a greater level of costs for ongoing compliance; and, more than likely, significantly greater costs of remediation in credit counseling and monitoring, changes to and replacement of compromised documents and credentials, and the various and assorted court and regulatory proceedings to monitor and report on the progress of same.  Some courts are becoming rather aggressive in striking-down arbitration clause provisions that specified arbitration (and imposing outright litigation in its stead), or that specified a particular forum (and imposing their own idea of what is or should be, the appropriate forum, which is, invariably, the court striking down that carefully-drafted contract clause).

Just as the cloud has expanded access to hitherto unheard of computing capacity and lowered its costs, it may also lead to either: (a) greater insularity and a lower level of “real” cross-border trades, because of the almost unlimited potential liabilities; or (b) new laws and/or regulations on a regional bloc-basis or on an international or near-international level, in order to control for some of these risks and to put both the market and the consumers more at ease.  Privacy Insurance has already taken a firm hold in a number of jurisdictions; albeit not yet too uniform as to underwriting standards, coverage options, and policy limits.

c. WHAT: In addition to the above, you would be well-advised to develop an in-depth understanding of the Cloudmaster’s security, data retention, and other policies, and also those in the links and structures of the cloud; as well as the who, where, and what of the other cloud participants, sub-vendors, and sub-contractors to the extent that they are disclosed and distinct or otherwise discoverable by due diligence, in order to prevent your being inadvertently caught in a “chain of rain” that brings far more pain than the originally anticipated gain.

d. WHY: Of course, you also need to know what and how often the Cloudmaster does purge or intends to purge, and what logs, if any, they keep and can provide to you without breaching their obligations to other cloud users and deemed cloud residents, whether permanent, or occasional as needed, or transient and otherwise fleeting (each and all deemed and defined herein as “Residents”).

Over-partitioning the data of different Residents, where and as available, adds costs, of course, but it may well also add serious peace of mind in enabling ease of recovery and e-Discovery, and decreasing the risk of inadvertent disclosures and/or cross-contamination when discovery does come-a-calling.  That is a trade-off computation that must be done and presented to a company’s management for their own good Business Judgment, then the appropriate sign-off can be waved as a shield – once properly discovered – against that judicial Sword of Damocles.  Whether Sarbanes-Oxley requires legal counsel, accountants, or auditors to protest more loudly and publicly where and when a publicly-listed entity is unwilling or unable to pay that extra cost and then fails to disclose this in the MDA or otherwise in accordance with law, such as with the current and growing push by the United States Federal Trade Commission (FTC) for greater disclosure of cybersecurity risks by issuers, is significantly beyond the scope of this little missive.

Let the Cloudmaster know what, how, and how much of that “purgeable content” and other data content you want: (a) not purged and kept in place; (b) not purged and delivered to you in backup format on a periodic basis; (c) purged but similarly delivered to you on a periodic basis; or (d) otherwise dealt with.  A Cloudmaster is not responsible for meeting anyone’s preservation or discovery or e-discovery obligations but its own, except if contractually so bound to comply or assist in the same and appropriately motivated by consideration in cash and contract and consequences of complying-not.  In the case of a Platform-as-a-Service (PaaS) or an Infrastructure-as-a-Service (IaaS) Cloudmaster providing a flow-through Utility, appropriate Digital Millennium Copyright Act (DMCA) safeguards and the like, may further so endeavor to hold that Cloudmaster harmless, and potentially also adequately defended and indemnified against an assortment of potential claims.

SUMMARY:  To the exclusion of any particular industry of Resident focus or Cloudmaster competence, which would be additional, we should all be mindful that cloud computing touches over two dozen practice areas and is therefore extremely complex, by nature.  Anyone who cannot appreciate this fact from the outset, is not setting-out well, at the very least.  Some cloud-touching and cloud-touched practice areas that I have identified, so far, include those listed below, and in no particular order:

Contracts;

Criminal law;

Antitrust law;

Competition law;

Information Technology (I.T.);

Insurance;

Outsourcing;

Class Actions;

Labor and employment law;

Bankruptcy and insolvency policies;

Securities regulation;

Corporate governance;

International trade law;

Choice and conflicts of laws;

Interstate and interprovincial trade;

E-discovery;

E-commerce;

Banking and secured transactions;

Litigation (including forum selection);

Intellectual Property Rights (I.P.R.);

Libel and Defamation;

Alternative Dispute Resolution (A.D.R.);

Constitutional law and National Sovereignty;

Law Enforcement and National Security (LENS);

Media, privacy, new and social media, and moral rights.

The Cloud is still quite new, as was aviation before it, once upon a time.  The aviation industry built upon the foundations of shipping, which has been in place for a very long time, and the cloud will build upon the lessons, disasters, and opportunities of both of these same – that are themselves, still evolving (in shipping, such as with the Laws of the Sea re: territorial limits, ocean dumping, and piracy; and in aviation such as with GHG emissions, Air Marshals, Space law and space tourism, and passenger bills of rights when stuck on the ground between the terminal and the flight plan).  Alas, things move significantly faster over the Internet and through the Cloud – especially those things to which significant liability can and does attach, and so these older, tried and tested concepts may need to be speeded-up, re-mixed, re-constituted and re-configured, just to keep pace with the speed of this our human race.

We should also add Taxation to the above listing of practice areas, as the United States and other jurisdictions, are looking with increasing favour and fervor at a tax on internet-based or internet-enabled commerce as a way to boost falling (and flat) government revenues.[2]  Following the earlier lead of the E.U. in this effort,[3] the questions of who is taxable and why, and of what transactions from where and to where, are taxable at what rate or rates, will most certainly keep practitioners in conflicts of laws, constitutional law and national sovereignty, and the other above-listed practice areas, rather busy, then.

For now, watch the weather forecast, but always take your own precautions, scan the horizon, mind the air, the water and the seeds, and keep a reinforced umbrella handy.

Anyone telling you that the Cloud is a simple thing to seed or read, is, I think, mistaken.

Author:

Ekundayo George is a Lawyer and Strategic Consultant.  He is a published author in Environmental Law and Policy; licensed to practice law in multiple states of the United States of America, as well as Ontario, Canada; and has over a decade of solid legal experience in business law and counseling, diverse litigation, and regulatory practice.

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Colin J. Zick, Esq.  More Consumer Data Security and Privacy Legislation Introduced. Posted on September 12, 2011, in a blog entitled “Security, Privacy and the Law”, published by Foley Hoag LLP; (visited on November 28, 2011).  Available at: http://www.securityprivacyandthelaw.com/2011/09/articles/data-breach-1/more-consumer-data-security-and-privacy-legislation-introduced/

[2] ecommercejunkie. Congress Eyes Federal Sales Tax Bill. Posted on August 1, 2011 in a blog entitled “E-Commerce News”, for e-commerce news from around the web; (visited on November 28, 2011).  Available at: http://ecommercejunkie.com/2011/08/01/congress-eyes-federal-sales-tax-bill/

[3] Martin A. Weiss, Analyst in International Trade and Finance, Foreign Affairs, Defense, and Trade Division; Nonna A. Noto, Specialist in Public Finance, Government and Finance Division. CRS Report for Congress: EU Tax on Digitally Delivered E-Commerce. Updated on April 7, 2005, (visited on November 28, 2011).  Available at: http://ipmall.info/hosted_resources/crs/RS21596_050407.pdf
