In the past several months, I have written three articles about cloud computing, including one that outlines the manner in which electronic discovery continues to migrate to the cloud. My enthusiasm for the cloud has not diminished, as I feel that the cloud is a business imperative, not just a technological one. However, I am constantly reminded of the security risks and the legal issues stemming therefrom, especially as they pertain to the important difference between public and private clouds.
It is important to review the history of e-discovery’s move to the cloud, As background, then Google CEO Eric Schmidt began evangelizing the cloud as early as 2006. According to Steve d’Alencon, Chief Marketing Officer of e-discovery vendor CaseCentral, 2006 also witnessed corporations beginning to view e-discovery as a strategic business process. He added: “CaseCentral has been delivering its software as a service since 1994, essentially pioneering the notion of cloud-based eDiscovery. When the cloud paradigm began to gain traction, we were already prepared to take advantage of this shift due to our SaaS-based architecture. As a result I decided to go all-in on the cloud from a marketing perspective, and even trademarked the term ‘CaseCentral eDiscovery cloud.’”
Boeing, for example, a CaseCentral client, centralized its e-discovery in-house while still working closely with outside counsel. Boeing thus achieved consistency and efficiencies the absence of which previously made e-discovery much more challenging and dispersed among outside counsel using different technology platforms.
The Underpinnings of the Cloud
Before we turn to the topic of security in public and private clouds, it’s worth examining the various elements of the cloud computing model.
The cloud model itself is a three-tiered structure based on (1) infrastructure-as-a-service (IaaS); (2) platform-as-a-service (PaaS); and (3) software-as-a-service (SaaS). Infrastructure and software are particularly important for corporate counsel to master.
Provisioning infrastructure from a third-party cloud vendor allows corporations to take advantage of processing, storage, networks, and other fundamental computing resources on which its computers can run software, including platforms, Operating Systems, and applications.
As the National Institute of Standard and Technology definition of the cloud makes clear, “[t]he consumer does not manage or control the underlying infrastructure, but has control over what to deploy on it. An example of IaaS is Amazon’s Elastic Compute Cloud (EC2).
Corporate counsel must have an intimate understanding of—and must help define from the start—their corporation’s business and IT strategies in this area, particularly the nature of their company’s cloud infrastructure.
At the platform level, an example of which is Salesforce, the cloud-based corporate platform can be built in-house or acquired from a third party to allow for the deployment and delivery of Operating Systems and SaaS. At the most granular software and user level, SaaS are the applications that are accessible from various client devices (e.g., desktop computers, mobile phones) through a Web browser.
Google Apps (Gmail, Calendar, Docs, etc.) for business is a quintessential example of a SaaS. It bears repeating here a portion of NIST’s definition of SaaS: “The consumer does not manage or control the underlying cloud infrastructure, including network, servers, storage, or even individual application capabilities with the possible exception of limited user-specific application configuration settings.”
The Benefits of Cloud Computing
The myriad benefits of cloud computing cannot be ignored. These include:
- Drastically reduced capital expenditures for hardware. IDC predicts that cloud computing will reduce the cost of owning IT infrastructure by 54 percent. “This is a critical point often overlooked and misunderstood by prospects,” d’Alencon told me.
- Decreased costs of computing power and the ability to scale or decrease service at almost no marginal cost beyond that of the on-demand services, platforms or infrastructures themselves.
- Few (if any) upgrade purchases.
- Drastically reduced capital expenditures for hardware. IDC predicts that cloud computing will reduce the cost of owning IT infrastructure by 54 percent.
- Decreased maintenance and reduced IT support costs as a result of not having to maintain staff to keep infrastructure and software running locally.
- Innovative Pricing Models—Sometimes. Most, but not all, vendors charge clients on a per-gigabyte basis. Steve d’Alencon shared that CaseCentral has implemented a different model altogether based on the premise that volume cannot be equated with value. “Per-gigabyte pricing is erroneous and unsustainable.” As the amount of electronically stored information (“ESI”) continues to double every 18 months, vendors will have to slash per-GB prices if they wish to capture market share. Don’t be surprised if vendors begin to move to the CaseCental model or offer other innovative pricing.
The lack of control described above makes it imperative that corporations migrating to the cloud vet e-discovery vendors that use the private and public models. There are vital differences between the two with respect to the soundness of their respective security architecures and the legal issues stemming from those differences. Numerous other issues are discussed in detail below.
Public clouds include those offered by Amazon’s AWS services. A corporation’s ESI resides on servers that are shared with the ESI of other companies. This multitenant nature of public clouds raises critical issues described below. Private clouds can also be multitenant, but they consist of servers dedicated to one client, ensuring that data is not comingled. These servers are stored in a vendor’s own secure data centers.
Legal Issues and Concerns Raised by Cloud Computing and Public Clouds
As the American Bar Association’s Request for Comments on “Issues Concerning Client Confidentiality and Lawyers’ Use of Technology” (Sept. 20, 2010) (“ABA Request for Comments”) makes clear, cloud computing raises “specific issues and possible concerns relating to the potential theft, loss, or disclosure of confidential information.” Id. at 3.
- The storage of information on servers in countries with fewer legal protections for ESI, see id. at 4, which can be especially problematic in regulated industries that have highly defined requirements with respect to the handling of ESI throughout its life cycle. Amazon’s AWS site makes clear that “AWS infrastructure is on Amazon-controlled data centers throughout the world.” Hardly reassuring terms.
- A vendor’s failure to back up data adequately, including ensuring redundancy, see id.;
- The ability to access corporate data using easily accessible software in the event that the corporation terminates its relationship with the cloud computing provider or the provider goes out of business, see id.;
- The provider’s procedures for responding to (or when appropriate, resisting) government requests for access to information, see id. What if, for example, a government (domestic or foreign) seizes the actual servers (i.e. hardware) on which Corporation A’s confidential and highly regulated data resides in order to take control of Corporation B’s data, which resides on the same shared, multitenant server? Without guaranteed redundancy, Corporation A may be out of luck (an understatement) with serious consequences.
- Insufficient data encryption. See id. As security expert Bruce Schneier has written, there’s an old saying in the NSA, now the center of the U.S. CyberCommand: “Attacks always get better, not worse.” Data encryption is a game of cat and mouse, with both parties besting the other cyclically;
- Unclear policies regarding the corporation’s ability to “control” its own data, which may result in a quandary if served with a request for production of materials under Rule 34 of the Federal Rules of Civil Procedure;
- Policies for data destruction when the corporation no longer wants the relevant data available or transfers it to a different host, see id.;
- The potential warrantless seizure of corporate electronic mail under the anachronistic Electronic Communications Privacy Act of 1986 (“ECPA”), 18 U.S.C. § 2510, which includes the Stored Communications Act, 18 U.S.C. §§ 2701-12. Signed into law in 1986, the ECPA established a procedural framework for law enforcement authorities to obtain wire and electronic information, including files stored on a computer. Think “Miami Vice,” not cloud computing. As I wrote in February, the U.S. Court of Appeals for the Sixth Circuit in UnitedStatesv. Warshak (6th Cir. Dec 14, 2010), held valid based on the government’s dubious reliance on the Stored Communications Act a warrantless seizure of corporate e-mails notwithstanding a lengthy and informed exposition on the relationship between technology and the Fourth Amendment. See id. slip op. at 14-29.
These legal issues are highly complex and demand the attention of corporate counsel.
Being Proactive about the Risks Associated with Cloud Computing
The following advice is provided by third parties such as the ABA.
Corporate counsel must understand how and why cloud computing impacts their companies so as to provide sound legal advice that does not ignore the business realities of this paradigm shift when it is embraced at the highest levels of senior management. And counsel must be highly proactive when dealing with potential cloud solution providers so that their business relationships comport not only with their companies’ specific needs, but also with industry regulations that govern their handling of corporate data. A proactive approach should be taken when negotiating Service Level Agreements (“SLAs”) This is no easy task, especially with public cloud vendors.
Amazon’s SLA, for example, explicitly makes clear to clients: “You bear sole responsibility for adequate security, protection and backup of your content.” This is hardly an idle issue for Amazon and the public cloud. Last year, pharmaceutical giant Eli Lilly tried to negotiate a contract with AWS that would have shifted to Amazon some accountability for network outages, security breaches, and other forms of risk inherent in the cloud with respect to Eli Lilly’s corporate data. These were perfectly reasonable requests. When a satisfactory deal could not be struck, Eli Lilly left Amazon to work with another vendor.
Corporate counsel should conduct meticulous due diligence on all potential cloud vendors and negotiate strict terms and conditions governing the stewardship of their data. The New York Bar provides sound advice:
- Ensure that your online data provider has an enforceable obligation to preserve confidentiality and security, and that it will notify you in the event of any security breach (defined as broadly as possible) or if served with process that in any way relates to your data. See New York Bar Opinion at 4.
- Investigate the cloud service provider’s security measures, policies, recoverability methods, and other procedures to assess their adequacy, see id.;
- Ensure that said vendor is using the most appropriate technology to guard against “reasonably foreseeable attempts to infiltrate the data that is stored,” see id.;
- Ensure that the cloud provider can “purge and wipe” any copies of the data and move it to a different host if necessary. Id.
These are serious issues that demand serious attention. One final concern comes to mind.
In any contractual negotiations with cloud vendors, insist upon security provisions based upon the data security requirements specific to your industry (e.g., credit card or health care information). For example, can your vendor provide verifiable assurances that it is HIPPA compliant or meets the standards of the Payment Card Industry Data Security Standards? If not, then take your business elsewhere.
The following advice is intended to provide a starting point for corporate counsel to master the legal side of the cloud.
- Be aware of any and all potential changes to the Model Rules of Professional Conduct by both the ABA and your respective state Bar Associations, which can enforce even stricter standards. The ABA has made clear that it is considering amending Rules 1.1 (competency), 1.6 (duty of confidentiality), and 1.15 (safeguarding client property) in order to “emphasize that lawyers have particular ethical duties to protect clients’ electronic information beyond mere practice norms” in the cloud context. ABA Request for Comments at 3.
- Follow closely evolving industry standards in the cloud space separate and apart from, yet certainly as they relate to, the regulation of your own industry.
- Follow advances in technology. The New York Bar Associate Committee on Professional Ethics Opinion 842 (Sept. 10, 2010) (“New York Bar Opinion”) addresses the use of third-party storage providers and confidential information. It provides strong guidance. Counsel “should stay abreast of technological advances to ensure” that its outside storage systems “remain sufficiently advance” to protect corporate data. Race to the top when it comes to implementing a compliance regime that protects your corporation’s legal interests and discharges its legal duties as they pertain to the cloud and its intersection with your industry’s regulations. These policies should have buy-in from the highest levels of management, including the board of directors, and they should be enforced as imperatives throughout the Legal Department, especially in terms of negotiating contractual terms and conditions with cloud solution providers. Ensure also that you constantly discharge your likely-to-change obligations with respect to confidential information under the Model Rules of Professional Conduct. This includes your obligation to notify your clients in the event of an unauthorized release of such information.
- Race to the top when it comes to implementing a compliance regime that protects your corporation’s legal interests and discharges its legal duties as they pertain to the cloud and its intersection with your industry’s regulations. These policies should have buy-in from the highest levels of management, including the board of directors, and they should be enforced as imperatives throughout the Legal Department, especially in terms of negotiating contractual terms and conditions with cloud solution providers. Ensure also that you constantly discharge your likely-to-change obligations with respect to confidential information under the Model Rules of Professional Conduct. This includes your obligation to notify your clients in the event of an unauthorized release of such information.
Cloud computing will remain a business imperative for years to come, both in general and with respect to e-discovery.
At the same time, cloud computing raises daunting legal issues and real concerns about security and the issues outlined above, especially with respect to public clouds. Corporate counsel have no choice but to master both the law and the technology at the heart of this paradigm. The cloud has become too important to strategic business initiatives to be ignored.
There may, of course, be times when counsel must advise against the use of the cloud. However, sound practice also dictates mastering the paradigm so as to be able to both protect the corporation’s legal interests and allow it to leverage the most powerful IT paradigm contributing to corporate growth today.
In any contractual negotiations with cloud vendors, insist upon security provisions based upon the data security requirements specific to your industry (e.g., credit card or health care information), as well as the myriad issues set forth in this article. If you cannot negotiate a satisfactory SLA, then work with another vendor.
The stakes are too high not to do so.
Source: CaseCentral Case In Point