Weigh Legal Risks of Cloud Computing

By Cheree McAlpine  |  Posted 2010-04-08

Cloud computing has the potential to revolutionize how we invent, develop, deploy, scale, update, maintain and pay for data and applications, as well as the infrastructure on which they run. However, a highly optimized public cloud presents a variety of legal risks that companies must consider before deploying.

The “nationless state” of the public cloud creates risk from the uncertainty over where sensitive data and applications physically reside. This could include jurisdictions where laws governing the protection and availability of data are significantly different from what companies are accustomed to. Further, because of the virtual and dynamic nature of cloud computing architecture, information in the cloud can be widely distributed across many legal and international jurisdictions—each with different laws regarding security, privacy, data theft, data loss and intellectual property.

Issues revolving around privacy, data ownership and access to data raise significant questions when operating within the cloud. Though there are scant national or international legal precedents for this emerging field, companies must ensure that they have immediate access to their information and that their service provider has appropriate backup and data-retrieval procedures.

The legal framework of cloud computing will also result in a new paradigm of licensing in which traditional software license agreements will be replaced with cloud service agreements. As a result, lawyers representing cloud service providers will seek to reduce the liability of their clients by proposing contracts with the service provided “as is” with no warranty. This means that the service is provided without any assurance or promise of a specific level of performance. This additional risk must be evaluated and considered in the context of the benefits derived from the cloud and the proposed data that will be stored in the cloud.

Finally, cloud computing also poses hurdles for companies that must meet increasingly stringent compliance and reporting requirements for the management of their data.

All these issues pose significant risks to the protection of a company’s sensitive data and the information assets its customers have entrusted it to protect. Enterprises must conduct appropriate due diligence to ensure that their cloud service providers specify where their data resides; the legal framework within those jurisdictions; and the security, backup, anti-hacking and anti-viral processes the service provider has in place.

Still, cloud computing has tremendous benefits, so companies should not be afraid to take advantage of the optimization, scalability and cost savings that cloud computing offers. However, organizations should also conduct a more detailed legal analysis and assessment of risks than they would with traditional IT services.

Cheree McAlpine, general counsel at Wyse Technology, is a 15-year veteran of the Silicon Valley legal community. Her legal expertise includes the issues surrounding cloud computing, thin clients and desktop virtualization.