Cloud Computing: Considerations for Data Safety
David Gaffaney, Huron Consulting Group
One of the most comprehensive shifts in information technology over the past decade is the emergence of cloud computing as a strategy for IT systems management. Cloud computing puts the company's mission-critical data and intellectual property in the hands of a third party. The legal team can help company leadership better understand the risks and considerations associated with cloud computing and how the organization may be protected from legal, operational, and compliance perspectives in a cloud computing relationship. Following is a brief summary of issues to consider, including data security; regulatory considerations regarding data location; back-up and archiving procedures; how the vendor will be able to integrate with the organization's records management and e-discovery needs; and an exit strategy for when the relationship terminates.
Cloud computing is very broadly defined as location-independent, ubiquitous computing and storage on demand. The National Institute of Standards and Technology provides a more detailed definition. There are three major forms of cloud computing:
Depending on the service model used, the organization may face different considerations for back-up/archive, records management, and e-discovery.
It is essential to ensure the service provider's security and authentication architecture can be synchronized with the organization's internal security model. In most cases, organizations are not outsourcing all IT systems to the cloud, but rather a small subset of those systems, such as email or document management. Some applications are easier to manage in this manner than others. Email is easier to control because there is usually a specific, named account per user. Content management systems or shared drives are more difficult to synchronize, because access may be at group or department levels.
The location of data is the most complex aspect of the cloud computing model. Before entering a cloud computing arrangement, it is critical to know where data will physically reside, and if, due to its location, there are regulatory or legal requirements to which the data is subject, and to make certain the cloud provider has the capability to deal with these issues. The following are examples only, and not intended as an exhaustive list of all data privacy laws that may be relevant.
Organizations should be aware of the parameters and the eventual resting place for the backed-up and archived data. The cloud vendor or the data owner may govern the archival methods, depending on the application.
A good records management program requires the controls described above, plus adherence to a retention schedule. Failure to destroy data on a scheduled routine basis (except for data subject to "legal hold") can lead to additional costs and legal exposure. An audit process can help verify that the provider is actually deleting and digitally shredding when required by a retention schedule. An audit process should validate not only the contractual arrangement but also the vendor's processes for disposition of information. The level of audit will depend upon the nature of the arrangement between the organization and the cloud vendor. In a SaaS relationship, some responsibility may fall under the control of the provider. For IaaS or PaaS arrangements, the organization is typically in charge and executes controls at an application level. The organization's IT experts may therefore be the ones to set these parameters.
Controls and processes established at the beginning of the relationship governing records management also affect the stages that follow, including identification, preservation, and collection of data.
Understanding the cloud provider's capabilities regarding data search tools before moving to a hosted model will avoid problems in the future. Will these tools be available from the provider, and at what cost? For example, basic search may be available at no cost, with additional charges for using more robust tools like Autonomy's IDOL or Google Enterprise Search. If the organization has search tools already licensed, can it use them on cloud-based data sets? Are there custom data types that require additional capabilities (e.g., searching into image text with optical character recognition (OCR) technology)?
Legal hold: It is important to understand the provider's legal hold capabilities. Does the cloud provider's staff (and the organization's IT staff) have the ability to lock down content in place and manage complexities such as multiple overlapping holds? Does the cloud environment support the interaction between records management and e-discovery such that disposition schedules do not override legal holds? At the very least, does it not interfere with that interaction? If this is not the case, it may be necessary to bring the collection set into a fully-controlled repository at this point in the lifecycle.
Delegated authority: In the event the organization uses third parties to perform collections and review, the cloud provider should be able to give them securely administered access to data from a geographically separate location.
Because of the large amounts of data potentially involved, planning an exit strategy can help alleviate future problems. Termination provisions should be negotiated with the vendor at the beginning of the relationship. Negotiation should include items such as:
Cloud computing is an evolving arrangement for IT systems management. A shift to a cloud computing model forces organizations to confront new issues in data security as well as familiar issues that have been around for decades. The GLD Button to the right offers a checklist of some questions an organization should ask.
Reprinted with permission from the Association of Corporate Counsel
2010 All Rights Reserved