A Strategic Approach

to Cloud Computing

Nolan M. Goldberg
Senior Counsel
IP & Technology
ngoldberg@proskauer.com

February 23, 2011

1
 Today’s Most Important Slide

• All cloud
services are
not equal.

2
 The Key Legal Question
Is a Particular Cloud
Suitable for a Particular
Application?

- Governed by the
service’s contracts,
structure, and
technology.
3
 The Solution

• It is a best
practice to
undertake a legal
due diligence
investigation prior
to adoption.

4
 Three Due Diligence Questions

1. Where will my data be located?

2. Are the terms of the contract
reasonable for a particular
application?
3. How will the system’s structure
impact the due diligence process
and control over my data?
5
 A Global Perspective

6
 For better or worse…..

• The physical
location(s) of a
cloud will
influence the
legal risks and
protections
afforded to data
on the service.

7
 The Stored Communications Act
(18 U.S.C. § 2701, et seq.)

• The U.S. SCA will limit the

circumstances under which
US-based cloud providers
can disclose customers’
data.
- See e.g., U.S. V. Weaver

8
 In Re Beluga
“…Google and its servers are
located within the United States
and therefore…the ECPA
prohibits Google from disclosing
the contents of those email
accounts until it receives
consents from the email account
holders.”

9
 The US Constitution

•The 4th Amendment

provides protections
beyond that provided
by the SCA.

10
 The US Patriot Act

• The Patriot Act

provides increased
governmental
investigatory
powers, sometimes
without notice to the
target.

11
 Protecting Your IP
• Should your IP be
stolen from a Cloud,
the location of both
the system and the
theft will impact your
ability to seek
appropriate relief.

12
 Contracts
• The validity or
construction of
certain common
contractual terms
will vary based on
the location of the
cloud.

13
 Example: Contractual Variation

• Terms which allow the

provider to vary contract
terms with or without
notice may be more or
less enforceable under
different national laws.

14
 Example (cont.)
Modifications.
a. To the Services. [Provider] may
make commercially reasonable
modifications to the Service, or
particular components of the
Service, from time to time.
[Provider] will use commercially
reasonable efforts to notify
Customer of any such changes.

Excerpt from paid cloud service agreement

15
 Example (Cont.)
“We may change the
service or delete features
at any time and for any
reason. We may cancel or
suspend your service at any
time. Our cancellation or
suspension may be without
cause and/or without notice.”

Excerpt from free cloud service

agreement

16
 Example: Provider Liability

• European legal systems

make it more difficult for
providers to exclude
direct and indirect
liability; and
• There are demonstrable
regional variations on
liability limits.

17
 Export
• Will loading data
onto a foreign
cloud violate
local rules on the
export of
controlled
technologies?

18
 Jurisdiction
• By storing data at
a given location,
is there an
increased chance
of being subject
to litigation in that
jurisdiction?

19
 Privacy
• Can the cloud service comply with
applicable processing, retention or
transfer restrictions?
• Will the operation of the service
unintentionally entangle data not
already subject to processing
restrictions?
20
 Example – EU Data Directive

• Implementations of the E.U. Data Directive of

1995 severely restrict the “processing of
personal data.”
• “processing” and “personal data” are both
defined broadly.
• EU blocking statutes impose liability for the
transfer of personal or other business data
across political boundaries.

21
 Contractual Suitability

22
 Example: Trade Secrets

• Reasonable steps must

be taken to protect the
secrecy of a trade secret
or it can lose its value.

23
 Data Ownership
• Governed by the service
agreement.
• There is the potential that rights
given to the vendor will diminish
the value and protections
afforded the underlying data.

24
 The Vendor May Need Certain Rights in Your
Data to Operate its Service

You understand that [Provider] may

need and you hereby authorize
[Provider] to use, modify, copy,
distribute and display content posted
on the service to the extent necessary
to provide the service.
Excerpt from a Cloud Service Agreement

25
 The Vendor May Want Certain Rights in Your
Data to Generate Revenue

“Some of the Services are supported by

advertising revenue and may display
advertisements and promotions. These
advertisements may be targeted to the
content of information stored on the
Services, queries made through the
Services or other information.”
Excerpt from Cloud Terms of Service (emphasis added)

26
 Reasonableness

The Cloud
Computing Project at
Queen Mary
University of London
analyzed cloud
contracts to find
common practices.

27
 Securing Data in the Cloud

• The traditional focus of data

security is keeping outsiders
off of the network and limiting
the access of insiders to
appropriate areas.
• Data in the cloud should also
be secured against other
customers of the service and
against the service provider.

28
 Structure

29
 The Contract “Controls” the
Scope of Discovery Obligations
The starting point
for determining
control over ESI
on the cloud (or
related metadata,
log files, etc.,) is
the contract.
30
 Determining Control in the Cloud

Contract Consumer
Cloud Service Provider Consumer

31
 Control of Data in Multi-Party
Clouds (cont.)

ID as a Service
Cloud Infrastructure Contract 3 Cloud Infrastructure
Provider Provider 2

Contract 2

Consumer
Applications Contract 1
Provider

Consumer 2

32
 Control of Data in Multi-Party
Clouds (cont.)
Cloud Service
Cloud Service Cloud Service
Co

Contract

ct
ra
nt

nt
ra

Co
ct

Aggregator

Contract

Consumer

33
 Multi-Party Cloud Due Diligence

• Do parties have sufficient

contractual rights from others to
meet obligations to which they have
themselves contracted?
• To what extent will a multi-party
network facilitate a thorough due
diligence process?

34
 Example – Los Angeles

• Los Angeles is migrating its e-mail to

Google Apps, estimating that the move
will free up 100 servers, lowering
electricity bills “by almost $750,000 over
five years.”
http://googleenterprise.blogspot.com/2009/12/why-city-of-los-
angeles-chose-google.html

• Computer Sciences Corporation (“CSC”)

will act as an intermediary.
35
 Example – Los Angeles (cont.)

CSC Contract 1
Los
Angeles
Contract 1
Google Contract 2

36
 For More Information….

Please e-mail:

ngoldberg@proskauer.com

37
 A Strategic Approach
to Cloud Computing

Nolan M. Goldberg
Senior Counsel
IP & Technology
ngoldberg@proskauer.com

February 23, 2011

38