With the U.S. economy still reeling from the aftershock of what is now known as the “Great Recession,” companies large and small are evaluating cloud computing as a means of reducing IT costs. The National Institute of Standards and Technologies (“NIST”) and the Cloud Security Alliance have defined cloud computing as a model for on-demand network access to a shared pool of computing resources over the internet, namely software applications, data servers, networks and other services. Just as businesses and consumers now pay for gas, electricity and other utilities, cloud enthusiasts predict that the cloud will be sold on demand as a pure IT service.
The Silver Lining
Industry groups like ISACA recognize the silver lining in the cloud. For example, there are potential cost savings in the economies of scale that are achievable in a shared computing environment. The cloud also allows companies to scale without any major software or hardware investment. Thus, cloud users are able to deploy new services more rapidly than they could in a traditional IT model. Cloud computing also can accommodate changing business requirements in a flexible and scalable format. By relocating IT services to the cloud, moreover, companies are freed to focus on their core businesses, improve processes, innovate and increase productivity. In short, the promise of cloud computing is compelling – convert IT private networks to an on-demand, pay-as-you-go IT utility service that produces substantial savings for users.
Storm Clouds Gathering
While the benefits of the cloud are clear, the recent security breaches reported by Google highlight just some of the attendant risks. Google notified users that it inadvertently shared private Document and Spreadsheet materials with contacts that were never granted access to them. In response to cloud computing risks, The Electronic Privacy Information Center, an industry watchdog, has filed an FTC complaint to investigate the privacy and security measures of Gmail, Google Docs and Google’s other “cloud computing” services. Even John Chambers, Cisco Systems’ Chairman and CEO, has conceded that the computing industry’s move to an on-demand IT service on the Internet was “a security nightmare.” And, Microsoft now has joined the bandwagon and called on U.S. legislators to enact a “Cloud Computing Advancement Act.”
A 2009 World Privacy Forum report concludes that cloud computing “has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information.” Some of these risks are that:
- a bankruptcy filing by a cloud provider can have a major impact on users, and the provider’s service agreement may not qualify as “intellectual property” under section 365(n) of the Bankruptcy Code;
- the legal status of personal and business information (e.g., trade secrets) may be compromised or commingled with third party data, including that of competitors;
- businesses may be legally barred from placing certain types of information on the cloud (e.g. legally privileged information, health records, financial records);
- cloud providers may impose unreasonable privacy policies or terms of service;
- the physical location of cloud provider servers around the world may result in trans-border information flow and subject information to the laws of multiple jurisdictions;
- the cloud makes it more difficult to develop and enforce enterprise-wide information security policies for risk mitigation;
- cyber attacks directed at cloud providers may impact a large population of unrelated users;
- compelled disclosure by governmental and regulatory authorities or by private parties in E-Discovery may thwart existing legal protections; and
- management would remain legally responsible for compliance with Sarbanes-Oxley requirements under Rule 404 even if internal controls on critical applications or data are delegated to a cloud provider.
It is interesting to note that United States v. Miller has held that an individual’s personal record held by a third party does not have the constitutional privacy protection as applies if the same record were held by the individual.
The Calm After the Storm
It is no surprise that cloud computing is an attractive potential service offering for any business looking to enhance IT resources while controlling costs. The cloud presents some compelling advantages over private networks. However, in light of the above legal uncertainties, we can expect continued cloud-related regulatory action and litigation in the coming years, which likely will result in the modification to existing laws and the enactment of new laws to deal with some of the unique aspects of this business model. Until these storms pass, prudent CTOs and executives considering migrating to cloud computing should seek guidance from competent counsel to ensure that any promised cost savings are in fact outweighed by the potential legal and business risks. While it is unclear today whether cloud computing will become a ubiquitous IT utility that makes private networks technologically obsolete, it is certain to continue expanding rapidly.