As the popularity of cloud computing increases, companies should be aware of the related liabilities, particularly in the areas of security and data access, experts say.
Cloud computing promises cost savings by allowing companies to outsource their information technology infrastructure by using Internet technology to access hardware and software services. The data may be stored in another state or even another country.
By taking advantage of economies of scale, the cloud computer provider can make available up-to-date software and computer capacity in a highly cost-effective manner. But the risks of such an approach underscore the need for due diligence in selecting a provider and ensuring safeguards, including insurance coverage.
Many companies are exploring cloud computing to cut costs, observers say.
“I think people are moving pretty quickly” to use cloud computing, said Jeffrey D. Neuburger, a partner with law firm Proskauer Rose L.L.P. in New York. “We're doing a lot of cloud computing work for clients.”
But because the data no longer is in the end-user company's hands, there is a potential loss of control and accessibility, observers say.
“Although cloud computing offers many opportunities, it also brings with it many risks,” Mr. Neuburger said.
“Fundamentally, it involves a certain lack of control over where your data and applications reside. Along with that comes the risk of system failure, comes the risk of unauthorized access to your materials, comes the risk of a lack of control over privacy and data security, and risks associated with intellectual property and privacy,” he said.
R. Jason Straight, New York-based senior managing director, computer forensics & ESI consulting, with consulting firm Kroll Ontrack Inc., a unit of Kroll Inc., said, these issues are “not something people are thinking about when they go to take advantage of the huge, very compelling cost advantages of moving to cloud computing.” When issues arise, “there's no time to go back and figure these things out. You need to address them in advance,” he said.
Firms should first consider whether cloud computing is even appropriate for their needs, Mr. Neuburger said.
“If you have an application that involves sensitive information or needs to be processed on an immediate, instantaneous, real-time basis, it may not be well-suited for a cloud environment,” he said, noting that information technology staff need to conduct this evaluation.
Peter S. Vogel, a partner with law firm Gardere Wynne Sewell L.L.P. in Dallas, said companies operating their own computer may have it in their office “in an air conditioned, secure location” and those conducting daily backup of the data “know it is being taken care of.” But with cloud computing, “you don't necessarily know” those steps are being taken, even if the contract provides for them, Mr. Vogel said.
Once the decision is made to use cloud computing, security is a major concern, say experts. Mr. Straight said while data management can be delegated to a third party, “the accountability for keeping that data safe will always lie with the company.”
Robert J. Scott, managing partner with law firm Scott & Scott L.L.P. in Dallas, said, “The first thing you have to be thinking about is the risks associated with liabilities arising from loss of customer information that's entrusted to the cloud provider.”
Businesses that have customer records have a “nondelegatable duty” and “can't contract that to another party and absolve itself of liability. As soon as you do a cloud arrangement involving customer information, then you've immediately put yourself in a risk situation,” Mr. Scott said.
In addition, when there is an internal breach, “you're going to need to access logs and other information” from the cloud computing provider to investigate what caused the breach, Mr. Straight said.
Experts say access also is a major concern.
“At the end of the day, you want to get your data back and you don't want to be held ransom by the cloud provider,” Mr. Vogel said.
He said he knows of a case where a cloud provider alleged that his client breached security and cut the client off from his own data, a situation that took a lawsuit and several years to resolve. “If you get crossways with the cloud provider, you run the risk they will cut off your service and you can't run your business anymore,” Mr. Vogel said.
The cloud computing provider's level of service is a critical concern, said Michael R. Overly, a partner with law firm Foley & Lardner L.L.P. in Los Angeles. A company cannot run its business “if data isn't available because the cloud computing provider is having problems with their systems, and it's up for two hours, down for six,” he said.
Retrieving data if the cloud computing provider goes bankrupt is another concern, said Mr. Overly.
Another consideration is “how locked in are you to that particular provider?” There “are not a lot of standards in this space right now,” which means providers' formats can vary significantly. It “commits you to a much longer term than you may have realized initially,” Mr. Straight said.
There are legal issues to consider as well, said Lisa J. Sotto, a partner with law firm Hunton & Williams L.L.P. in New York. “One of the key issues is that it's unclear, typically, where data resides when it's in the cloud, and therefore it becomes (an issue of) which jurisdiction's laws apply to that data.”
In Europe, Ms. Sotto said, “you can't move data (via computer) outside the European Union without having a legal basis in place to transfer that data to another jurisdiction.”
In addition, E.U. privacy laws are stricter than U.S. laws, Mr. Vogel said.
There also could be litigation.
Litigating parties are obligated under federal and most states' rules to preserve relevant electronic evidence. The requirement “becomes much more complicated” when a company has contracted with a cloud provider but “you as a litigant don't have real control” over that data, said Mr. Vogel.
“The largest source of cost and expenditure in the litigation process today is electronic discovery,” which can subject firms to millions of dollars in sanctions for failing to preserve this data, Mr. Straight said.
There even is reputational risk, Mr. Scott said. Contracting with a cloud provider in many instances involves a “relatively close partnership between the cloud provider and its customers, and if something goes bad reputationally with that cloud provider, there could be a spilloff, a ripple effect on its customer in terms of the reputational risk.”