At a LegalTech 2013 event this week, a panel of attorneys presented on an issue that's becoming exceedingly important as more and more businesses migrate their data onto a cloud platform: what you need to have in your contract with your cloud provider and how to be aware of the amassing international legal bureaucracy surrounding cloud storage.
"When you have information on a cloud that can be accessed anywhere, the question is: whose laws will apply?" said Ken Rashbaum, a principle at Rashbaum Associates LLC, a firm that specializes in electronic information storage laws. "Legal boundaries are being blurred because the technical boundaries are being blurred. Nobody quite understands these rules yet; the courts have not ferreted them out, and the law is still very much the tail behind the dog."
He explained that, just because your cloud provider is based out of, say, California, does not mean your data is only subject to California state and Federal laws. Now that it's on a cloud, it's subject to the laws of any place in the world with an internet connection. That also means it may not be protected by the 4th Amendment's searches and seizure clauses when it comes to international subpoenas.
But he expects this to change in the coming years.
"In about five years, the courts, the regulatory agencies, and international bodies will finally have this all sorted out and we won't be living in the wild west any more," Rashbaum said. "The trouble is that you still have five years to wait."
In the meantime, here's the four things, according to Rashbaum, you can do to keep your data as safe and secure as possible:
1. Make sure it's clear in your contract that you own your own data. It may seem obvious, but your contract needs to have a clause in it that says you will still have the ability to access your data and transfer it if your cloud provider goes bankrupt. Also, ask for a notice provision which stipulates that your cloud provider must give you a seven day warning before they declare bankruptcy so that you have ample time to get your data off of their servers. And figure out the successor liability—you need to know what happens if your provider is bought out by another company.
2. Your service agreement needs to stipulate how your cloud provider will respond to a subpoena. It should be written into your contract what your service provider will do if they're slapped with a subpoena or a civil discovery request. Under to the Stored Communications Act, as the data owner--which you should be if you followed step one--you legally must be notified any time your data is subpoenad, but have it in writing with your provider just for good measure. This will give you the 10-14 days you need to file a response in court if need be. Some cloud owners, such as Facebook, have a policy of hardly ever disclosing personal information. Check what your potential provider's blanket policy is before you cut them a check.
3. Your provider needs to make backups of your data and guarantee uptime. Write into the contract how often your provider needs to make backups to your data and to where. It doesn't do you any good if it's on the same server chain in the same warehouse that your primary cloud is stored on. If your provider loses your data, they may be liable for damages, but it doesn't matter: your data is still gone and never coming back. Also, ask your provider to give you guarantees on when your cloud will be available; nothing's worse than having to send everyone home early for the day because the server your cloud is stored on is down for maintenance.
4. Ask for Cyber Risk insurance and look into SSAE16 and SOC2 certification. Not all providers will offer it to you, but ask what their options are in regards to Cyber Risk insurance. It can protect against damages incurred from the inadvertent disclosures and theft of confidential employee or client information. If your cloud provider doesn't have the option for you to opt into it, you can contract your own. SSAE16 and SOC2 are international standards that determine the security, availability, process integrity, privacy, and confidentially of a data server. It's sort of like an audit and a must-have for service-based businesses.