Cloud computing has great benefits for businesses but legal uncertainties threaten to hamper adoption, said a group of lawyers speaking during a seminar in Seattle this week.
"We will have to create a robust legal system and we will have to do it sooner rather than later and before we have the cloud computing equivalent of an offshore oil rig blowout," said Barry J. Reingold, a partner at Perkins Coie in Washington, D.C.
Lawyers speaking at the Law Seminars International event on Monday offered advice about the types of research companies should do before signing up for cloud services to make sure they can protect themselves from potential legal fallout.
One of the most important issues facing companies that wish to store or process data in the cloud is determining which legal systems have jurisdiction over the data. "It's a can of worms," said Andy James, a lawyer with Osborne Clarke.
A company using a cloud service could have users all over the world and those users' information could be shifted to facilities around the globe. "So there are four possible legal locations for the information at any moment," James said. Laws applicable to the location of the company's headquarters, the location of the servers, the location of the consumer and the location of the communications equipment transmitting the information between the user and the provider could all potentially apply.
Unfortunately, he said, different jurisdictions have made different choices on which of those locations to base their cloud rules on.
In the U.S., businesses must be aware of federal and state laws. On the federal level, legislation like the Health Insurance Portability and Accountability Act and the Children's Online Privacy Protection Act defines how businesses handle certain kinds of data like information related to health and children.
In addition, 45 states have laws covering how companies must secure customer data. "Although many state statutes are similar, there are enough outliers that you need to think about them," said Reingold. For instance, some states define personally identifiable information as including a mother's maiden name, biometrics and birth dates while others only include more basic information like name, Social Security number and driver's licence number. Others call out specific technologies that companies must use to secure data.
A new Massachusetts law that went into effect earlier this year covers any company that owns or licenses personal information about a Massachusetts resident. "Is there a cloud provider out there who doesn't essentially do that?" Reingold wondered. "I guarantee virtually all of our clients have to think about that."
But things can get even more complicated when data is stored in various international locations.
"The reason we can have this service that is inexpensive is because [cloud providers] can put their servers anywhere and can shift loads based on things like where the cost of energy is lower," said Francoise Gilbert, a lawyer with IT Law Group.
But that movement of data around the world can create a challenging legal environment for companies using cloud services.
She splits the world into three categories. Countries within the European Union follow a privacy regime that applies to any kind of personal data. The U.S. and a few others, including Chile and South Africa, write laws based on the type of data, such as health or financial records. The final group has no protection laws for personal data.
Some companies may initially think it's a good strategy to find a provider with data centers in countries that have no data protection laws. "Don't shout victory," Gilbert advised. "The problem is that often these countries tend to have regimes where the government has more rights than maybe we're used to."
India, a hotbed for outsourced services, is a good example. The country recently changed its technology act, and observers had hoped that it would add language to protect data but instead it gave the government more rights, Gilbert said. "It gives the government the right to come in and ask for information on your servers without a warrant," she said.
Europe and a few countries that have adopted a similar model, including Tunisia, Morocco and Uruguay, have clear laws covering what kinds of personal data companies can store and whether they can move that data in and out of the country. Those rules tend to cover a wider set of data than companies in the U.S. might expect, Gilbert said.
"Every time I have a new client they say, 'It's OK, we don't handle personal information,' and I say, 'Oh yeah?'" she said. In the U.S., companies that don't handle financial or health information or have any business with children often think they're in the clear. "The rest of the world tends to think of anything you have attached to your person as private. So the fact that someone has travel plans is personal, the names of your spouse and children is personal information," she said.
"In every type of business you are going to be collecting personal information, so don't think privacy is not for you," she said.
Beyond personal information, some countries like those in the EU make considerations for what they call sensitive data, which may include a person's religious affiliation, membership in a trade union or sexual preference. In the U.S., companies may collect some of that information to look for diversity in their workforce. But if they use a cloud provider with data centers in Europe, European law prohibits them from storing that kind of data. "If you have a payroll system in a country that has a concept of sensitive information, you have a problem," she said.
Many of the speakers at the seminar expressed hope that governments around the world might do a better job of making it easier for businesses to use cloud computing services. But for now, they haven't done a great job. "The legal system has been far, far outpaced by technology," said Reingold.