Starting a new law firm and speaking with cloud services vendors has brought my partner and me face-to-face with one of the realities of cloud data storage. Previous “Legal Perspectives” columns have addressed legal issues such as the security of attorney-client privileged information when in the possession of a cloud vendor. Faced, however, with the reality of complex password protections, technical problems, and connectivity issues, we focused on accessing information stored in the cloud. Following on the heels of the access issue, we became concerned with many other issues with legal implications, such as where the data would be stored and what would happen if we were to terminate the relationship with the provider.

Of course, written agreements cover these and other points when legal, financial, institutional, or governmental entities contract for cloud services. In addition, the explosion of electronic data has also resulted in nearly every individual cell phone and computer user having some kind of cloud storage arrangement. For such individual users, agreeing to cloud storage usually consists of a “click-wrap” license or a license packaged with other services such as gmail. It pays to read the on-line agreement since clicking means that you have accepted the agreement. Even if you are not in a position to negotiate, you should know what you are getting into.

Cloud-services transactions are a new business relationship that has ancient roots. Contract law builds on old foundations: the concept of one party agreeing to safely hold the property of another in storage for a price is a common law legal relationship called a bailment. A traditional bailment keeps property safe for a limited period of time, but the bailor retains ownership and can demand return of the property. The bailee usually has no right to use or even access the property without the bailor’s authorization and must return physical possession upon demand.

The electronic nature of digital information has given rise to new bailment services, relationships, and concerns. As cloud services continue to expand to all sectors, vendors now offer management, sharing, backup, archiving, and remote access of files with secure encryption capability and other protections, along with support to help users from individuals to corporations and governments.

Agreements for providing services to a law firm for managing and storing lawyer and staff expense records package cloud services with other services, resulting in contracts that include data management and bailment with, for example, license and confidentiality agreements. In reviewing or negotiating such agreements, the “bailor” should not lose sight of the fact that a bailee is holding its data.

A cloud-services agreement, as with all agreements, allocates rights, duties, and responsibilities. Like energy services companies providing electricity, a cloud vendor may be “mid-stream” between the end-user and one or more “upstream” providers of data center storage services. In such a situation, when contracting with end-users, it would be subject to the limitations of its agreements with ultimate providers.

The basic elements of a cloud agreement should include:

•Specific identification of the data owner

•The purpose of storing the data and an explanation of what will be done with it following storage

• The metrics of transferring the data

•The specific requirements for accessing data and the time frames for doing so

• The term and termination covenants

• Types of security

• Breach elements and the breach notification process

•Information as to whether the vendor will use readily accessible programming language or a custom language

• The physical location of the data

 

The type of programming language can be important. Last year, Larry Ellison, Oracle CEO, criticized Salesforce.com’s Force.com platform as “locking in” customers by using custom programming languages such as Apex. While there may be advantages to custom programming, customers should also understand the risks as well.

The answer to the question of “where are your data?” can have significant consequences. The reality is that it may be difficult to identify the location unless the cloud services agreement identifies the geographic locations and/or countries in which your data are stored. If you create data such as a white paper or a design, which laws protect your intellectual property rights? Even if the cloud-services agreement provides for governing law and a jurisdiction for dispute resolution, the law of the jurisdiction in which the cloud vendor is physically located might not give effect to those provisions. Laws can vary significantly, and it is possible that the law of the country in which the data are stored may govern the disposition of the data. And, if dispute resolution is in a foreign country or a distant state, the proceedings could be costly.

A contract with a cloud vendor should provide for what happens if either party suffers a privacy breach and their respective liabilities to one another. It is advisable to look into insurance coverage for breaches. The contract should also address the duties of the vendor in the event a government or private entity seeks your stored data and should indicate what happens when the vendor is served with a subpoena. In such an event, the vendor should be required to timely notify the customer so the customer can object to disclosure prior to that disclosure.

A typical contract may appear to be one-sided from the viewpoint of the customer. For example, the damages may be limited to a single contract year’s cost. Of course, the vendor that includes such a provision is seeking to protect itself against open-ended liabilities. What customers may view as harsh contractual remedies for minor contractual breaches the vendor may see as necessary to protect the quality of service. There may also be provisions that a provider sees as providing flexibility and a customer may, conversely, see as threats to continuity such as a low barrier for the vendor’s suspension of services and no liability for unplanned interruptions.

The customer should pay special attention to the termination provision. Does the vendor have the right to terminate for convenience? Does the customer have that same right? A customer should check a proposed agreement to see if it is locked into the vendor’s service by a “hostage” clause for a specific period without termination rights and whether there is a fee for early termination. Check for a cooperation provision that requires the cloud vendor to provide reasonable assistance if the customer wishes to terminate and use another provider.

Regardless of the nature of the issue, in the event of a dispute, a customer’s data may be tied up during the dispute and resolution of such disputes can take time.

Further considerations from the customer’s perspective include assessment of risk of damage to data center, the risk of the cloud vendor going out of business, interruption of services due to from natural disasters, terrorist attacks, computer viruses, and the like.

Even though cloud services transactions, enabled by technology, appear to raise new issues, the law applicable to cloud transactions has ancient roots. This leads to an interesting application of the adage: Plus ça change, plus c’est la meme chose, or, the more things change, the more they are the same.