Cloud Services, especially for document management, present interesting legal and regulatory issues, such as national jurisdiction over the stored information. I’ve posted a few musings about the issues but I am not seeing obvious conclusions yet. Rather than posting minor comments one-per-link, here is my collection to date.
Other posts here on the topic
- Cloud Server or in thin air – Seized – legitimate users of megaupload.com may identify with this
- The question of Encryption
- Haziness of Ownership when it’s Cloud-Based Content
- SOPA and PIPA – the shut-down aspects
Links, with comments/excerpts
Interesting as I evaluate cloud providers for this blog and our corporate apps!
1) Data commingling and segregation
The use of shared virtual infrastructure may create data commingling and segregation issues. B-10 requires service providers to be capable of isolating an FRE’s data, records and items in process from those of other customers at all times. As a precondition of entering into a cloud computing arrangement which is subject to B-10, an FRE must therefore determine whether the cloud service provider can offer the service in a manner that permits proper data segregation.
2) Accessibility of confidential information
The nature of cloud computing – including the ability for multiple entities to access shared resources and the use of multiple locations across low cost regions – can create data security and privacy issues. B-10 requires the FRE to ensure that security and confidentiality policies of the cloud computing service provider are commensurate with those of the FRE, which should ensure that all necessary protections are in place to secure the confidentiality of the data provided to the cloud infrastructure. In particular, contractual provisions should clearly define who has responsibility for protection mechanisms, the information that is covered by such protections, the ability of either party to modify security procedures and requirements and notification obligations of the cloud service provider should any confidentiality or security breach occur.
3) Business continuity
The FRE’s business continuity plans must address all reasonably foreseeable situations in which a cloud service provider may be unable to continue to provide services at the required levels. Most importantly, in the context of any business interruption affecting the cloud service provider, the FRE should ensure that it has access to all necessary records to allow it to continue its business operations and meet any statutory obligations or other obligations to OSFI.
4) Data location
A cloud service provider’s infrastructure and software may be dispersed across multiple locations across the globe. This may be problematic for FREs since B-10 requires the contract governing the provision of the cloud services to identify the nature and scope of the services, including specification of the physical location where the services are being provided. While this may be possible at the outset of a cloud computing arrangement, the dynamic nature of cloud computing means that regular updates should be contemplated under the contract in order to address any shift in the location of the information technology infrastructure supporting the services. In addition, contractual provisions to address any deficiencies in legislated privacy protections and issues relating to access rights of foreign governments and their regulatory agencies should be considered.
Such a contract should include provisions governing the jurisdiction where information will be processed or stored, ownership and use of information, the level of privacy controls used by the service provider, access and correction procedures, audits, and deletion procedures. Lawyers must remember that they remain accountable for information transferred to third-parties for processing.
Lengthy exploration of cloud computing topics, plus a tip sheet?
Good intro to Canadian Personal Info guidelines. The section on International touches on service providers outside the country.
Location clause pulled from cloud-computing regulation – NC Bar Ethics on Cloud Computing | McGrath & Spielberger
NC is exploring some interesting areas… The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.
To The Cloud: A Primer for Law Firms and SMEs : Discover Canadian Lawyers : Lawyer & Attorney Directory & Referral Services
Once you have selected a specific Cloud provider, you will review two critical documents that govern every Cloud relationship: the Cloud Contract, which sets out the terms of the relationship, and the Service Level Agreement (SLA). You must be fully aware of all the terms in each of these agreements and carefully consider how those terms impact your business. The following is a sample of issues to consider when reviewing the Cloud Contract…
Much muttering about this, but is there a clear guideline? This article from December 2010 might point at a direction:
Cloud computing offers many advantages, yet since some consumers and business executives remain wary of the privacy and security implications of storing personal information in unseen computer server farms, confidence in the cloud computing model is directly linked to assurances that real-space privacy protections continue to function in the cloud.
Canadian leadership in this area is evident in several respects. Privacy Commissioner of Canada Jennifer Stoddart and Ontario Privacy Commissioner Ann Cavoukian have been ahead of the curve on the issue with reports on the privacy implications of cloud computing.
Possible tax implications, especially for hosting within another country? Emphasis added, then quoting: “New York has been going after all manner of people who telecommute to businesses in New York, and after businesses who just have a “business nexus” (aka a rented warehouse or some other relatively minimal presence) to get corporate taxes and employee state taxes for work done on systems there, even remotely. …. in his opinion it is only a matter of time before New York (and other states are following suit by the way) started considering any electronic presence as a right to tax the business or individual.”