Legal concerns curb corporate cloud adoption

The first time a client brought intellectual property lawyer Janine Anthony Bowen a cloud computing contract to look over, her reaction was, essentially, "These people must be nuts."

"I read the clause saying the service provider would bear no liability for anything that went wrong with its service, and even if something did go wrong, my client would still be responsible," recounts Bowen, lead partner at Jack Attorneys & Advisors in Atlanta.

To recover any losses, her client would have had to bring suit, and the maximum recovery amount equaled no more than the fees paid for 12 months of service. That amount wouldn't even begin to come close to the value of a data loss. Bowen's assessment of the contract was blunt: "The terms were offensive," she says.

Tanya Forsheit, with whom Bowen shared the dais at a Practising Law Institute seminar on cloud computing in San Francisco last summer, says she has similar concerns. "The cloud providers try to convey a take-it-or-leave-it attitude for their contracts, expecting people to click through the 'I accept' options the way people click through the iTunes website," says Forsheit, a founding partner of InfoLawGroup who works out of the firm's Manhattan Beach, Calif., office.

Because of the take-it-or-leave-it approach of cloud providers, IT professionals are running into problems with the legal professionals charged with mitigating the risks that their organizations face. That's the case at the Port of San Diego, where Deborah Finley just began thinking about using a small vendor's cloud-based email archiving service.

"We're a medium-size organization without the leverage a larger organization might enjoy. The vendor's contract had a limitation of liability for the cost of the contract, while our legal department has standard language about indemnification," says Finley, the Port's director of business information and technology services. "To change that language, we would need board approval."

After some back and forth, Finley and the Port lawyers reached a compromise, but she's reluctant to go to the board every time she wants to sign a cloud computing contract.

For Finley and many other IT execs, the bottom line is this: Cloud computing is supposed to make things easier and cheaper for IT, but instead, it's turning lawyers and CIOs -- two groups with more common ground than they realize -- into adversaries, at least temporarily.

The lawyers, whose job is to advise the company on legal, risk and compliance issues, want to limit contracts that ignore or gloss over matters related to data loss, privacy, security and e-discovery. CIOs, whose job is to advise the company on technological issues, want to provide computing capabilities to business units as quickly as possible.

As cloud computing becomes more prevalent, the two groups can find themselves at loggerheads -- though both are striving to serve the business.

As an IT leader, how can you come to terms with your company's legal counsel? How can the two of you work together to make your company's transition to the cloud fruitful rather than fretful? The process is fairly simple, cloud pioneers say: Ask lots of questions and exercise a healthy dose of due diligence -- all of which can lay the groundwork for future teamwork in the cloud.

Why the Cloud Causes Trouble

Cloud computing is a relatively recent development and therefore an area where legal precedents are scarce. "People don't think about the legal issues because this is so new," says Barry Murphy, an analyst at Boston-based eDJ Group, a research firm that focuses on information governance and e-discovery. "There's no prescriptive case law, so there's a lot of trepidation" among lawyers anxious to both protect the company's data and remain on the correct side of government regulation, Murphy explains.

Case law is clear, however, when it comes to e-discovery in the cloud. "The courts say, 'If you're storing information, we expect you to produce it for litigation or compliance,' " says Murphy. "Most companies aren't smart enough to ask a service provider if they've mapped out a chain of custody for data. And a lot of CIOs don't know the implications of privacy and transparency laws."

Legal questions about the cloud are becoming an issue now simply because enterprise adoption of cloud computing is growing. The small and midsize companies that pioneered the move to the cloud were less likely to have legal teams waving red flags, industry watchers say. For one thing, they didn't have a lot of leverage when it came to negotiating the terms of contracts with vendors the size of Microsoft, Rackspace and Amazon. Moreover, they may have been more willing to overlook legal and security concerns because they were eager to embrace a new computing paradigm that promised to help them get applications up and running quickly.

Now that larger companies are considering cloud services, corporate lawyers are getting involved -- and they're rejecting some of the more egregious clauses of standard service-provider contracts. Forsheit, for example, frequently tells service providers that her clients won't blindly sign away protection. "I'm not asking them for unlimited liability," she says. "But if they want our business, they have to compromise."

Martin Fisher isn't a lawyer. But as director of information security at WellStar HealthSystem, a five-hospital group in Atlanta, he's familiar enough with healthcare regulations such as HIPAA to recognize problems in cloud contracts. Fisher looked at one well-known vendor's cloud-based email system before realizing that, in order to comply with HIPAA, he would have to sign what's known as a "business associate agreement" with any other entity whose data resided on the same system. Fisher killed the deal and went with a remote-hosting arrangement, where WellStar's equipment sits in a third-party data center.

Legal, Your New Best Friends

The CIO and legal counsel must recognize that they're on the same team.

"Both sides have to think of things from the other party's perspective," says Paul Lewkowicz, an intellectual property attorney at Daly Crowley Mofford & Durkee in Canton, Mass. "IT has to think about what happens when everything goes wrong. The lawyers have to remember that IT is there to make the business run. [The lawyers] don't want to say no. They want to know what can make the contract more acceptable."

IT should ask counsel to handle contract negotiations. "Negotiating is an art form, and lawyers are trained to do it," Lewkowicz says. "IT people think of contracts as a couple of pages of specifics and then boilerplate. But it's that boilerplate that saves everybody's bacon when something goes wrong."

While it's important that the CIO and corporate counsel have a good relationship, it's even more important that they bring together a team to pore over the agreement and ensure that all issues are covered, says Thomas Trappler, a Computerworld columnist who teaches a cloud computing course at the UCLA Extension school. Admittedly, this may seem counterproductive, because one of the benefits of the cloud is to make IT deployments quicker and easier, but it's worth the time, Trappler insists.

After IT and legal work on a few cloud contracts together and get some experience hammering out terms, the process should get easier -- in theory.

Due Diligence

The Right Cloud Questions to Ask

"Lawyers balk at cloud computing contracts because they don't have all the facts. Until they have all the facts, the lawyer can't give you legal advice," observes "David Wells" (a pseudonym for a Fortune 500 corporate counsel who requested anonymity).

He notes that cloud questions should seek the same information journalists are supposed to gather: who, what, where, when, why and how? Wells and other lawyers suggest asking these questions:

• Why are we thinking of a public cloud? What are the trade-offs vis-a-vis storing the data on-site?

• What kind of data are we putting in the cloud? Is it personally identifiable or sensitive?

• Where are the servers located? What privacy laws govern those jurisdictions?

• How is the data stored and transmitted? Will it be encrypted?

• Who has access to the data? How is it physically protected?

• How quickly will we be notified if there's a breach?

- Howard Baldwin

Trappler says that one of the things he stresses in his classes is the importance of team building -- where the team includes the business process owner (the one who needs the cloud service), legal counsel, representatives of IT and people involved in procurement, risk management, vendor management and security. WellStar's Fisher concurs: "When IT and the attorney and someone from compliance all sit down and go through a contract, with give and take about what's best for the organization, you get a lot of goodness out of it."

Industry watchers say it's all a question of due diligence, of knowing what the risks are. There are risks in everything, even in managing data on your own premises. The biggest question is, How do you mitigate the risk? How do you protect yourself as best you can without stifling the business?

"David Wells" (a pseudonym for a Fortune 500 corporate counsel who requested anonymity) agrees that getting subject-matter experts into one room promotes understanding. Each person can address facets of the deal with his own expertise, which helps the group identify which issues are worth worrying about and which aren't. "Otherwise, you can have lawyers spinning scenarios and creating fear, uncertainty and doubt. If you can't get past FUD because people don't understand it, you'll either crater the deal or, worse, do a bad one."

How do CIOs and counsel start collaborating? By asking questions. Ideally, the CIO should know the questions to ask before the attorney even requests the answers, but that doesn't always happen. "That's why I ask the same questions over and over," says Wells. "My people finally know not to come to me without the answers to my questions."

Beyond that, lawyers suggest CIOs ask what clauses in the contract really mean. Wells says that service-level agreements drive him especially crazy. He sees contracts promising restitution for downtime, but the amount of payback is minimal. "If your lawyer's not paying attention, your remedy for downtime is actually pennies on the dollar, and you give up your right to sue for breach of contract by accepting it," he says. "If you have a service provider [whose systems are] chronically down, the lawyer should insist on the right to terminate for breach of contract."

E-discovery is another issue that lawyers tend to focus on more than CIOs do. Murphy notes that there are companies like Nextpoint and X1 Discovery that specialize in discovery in the cloud, but the issue is more complex than it appears at first glance.

Forsheit agrees. "In the cloud, data is being replicated, so it creates more data for discovery, including metadata," she warns. Federal rules require that you must know where the data is and ensure that e-discovery will find it. "But if there's a server in the cloud that nobody thought about," she says, "people can get sanctioned or jailed, and lawyers can be disbarred."

In the end, legal experts say, getting IT and legal to agree on cloud contracts comes down to a matter of careful communication. "They have to speak each other's languages," Forsheit says. "Counsel needs to understand IT and vice versa. Doing it another way is not an option."

Baldwin is a frequent contributor to Computerworld.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
