Service Agreements Play Huge Role in Compliant Cloud Computing


We've talked about the compliance concerns cloud computing raises, but as prominent as the cloud has become, a refresher is never out of order. This week, Shari Claire Lewis, a partner at the law firm of Rivkin Radler, wrote on the subject in the New York Law Journal.


She writes:

Given the explosive growth of cloud computing, it should be no surprise that it presents numerous legal issues for businesses. Two of the most significant are privacy concerns and the implications of cloud computing for pretrial discovery.


Lewis cites the World Privacy Forum's report, "Cloud Computing and Privacy," for the proposition that any agreement a financial institution or health care provider enters into with a cloud service provider must be carefully crafted to cover requirements in the Gramm-Leach-Bliley and Health Insurance Portability and Accountability Acts, respectively. She notes that the cloud provider's geographic location will also largely impact the terms of its agreements with customers.


Particularly for litigators, the biggest compliance issues raised by cloud computing center around e-discovery. Lewis notes:

Generally speaking, pretrial discovery may be had of relevant documents that are in the "possession, custody or control" of a party.


But what if that party is using a cloud service to store documents? Are those documents in the party's control? And if they are, can the party prove they are reliable? After all, they have been in the custody of the cloud provider. Lewis concludes, again, that the answers to these questions can be determined by the contract terms betweeen the company that is the party to the lawsuit and the third-party cloud provider.


I made the same point in an article earlier this year: Cloud computing service agreements are crucial in determining rights and responsibilities of the parties in the event of litigation or regulatory audit. Relying on boilerplate SLA forms won't be enough.