Editor's Note: Missed the first installment of the article? Click here for Part I.

Major risks of cloud computing

So what are the risks involved in
cloud computing? These risks fall under four categories: (1) vendor lock-in
risks, (2) operational risks, (3) regulatory/governance issues and
(4) investigative/litigation issues.

  1. Vendor Lock-in
    Some critics, such as Richard Stallman, have called cloud
    computing "a trap aimed at forcing more people to buy into locked, proprietary
    systems that will cost them more and more over time." The fear is that once the
    cloud vendors have users hooked on cloud computing, they will price gouge them,
    in much the same manner that some think the telephone companies do. As proof,
    they point at the major class action suit that was once recently won against
    Verizon for systematically overcharging customers for Internet access fees and
    other costs. The phone company
    could overcharge its customers because they were captive to a subscription plan
    that was complex in its rate structure, and so it was easy to hide or
    misrepresent certain cost items. Likewise, cloud critics warn that once
    customers are bound to a certain application, platform or operating system, they
    are under the control of the cloud
    vendor — and also at its mercy.

  2. Operational
    Operational risks are a product of
    the fact that a cloud is located offsite and its structure is largely under the
    control of the vendor. Within this context, security is a big issue. What if
    your cloud vendor gets hacked? In the event of a security breach, what kind of
    investigative support will the vendor provide? What do you do if the Internet
    crashes? How is that risk allocated by contract? Obviously, no cloud vendor can
    offer a 100% guarantee; the most trusted and reliable vendor can still fail.
    Thus, for security, it is a good idea to replicate data and application
    availability at multiple sites.

    Along these lines, an airtight backup and data restoration
    plan is mandatory for disaster recovery. At present, however, there are no
    benchmark standards for service levels. Accordingly, it is always wise to contract
    with the cloud vendor to escrow data or application code in order to help cover
    potential damages in the event of a disaster. For that matter, it never hurts
    to be in a position to exert leverage over a cloud vendor. For instance, with
    respect to data retention issues, there are any number of legal and tax reasons
    that may require an organization to retain data longer than a cloud vendor is
    prepared to.

  3. Regulatory/Governance
    As it is with much new technology, our legal
    system has not yet caught up with cloud computing to the point where the law
    can effectively govern it. There are some regions, such as the European Union, that
    have stringent rules about moving certain types of data across borders, but cloud
    computing is not yet specifically regulated. Nonetheless, there is an abundance
    of regulatory rule sets that mandate compliance that cloud computing could fall
    short of achieving. The following list of legislative acts and regulations is
    not exhaustive:

    • Patriot Act/UK Regulation of Investigatory
      Powers Act

    • Stored Communications Act (part of ECPA)

    • ITARS, EARS, other export or trade can be stored
      and who can store it

    • Sarbanes-Oxley puts CEOs in jail

    • HIPPA (health-related information)

    • GLB (financial services industry)

    • FTC and state privacy laws

    • Fair Credit Reporting Act

    • Violence Against Women Act

    • Privacy Act (for federal agencies)

    Other problematic areas include video rental
    records, cable company customer records and National Security Letters.
    Regarding the latter, a cloud may be subjected to warranted (or in some case,
    warrantless) searches by police. The customer may not know of the investigation
    because the vendor is the party that holds the key to cloud access by third

  4. Investigative/Litigation
    Issues — Third-Party Access:
     Clearly, it is critical for a cloud computing customer to
    understand (and in some instances, negotiate) the legal issues surrounding
    third-party access to a cloud. Take
    subpoenas, for example. As implied above, the user may not even know about them
    if the vendor gets the subpoena. The same would go for government
    administrative searches and national security investigations. Events involving search warrants can
    lead to possible seizures of data.

    In the area of e-discovery, cloud user data must be
    well organized so as to minimize cost while facilitating efficient data search
    and retrieval. If a user either refuses to comply with the e-discovery process
    or for some reason simply cannot find the requested data, substantial fines can
    be levied by the courts. The federal government actually fined one noted mutual
    funds company $300 million for failing to comply with a request for several
    hundred thousand email messages during the course of an SEC investigation! So, in order to avoid committing regulatory
    infractions, the customer must have a clear understanding of what its cloud
    provider will do in response to legal requests for information. They must know
    how document holds are enforced, how metadata is protected and how information
    can be optimally searched for and retrieved.

The Nixon Peabody cloud

Since the legal issues are perhaps the most important of all
for customers to consider when making the decision to buy into a cloud
computing system, this article concludes with a checklist of the major issues
to consider when acquiring a cloud for organizational use. Such a list is found
in a publication by the law firm of Nixon Peabody, entitled
"Legal Issues Associated with Cloud Computing," by Laura
Mills, ©2009 by Nixon Peabody LLP, and is reprinted below:

  • Evaluate the financial viability of the cloud

  • Thoroughly understand the cloud provider's
    information security management systems.

  • Plan for bankruptcy or unexpected termination of
    the relationship and orderly return of/disposal of data/applications.

  • Vendor will want the right to dispose of your
    data if you don't pay.

  • Contract should include agreement as to desired
    service level and ability to monitor it.

  • Negotiate restrictions on secondary uses of data
    and who at the vendor has access to sensitive data.

  • Negotiate roles for response to e-discovery

  • Ensure that you have ability to audit on demand what
    regulatory and business needs require.

  • Companies subject to information security
    standards, such as ISO 27001, must pass to subcontractors the same obligation.

  • Make sure that cloud provider policies and
    processes for data retention and destruction are acceptable.

  • Provide for regular backup and recovery tests.

  • Consider data portability application lock-in

  • Understand roles and notification
    responsibilities in event of a security breach.

  • Data encryption is very good for security but
    potentially risky; make sure you understand it. Will you still be able to
    de-crypt data years later?

  • Understand and negotiate where your data will be
    stored and what law controls jurisdiction and possible restrictions on
    cross-border transfers.

  • Be prepared for third-party access issues.

  • Consider legal and practical liability for force
    majeure events. (Must be part of disaster recovery
    and business continuity plan.)

  • There is no substitute for careful due

So, is cloud computing the new paradigm for document
management? The answer is a definitive "Yes," but be careful what you wish for.

ARTHUR GINGRANDE [ arthur@imergeconsult.com], ICP, is co-founder and partner of IMERGE Consulting, a document-centric management consulting firm. Mr. Gingrande holds a Juris Doctor degree from the Massachusetts School of Law.