Editor's Note: Missed the first installment of the article? Click here for Part I.


    Major risks of cloud computing

    So what are the risks involved in cloud computing? These risks fall under four categories: (1) vendor lock-in risks, (2) operational risks, (3) regulatory/governance issues and (4) investigative/litigation issues.





    1. Vendor Lock-in Risks:

    Some critics, such as Richard Stallman, have called cloud computing "a trap aimed at forcing more people to buy into locked, proprietary systems that will cost them more and more over time." The fear is that once the cloud vendors have users hooked on cloud computing, they will price gouge them, in much the same manner that some think the telephone companies do. As proof, they point at the major class action suit that was recently won against Verizon for systematically overcharging customers for Internet access fees and other costs. The phone company could overcharge its customers because they were captive to a subscription plan that was complex in its rate structure, and so it was easy to hide or misrepresent certain cost items. Likewise, cloud critics warn that once customers are bound to a certain application, platform or operating system, they are under the control of the cloud vendor — and also at its mercy.





    2. Operational Risks:

    Operational risks are a product of the fact that a cloud is located offsite and its structure is largely under the control of the vendor. Within this context, security is a big issue. What if your cloud vendor gets hacked? In the event of a security breach, what kind of investigative support will the vendor provide? What do you do if the Internet crashes? How is that risk allocated by contract? Obviously, no cloud vendor can offer a 100% guarantee; the most trusted and reliable vendor can still fail. Thus, for security, it is a good idea to replicate data and application availability at multiple sites.

    Along these lines, an airtight backup and data restoration plan is mandatory for disaster recovery. At present, however, there are no benchmark standards for service levels. Accordingly, it is always wise to contract with the cloud vendor to escrow data or application code in order to help cover potential damages in the event of a disaster. For that matter, it never hurts to be in a position to exert leverage over a cloud vendor. For instance, with respect to data retention issues, there are any number of legal and tax reasons that may require an organization to retain data longer than a cloud vendor is prepared to.






    3. Regulatory/Governance Issues:

    As it is with much new technology, our legal system has not yet caught up with cloud computing to the point where the law can effectively govern it. There are some regions, such as the European Union, that have stringent rules about moving certain types of data across borders, but cloud computing is not yet specifically regulated. Nonetheless, there is an abundance of regulatory rule sets that mandate compliance that cloud computing could fall short of achieving. The following list of legislative acts and regulations is not exhaustive:

    • Patriot Act/UK Regulation of Investigatory Powers Act

    • Stored Communications Act (part of ECPA)

    • ITAR, EAR and other export or trade regulations governing what can be stored and who can store it

    • Sarbanes-Oxley (puts CEOs in jail)

    • HIPAA (health-related information)

    • GLB (financial services industry)

    • FTC and state privacy laws

    • Fair Credit Reporting Act

    • Violence Against Women Act

    • Privacy Act (for federal agencies)

    Other problematic areas include video rental records, cable company customer records and National Security Letters. Regarding the latter, a cloud may be subjected to warranted (or in some cases, warrantless) searches by police. The customer may not know of the investigation because the vendor is the party that holds the key to cloud access by third parties.





    4. Investigative/Litigation Issues — Third-Party Access:

    Clearly, it is critical for a cloud computing customer to understand (and in some instances, negotiate) the legal issues surrounding third-party access to a cloud. Take subpoenas, for example. As implied above, the user may not even know about them if the vendor gets the subpoena. The same would go for government administrative searches and national security investigations. Events involving search warrants can lead to possible seizures of data.

    In the area of e-discovery, cloud user data must be well organized so as to minimize cost while facilitating efficient data search and retrieval. If a user either refuses to comply with the e-discovery process or for some reason simply cannot find the requested data, substantial fines can be levied by the courts. The federal government actually fined one noted mutual fund company $300 million for failing to comply with a request for several hundred thousand email messages during the course of an SEC investigation! So, in order to avoid committing regulatory infractions, the customer must have a clear understanding of what its cloud provider will do in response to legal requests for information. They must know how document holds are enforced, how metadata is protected and how information can be optimally searched for and retrieved.




    The Nixon Peabody cloud checklist

    Since the legal issues are perhaps the most important of all for customers to consider when making the decision to buy into a cloud computing system, this article concludes with a checklist of the major issues to consider when acquiring a cloud for organizational use. Such a list is found in a publication by the law firm of Nixon Peabody, entitled "Legal Issues Associated with Cloud Computing," by Laura Mills, ©2009 by Nixon Peabody LLP, and is reprinted below:



    • Evaluate the financial viability of the cloud provider.

    • Thoroughly understand the cloud provider's information security management systems.

    • Plan for bankruptcy or unexpected termination of the relationship and orderly return of/disposal of data/applications.

    • Vendor will want the right to dispose of your data if you don't pay.

    • Contract should include agreement as to desired service level and ability to monitor it.

    • Negotiate restrictions on secondary uses of data and who at the vendor has access to sensitive data.

    • Negotiate roles for response to e-discovery requests.

    • Ensure that you have the ability to audit on demand what regulatory and business needs require.

    • Companies subject to information security standards, such as ISO 27001, must pass to subcontractors the same obligation.

    • Make sure that cloud provider policies and processes for data retention and destruction are acceptable.

    • Provide for regular backup and recovery tests.

    • Consider data portability and application lock-in concerns.

    • Understand roles and notification responsibilities in the event of a security breach.

    • Data encryption is very good for security but potentially risky; make sure you understand it. Will you still be able to decrypt data years later?

    • Understand and negotiate where your data will be stored and what law controls jurisdiction and possible restrictions on cross-border transfers.

    • Be prepared for third-party access issues.

    • Consider legal and practical liability for force majeure events. (Must be part of disaster recovery and business continuity plan.)

    • There is no substitute for careful due diligence.


    So, is cloud computing the new paradigm for document management? The answer is a definitive "Yes," but be careful what you wish for.

    ARTHUR GINGRANDE [arthur@imergeconsult.com], ICP, is co-founder and partner of IMERGE Consulting, a document-centric management consulting firm. Mr. Gingrande holds a Juris Doctor degree from the Massachusetts School of Law.