Legal Risks in the Cloud: Part 1
I am sure that you are by now aware that there are many potential security risks associated with so-called cloud computing. Although we are still learning about the nature and extent of these risks, it is important not to focus so much on security risks that we overlook the legal risks that are also part of the cloud risk formula.
One of the most serious cloud legal risk issues is how to achieve compliance when you have lost full or partial control of your IT environment. Suppose, for example, that a company that takes in, processes, stores and transmits credit card data decides to move its credit card operations to the cloud. The cloud service provider (CSP) can provide every assurance of PCI-DSS compliance, but that does not relieve the company of its own responsibility to safeguard these data in a way that meets the provisions of the PCI-DSS standard. The company will undoubtedly breathe a sigh of relief if and when the CSP passes a QSA audit. Still, the direction of PCI-DSS is toward continuous, not once-a-year, compliance.
A possible solution to this issue comes from MITRE, which has developed the Common Event Expression (CEE), a way of standardizing the events produced by system logging and other output. CEE normalizes such output into a standard form, so that events generated by just about every operating system, network device and application become understandable. Some CSPs are willing to share system logging and other related data with their customers, so that customers can get a better idea of how well the CSPs are fulfilling the Service Level Agreement (SLA) and Statement of Work (SOW) provisions related to security compliance. If so, CEE provides a straightforward way for customers to interpret the data that are sent to them.
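As an added illustration (not from the original post and not MITRE's CEE specification), the stand-alone Python below normalizes two constructed log formats a CSP might share, a BSD-syslog sshd line and a JSON application event, onto one simplified common schema and then asks a single compliance-style question across both. The field names are an assumption standing in for a real CEE profile, and so is the year supplied to the syslog parser, since BSD syslog timestamps carry none.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines standing in for logs a CSP might share; not real data.
SAMPLE_LINES = [
    "Nov  3 14:22:01 db-host-7 sshd[4012]: Failed password for root from 10.1.2.3 port 51234 ssh2",
    '{"ts": "2013-11-03T14:22:05Z", "src": "app-gw-2", "event": "auth.failure", "user": "svc_pci", "ip": "10.1.2.9"}',
    "Nov  3 14:23:40 db-host-7 sshd[4020]: Accepted publickey for deploy from 10.1.2.4 port 51300 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<clock>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<verb>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def normalize_syslog(line, year=2013):
    """Map a BSD-syslog sshd line onto the assumed common schema; the year is supplied because syslog omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped rather than guessed at
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['clock']}", "%Y %b %d %H:%M:%S")
    ev = {"time": when.replace(tzinfo=timezone.utc).isoformat(), "host": m["host"],
          "producer": m["proc"], "action": "other", "status": "unknown", "subject": None, "src_ip": None}
    s = SSHD_RE.match(m["msg"])
    if s:  # only authentication messages are given a specific action/status here
        ev.update(action="login", status="failure" if s["verb"] == "Failed" else "success",
                  subject=s["user"], src_ip=s["ip"])
    return ev

def normalize_json(line):
    """Map a JSON application event (assumed shape: ts/src/event/user/ip) onto the same schema."""
    rec = json.loads(line)
    kind, _, outcome = rec["event"].partition(".")  # e.g. "auth.failure" -> ("auth", "failure")
    when = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when.isoformat(), "host": rec["src"], "producer": "app",
            "action": "login" if kind == "auth" else kind, "status": outcome or "unknown",
            "subject": rec.get("user"), "src_ip": rec.get("ip")}

def normalize(line):
    """Dispatch on the wire format; every source ends up in the one schema."""
    return normalize_json(line) if line.lstrip().startswith("{") else normalize_syslog(line)

def failed_logins(lines):
    """Once all sources share a schema, one query answers a PCI-style access question across all of them."""
    events = [e for e in map(normalize, lines) if e]
    return [e for e in events if e["action"] == "login" and e["status"] == "failure"]

if __name__ == "__main__":
    for e in failed_logins(SAMPLE_LINES):
        print(e["time"], e["host"], e["subject"], e["src_ip"])
```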
Another cloud legal risk is in the area of electronic discovery (“eDiscovery”). Wikipedia defines electronic discovery as “discovery in civil litigation which deals with the exchange of information in electronic format (often referred to as Electronically Stored Information or ESI).” Electronic discovery is in and of itself normally a rather difficult issue: if served with an electronic discovery court order, an organization may have to search through its entire IT environment to produce the files, messages, and other electronic objects specified in the order. Now imagine electronic discovery in the cloud, where the customer typically does not know where (in what host, what database, what facility, and perhaps even what country) the CSP has stored its data. At a minimum, the customer will not be able to respond as quickly as it could if it had not outsourced data storage and processing functions to a CSP. The almost inevitable result is slower response times and, with them, greater fines and penalties.
Dealing with eDiscovery in the cloud reduces to provisions in SLAs and SOWs with performance guarantees on the part of CSPs. So, for example, a CSP might sign an agreement to produce any customer file or message that the CSP holds in its network within 48 hours of a request. Such an agreement would undoubtedly cost the customer considerably more than if the criterion time period were instead 96 hours. But whether the CSP can live up to the provisions of the agreement is another matter. For one thing, the CSP will have to index customer data if there is to be any reasonable hope of finding it within the specified time period. But encrypted data cannot be indexed, forcing customers to choose between two evils: keeping data in cleartext, or being unable to fulfill eDiscovery court orders in a reasonable time period. Additionally, it is wise to run test eDiscovery drills (using non-production data) with potential CSPs before making any contractual commitments. Periodic test drills after eDiscovery provisions are in place are also very important, provided, of course, that the SLA/SOW provides for them. Defining CSP penalties for failure to meet the eDiscovery-related time provisions in an SLA or SOW can also help offset the cost of Federal Trade Commission (FTC)-imposed fines and penalties.
We’ve covered two cloud legal issues so far, but we have just scratched the surface. Stay tuned for more.