Cloud computing: Forecasting turbulence for IT operations
Cloud computing will transform how companies manage their information technology infrastructure. If a company is unaware of whether it or its vendors are engaged in the cloud, it is imperative that the company find out and prepare for the legal and regulatory turbulence ahead.
What is the cloud? In simple terms, cloud computing is the outsourcing via the Internet of information technology processes that were previously managed internally. The “cloud” is a network of computing assets managed by third parties in remote locations for the benefit of users.
An example of a cloud computing service can be found at Salesforce.com. Salesforce.com operates a Web-based customer relationship management (CRM) service through which businesses run their sales operations. All software, equipment, network, databases, data, help desk, and other operations are managed by Salesforce.com at its remote location. Business users access the service through the Web and store their data at the vendor’s remote data center. This type of cloud offering is also known as “software as a service.” There are other emerging cloud models known as “infrastructure as a service” and “platform as a service.”
Why use the cloud?
Businesses are moving to the cloud for two primary reasons. First, cloud services require very little investment in equipment, software, and staff. Users of the cloud typically pay monthly or annual service fees with little to no up-front capital expense. Second, the cloud vendor assumes responsibility for maintaining the service and typically provides more robust service level assurances (e.g., up times, fix times, updates, and new releases) than could be achieved internally by users. These business advantages are significant and will continue to drive users to the cloud.
Many companies rush into cloud computing without appropriately preparing for and managing the emerging risks. These risks include:
• Privacy. Mindful that a company’s data will be stored in the cloud, does the company know where its data is and how it is protected? The company is no doubt legally bound to maintain the privacy of most of that data. The legal obligation arises under confidentiality agreements, state privacy laws, and data breach notification laws enacted in each state and under consideration nationally. By placing corporate data in the cloud, a company will multiply its corporate risk of violating the privacy rights of third parties.
• Security. Is the data stored in the cloud secure from access by unauthorized third parties and protected from corruption, loss, or damage? Nearly every industry is now subject to regulations requiring that appropriate security procedures and protocols are implemented to secure data – especially data containing personally identifiable information of individuals (whether customers, employees, contractors, or others).
Companies that conduct business in the health care, insurance, or financial services industries, or are vendors to customers in those industries, are most certainly subject to heightened regulatory compliance obligations in this regard.
• Intellectual property. In storing data in the cloud, does the company know if it is compromising the trade secret status of key corporate assets from which it derives economic benefit? By placing these assets under the control of a third party, it may inadvertently compromise valuable trade secret protections. Similarly, is the company confident that the cloud provider has obtained all required intellectual property and related rights to provide the company with the cloud service? If not, its use of the service may infringe upon or misappropriate the intellectual property rights of others.
• Disaster recovery. Finally, what will happen if the cloud vendor becomes insolvent, goes bankrupt, or otherwise ceases to conduct business? Companies that outsource a significant business function to the cloud are at the mercy of vendors who may shut down service with the flip of a switch. Most users fail to consider whether they have an appropriate “Plan B” in place. It is important to build contractual protections into the service agreement with the cloud vendor to maximize the ability to continue business and minimize the disruption of downtime.
The cloud is here to stay and many companies will do well to transfer operations to this emerging model of service. Prior to doing so, they are advised to undertake an internal risk assessment to identify areas of exposure and to plan appropriate mitigations. These protections should include conducting appropriate due diligence of the vendor on the front end and negotiating appropriate contractual protections in the service agreement. Companies also should review their insurance programs and enhance coverage where necessary.
Attorney Andrew J. Schlidt is a shareholder with the law firm Whyte Hirschboeck Dudek.
Sign up for the free In Business Wisconsin Report – your weekly resource for local business news, analysis, voices, and the names you need to know. Click here. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.