Tuesday, December 28, 2010

Legal Challenges in cloud computing: Software Architect Perspective

Cloud computing is gaining currency across the globe and across the industry, but a careful observer will find that adoption in big enterprises is slow. From a software architect's perspective, one should be aware of the legal challenges when evaluating cloud platforms for a solution.

1. Intellectual Property Rights
a. Are the application and data protected under intellectual property rights?
b. If the cloud provider gives a third party access to your application, data, logs, etc., what legal responsibility does the cloud provider assume?
2. Trade Secrets
a. How secure are the trade secrets?
b. How far can the cloud provider go to protect data, logs, etc. in case of court summons and/or quasi-legal requests/pressure?
c. How long does the cloud provider keep application data and logs after the application and/or logs are deleted from the cloud?
3. Privacy
a. What responsibility does the cloud provider assume to protect the application owner’s privacy?
b. What responsibility does the cloud provider assume to protect the application users’ privacy?
c. Is there any liability coverage for a privacy breach?
d. How is behavioral tracking maintained?
4. Data Centre
a. What legal responsibility does the cloud provider assume in case of disaster?
b. What legal responsibility does the cloud provider assume in case of hacking?
5. Jurisdiction
a. In case of any legal dispute, which law applies – location of application provider, location of end user, location of cloud provider, location of server farm or any other?
b. In case of a data breach, who will send the notice of data breach – application provider or cloud provider?
c. How will trans-border laws be handled?
d. How are reputational risks covered?
e. How long will data be retained for legal and taxation purposes?
f. What is the damages policy (say, total damages are capped by the amount of the fee)?
g. Does the flow of data meet the regulatory requirements of each jurisdiction it flows through?
h. Does the cloud provider provide solutions for de-identifying data for trans-border data flow?
i. Where will the data and processes be stored? Can a commitment be obtained?
j. Are there multiple cloud platforms/parties involved?
k. Can the movement of data be controlled?
l. Should/can the data be encrypted?
6. Service Level Agreement
a. What are the SLAs for the cloud provider?
b. What metrics will be used to measure the performance of the cloud provider?
c. If an SLA is not honored, what are the penalties and how will they be enforced?
7. Licensing
a. Do the libraries, components, services, servers, etc. used in application creation, deployment, etc. have cloud-compatible licenses?
b. Do the licenses of the libraries, components, services, servers, etc. used in application creation, deployment, etc. cover upgrade and maintenance as well?
c. How is the application’s license structured for end users?
8. Physical Location of Data and processes
a. What is the location of data?
b. What is the location of processes?
c. Can the location of data and processes be ascertained at any point in time?
9. E-discovery
a. What are the evidentiary issues when client data is in the cloud?
b. What are the SLAs of e-discovery?
c. Who is responsible for e-discovery?
10. Termination
a. In case of contract termination, how will data be moved from the cloud in an agreed-upon format?
b. Who is responsible for moving the data?
c. If the cloud provider goes out of business, how will termination be handled?
d. If the application provider goes out of business, how will termination be handled – data, intellectual property?
e. Is there any lock-in?
11. Change in Terms and conditions
a. How will changes in terms and conditions be handled?
b. Does the cloud provider change terms and conditions by inserting a URL?
12. Audit
a. Can the application provider audit facilities and processes/procedures, and how extensive are these audits?
b. Can the application provider audit logs, and how extensive are these audits?
13. Miscellaneous
a. What insurance cover does the cloud provider have?
b. In case of emergencies, how will data be accessed and who will be responsible?
c. Use of application provider’s name and logo for publicity by cloud provider?
d. Use of cloud provider’s name and logo for publicity by application provider?
e. How will service renewal be handled?

2 comments:

  1. Hi Tjain,

    Thanks for this informative list of legal issues. I am happy to see more people thinking through the legal questions that "the cloud" raises and generating ideas about how to answer those questions.

    As you have already probably concluded, each of the lowest-level points in your outline can be expanded in depth and breadth, and gives rise to even more questions. For example, if the history of the laws governing computers and the Internet serves as a reliable guide, issues about intellectual property, especially copyright, will probably generate many disputes and require changes to nations' copyright laws, and perhaps to copyright treaties among countries.

    Since I am currently writing a chapter about identity theft in relation to the new rules that take effect in the USA on December 31, I am glad to see that you have mentioned data breach in your outline, as well as trans-border data flows and the laws affecting them.

    While it's a little outside the scope of your outline, I think the issues about third-party liability will be complex and fascinating. Concerning such liability, the cloud metaphor itself is particularly interesting. For example, to what extent is the cloud a relatively stable aggregation of data (and perhaps processes, if we extrapolate the von Neumann architecture of memory to the cloud) that "floats," but remains distinct and identifiable, under most circumstances, in a larger "dataspace"? On the other hand, how much of the cloud is "mist" (similar to transient storage on IBM mainframe systems, among others) and a more ethereal substance?
    While premature, such distinctions may become important in determining the appropriate standards of care that will define the liability of cloud hosts, their customers, and third parties.

    Thanks for laying the groundwork for some interesting thought and discussion about the legal issues.

  2. Hi Steve,

    It is pleasant news that you are authoring a chapter on identity theft.
    I certainly intend to expand the bullet points in greater depth, which in turn will raise new questions of a more complex nature.

    I will be glad if you can share your thoughts on cloud and legal challenges in particular.
