Wednesday, July 22, 2009

Legal Technology - Cloud Computing Brings New Legal Challenges

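A summary of the legal issues surrounding cloud computing.
The article states that the various laws on data security, and how cloud computing providers should respond to them, need to be reviewed.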

In the early days of personal computing, users depended on "local" drives and stored their data on floppy disks kept in containers on desktops or in drawers. Applications from software manufacturers permitted users to create, manage and manipulate their business and personal information.

But in short order, software became more and more sophisticated and floppy disks were replaced by hard drives. Operating systems became faster, hard drives were developed with even more capacity and programs grew in size and scope.

Eventually the advent of networks allowed ever bigger programs to be shared among multiple users accessing ever-growing data banks. Nevertheless, networks remained largely tethered to the location of the users, who, at least theoretically, maintained both physical possession and control over the data.

The trend today is toward something different: Whereas companies may still prefer their employees to be in geographic proximity to urban centers of business and government, the cost of prime real estate, and the availability of fast online interconnectedness in many locations that would otherwise be considered remote, make cloud computing a viable and cost-effective alternative. Accordingly, data and data applications that are kept in a cloud may be physically located in one or more remote servers but are nevertheless transparently available to company users.[FOOTNOTE 1]

Data kept in a cloud often is, or may be, shared among, or usable by, multiple parties. It can include information ranging from word processing documents and business presentations to employee or patient health information and tax or accounting records, to schedules, calendars and contacts. The key to cloud computing is the speed with which the data and applications can be accessed, rather than the capacity and speed of a personal computer's hard drive, as was crucially important in the past.

Even individual users are becoming more and more likely to be participants in the cloud computing phenomenon. E-mail programs such as Google's Gmail, which stores users' e-mail on its own servers, are a perfect example of this growing development.

Given the explosive growth of cloud computing, it should be no surprise that it presents numerous legal issues for businesses. Two of the most significant are privacy concerns and the implications of cloud computing for pretrial discovery.

As with other forms of "outsourcing," businesses' duties to protect private or confidential data do not end with their transfer of the data to third-party vendors for storage or processing. A recent report from the World Privacy Forum, "Cloud Computing and Privacy," highlights a number of important privacy issues raised by cloud computing that corporate users of cloud computing should keep in mind.[FOOTNOTE 2]

For example, although the Gramm-Leach-Bliley Act[FOOTNOTE 3] permits financial institutions to disclose confidential consumer information to a third party such as a cloud computing service provider, the terms of any agreement between the financial institution and the provider must be carefully considered.

In addition, the Privacy Rule enacted by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act[FOOTNOTE 4] requires that covered health plans, health care clearinghouses and health care providers enter into "business associate agreements" with cloud providers (and, of course, other third parties) before turning over so-called protected health information.

There may be risks associated with using cloud computing providers to store confidential corporate information such as trade secrets without appropriate and specially negotiated agreements, as well.

What undoubtedly can complicate the privacy issues in these and other situations is that the governing law might change depending on the cloud provider's physical location. Different rules can apply if storage is in a European Union country, arguably subject to the EU's Data Protection Directive,[FOOTNOTE 5] in multiple states within the United States, or in multiple locations around the world. Accordingly, it is essential that the terms of contracts for cloud computing services be negotiated keeping in mind the type of data to be stored, the location of the servers and the particular legal obligations of the business whose data it is.

While a business might be able to make a claim against a cloud server for escape of private data, the business may not be insulated by its claim that a privacy breach was the result of the acts by the cloud server.

PRETRIAL DISCOVERY

An issue raised by cloud computing that may be even more difficult to parse than privacy concerns is its implications for pretrial discovery in general and for electronic discovery in particular.

Generally speaking, pretrial discovery may be had of relevant documents that are in the "possession, custody or control" of a party.[FOOTNOTE 6] That means that a party is obliged to produce documents in its control, even if those documents are not literally in the party's possession when the demand is made.[FOOTNOTE 7]

Documents are under a party's control when it has the right, authority or practical ability to obtain them from a non-party.[FOOTNOTE 8] When a corporation relies on a cloud computing provider (or multiple providers), are those documents under its control? Even if they are, how can those documents be authenticated and proven to be reliable?

In Shcherbakovskiy v. Da Capo Al Fine, Ltd.,[FOOTNOTE 9] the 2nd Circuit U.S. Court of Appeals adopted the view that a party may be required to produce documents that it has the practical ability to obtain.

The circuit stated as follows:

Turning to the legal issues first, a party is not obliged to produce, at the risk of sanctions, documents that it does not possess or cannot obtain. See Fed. R. Civ. P. 34(a) ("Any party may serve on any other party a request … to produce … documents … which are in the possession, custody or control of the party upon whom the request is served …"); E.E.O.C. v. Carrols Corp., 215 F.R.D. 46, 52 (N.D.N.Y. 2003); see also Societe Internationale Pour Participations Industrielles Et Commerciales, S.A. v. Rogers, 357 U.S. 197, 204, 78 S.Ct. 1087, 2 L.Ed.2d 1255 (1958) (acknowledging that Rule 34 requires inquiry into whether party has control over documents), Fisher v. U.S. Fidelity & Guar. Co., 246 F.2d 344, 350 (7th Cir. 1957). We also think it fairly obvious that a party also need not seek such documents from third parties if compulsory process against the third parties is available to the party seeking the documents. However, if a party has access and the practical ability to possess documents not available to the party seeking them, production may be required. In Re NASDAQ Market-Makers Antitrust Litig., 169 F.R.D. 493, 530 (S.D.N.Y. 1996).


Shcherbakovskiy did not define what established a "practical ability" to obtain documents, but courts have determined that the legal right to obtain documents or information from another may arise by contract[FOOTNOTE 10] or as a result of an agency relationship.[FOOTNOTE 11]

The Cloud Security Alliance, a not-for-profit association of cloud computing professionals, observed in a recent report, "Security Guidance for Critical Areas of Focus in Cloud Computing,"[FOOTNOTE 12] that cloud providers "have become custodians of primary data assets for which customers have legal responsibilities to preserve and make available in legal proceedings (electronic discovery), even if the customer is not in direct possession or control."

The report pointed out that cloud computing "challenges the presumption" that corporations and other businesses actually are in control of information or data for which they remain legally responsible.

Given the general principles governing pretrial discovery, and the Shcherbakovskiy ruling, cloud users should make certain that the contracts they enter into with cloud providers clearly explain the providers' responsibilities with respect to discovery and other litigation subjects.

Moreover, companies that face the prospect or likelihood of litigation should make certain that they choose cloud providers that are able to ensure the authenticity and reliability of the data they are maintaining, including metadata. Certainly, any "litigation hold" extended by a company as a result of anticipated or pending litigation must include company resources that are stored in cloud servers.

CONCLUSION

As cloud computing becomes more understood and more widely utilized, counsel will focus on both privacy and discovery issues to a greater extent than they do currently, which will lead to negotiated resolution of issues and, on occasion, litigation and court decisions.

As with many issues of technology, counsel will need to understand not just the legal precedent concerning cloud servers, but also the particular facts concerning their business' use of cloud servers, the type of data that is stored in the cloud, and the location and document retention practices of the service provider.

Shari Claire Lewis, a partner at Rivkin Radler, specializes in litigation in the areas of Internet, domain name and computer law. She can be reached at shari.lewis@rivkin.com.

:::: FOOTNOTES ::::


FN 1. For a detailed explanation of cloud computing, see, e.g., Lamia Youseff et al., "Toward a Unified Ontology of Cloud Computing," available at http://www.cs.ucsb.edu/~lyouseff/CCOntology/CloudOntology.pdf.

FN 2. The report is available at http://www.worldprivacyforum.org/cloudprivacy.html. For additional discussion of privacy issues in the cloud computing context, see, e.g., Randal C. Picker, "Competition and Privacy in Web 2.0 and the Cloud," 103 Nw. U. L. Rev. Colloquy 1 (July 2008).

FN 3. 15 U.S.C. §6802.

FN 4. See http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html.

FN 5. See "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data," available at http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf, and http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part2_en.pdf.

FN 6. See Fed. R. Civ. P. 26(b)(1) & 34(a)(1).

FN 7. See Fed. R. Civ. P. 34(a)(1).

FN 8. See, e.g., Babaev v. Grossman, CV03-5076 (DLI)(WDW) 2008 U.S. Dist. LEXIS 77731 (E.D.N.Y. Sept. 8, 2008).

FN 9. 490 F.3d 130 (2d Cir. 2007).

FN 10. See, e.g., Anderson v. Cryovac Inc., 862 F.2d 910 (1st Cir. 1988) (requiring production where seller of real property had control of report prepared for purchaser and maintained in purchaser's possession by virtue of provision in sales contract requiring purchaser to make records available to seller).

FN 11. See, e.g., JPMorgan Chase Bank v. Winnick, 228 F.R.D. 505 (S.D.N.Y. 2005) (holding that administrative agent suing on behalf of holders of debt was obligated to produce documents and information in possession of holders to the same extent as if the holders had brought the suit).

FN 12. "Security Guidance for Critical Areas of Focus in Cloud Computing" (April 2009), available at http://www.cloudsecurityalliance.org/guidance/csaguide.pdf.