Storm Alert! Cloud Computing Risk Assessment - A Legal Perspective Update
If you store data in the cloud, or if your organization stores data in the cloud, please take a moment to read this update. Moreover, if you are the Chief Technology Officer, Chief Marketing Officer or other staff member responsible or designated for data warehousing and control, it is imperative to ensure your vigilance regarding the latest risks of cloud computing.
For your convenience, let me start at the end, with the resultant commandment: "Thou shalt not store any mission-critical data on the web, remotely, or otherwise in the cloud without a backup data repository over which you exert complete and unfettered control."
I call this the "Possession Commandment." Yes, I admit that compliance with the Possession Commandment may seem to be basic or standard to the elite risk assessment and technology staff in the industry, but it's simply not so by common denominator, nor is the actual reason probably obvious to any non-attorney.
Indeed, at first blush, it may appear that the Possession Commandment regards the need for disaster-control backups and controlling sensitive data. But, those are simply corollaries to the Possession Commandment and not the point here.
The point here is to always have actual possession of your mission-critical data for the self-evident reason of simply possessing it. Not more, not less. How you actually possess your mission-critical data is a matter of judgment for your own context.
I can explain and tell you how I know, and how I've earned the right to speak. I have first-hand experience with remote data repository disputes, having litigated against Google and others in the United States District Court for the Western District of Pennsylvania, and the United States Circuit Court of Appeals for the Third Circuit.
Yes, cloud data storage can be a great thing. Storing data on the web allows multiple disparate devices to access the same data from different points of connection. And, the new flexibilities of mobility and virtual offices are generally a great thing. Virtuality of operations tends to improve our lives, or at least it provides us with operational options. But, that's the good part of it.
The reason you must be increasingly vigilant regarding cloud data storage is that new cloud storage technologies are being driven from the top down by vendors. Mission-critical accounting and billing packages are becoming particularly notorious for requiring exclusively cloud data storage on the vendor servers.
Entrepreneurs, consumers and enterprise businesses have fewer and fewer choices among cloud storage application technologies and often cannot negotiate contracts. For example, if you want a vertical (industry-specific) office management package for your doctor's office, you may have very few real choices, and all the vendors may implement the same self-serving paradigm requiring you to store your data on their servers.
Here's the problem: Not all technologies have functionality for the backup or replication of your data in a manner that permits you to possess the data.
You've heard, "Possession is nine-tenths of the law." Well, let me tell you why. It's not magic, but it is the common sense we forget to consider: the guy with possession of your stuff can sit smugly holding the thing you want, and you need to file a lawsuit, probably pay big money to legal counsel, take the case to trial, and then win to get it back. The guy with possession has 9/10s of the advantage because the other guy has to use legal process to get the thing (back). Unless you pay for an early mini-trial for preliminary relief and win that up front (surviving all the legal and cost squeezes in doing so), you're just stuck. You're immobilized.
Let's say you want to bring a copyright infringement lawsuit claiming that the vendor is violating your rights. Copyright law allows significant plaintiff advantages. However, copyright law requires that you file your copyright application prior to filing the lawsuit. But, to file your copyright lawsuit, you need to deposit a copy of the work that you are copyrighting. So, without a backup, you don't possess the thing you need to possess to file your lawsuit. Catch-22.
But, let's make it even more basic. The vendor and you have a dispute over the billing, so the vendor shuts you off from the data. Once again, the vendor has 9/10s of the practical leverage. That's the bad of it, and it's very bad legally, as well as practically. Possession being 9/10s of the law is now as it ever was; to wit, it used to be your horse or cow, now it is your data.
The bottom line is that you need to ensure that your software package has the functionality to allow you to possess your data by backup or otherwise in a catastrophic dispute with the vendor, or you need to be very careful to have contractual provisions, or data escrows, that provide you with the ability to get to your data pending any dispute. Also, importantly, keep in mind that having the data, if it exists in a proprietary vendor format, somewhat adds insult to injury, because even having the data (short of complex conversions) does you no good if you cannot access the program that the data requires.
Legislation protecting data owners from victimization by vendors has not caught up to reality, as is usually the case. That is, injuries to society tend to precede the statutory fix. Sooner or later, I expect that Congress will revise the Copyright Act for the conundrum of the deposit requirement in the new virtual world and/or state legislatures will invalidate exclusive virtual data possession contract provisions as a matter of public policy, but not yet.
I've been on both sides of the table, representing countless vendors and purchasers of technology products. In this interdependent world where the same entity houses someone else's data, and someone else is housing the entity's data, clear fair industry standards are yet to be developed for the paradigm. This occurred similarly with the enforceability of click-through licenses, electronic signatures, privacy policies, etc. It takes time, but you need to ensure you're not injured in the meantime. Reputable companies will likely manage the issue in a reputable way, as it is in their self-interest to do so, but not every company necessarily cares in the same way.
Take an inventory of the categorical tiers of criticality of your data, the practicalities of your context and contract terms with the respective vendors.
All in all, be vigilant to the issue and prudent with implementation of commercial reconciliations. Be wise to the forecast. The cloud can be a great thing, but I assure you that a storm is coming.
_____________________________________________
Gregg Zegarelli is Managing Shareholder of Technology & Entrepreneurial Ventures Law Group, PC. Gregg is nationally rated as "superb" and has more than 25 years of experience working with entrepreneurs and companies of all sizes, including startups, INC. 500, and publicly traded companies. He is author of One: The Unified Gospel of Jesus, and The Business of Aesop™ article series, and co-author with his father, Arnold Zegarelli, of The Essential Aesop: For Business, Managers, Writers and Professional Speakers. Gregg is a frequent lecturer, speaker and faculty for a variety of educational and other institutions. © 2016 Gregg Zegarelli, Esq. Gregg can be contacted through LinkedIn.