cloud computing » Digital Deep Dive

Home

Posts Tagged ‘cloud computing’

Is Your Business Ready for the Cloud? Thoughts on Small Businesses Using Cloud Services

Sunday, December 18th, 2011

Warning: trim() expects parameter 1 to be string, array given in /home/ebusine4/public_html/libraries/joomla/html/parameter.php on line 83

Warning: Parameter 2 to plg_ijseo_redirect() expected to be a reference, value given in /home/ebusine4/public_html/libraries/joomla/event/dispatcher.php on line 136

Warning: Parameter 2 to plgContentEmailCloak() expected to be a reference, value given in /home/ebusine4/public_html/libraries/joomla/event/dispatcher.php on line 136

Warning: Parameter 2 to plgContentLoadModule() expected to be a reference, value given in /home/ebusine4/public_html/libraries/joomla/event/dispatcher.php on line 136

Warning: Parameter 2 to plgContentPagebreak() expected to be a reference, value given in /home/ebusine4/public_html/libraries/joomla/event/dispatcher.php on line 136

Over the weekend I read an interesting interview with security expert Jeremiah Grossman in MIT’s Technology Review “Being Smart About Cloud Security” (subscription required). The interview notes that “cloud computing” is often perceived to be a risky decision for many companies. Much of this perception has to do with storing customer and business information on third-party servers.

One point made in the interview, however, is that there are significant security advantages in using “cloud services” for businesses.

The average enterprise, whether you’re talking small, medium, or the largest of the large — they’re in their respective businesses. A bank isn’t in the business of technology. A retailer isn’t in the business of managing IT infrastructure … what you get from a cloud provider is the economies of scale — and somebody else to manage the problem [of security].

Based on my experience, I tend to agree with Mr. Grossman’s point that cloud computing services offer small to medium-size businesses significant security advantages. For example, a law firm where I formerly worked used a patchwork of security measures that were administered between an administrative assistant and a part-time third-party “everything-IT contractor,” e.g., web hosting, exchange server maintenance, IT sales, etc. To my knowledge, neither had any extensive training or experience in IT security.

Many small and medium-size businesses also rely on a similar IT security “solution.” The fact is, regardless of the IT security risks, most small and medium sized companies simply do not have the resources to dedicate to a full-time IT security expert.

Cloud Service Contracts and Legal Considerations

If your company is considering cloud computing services, either wholly to run the business or in part, there are numerous points that you should consider. A few are as follows:

Data Location, Location, Location: Knowing where your data is stored is critical. Where data is located will often determine legal obligations for both personal customer data and corporate information.
What Happens when the Lights Go Out: If your cloud service provider goes down, a business will lose access to its data. This often cuts into a company’s bottom line because the company will be unable to provide goods or services to their customers or lose productivity from employees. For this reason, it is important to learn about a cloud service provider’s reliability, service accessibility, and the overall performance. Cloud service contracts should also address when and to what extent a cloud user will be compensated for the loss of service.
What Data Should be Stored in the Cloud: It is also important for businesses to consider what data will be subject to a cloud hosting agreement. This is because regulations governing certain types of data, such as health information protected under the Health Insurance Portability and Accountability Act (HIPAA) place restrictions on the release of data to third parties. Additionally, many industries have regulatory obligations that require certain data, such as personally identifiable information, to be encrypted. A cloud service provider, however, may not permit a user to customize cloud storage encryption standards. Even if there are no requirements for data to be encrypted, it should be. One reason is because many data breach laws, including Michigan, contain specific exemptions and protections for businesses if there is a data breach of encrypted data.
Shifting Risks: Businesses that use cloud services are still responsible for their data, even after it is moved over to a cloud service provider. To the extent possible, it is important that businesses negotiate duties and responsibilities relating to service malfunctions or data breach notification duties. Even if there is no room to negotiate a cloud service contract, it is still important for businesses to understand their potential exposure for hosting data in the cloud.

Conclusion

As with most things in life and business, there are benefits to be had and risks to be addressed in relation to cloud hosting services.

Businesses using cloud services must understand that moving mission critical business and customer information over to a cloud service poses both operational and legal risks that must be addressed. Additionally, there are many complicated issues under the cloud service provider’s hosting contract that businesses need to consider. Failing to address these issues may sacrifice or impair a business organization’s ability to conduct business under normal conditions, as well as complying with obligations under extraordinary conditions, such as data breach or other applicable laws and regulations. Thus, it’s essential for businesses using cloud computing services to understand the scope and limitations of the services they receive, and the terms under which these services will be provided.

Feel free to contact Jason Shinn for more information about cloud service contracts and legal issues pertaining to data privacy protection.

Tags: cloud computing, Cloud Services, e-commerce, identity theft, Information Protection, privacy protection, website
Posted in Cloud Services | 1 Comment »

Court Ruling that Fourth Amendment Protection Extends to Email – What this Means for Cloud Services

Monday, April 4th, 2011

There are a number of questions that should be answered before a business moves to the cloud, i.e., storing data on remote computer servers and sharing and transmitting such information over the Internet. But recently an important question concerning privacy was answered from an unlikely source: A conviction of the former pitch man, “Bob” for the male enhancement product Enzyte.

Specifically, Warshak a/k/a “Bob,” was “living large” from the sales of Enzyte, which claimed to offer “natural” male enhancement. But these claims were false and Warshak and his mother (she worked at the company – you can’t make this stuff up) were convicted on various fraud charges. Warshak received a 25 year prison sentence.

Warshak appealed his prison sentence, which resulted in the significant ruling for cloud service providers and users of such services.

Specifically, the Sixth Circuit Court of Appeals (the Federal Circuit that includes Michigan, Ohio, Kentucky, and Tennessee) ruled in United States v. Warshack that e-mail stored with commercial Internet service providers (ISP) has the same Fourth Amendment protection and expectation of privacy as letters transmitted through the US Postal Service and phone calls. This portion of the decision arose from the government investigators’ actions in secretly subpoenaing the ISP that stored Warshak’s e-mail. With the subpoena, the government gained access to 27,000 of Warshak’s e-mails without his knowledge.

In other words, the Warshak decision unequivocally says e-mail may be private and constitutionally privileged. Given the routine use of e-mail in everyday life, this conclusion may seem absurdly obvious. But the law does not always keep pace with technology. In this regard, the court noted:

“[T]he Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will wither and perish.”

In reaching this decision, the court ruled a portion of the Stored Communications Act unconstitutional. The unconstitutional provision of this Act provided that the government can access ISP stored e-mails older than 180 days with just an administrative subpoena or court order.

The Take away for Businesses

First, for businesses relying on cloud services to manage their operations, e.g. e-mail, CRM, etc. this case should offer a measure of comfort in that it will be harder for the government to go directly to a third-party service provider and gain access to company information without a search warrant. In fact, it levels the playing field between companies that have the resources to keep IT services in-house and those that must outsource to third party services, like Google Apps, gmail, Salesforce.com.

Second, for companies offering cloud services, they will need to carefully consider how they will respond to government requests for information. Certainly in the Sixth Circuit, cloud service providers should consider the potential privacy protections that clients have under the Warshak opinion before turning over data to the government. Prudent cloud service providers should hold out for a valid search warrant to support the request rather than turning it over in response to a subpoena. Of course, such decisions should be made with the advice and assistance of competent legal counsel.

Tags: cloud computing, Cloud Services, privacy protection
Posted in Cloud Services, workplace privacy | 7 Comments »

E-Business Counsel, PLC

Focusing on building the legal foundation to protect and achieve your goals

Legal Notices and Website Terms & Conditions