Why in-house counsel must be involved in decisions about cloud computing

Every pilot who's flown through clouds knows that, without proper training and instruments, there's high risk of a downward spiral straight into the ground. It's not so different for in-house counsel at the legal yoke of companies aiming to use online services to run their businesses and plunk increasingly immense amounts of sensitive data onto the cloud.

Do so without the right knowledge, check lists, technological and legal updates and, if needed, a good co-pilot, and it's possible that your data – even your company – can crash and burn with clients, consumers and regulators.

But for in-house advisors, most of whom wouldn't know a hadoop from a chukwa, resolving the legal implications of moving to the cloud, or living on it now, can be baffling. Tune in to recent news and you may begin to wonder if security on the cloud is as puffy and porous as, well, a cumulonimbus. How do lawyers keep up with things such as jurisdictional issues, privacy, what they need in service level agreements (SLAs)?

Well, lawyers aren't keeping up, says Dominic Jaar, Partner and National Practice Leader – Information Management, E-discovery and Forensic Technology, with KPMG LLP. Asked how high is the knowledge of Canadian in-house advisors about cloud computing benefits and risks, Jaar replies: “I would ask, how low? And I would answer, it's low. Lower than you'd think.”

For corporations, the big bait luring them to the cloudscape is the potential savings on IT costs. A 2012 KPMG report, The Cloud Takes Shape, surveyed 650 senior executives in 16 countries who adopted cloud technology at their companies. Seventy per cent agreed or strongly agreed the cloud had delivered significant cost savings. It's also a technology that can radically transform and improve how their businesses do everything from marketing to R&D. Still, 48 per cent of respondents worried about loss of control and data security. Their lawyers should be worried too.

The cloud was seeded about the turn of this century when a few major tech companies found they had excess computing infrastructure. Amazon, for instance, built extensive data centres to handle its huge annual Christmas spike in Internet orders. But the rest of the year, this expensive infrastructure went largely unused. The solution: rent out the processing and storage capacity to other businesses.

Hence, what begat the so-called Third Industrial Revolution, spawning a host of inexpensive, low-maintenance IT opportunities for the business world and a new lexicon of legal pitfalls for lawyers to figure out. There's SaaS (software as a service), PaaS (platform as a service) and IaaS (infrastructure as a service) to name the main ones.

But for companies using the cloud-computing horsepower and vast storage capacity, it means they don't have to buy and constantly upgrade their own batteries of servers, computers and networking infrastructure. They can pare down or eliminate their reliance on internal IT staff.

Another advantage for companies, explains Peter Wolchak, editor of Backbone, a Canadian magazine that covers the intersection between business and computer technology, “is you can scale up and down very quickly if you need it. Your company is doing a big research project, or your company just bought another company, and suddenly your computer needs go up. Because you are renting space, you can go to your provider and say, ‘Hey, we need more space in the next month, or for the next year.' And a good cloud provider could, with in half an hour, give you more access to computing facilities.”

KPMG's Jaar, based in Montreal, regularly consults with companies contemplating a move to the cloud for reasons of cost and efficiency. One problem for in-house counsel who must assess legal issues, he says, is that they can get isolated from the decision-making process. In part, that may be due to a lack of basic understanding about cloud technology. It can also be because the C-suite, other than the chief information or chief privacy officer (should the company have one), are as befuddled as most about the paradigm shift now happening in IT.

In many of these discussions about the cloud, contends Jaar, “legal is not invited. And when they are, often they are just clueless. I have seen a number of colleague lawyers sitting in these meetings and getting out after the meetings where important decisions were made, and asking, ‘What just happened?'”

Often, Jaar continues, the IT department goes to the C-suite, who – without properly knowing legal implications such as privacy obligations – makes a recommendation on a cloud provider based primarily on the lowest cost. Talking with IT at many organizations, he says, he's discovered many IT managers actually try to skirt the legal department. They fear they'll get a “no” on their hard-chosen cloud provider — disposing of the millions they might have saved.

A company can certainly save money in the beginning, but may well pay later for moving to the cloud. While not all cyberspace scandals are directly cloud-related, they nevertheless demonstrate the potential headaches for in-house counsel.

In July, in just the latest of a long spate of similar stories, US federal prosecutors charged a Russian and Ukrainian band of five men with the biggest cyber-crime in the country's history, a cutting edge hacking scheme that targeted companies including J.C. Penney, 7-11, Nasdaq OMX Group, JetBlue and Visa Inc., among others. The Internet thieves stole an estimated 160 million credit cards numbers and personal data, costing the affected companies more than US$300 million.

And, of course, there's whistleblower Edward Snowden, who dished on PRISM, an extensive top-secret spying program by the US National Security Agency on global phone and Internet traffic. The latest from Snowden: that the US government paid millions to telecom, Internet and tech companies like Google, Yahoo and Microsoft — some of them among the biggest players in the rapidly growing, $135-billion-ayear-plus cloud-computing industry. The NSA money was so that those companies, as PRISM data providers, could stay within the lines of the US constitution ordered by a secret US court in 2011, by complying with new certification demands on how they separated US from foreign data.

The largest cloud service providers, Amazon Web Service (AWS) and Micro-soft Azure, are based in the US, where a good chunk of their servers, hosting terabytes of corporate data from Canada and around the world, are also located.

That already made that data, under the USA PATRIOT Act, a legally accessible smorgasbord for American intelligence and law agencies to comb for potential terrorist activities. But Snowden's continuing leaks reveal that US agencies aren't particularly finicky about foreign privacy laws and they can – as sophisticated hackers or so-inclined foreign states for that matter – pretty much pick off any parts of the vast streams of data flowing over the Internet to the cloud, when they wish.

The problem with the jurisdictional storm surrounding cloud computing though is that for in-house lawyers it can mask wider dilemmas about technology. “It's not so much the cloud, as the cyberworld we live in,” says Richard Austin. Counsel to Deeth Williams Wall LLP in Toronto, Austin's practice includes outsourcing, privacy, international data flows, IT governance and regulatory compliance.

“If I were an in-house counsel,” Austin warns, “I would worry about things like lost laptops. I would worry about lost turbo sticks. I would worry about information going astray in many different ways. There are a series of cyber-liability issues that inhouse counsel should be worried about. And cloud computing is one specific aspect of that.”

The Snowden case, though, says Toronto lawyer Richard Fowler, “has everybody thinking about where [their data] is being kept, and who has access to it.” Formerly Senior Vice President of Legal Affairs & Operations for Alliance Films, Fowler advised the company on IT matters prior to its acquisition earlier this year.

“With the stories out there, you can't help but believe that, with so much data in the cloud right now, and the potential for issues like [Snowden] to arise, it certainly accentuates the importance of having as many protections as possible.”

Indeed, there's growing evidence of a rethink about the pros outweighing the cons of the cloud. A 2012 TELUS survey of IT managers revealed that 71 per cent of Canadian companies are shunning outsourced IT delivery nodes such as the cloud. “There is pushback,” says Backbone's Wolchak. “People worry about security. They worry about reliability. They worry that they don't have enough control.”

It's one reason Wolchak is starting to see large companies building their own private cloud systems, or collaborating with others in their industry to custom-build cloud architecture. For the Canadian banking industry, for instance, that might mean top-of-the-line (and therefore more expensive) data security, and servers located in Canada to mitigate the risk of having them in countries with differing privacy laws.

Security. Privacy Protection. Jurisdiction. Compliance. What to look for or insist on in SLAs with cloud providers. When to destroy data, or how to get informed consent from individuals went their data is stored by third-party providers. For in-house counsel, these are crux issues they must comprehend themselves – or prepare to get help with – when advising their executives about the wisdom of jumping onto the cloud.

“A generalist is going to struggle in trying to get his head around this,” says Calgary lawyer Tony Morris, a partner with Norton Rose Fulbright Canada LLP. Morris, who leads Norton Rose Fulbright's Calgary office in privacy law, has guided clients on electronic commerce, cloud computing, privacy and lectured regularly on privacy laws in Canada and Alberta.

A dozen or so years ago, he says, privacy law was a narrow and small field. “Now it is completely sustaining some people's practices, and nothing but. I went back to law school for a master's degree in e-business in 2003 and I can tell you, when I first left law school I couldn't imagine that there would be such a thing.”

For many in-house advisors, catching up with reality can be difficult. But there are ways to do it. Morris says lawyers can educate themselves in a number of ways. Organizations like the International Association of Privacy Professionals or the Canadian IT Law Association (IT.CAN) hold numerous conferences and seminars on related subjects. At a recent IT.CAN conference titled

The Third Industrial Revolution, speakers, including Richard Austin, covered critical subjects including the challenge of authenticating users in an age of cyber-crime, determining when personal information has been made anonymous, guidelines for destroying data, to name just a few. Most Canadian law schools, says Morris, now have distance programming and video conferences on IT law, opportunities that didn't exist all that long ago.

KPMG's Jaar was recently ranked by one legal publication as among the leading 26 lawyers in Internet, e-commerce and data-protection work. But Jaar is humble about the commendation, noting that “there are very few tech-savvy lawyers in the country” to compete with.

Indeed, Jaar is mystified more lawyers aren't making greater efforts to get up to speed on the legal implications of information technology. “One thing I always tell [lawyers] is, if you looked back 200 years ago, to be a lawyer you needed to be able to read when most of the people couldn't read. You needed to be able to write really well when most of the people couldn't write a thing. And you needed to be able to express yourself in a clear fashion, when people had only basic [language] skills. So how come, in 2013, we don't need to be more tech-savvy than the average person? That is beyond me.”

“We should be more tech-savvy than average, because we need to advise our clients on how to evolve in the world we live in, and how to comply with the law in a technological environment.”

Jaar says that might sound like a sales pitch, coming from a consulting firmlawyer like him, but in his days as in-house counsel at Bell Canada, “whenever I was out of my league, I would hire someone to help me — either an outside lawyer or consultant to sit with me during the meeting and translate for me to understand. And as much as it may be costly on day one, I think in the long run it saves a lot of money, it enables knowledge transfer. It enables you to reduce risk. And, as an in-house counsel, one of the risks you have is your own career.”

At Torstar Corporation, Lisa Dorning, who holds the position of Senior Legal Counsel, Chief Privacy Officer, Newspapers & Media, has not hesitated to reach out for help when needed. “I find it very helpful to discuss key issues and considerations with outside counsel, to get a feel for what others are considering and contemplating as they negotiate cloud agreements,” she writes in an email. “I also find it a helpful way to get a sense of the key sticking points with the various cloud providers, and what constitutes ‘industry norm' in respect of certain issues.”

There's someone else in-house advisors should talk to, adds Jaar: your IT guy (or gal). When he was at Bell and giving conferences, “I was telling everyone in the room, you should make friends with an IT guy and go out for lunch every month to learn about technology, hear about their concerns, hear about what they do, try to better understand what's a network, how files are being stored, what security looks like. I think it is part of the obligation of a lawyer in 2013 to understand the world we live in.”

IN HOUSE INSIGHT: GETTING YOUR HEAD INTO THE CLOUD

Cloud computing is a transformational technology that entails both great opportunity and great risk for corporations — and presents a legal Rubik's cube for their lawyers. Here's a primer on sorting out some bits and bytes.


1> DEALING WITH DATA destruction is as critical as protecting it, says Torys LLP partner Patrick Flaherty. When signing a service level agreement with a cloud service provider, ensure it complies with the same privacy laws that your company does. That means destroying personal information after a certain period or usage. “That's difficult in a lot of could contracts because they tend to comingle data from different sources.”

2> FUMBLING AROUND in the cloud? The BC Law Society has an excellent checklist on using cloud technology. Federal and provincial privacy commissioner reports are also valuable, and the SEC has guidelines on cyber-security best practices.

3> IT CAN BE “a more extensive undertaking than some clients want to hear about” to evaluate a potential cloud service provider, says Tony Morris at Norton Rose Fulbright Canada LL . But you'd better do your due diligence. Morris suggests working with consultants skilled in technology matters, doing site visits and being prepared to ask dumb questions. “Sometimes the best questions ever asked are the ones that seem ill-informed when first posed. If the client struggles with the answer, I know I'm on to something.”

4> WE'RE ALL CONSENTING adults here. Or are we? Under best practices and privacy laws, it's critical that lawyers at companies ensure there is proper consent for any data collected, says Dominic Jaar at KPMG. Then, if you host that data on the cloud, and it's personal or sensitive info, you need to inform and obtain proper consent from clients and consumers to do so.

5> IT'S OFTEN OVERLOOKED, but in-house counsel need to know how easy/difficult it is to retrieve their data should they need it for litigation or some other purpose, or their provider is acquired by a third party or goes bankrupt, suggests Jaar. With bankruptcies, trustees are focused on recouping money. “In most of these cases, what they want to do is sell the servers. And they don't care about the information that sits on these servers.”

6> LISA DORNING, Senior Legal Counsel at Torstar Corporation lists her important considerations when writing a cloud service contract. Prime among these are discussing with internal business clients the data type and sensitivity to be hosted on the cloud; what agreements concern data loss during the contractual term, or data improperly returned or in an unusable format on termination of the agreement; and jurisdiction, meaning both the location of the service provider and the data-hosting centres they use, and the relevant privacy and data-access laws where the data centre and service provider reside.

7> THANKFULLY, MOST CLOUD contracts aren't “full of technogeek stuff,” says Robert Fowler, formerly in-house advisor to Alliance films. Providers know who their audience is when it comes to contracts. Nevertheless, in SLAs, he looks for language that captures all applicable laws and regulations. Often, more technical schedules will be attached to SLAs.

8> EVEN THOUGH IT can be expensive, Richard Austin is a believer in cyber-insurance, especially since many insurers are inserting clauses in general-liability commercial contracts that exclude damages from hacking, viruses, privacy breaches or other cyber-incidents.