
E-Discovery and Data Privacy: Dealing with Issues in the Cloud



4 considerations when choosing a cloud vendor in order to mitigate e-discovery and data privacy risks


More companies are choosing to handle their computing needs in the cloud. It can often be cheaper for a company to outsource computing needs than to handle such needs in-house. For example, companies may choose to use a service like Gmail as their email service provider or may use a billing service in the cloud to bill their clients.

Although cloud computing makes sense for companies because it adds capabilities without requiring an increased expenditure on IT infrastructure, it also creates risks in the context of both e-discovery and data privacy. Being aware of such risks is critical if the company is to successfully navigate the minefield of regulatory and litigation issues that can arise in the cloud.

Sensitivity of Data

If a company chooses to use a cloud vendor to meet its computing needs, the company should first assess the sensitivity of data that is going to be stored in the cloud. Is the cloud vendor going to handle sensitive healthcare information, financial information, or other personal identifying information?

If the cloud vendor is going to handle certain types of sensitive information, it is important to consider applicable domestic regulations like HIPAA, the Gramm-Leach-Bliley Act, or even state privacy laws such as the Massachusetts data security regulations.

Where is the Data?

It is important for the company to assess where the information is going to be stored and processed. Where the data is stored and processed will impact the risk profile of the information and the regulatory analysis. For example, privacy laws are arguably more stringent in the European Union than they are in the United States.

A company using a cloud vendor that stores customer data within the European Union should be aware of the applicable EU laws and regulations as well as the data security requirements for the jurisdiction.

Provider’s Security

It is also important to assess the cloud provider’s security by addressing the following questions:

  • What protections does the cloud provider have in place to ensure physical security?
  • Are employees subject to a background check?
  • Is the data encrypted?

Strong physical and electronic safeguards should be in place to protect personal data.

Litigation Concerns

When using a cloud vendor, it is important to consider placing provisions in the contract with the vendor that would protect the company in the event of litigation. For example, if the company is sued, a court may compel the company to produce information that is stored in the cloud. A court is going to be unsympathetic to a company’s explanation that it cannot produce relevant information because that information is held by its cloud vendor.

Federal Rule of Civil Procedure 34 provides that discovery may be had of documents that are in the “possession, custody, or control” of a party. A company subject to litigation can be charged with control of electronic data even where that company lacks legal ownership or actual possession over the data.

Given the risks that can arise in litigation, a company considering using a cloud vendor may also want to place an indemnification provision in its contract with the vendor or even require the vendor to carry cyber risk insurance to insure against the risk of cyber-related losses.

Cloud computing is a revolution in the business world that helps companies use technology without having to add expensive infrastructure. While companies should continue to use cloud vendors to meet business needs, it is important for each organization to evaluate the applicable legal and regulatory framework and the security of the cloud vendor in order to mitigate the risks of cloud computing.