Welcome to the first in our series of blog posts on legal issues in cloud computing, with a focus on the United States and the European Union. Today, we introduce the series, and then discuss the question “what is ‘the Cloud’?”
Cloud Computing Legal Issues
Computing in “the Cloud” has quickly become a fact of everyday life for many businesses, and everyone needs to know that it creates many legal issues that can lead to problems if not handled proactively. Legal standards, regulations, and norms relating to cloud computing are evolving rapidly in the United States, in Europe, and elsewhere. Businesses in industries including healthcare, software, financial services, and social media are offering cloud-based products and services to customers and clients that provide unprecedented convenience and mobility, but also create unprecedented risks. Nearly every business that uses computers is itself a consumer of cloud-based solutions.
Legal issues that can arise “in the cloud” include liability for copyright infringement, data breaches, security violations, privacy and HIPAA violations, data loss, data management, electronic discovery (“e-discovery”), hacking, cybersecurity, and many other complex issues that can lead to complex litigation and regulatory matters before courts and agencies in the United States, Europe, and elsewhere.
Whether as vendors or as consumers of cloud-based services, many businesses assume that other participants in the process are taking the necessary steps to ensure data security and otherwise address the many potential legal issues. Although it is widespread, that assumption can be dangerous if it leads businesses not to take adequate steps to protect themselves and their customers and clients.
In our upcoming series of blog entries, we will explore these emerging issues involving cloud computing. We will provide an overview of laws in the United States that govern data privacy and security, particularly in the cloud. Our focus will be on providing practical recommendations for handling data in the cloud under the European Union’s (“EU”) directive for data privacy and security, and on supplying examples of when U.S. businesses may find themselves subject to EU law and of the various mechanisms for authorized trans-border data movement. We will also give insights into the proposed EU data privacy and security regulations.
What is the Cloud?
The increased availability and use of relatively stable and accessible mobile connectivity platforms has led to a rapid explosion in cloud-based commerce. In order to take advantage of the cloud, companies must comply with the data protection regulatory requirements of multiple states, the federal government, and possibly the EU.
Stated plainly, cloud computing services allow customers to purchase computing resources, such as digital storage space or computing capacity, on an as-needed, on-demand basis, and those purchased resources can frequently be accessed from almost any location. The National Institute of Standards and Technology (“NIST”) broadly defines “cloud computing” as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. The “as-needed” and “on-demand” aspects are especially important keys to cloud computing’s ability to avoid the large upfront costs associated with traditional computing models. (When trying to buy a traditional computer server, one needs to anticipate how much storage or processing power he or she needs over the entire life of that server. In other words, one must have a server that will provide the maximum amount of storage and/or processing power that is needed during the server’s lifespan. Cloud computing, however, frequently provides the ability to purchase just the computing capacity one needs at that given point in time. As a user’s computing needs increase, the purchaser can purchase increases in computing resources as necessary.)
NIST also provides the following essential characteristics of cloud computing services:
- On-demand self-service: this allows a user to acquire more computing resources, as needed, without human interaction with the cloud service provider;
- Rapid elasticity: the ability of a user to quickly acquire and release computing resources;
- Broad network access: the ability for a user to access computing resources when, where, and how (e.g., on a specific type of device, such as a smartphone) the user wants (frequently, this access is provided over the Internet);
- Resource pooling: The user is assigned computing capacity by the cloud provider from a set of computing resources, or “pool”, without the user having knowledge of how the pool is constructed and from where he or she is getting the computing resources; and
- Measured service: the cloud provider and the user can see the amount of resources being used by the user at “some level of abstraction.” (Note that the phrase “some level of abstraction” is a fairly big qualifier because it allows cloud providers to show users varying units of measure for a given service. For example, one cloud service that uses a “high” level of abstraction might track how many medical records are stored in a system, while another cloud provider might use a “low” level of abstraction and track how many raw gigabytes of data are used on a given server.)
Cloud providers can provide those essential characteristics through different types of offerings, including:
- Infrastructure as a Service (“IaaS”): IaaS offerings give customers access to what many might think of as “traditional” computing resources, such as storage space, computer processing power, etc. Dropbox and Amazon are well-known providers that offer these kinds of services. Although these services allow end-users to leverage all of the characteristics of the cloud that are discussed above, they also leave the end users with the most responsibility. Similar to when one buys a physical computer that has certain storage space and computing power, when one buys infrastructure as a service offerings, he or she is often just buying space and computing power. In other words, he or she may still be responsible for licensing, updating, and patching (i.e., servicing and maintaining) any additional software that runs on the infrastructure.
- Platform as a Service (“PaaS”): PaaS involves providing a user some level of custom tools or functionality that can be used to build an application. One of the primary providers of this type of cloud computing offering is Oracle. Oracle provides infrastructure, similar to an IaaS offering discussed above, but it also provides access to versions of its database platform, and various other software, commonly known as “middleware,” that can help tie various parts of the cloud items together.
- Software as a Service (“SaaS”): In SaaS offerings, a customer accesses a cloud provider’s applications that are running on a cloud infrastructure. SaaS applications are frequently accessible through a variety of methods, whether that is a custom client that is installed on a user’s computer, via a web browser, or even on a cell phone. Most full-featured EHR systems would fall into the SaaS category. Normally, in these types of offerings, the customer does not have access to the underlying details, like the servers themselves, file storage, the operating systems, etc. While some users (especially technologically sophisticated ones) may be disappointed with not having control of many of the technical details of the service, most users are actually happy to be free of the responsibility of monitoring and maintaining the resources that power their applications.
Cloud providers deploy these offerings in several different ways, including the following:
- Public Cloud: the cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider;
- Private Cloud: the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers. It may be owned, managed, and operated by the organization, a third party, or some combination, and it may exist on or off premises;
- Community Cloud: the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises;
- Hybrid Cloud: the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.