The Cloud’s Legal Lining

Everyone, it seems, is weighing in with opinions on how the evolution, or revolution, of cloud computing will play out, and attorneys are no exception.

Reed Smith, one of the nation’s largest law firms with more than 1,600 attorneys, is planning a series of white papers exploring legal and regulatory aspects of what will no doubt be a continuing explosion of cloud-based technology infrastructure capabilities. So far companies have barely scratched the surface of the opportunities that will come to handle computing workloads and host and develop applications more efficiently off-premises. With those benefits may come a number of legal and regulatory considerations, suggests Joseph Rosenbaum, a partner at Reed Smith and chairman of the firm’s Advertising Technology & Media Law practice.

Rosenbaum recently shared some of his views on cloud computing with CFO. An edited version of the interview follows.

Is data security the most important thing about the cloud, from a legal standpoint?

Everybody is talking about privacy and data protection, but I’m not sure the issues are all that different from those that apply to any outsourcing or hosting arrangement. And that’s not new. Going back to the late 1960s, there were time-sharing arrangements where companies would trust their IT operations in whole or in part to third-party providers.

I do a lot of work in the social-media space as well, and I tell clients, get a policy that says confidential information of the company is not to be disclosed to anybody, period. That doesn’t change because you decided to have a presence in social media or because an employee has a Facebook page. There may be some differences in the way you approach it, but the principle is the same. That goes for cloud computing, too.

Joseph Rosenbaum

What about the cloud should be of interest to a CFO?

There’s the whole area of pricing. I think there is going to be a growing body of aggregators. For example, Joe Rosenbaum doesn’t have much clout with a cloud-services provider to get a beneficial rate. But as a member of a law firm with 1,600 lawyers and 1,000 professional support people, I have more clout. Just as I’m able to get life insurance and health insurance [for less than I would pay] as an individual consumer, there will be intermediaries who will provide pricing benefits beyond what’s in the marketplace today.

Similarly, there will be a growing body of cloud-based commercial applications that will create a higher degree of competition. Just as third parties have created a huge number of apps for iPhones and add-ons for Microsoft Office, a whole industry of application developers will arise for the cloud. And there is no reason to think that the major cloud providers like Microsoft, Google, and Amazon.com, the global companies that will allow networks to robustly develop, will not develop suites of compatible applications. In some cases, they will be pretty standardized and available off the shelf.

Is there a legal aspect to that?

Yes. Who is going to be the licensee — the entity who will need to obtain a license to use the app in a cloud-computing environment? Will it be the cloud provider, who will license the app from the developer and then authorize you as the end-user or a sublicensee to use it? Or will you be able to create or license apps and put them in the cloud? It makes a difference, because different jurisdictions have different laws with respect to intellectual property, the use of proprietary data, and the transfer of information, whether personally identifiable or not.

Imagine I want to license an app and put it in the cloud. I don’t know where that app will actually reside. I may end up buying a lawsuit in some other jurisdiction where I am unaware of the laws. Or the cloud provider may ask me to sign an indemnity that says, we’re happy to put this in our cloud, but you’re going to be liable if we get sued because somebody alleges it’s their intellectual property, or because data about a citizen of one country was moved to some other country without permission.

How great is the need for global cloud-computing standards?

There is definitely a need. With phones, if you have a Verizon Wireless phone and I have an AT&T iPhone, there are interoperability agreements between the carriers that allow those interfaces to function seamlessly. Today there are no such standards in cloud computing.

If I go to a hotel in London, it may have signed up for a cloud-based WiFi service from company X, while Reed Smith may have an arrangement whereby, when I plug into the cloud on my laptop, my connection is through company Y. There would have to be an arrangement whereby my computer can access my Reed Smith cloud-computing services through some other carrier. That does not exist today.

From a legal point of view, there are competing interests here. Consumers and cloud providers both want their services to be accessible anywhere, anytime. But a cloud provider has to be a big global player, and so there’s concern over the barriers to entry. How do you make sure you aren’t creating an environment in which there are a few players that control the marketplace? The way these things usually resolve themselves is that in the short term, there is a cry for government regulation.