CIOs often focus on five legal issues that are inextricably linked to enterprise cloud computing

Senior Partner and Litigation Department of the patent Department of Proskauer Rose LLP in New York http://www.aliyun.com/zixun/aggregation/30485.html "> Nolan Goldberg, a member of the Electronic Evidence Task force, said that as a lawyer, his concern about cloud computing services was that cloud computing often shifted electronic data from the internal IT infrastructure to systems managed by third-party vendors. This shift in data custody and potential control has resulted in compliance issues.

From a legal point of view, these issues should appear in the planning phase of a cloud-based project.

1. What is the impact of cloud computing services on electronic evidence obligations?


　　

The
of litigation evidence involves the documents of the litigant's supervision or control. As a result, consumers of cloud computing services may need to keep, search, and collect data that is placed in cloud computing if the data file is still under the control of the consumer. But how do you know if the data is still under the control of that consumer? The court, in a similar context, stated that the service agreement was the starting point for determining whether data from third party supervision was under the control of the creator. Therefore, the service agreement is very important in determining the adaptability of a given cloud computing service.


　　


in the most commonly used cloud computing services, consumers retain control of their own data. Therefore, the scope of the electronic evidence obligation has not been affected. However, the application of cloud computing services can affect the ability of consumers to meet evidentiary obligations in a cost-efficient and accurate manner. For example, consumers will not have knowledge of how cloud services work as they know their own networks, which could reduce the speed of finding evidence and increase the cost of this work, and have a higher risk of error. Another example, the lack of direct access to cloud computing hardware and the lack of transparency in most cloud computing may make it more difficult to retain and gather evidence.


　　


If an institution is already in action or is expected to have a lawsuit in the future, the agency should be particularly cautious not to reduce the level of control over the litigation-related ESI (electronically stored information). Even if no specific litigation is expected, a cloud computing service consumer should determine the strategy of preserving, searching, and collecting such data in the process of choosing a cloud service provider. If necessary, the vendor's cooperation in these evidentiary tasks can be contracted in accordance with the service agreement and verify the costs involved.





Finally, any agency that has taken steps to reduce its burden of evidence through the development of a document retention plan should ensure that the cloud computing service supports these efforts. If the information that should not exist is still in cloud computing services, the agency's plan to cut costs will be undermined.


　　


2. Can litigants easily find our data in cloud computing?


　　


when an organization uses a cloud computing service, it may create an additional source of access to its data. In some cases, a counterparty might ask the cloud provider to provide the data directly to the organization (or information such as data on the document) as evidence. This requirement will be rejected in most cases because consumers of cloud computing services will be more appropriately treated. However, the direct evidence request or subpoena issued to the cloud vendor is the only way to obtain certain information. This information is not available to consumers through cloud computing services. For example, depending on the terms of the service agreement, some metadata relating to consumer documents may be under the control of the manufacturer rather than under the control of the consumer.


　　


consumers are able to entrust the manufacturer with a contract to notify the vendor of the request or summons to receive the consumer's data. Another good idea is to authorize vendors to directly reject requests for this data, give consumers a chance to reject the request, or at least submit the data in a confidential manner to protect the data.


　　


3. How to protect the value of information placed in cloud computing?


　　


in the absence of appropriate technology and contract control, the value of some data in cloud computing is reduced, leading to the illegal disclosure of data to third parties. Examples of such data include trade secrets and privileged communications. There must be a limit to the permissions of any data provider to the cloud computing vendor. Some of the lowest level of access is necessary so that vendors can operate cloud computing services. But beyond that range, the risk increases. Allowing vendors to access consumer data for their own purposes, such as publishing targeted ads, is inappropriate for applications that contain sensitive data.


　　


Some of the control measures used in the internal network should also be used in cloud computing services. These control measures include encryption and access control. Remember, however, that security in cloud computing is more complex than the internal network. The internal network only needs to defend against external attacks on the network. Cloud computing services must protect data security, both to prevent external access and to prevent other people and service providers of the service from accessing the data themselves.


　　


4. Is it a violation of privacy laws to consider using a cloud computing service?


　　

One limitation of
's data in cloud computing services is whether the service complies with the rules for handling, retaining, or transmitting data, as stipulated in the European Data Protection Directive. This rule applies to data that may be sent.


　　


Moreover, if the data were to be passed in countries with such rules, the operation of cloud computing services might inadvertently confuse data that did not handle the restrictions. The manufacturer should be prepared to find out where the data in its service is located and to establish some contractual restrictions to prevent the service from transmitting data in any way that is not required.


　　


5. What steps can be taken to further control risk after the selection of a service?


　　


Implementing a cloud computing project is a good reason to start a litigation preparedness plan if your organization didn't have it before. Data in the cloud should be included in an ESI directory (such as a data map). This prevents the database from being ignored in intense litigation and provides a convenient process to help search for data more efficiently and economically. For example, in addition to the existence of a cloud-computing library and its memory, the data map should contain specific measures to collect and store data in that service. ' If you follow my advice and figure out the problem before choosing a service, this step should be easy, ' said Goldberg. This data map should also contain a copy of the service agreement. This agreement will be at the core of the obligation to determine the proceedings. If there is an unexpected error in the collection of evidence, consumers can use the data map as a reasonable proof of their efforts to gather evidence, thus avoiding the most serious evidentiary penalty.

There are many different types of cloud computing services, and low price cloud computing services typically provide consumers with a lot of control over how to store and process data and where to store and where the processor only gives consumers little control. The best way to control institutional risk is to choose a cloud computing service that is appropriate to your own characteristics, to uncover the risks of compliance, and to provide a cautionary note that some information is not part of the cloud provider at all.

(Responsible editor: The good of the Legacy)