Legal and Regulatory Challenges
The legal and regulatory landscape around cloud computing is by no means static. There are new laws being proposed that could change the responsibilities of both cloud computing tenants and providers.
Cloud computing that employs a hybrid, community or public cloud model “creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios,” according to Glen Brunette and Rich Mogull of Cloud Security Alliance, in their white paper, “Security Guidance for Critical Areas of Focus in Cloud Computing.”
This creates practical challenges in understanding how laws apply to the different parties under various scenarios. Regardless of which computing model you use, cloud or otherwise, you need to consider the legal issues, specifically those around any data you might collect, store and process. There will likely be state, national or international laws you (or, preferably, your lawyers) will need to consider to ensure you are in legal compliance.
If the tenant or cloud customer operates in the United States, Canada or the European Union, they’re subject to numerous regulatory requirements. These include Control Objectives for Information and related Technology and Safe Harbor. These laws might relate to where the data is stored or transferred, as well as how well this data is protected from a confidentiality aspect.
Some of these laws apply to specific markets, such as the Health Insurance Portability and Accountability Act (HIPAA) for the health-care industry. However, companies often store health-related information about individual employees, which means those companies might have to comply with HIPPA even if they’re not operating in that market.
Failure to adequately protect your data can have a number of consequences, including the potential for fines by one or more government or industry regulatory bodies. Such fines can be substantial and potentially crippling for a small or midsize business. For example, the Payment Card Industry (PCI) can impose fines of up to $100,000 per month for violations to its compliance. Although these fines will be levied onto the acquiring bank, they’re likely to impact the merchant as well.
Laws or regulations typically specify who within an enterprise should be held responsible and accountable for data accuracy and security. If you’re collecting and holding HIPAA data, then you must have a security position designated to ensure compliance. The Sarbanes–Oxley Act designates the CFO and CEO to have joint responsibility for the financial data. The Gramm–Leach–Bliley Act is broader, specifying the responsibility for security with the entire board of directors. Less specific is the Federal Trade Commission (FTC), which just requires a specific individual to be accountable for the information security program within a company.
If you use a cloud infrastructure sourced from a cloud services provider, you must impose all legal or regulatory requirements that apply to your enterprise on your supplier as well. This is your responsibility, not the provider’s. Taking the HIPAA regulations as an example, any subcontractors that you employ (for example, a cloud services provider) must have a clause in the contract stipulating that the provider will use reasonable security controls and also comply with any data privacy provisions.
In the United States, both federal and state government agencies such as the FTC and various attorneys general have made enterprises accountable for the actions of their subcontractors. This has been replicated elsewhere, such as in the EU with the data protection agencies. As the use of cloud infrastructure becomes more prevalent, the risks of a third party accessing data illegally are rising as well.
Even with encrypted data, the third party might have access to keys and therefore have access to the underlying data. Often the risks are magnified, as there could be a number of third parties involved: the cloud provider; cloud support; operations; and management teams; plus others who manage and support applications. Contractors who work for any of those organizations could further compound the dissipation in control.
These are some of the issues you must consider at all stages of the contractual process:
- Initial due diligence
- Contract negotiation
- Termination (end of term or abnormal)
- Supplier transfer
Initial Due Diligence
Prior to entering into a contract with a cloud supplier, your enterprise should evaluate its specific needs and requirements. You should define the scope of the services you’re looking for, along with any restrictions, regulations or compliance issues that need to be satisfied. For instance, if you’re going to collect and store employee HIPAA data in the cloud, you must ensure that any supplier will meet the guidelines defined by the HIPAA regulations. Assessing the different laws and regulations your enterprise needs to abide by may well define what you can deploy in a cloud or which type of service you can use.
You should also rate any services you deploy to the cloud with respect to their criticality to your business. If you want to deploy a service that’s critical to the business or would cause a major disruption if it became unavailable, then you’ll need to factor this into your supplier evaluation.
As a number of suppliers are entering this market, it’s inevitable that some will fail or simply stop providing the service if they deem it isn’t profitable for them. Often, large companies will enter the market but leave it once the expected profit doesn’t materialize. If this is the core business of the cloud supplier, it might be willing to continue operating for longer with a smaller profit.
Questions that you should consider prior to evaluating cloud services providers include:
- Is this cloud service a true core business of the provider?
- How financially stable is the provider?
- Is the company outsourcing any aspect of the service to a third party, and if so, does the third party have the appropriate arrangements with the provider?
- Does the physical security of its datacenters meet your legal, regulatory and business needs?
- Are its business continuity and disaster recovery plans consistent with your business needs?
- What is its level of technical expertise within its operations team?
- How long has the company been offering the service, and does it have a track record with verifiable customers?
- Does the provider offer any indemnification?
Once your enterprise has performed such due diligence you can begin serious evaluation of providers. This will reduce the time you’ll spend overall in the negotiations and ensure that the correct level of security is in place for your particular needs.
You can’t expect your cloud supplier to know your business requirements in detail. It may well be unaware of the regulations to which it must adhere. If there’s a breach in regulations, it will be your enterprise that’s penalized and not your chosen cloud supplier. So choose well—but still do your homework.
As the Internet’s sphere of influence as a communications network widens to include commercial and other exchanges, legal authorities have become more interested in asserting authority over it and the activities of those who use it. The legal questions arising from the increasingly complex world of the Internet has raised questions about the role and the rule of law in this new domain. These concerns range from the nature of self-identity to national sovereignty.
The Rule of Law and the Internet
As technology grows by leaps and bounds, the laws have to be made more responsive to changing times. The lack of a legal framework, in many jurisdictions, to address problems of validity of electronic transactions is a significant barrier to the growth of e-commerce. For one thing, while there are laws on contracts and other business transactions, these require written, signed, or so-called “first” documents. In e-commerce transactions, however, electronic data or documents or digitally signed contracts make up the whole transaction.
To address this conundrum, the United Nations Commission on International Trade Law (UNCITRAL) has drafted a model law on e-commerce that can serve as a guide for governments when they draft their own e-commerce laws.
What principles underpin the UNCITRAL Model Law?
The UNCITRAL Model Law operates on the following principles:
- Equivalence - Electronic communications shall be the functional equivalent of paper-based documents. Given proper standards, electronic documents can be treated and given the same value as paper documents.
- Autonomy of contracts - Contracts may be in the form of electronic documents. However, this should not result in a change in the substantive terms and conditions of a transaction.
- Voluntary use of the electronic communication - Parties may choose to enter into an electronic transaction or not at all. It is not mandatory.
- Solemnity of the contract and the primacy of statutory requirements respecting formalities of contracts
- The requirements for a contract to be valid and enforceable, such as notarization, remain the same.
- Application to form rather than substance - The law should be applicable to the form rather than the substantive terms of the contract. Whatever statutory elements are required to be present must still be present, e.g., consent freely given, an object, cause or consideration.
- Primacy of consumer protection laws - Consumer protection laws may take precedence over the provisions of the Model Law.
What kind of protection does the Model Law seek to provide?
The Model Law hopes to provide adequate legal protection for those who wish to engage in e-commerce. It ensures that electronic transactions are legally recognized and that a course of action, if necessary, is available and may be taken to enforce transactions entered into electronically.
When is there conflict of laws?
A resident of Manila who decides to file a malpractice suit against a Manila-based doctor who had done her an injury may do so in a Manila court. The Manila courts have jurisdiction over the doctor. But if the injured person later on moves to Hanoi, and decides to file the case there, the doctor in Manila will surely object-and validly-that no Hanoi court can have personal jurisdiction over him. That’s an easy case.
Consider a Web site selling pornographic materials set up in Hong Kong, hosted in the Caribbean, with a Web master residing in the Netherlands and owners who are British nationals, and broadcast throughout the world? If a complaint for pornography were to be filed, whom do you sue and where do you sue them?
For our third case, suppose A, in Hanoi, enters into a contract for the delivery of heavy machinery with B, in Yangon. If B fails to deliver the goods, where does A file the case? If A files the case for breach of contract in a Hanoi court, how does the Hanoi court acquire jurisdiction over B?
These examples show that jurisdiction is not straightforward in the Internet.
How can jurisdiction be asserted or acquired?
In the United States, there are ways by which courts are able to acquire jurisdiction over Web-based activities:
Gotcha. Where the court obtains jurisdiction over an out-of-State defendant, provided that when he visits the State, that person is served with a summons and a complaint (documents that give the person notice of the lawsuit). This was applied to the case of the Russian programmer sued by the publishers of e-book (Adobe). While attending a convention in Nevada, he was served with a notice and was subsequently arrested.
Causing an injury within the State. An Internet business can also be subject to jurisdiction for purposefully causing an injury in another state. This principle derives from a series of cases where courts of another State acquired jurisdiction over non-residents who entered the State, caused an accident and left. If someone uses the Internet to cause an injury in one State, the person causing the damage may be hauled into court in the State where the injury occurred. In cases where the connection between the activity and the injury is not clear, courts also look for evidence that the activity was “purposefully directed” at the resident of the forum State or that the person causing the injury had contacts with the State.
Minimum contacts. A business or person with sufficient contacts with a particular State can be hauled to court even if he/she does not live or has a business in that State. Usually, the basis is the regularity of solicitation of business, derivation of substantial income from goods or services sold in that other State, or engaging in some other persistent course of conduct there. For example, passive Internet sites, which merely advertise but do not really offer to sell goods or services, may be said not to have achieved the required minimum contacts for courts to acquire jurisdiction over them. But with Web sites that actively offer to sell and then subsequently take orders from that State, it can be said that the minimum contacts have been satisfied for purposes of acquiring jurisdiction.
Effects. When one’s conduct in cyberspace though emanating from another State creates or results in an injury in another, courts in the latter State can acquire jurisdiction over the offender. To illustrate: A case was filed by the DVD Copy Control Association against the creator of DeCCS , a software that decrypts the copy-protection system in Digital Versatile Discs (DVDs) to allow ordinary CD-ROM drives to play or read DVDs. An issue in the case was whether the courts of California had jurisdiction over the person, who was a student in Indiana when the suit was filed and who later on moved to Texas. The court said that the California courts had jurisdiction, citing a 17-year-old US Supreme Court case involving defamation, because the California movie and computing industry was affected by the “effects” of the defendant’s conduct in Indiana. This decision signals an expansion of personal jurisdiction in cyberspace. If other courts chart their course by California standards, any Web publisher could be hauled to court wherever its site has an effect. The attorney general of Minnesota has issued this statement of caution: “Warning to all Internet Users and Providers: Persons outside of Minnesota who transmit information via the Internet knowing that information will be disseminated in Minnesota are subject to jurisdiction in Minnesota courts for violations of State criminal and civil laws.”
Why is it necessary to establish laws governing jurisdiction?
Due to the global nature of the Internet, it is important to establish which law governs a contract formed, perfected, or conducted online. Without an express choice of governing law, complex and difficult issues can arise. For the time being, it may be prudent for businessmen to determine which existing law and regulations apply and ensure that they are well versed in the local laws of the areas where they wish to set up their Web presence. This is to avoid unexpected liabilities that may arise as well as possible un-enforceability of contracts into which they enter. Better still, when they conduct transactions online, parties must first agree on the legal regimes under which they may operate, so that when a dispute arises, the questions of jurisdiction-what law and what courts-would have already been settled.
Legal Recognition of Electronic Documents and Electronic Signatures
In an APEC seminar on electronic commerce in early 1998, the uncertain policy environment, among other things, was cited by those from the Asia-Pacific region as a major inhibitor to the growth of electronic commerce. Of particular concern was the uncertainty resulting from the fact that laws are rooted in the paper world, requiring writing, manual signatures, and the creation and retention of original documents using paper.
Take the case of Philippine rules on formation and perfection of contracts. The Philippine Civil Code, enacted in 1950, says that a contract is a meeting of the minds between two persons whereby one person binds him/herself to the other to give something or to render some service. What happens then if one person programs a computer to make successive bids for himself, say on E-bay? As the bids for a particular item goes higher and as his or the Web site’s computer makes bids for him, as programmed, will the successive bids be binding on him, when he had did not commit what in law is referred to as contemporaneous interventions at that time? Would there be a valid meeting of the minds in this case? Assuming that the contract between E-bay and the person is valid, will it be enforceable?
Another problem is the provision called Statute of Frauds, which was adopted from United States rule. The Statute requires that certain contracts, such as an agreement for the sale of goods at a price of no less than five hundred pesos (or about $10.00), or, inter alia, an agreement for the leasing for more than one year or the sale of real property, be made in writing. Unwritten contracts, though valid, cannot be enforced in courts. The Rules of Court also require paper-based documents and not electronic ones.
Clearly there is a need for a change in the legal framework that would not only allow the recognition of electronic documents and/or signatures, but also provide an assurance that the courts will allow these into evidence in cases of disputes.
What Asian countries have enacted e-commerce rules/laws?
In East Asia, Hongkong has enacted the Electronic Transactions Ordinance (effec-tive April 7, 2000; enacted January 7, 2000.), which covers electronic and digital signatures and electronic records. This act is generally applicable to all communications. Japan’s Law Concerning Electronic Signatures and Certification Authorities (effective April 1, 2001; enacted May 24, 2000.) is about digital signatures and is generally applicable to all communications. South Korea’s Basic Law on Electronic Commerce also covers digital signatures and is generally applicable to all communications.
In Southeast Asia, Malaysia has its Digital Signature Bill of 1997, which became effective on October 1, 1998. Singapore’s Electronic Transactions Act of 1998 (enacted June 29, 1998) covers digital and electronic signatures as well as electronic records, and is generally applicable to all communications. Similarly, Thailand’s Electronic Commerce Law (which passed second and third readings in October 2000) covers electronic signatures and is generally applicable to all communications. In the Philippines the Electronic Commerce Act of 2000 (enacted June 14, 2000) encompasses electronic signatures, electronic transactions, and crimes related to e-commerce. The Electronic Transactions Order of Brunei (enacted November 2000) covers electronic contracts, as well as digital and electronic signatures.
India’s Information Technology Act of 2000 (Presidential Assent June 9, 2000; passed by both Houses of the Indian Parliament May 17, 2000; implemented in October 2000) covers digital signatures and electronic records, and is generally applicable to all communications.
Regulators in newly competitive, liberalized and privatized environments might wish to consider the following general principles as a guide, as they face the many complex and difficult issues ahead:
Encourage Private Investment, Innovation and Infrastructure Buildout
Governments cannot fund the tremendous investment needed to expand network infrastructure. Thus, encouraging and allowing private investment, both domestic and foreign, is critical. Government processes are not always able to keep up with the pace of technical change. Deferring to competitive markets tends to maximize technical and allocative efficiency. By focusing on lifting barriers to entry, and restraint in the imposition of unnecessary regulation, government gives private investors incentives to invest.
Promote Fair Competition
By promoting competition in all sectors, the regulator ensures that innovative and cost- efficient services will be provided by a diversity of entities.
Manage Scarce Resources Efficiently
The regulator should develop spectrum management policies that permit open entry and competition, allow maximum flexibility, encourage technical efficiency and innovation, and facilitate seamless networks.
Promote the Public Interest Where the Market May Not
The regulator has a role to play when market forces alone may not best further the public interest. The regulator should ensure that universal service mechanisms are transparent, efficient, and competitively neutral. Furthermore, it is often up to the regulator to ensure that telecommunications services are available to the disabled community, and that networks serve public health and safety, and do no harm to the physical environment. While encouraging the private sector to take the lead, the regulator must also ensure that networks are reliable and interoperable.