Outrun the lions: a practical framework for analysis of legal issues in the evolution of cloud computing.

• Author: Rashbaum, Kenneth N.

Every morning in Africa, a gazelle wakes up. It knows it must run faster than the fastest lion or it will be killed. Every morning a lion wakes up. It knows it must outrun the slowest gazelle or it will starve to death. It doesn't matter whether you are a lion or a gazelle. When the sun comes up, you better start running. (1) Introduction

There is something about Cloud Computing that is fundamentally different. But is there a significant difference in the laws that govern it, or do we merely need to look at already established legal principles that govern it in a more holistic way? True, cloud technology has changed the way we interact with each other. We communicate, socialize, work with, sell to, and buy from each other in ways unimaginable a generation ago, due in large measure to the advent of the Internet or, more colloquially, the Cloud. The impact of the Cloud cannot be overstated. For example, most social media are based in Cloud technology. Social media have changed the paradigm of interpersonal communication, to sharing thoughts and activities in ways previously impossible and, not so long ago, impolite; to their uses in organizing movements that have toppled governments, such as in Egypt and other countries during the "Arab Spring"; (2) to securing the assistance of the public for law enforcement to such an extent that the suspects of the Boston Marathon bombings in April 2013, were apprehended within days because the requests for videos and photos that could depict the identities of the suspects--many such images were, in fact, posted on social media--were sent to millions within minutes on social media sites, using Cloud technology. (3)

Indeed, law is fundamentally society's commentary on interaction; it rewards reasonable conduct and punishes unreasonable conduct. But, for the most part, a legislature or court does not comment on a particular type of interaction until it has already occurred and its consequences have played out. Many types of interactions that have sprung from the Information Age are new in degree and sometimes in kind, and so there is often little or no law to guide those interactions. For every advantage Cloud Computing offers--such as cost-efficiency, flexibility and scalability--there are risks associated with legal and regulatory compliance, data control, security, privacy, legal ethics, and determinations of reasonableness of the utilization of Cloud services. Contrary to the belief of many, it is well within our capabilities to analyze these legal quandaries and counsel clients appropriately in the Age of the Cloud--even without established case law or statutes--as long as we know, like the gazelle and the lion, that we have to run to succeed. And like the lion and the gazelle, we must rely on instincts to do so. For lawyers, this means applying established legal principles in new ways.

We live in an age of marvels, but we see them through frames of reference that were constructed over many years and, as a result, we typically do not quite run fast enough to keep up with the pace of technological advances. The digitization of information and the development of the infrastructure to largely decentralize and widely distribute it through the Cloud, have given rise to an age that has changed the way we interact with each other in new ways. Yet, the fact that there may be little or no law regarding some of these new interactions does not mean that there is no guidance on how to conduct oneself. Every time a new kind of technology fundamentally alters our interactions, society has to sort out how to deal with them, and develop laws governing them. Some examples include the advent of the telegraph replacing the pony express, the telephone replacing the telegraph, the rise of locomotives and automobiles, and the widespread use of electrification. Each of these technologies or applications of technology changed how we interacted and the law developed to reward the "right" kinds of interaction and punish the "wrong" kinds.

Accordingly, in order to provide effective counsel and thereby avoid being "eaten" like the gazelles in the African proverb above, in such times of change, lawyers better start running. Where do they start, and how? They can start their analysis at the beginning, of course. How did the laws governing new interactions develop, and how can counselors keep up by providing guidance to those entering the new frontier? Lawyers can, and should, fall back on key principles of the laws of human interaction. For example, when the telegraph was invented, a signal was sent across a wire, and thus could be intercepted along its way. This was a new kind of intrusion that the law had not specifically encountered before. But it did have experience with certain corollaries, such as the theft of a letter in transit in the post, or eavesdropping outside an open window. Thus, by applying the already developed norms for dealing with human interaction, and extrapolating them to the new forms, successful lawyers were able to provide cogent counsel to their clients.

This Article outlines a practical framework for analyzing legal issues potentially arising from ownership, use, and disclosure of data in the Cloud, leveraging existing principles to guide practitioners and the bench in this evolving technology. The framework approach was selected because of two factors: the nascent state of the case law and the evolving nature of Cloud technology. A framework for analysis, then, in which the steps to analyzing a particular legal issue are discussed, was deemed of greater utility than a set of principles, which may become outmoded quickly as the case law develops and technology evolves.

The authors suggest the following framework for analyzing cloud legal issues.

A PRACTICAL FRAMEWORK FOR ANALYSIS OF LEGAL ISSUES IN THE EVOLUTION OF CLOUD COMPUTING

Understanding Cloud Data from an Information Governance Perspective: Considerations for Decisions to Send Data to the Cloud, Get It Back Again and Use It

1. The Character of Cloud Data

   1. Cross-Border Concerns: Storage and Transfer of Cloud Data

   2. U.S. Privacy Considerations

2. Physical Possession: Who Has Control and Access, and How is the Data Controlled/Accessed by the Cloud Customer and Cloud Service Provider (CSP)?

3. Subpoenas, Government Agency Demands and Civil Discovery Requests

   1. Subpoenas Served on the Cloud Customer

   2. Subpoenas Served on the CSP

4. How is Discovery of Cloud Data Obtained?

   1. Can Cloud Data Be Preserved As Required By Law? Information Management, Identification and Preservation, and Legal Holds

   2. Spoliation and Sanctions--Does Data in the Cloud Have an Impact?

   3. How Is the Data Collected from the Cloud? Data Export: Application Programming Interfaces (APIs) and Other Cloud Tools

      1. Searching Cloud Data

      2. Collection and Production of Cloud Data

      3. How Can Cloud Data Be Used As Evidence At Trial? Rule 26(b)(2)(B) and Admissibility Information Collected from the Cloud

   4. Admissibility--Authentication and Other Foundation Issues for Cloud Data

      1. UNDERSTANDING CLOUD DATA FROM AN INFORMATION GOVERNANCE PERSPECTIVE

      Information, especially electronic information, is a vital corporate asset. Its creation, use, maintenance, disclosure, and disposition is at the heart of Information Governance, and Information Governance principles, in turn, dictate what data will be sent to the Cloud and why. (4)

      We use the term Information Governance very purposefully and differentiate it from mere information management. Information management fundamentally encompasses how information is created and flows through an organization. It is concerned mainly with infrastructure, applications and storage. Information Governance, on the other hand, concerns itself with why the information is created, used, and disposed of in the first place. Effective Information Governance requires an analysis by an organization to determine what information it needs to accomplish its objectives, the value of that information, and the period of time it will remain valuable.

      Cloud Computing does not drastically change the principles of information governance, but it does add a layer of complexity. When an organization considers moving some or all of its information to the Cloud, it should consider all aspects of governance related to the collection, use, disclosure, transfer, modification, and disposition of that information, including:

      * Data Creation: Create only information that is of value to the organization when weighed against any associated risk;

      * Data Use: Ensure the availability of the information to those who need it;

      * Data Security and Access: Secure the information from unauthorized access by those who do not need it; and

      * Compliance Issues: Establish mechanisms to satisfy legal or regulatory obligations.

      This may sound like a daunting task--and it does require assembling a consensus of disparate functional stakeholders--but an organization may find moving to a Cloud Computing environment provides an opportunity and incentive to enhance existing information governance policies and practices and to leverage newer technologies that may be available more economically in the Cloud than within a given enterprise. At the most fundamental level, an organization's data is a significant asset and should be managed like other important assets, pursuant to a governance structure, policies, and procedures aligned with the organization's objectives. But, as always, any such benefits should be appropriately weighed against the attendant risks addressed in this article and elsewhere.

      A proper Information Governance structure requires an organization to solicit the perspectives of key functional stakeholders in the organization, including business leaders, legal, risk, compliance, human resources, records management, and IT. Each of these functional stakeholders brings valuable insight into the organization's objectives, duties and risks. The key to a...