If you represent clients in business transactions and/or intellectual property matters, you know that agreements to purchase hosted, managed or "cloud" computing services are becoming very common in today's business world. More and more companies (and law firms for that matter) are outsourcing all or a portion of their information technology (IT) functions to third parties.
The upside of cloud-based IT is well known: Companies can often save significant money and management time because they don't need to maintain as much IT infrastructure (hardware, software and personnel) in-house.
Lawyers advising clients in this area need to focus clients not only on the business deal (fees, the services provided, risk allocation, etc.), but also on the often complicated operational issues that can give rise to intellectual property concerns (both directly and indirectly).
What follows is a description of some of the more common IP issues that arise in cloud deals.
By definition, cloud computing raises confidentiality issues because your client's data, documents and proprietary information/trade secrets will be in the hands of a third party.
Some key questions to ask the service provider include: Will my client's data be stored on dedicated pieces of hardware (i.e., will there be servers or other storage resources devoted just to my client's information?) or will the data be commingled with that of other customers? What types of service provider personnel will have access to my client's data: employees only? Employees and contractors?
Does the service provider bind all employees and contractors to nondisclosure agreements? Will my client's documents and data physically reside at a facility operated by the service provider itself or will they be located at a third-party data center? (Often, the answer is both, because cloud computing companies usually use third-party data centers for backup and redundancy.)
If your client collects data as part of its operations that must be used and stored in compliance with state or federal privacy regulations (e.g., patient information generated by a health care client, credit card information generated by a consumer products client), does the cloud computing service provider have experience with other clients in the relevant industry? Will the arrangement comply with the applicable statutes? Does the service provider make any warranties about assisting with or maintaining such compliance?
If third-party data centers will be used, find out how they are classified in industry parlance, i.e., Tier 1, Tier 2 or Tier 3. These different levels are based on industrywide standards and can be a handy way of determining how secure your client's data is.
Each tier is defined by the data center's infrastructure (e.g., the redundancy of its various telecom and utility services) and its security and access procedures. If your client handles particularly sensitive information, you may want to consider a requirement in the deal documents that all data centers used not be below a certain tier.