Law Office of
Richard P. Goldberg
Washington, D.C.
Flying Instruments-Only: Navigating the Legal and Security Issues in Cloud Computing


Presentation delivered at IBM's Cloud & SOA Conference,
"A Smarter and Secure Planet," March 23, 2010

      As cloud computing becomes more prevalent, security is losing ground to marketing. Cloud computing may be the future, but with it come serious, non-obvious security, privacy, and legal problems. And in the rush to adopt and adapt, it seems that CEOs (and a disturbing number of CIOs) don't know what these issues are; marketing people don't care; information security people have a good handle on most of the security issues, though they don't yet know how to fix them; and nobody is talking about the legal issues. These legal issues can create security vulnerabilities, and the security issues can create legal vulnerabilities. It's a mess.

      Although there is disagreement about what constitutes true "cloud" computing, and there are legitimate gray areas, these distinctions do not matter. The things that are cloud computing, and the things that just look like cloud computing, are all subject to the same basic risks, which stem from a combination of two essential characteristics of cloud computing: (1) multitenancy; and (2) third-party access and control. This is a potentially dangerous combination.

      While many organizations see cloud computing as a seemingly simple, low-cost alternative for storing, protecting, and providing access to their most important information, the security concerns created by applying otherwise conventional legal constructs are largely being ignored. This talk addresses the following questions, among others: What legal risks are created when your data is located "elsewhere"—and you don't know more than that? What are the implications for cloud computing of federal, state, or international data-privacy laws and regulations? What happens when traditional legal maneuvers meet cloud computing? Can you do everything right and still create unreasonable risks to your organization? Who will be responsible if—or, more likely, when—something goes wrong? What precautions can you take to solve these problems? And will that be enough?

      This talk is a discussion of both the straightforward and less-obvious legal risks companies face when storing data in the cloud, designing cloud architecture, or providing cloud services. It explores the legal ways in which data can fall into the wrong hands, adherence to existing privacy policies and privacy laws, risks that can be mitigated and those that cannot, legal responsibility for failures and data breaches, and potential legal precautions—and whether any of that will be enough. The talk focuses on real-world problems, like the effects of search warrants and subpoenas, what provisions are buried in cloud provider agreements, and solutions, if any. Attendees should leave with a greater understanding of the relevant issues, legal risks, and potential solutions, as well as which problems do not have solutions, so they can make informed business decisions, whether they are creating or migrating to cloud infrastructure.

      The slides can be downloaded here. More information about the rest of the conference is available here.


      Attorney Advertising: This material has been prepared for general informational purposes only and is not intended as legal advice.