SaaS Entrepreneur: The Definitive Guide to Succeeding in Your Cloud Application Business

Legal Issues, SLAs, Taxes and VAT in SaaS

(Disclaimer: The advice and information offered in this chapter is intended to provide a useful guide to complex legal issues surrounding doing business as a SaaS firm. Do not rely upon this chapter for formal legal advice regarding the different issues being discussed. It is not intended as and should not be taken as legal advice. To obtain that, we recommend you contact an attorney who specializes in issues and operations of particular interest to you and your company. The Resource section of this book provides legal contacts experienced in SaaS issues.)

Ambulance Chasing and SaaS (and Cloud)

Ambulance chasing: A derogatory phrase sometimes used to describe the conduct of trial lawyers who specialize in representing accident victims. It typically refers to attorneys soliciting business from accident victims or their families at the scene of an accident or disaster (or immediately thereafter).

That, of course, is ambulance chasing in the traditional sense. In the high-tech world, there’s a much more refined version of ambulance chasing going on. It involves lawyers latching onto a new technological development and scaring the wits out of everyone about the legal hazards that the technology supposedly presents. The subliminal message is this: hire my law firm, and we’ll protect you from the legal dangers of the new technology.

Cloud computing, being the ‘new new thing’ in the tech world, is particularly susceptible to this kind of scare mongering. (No one can actually agree on exactly what Cloud computing is, but that’s another issue.) Put ‘Cloud’ and ‘legal issue’ into a Google search and you will see what we mean.

The Top Three Legal Challenges Facing SaaS Companies

There are three major legal challenges that many lawyers claim the Cloud poses. Let’s attempt to separate fact from fantasy.

The first claim is that the Cloud raises novel data protection/privacy concerns. It is true that whenever data is stored remotely, as it is with SaaS applications, data protection and privacy issues are going to appear. But remote storage of data is hardly something new. In fact, it was becoming the norm long before people were thinking in terms of data clouds.

The irony is that data, both business and personal, is probably safer with a SaaS service provider than it is behind most corporate firewalls. Think about this as an example: for a SaaS company to attract customers, it has to demonstrate that it offers iron-clad protection against data leaks. If there is one publicized failure of that protection, its reputation will be ruined and its business will sink into the toilet. Only infrastructure/cloud companies taking extraordinary measures to safeguard data will thrive. So it is only logical to assume that the best place to store data is with a proven, reliable SaaS service provider. Naturally, customers of Cloud services should demand that strong data protection promises be written into their service contracts. Customers will rightfully insist that the service providers accept full liability for any data breaches. Service providers may resist accepting that liability, but it comes down to a question of which party is in the best position to avoid the risk of data loss: the one supplying the data, or the one storing it? Obviously, the latter.

This issue is presented under a number of guises: data protection, privacy, security and so forth. They all amount to the same thing. Whether the data consists of business trade secrets or personal information, is this information secure? These concerns did not arise with the Cloud, although the Cloud has heightened the risks exponentially by increasing the number of players with data protection responsibilities.

The second claim is that the Cloud creates jurisdictional uncertainty and confusion. In other words, just where is the Cloud located? From a legal perspective, that is not a philosophical question. In the event of a legal dispute between the parties or a legal enforcement action by a public authority, it has to be determined what law will apply and what courts will have decision-making power. The Cloud subscriber may not even know where the data is being stored, and the same data may be stored in multiple locations at the same time. In theory, this could lead to a jurisdictional tug of war.

However, this challenge is more an issue of perception than reality. Any competently written contract between Cloud subscriber and service provider will specify exactly what law and court jurisdiction will apply if legal issues arise. Furthermore, the Cloud service provider can be contractually prohibited from any storage or transfer of data in violation of any state, federal or overseas law (e.g., the EU Data Protection Directive restricting the transfer of the personal information of EU residents). Similar clauses prohibiting exports in violation of legal prohibitions are standard in most tech- and software-related contracts.

A related concern involves what happens when a third party claimant or government enforcer comes armed with a subpoena to seize data in the Cloud. The Cloud service provider may not be as adamant as the data owner in resisting such seizure attempts. Once again, a well-written contract comes to the rescue: the service provider can be required to notify the data owner of any claims on the data and provide the data owner a chance to intervene with any defenses to such claims.

The final claim is that the Cloud poses daunting regulatory hurdles. More to the point, existing regulations have to be interpreted in light of the Cloud. For example, health records are subject to the Health Insurance Portability and Accountability Act (HIPAA). Student records are subject to the Family Educational Rights and Privacy Act (FERPA). Parallel legislation governs release of data relating to private records in the finance, securities and other industries.

But the Cloud did not create these hurdles; it just complicates the task of compliance. The first obvious step for the Cloud customer is to perform thorough due diligence on the Cloud service provider. If you are a SaaS firm, such as Blackboard Inc., offering student-related services, you must be able to demonstrate that you understand and comply with FERPA. Standardization of data protection measures in certain industries, and certifications such as SAS 70 Type II (now SSAE 16), will become methods with which Cloud service providers can distinguish themselves from the competition. In short, the market will provide.

While the law will always struggle to keep up with evolving technology, the Cloud has not resulted in a new legal minefield through which subscribers and service providers must tiptoe in order to avoid being blown to smithereens. There is certainly nothing to justify the emergence of a new breed of ambulance chasers in pursuit of Cloud clients.

Read the rest of this chapter in SaaS Entrepreneur: The Definitive Guide to Succeeding in Your Cloud Application Business