The Cloud – Heaven or Hell? – Part 2

Yesterday’s blog opened my contrarian view on the Cloud. To be fair, there are instances where the Cloud makes sense. There are many different ways to participate in the computing continuum of the Cloud and many of them are heavenly. Perhaps you enjoy the freedom from Microsoft-Office via Google Apps or smile from the near effortless on-line backup services provided by the Cloud. But, once you look at the enterprise level and contemplate the full impact of the implications of a full embrace of what is being pitched, you may realize that Cloud nirvana is anything but.

Today, a company’s data is the king or queen of the corporate kingdom. The Cloud may “talk” a good story about corporate data, but the corresponding contractual “walk” is as etheral as the wisps of a cirrus cloud. For all of its prospective luster, there are significant issues that buyers must be aware of to avoid an “eyes wide shut” disaster. These issues condense around two distinct risks. The first relates to litigation, specifically litigation-related preservation (a.k.a the “litigation hold”), and the second to data-breach related issues.

The Litigation Hold

It is ultimately not surprising that the merits-of-the-Cloud discussions do not cover the “arcane” topic of a litigation-hold, i.e. the preservation of potentially case-relevant data. This topic is arcane because a litigation hold is on the mind of very few IT personnel, let alone those C-level folks who should care. Certainly any CIO or IT manager, one who has had a litigation-hold go badly, only wishes in retrospect that they had more foresight into the dangers of a poorly managed litigation hold.
To some, what a “litigation hold” means in a Cloud environment is anyone’s guess. In truth, there is no guessing – the entity providing the Cloud-based service will have no liability in a litigation hold. If you have any doubts, simply review the limits of liability in a Cloud-related contract. Do you think any 3rd party Cloud entity is going to accept the contractual responsibility of a litigation hold and its potential sanctions? You will be in a relative sea of flames in corporate purgatory should your contract reveal its shortcomings in a failed litigation-hold scenario.

The Data Breach

Just like the liability arising from a failed litigation hold, today’s Cloud providers are not in the position to represent or warrant against a data breach, let alone backstop the resulting liability. Let’s say you are a large health-care servicer, an entity handling hundreds of thousands of HIPAA records and these records are hosted by a Cloud provider. Who has ultimate responsibility if a breach occurs? More importantly, who backstops the full range of liabilities that arise from such a breach? I can more or less guarantee you that the Cloud provider will not be liable in such situations and your enterprise will be left holding the proverbial bag. Nothing says “career ending move” like being the signatory on a Cloud contract that costs the organization hundreds of thousands of dollars in data-breach penalties, turning the illusory heavenly Cloud experience into one from Dante’s inferno.
I am sure there will be some interesting case law on these various issues. I admire those who boldly venture into the Cloud, because it will be from their costly mistakes that the rest of us ultimately benefit.