Technology and law are two things that can never seem to get on the same page. Technology moves at such a rapid pace that the law can never seem to catch up. Now, mix in the advent of cloud storage and the complexities begin to mount. Cloud storage has spawned a global phenomenon where your client’s data can be housed anywhere in the world. Without even knowing it, your client’s data stored in the cloud can be subject to local, national, and even international laws.
Having a number of law firms as clients, I have been privy to some pertinent information regarding cloud and jurisdiction. There are ways to tip the legal scale to your benefit, but as with anything, it starts with asking the right questions of your cloud service provider. If you never ask, you will never know.
Finding out the answers to the following questions will give you a clear view on your cloud provider and how jurisdiction may affect your clients:
- What is the content of the cloud data? Depending on the nature of the data that you are storing, there could be a legal obligation that takes precedence and immediately forces your cloud data to be part of your local jurisdiction. Two industries where this applies are healthcare and finance. These industries are heavily regulated and it is your job to make sure that the cloud provider that you use can comply with the regulations in place.
- Are there any mutual legal assistance treaties (MLATs) in place? An MLAT is an agreement between two countries that creates international legal obligations to assist each other in prosecutions. Depending on the location of the physical servers where you are storing your client’s data, that country may be legally obligated to hand over data if requested.
- In which country is the cloud provider based? The location of the headquarters of the cloud provider can play an even bigger role than where their servers are located. In the United States there is an ongoing battle between a major corporation and the U.S. Government. The issue is that the government has requested specific data stored in the cloud provider’s data center on servers located in Ireland. Handing over this data would cause the cloud provider to violate the data privacy laws in Ireland, while not providing it would put them in contempt of a U.S. court ruling.
- How many data centers are there and where are they? Cloud providers tend to replicate data across multiple data centers in different geographical locations. If your provider is offering this “feature” you are potentially exposing yourself to multiple jurisdictions, each with their own set of laws.
- What happens if there is a data breach? If there were to be a data breach, what law applies? Would it be the law where the customer, cloud provider or server is located? The standard practice in the U.S. is to notify all customers of a data breach. If your cloud provider is located elsewhere, are they legally obligated to notify you?
Being in technology, we accept the fact that there are inherent risks that cannot be avoided. But you have the ability to mitigate some of them to the benefit of your clients. Jurisdiction as it pertains to cloud computing is still “cloudy” to say the least, but by asking the right questions you can get a clearer picture. Data that may be secure in one jurisdiction may not be secure in another. Always be aware of your client’s individual needs from a cloud provider, but also be mindful of the local laws that still govern them, even while utilizing cloud providers.
Originally published on Business Solutions Magazine