How could a legitimate Megaupload customer have avoided getting caught up in this? Thoroughly vetting a cloud provider's background and business practices before using its service would be a good first step in most cases. Additionally, you could ensure that your contract obligates the cloud provider to effectively partition customer data. That way, there's at least a chance that law enforcement could seize a bad guy's data without touching yours.
The cloud also complicates things if your own data is subject to some legal action. If your data is subjected to a subpoena or other legal request for access, you have more direct control in managing its release if you are running in-house IT systems, because there is no one involved but you and the requestor. But if your data is in the cloud and the same situation comes up, the subpoena could be issued directly to the cloud provider and your data could be released without your knowledge.
To reduce the risks that come with this decreased control, it's important to determine in advance what your cloud provider's standard policies are regarding such legal requests. If the cloud provider does have such a policy in place, and it aligns with your needs, then negotiate to have that policy codified in the contract.
Your contract should also specify what the provider needs to do if any of your data becomes the subject of a subpoena or other legal or governmental request for access. For example, the contract should state that the cloud provider should:
- Notify you as soon as it receives any subpoena or legal request, ideally before it provides access to any of your data. (Be aware, though, that this may not always be possible in situations where the Patriot Act comes into play.)
- Cooperate with your efforts to avoid, limit or otherwise appropriately manage the release of your data.
- Limit any release of your data to the maximum extent legally possible.
- Provide you with a copy of any response it makes to any subpoena or legal request involving access to your data.
If you're interested in learning more about cloud computing risk mitigation via contract negotiation and vendor management, then please save the date for July 16-17, 2012, when I'll again be presenting my UCLA seminar Contracting for Cloud Computing Services.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.
Read more about cloud computing in Computerworld's Cloud Computing Topic Center.