August 31, 2013

A Board’s Legal Obligations for the Cloud: You Have to Carry an Umbrella

John P. Tomaszewski

Every day the news produces yet more articles on the vulnerability of businesses to cyberattacks. A recent Google search returned over 16,000 entries for news articles discussing how cyberspace is the new vector for attacking a company. Information security and privacy concerns are consequently some of the most heavily reported issues in the media today. With this level of coverage and reporting, what pressure is there on a company and its board of directors to mitigate the risks associated with cyberattacks? Can officers and directors of companies continue to relegate information security and data protection to the back burner? Or is data protection becoming as much an immediate responsibility of a board as financial reporting?

The above questions matter because, in the modern era of process efficiencies, business improvement, and information management, businesses frequently turn to outsourcing as a means to increase efficiency, decrease costs, and improve the bottom line. The natural evolution of outsourcing has created what has been called the “cloud computing” revolution. This raises the question of where legal risks arise with regard to a business’s use of cloud services, or for that matter any outsourced services. Whether it is a cloud-based service or a more traditional outsourced arrangement, many businesses simply start using the services and worry about the risk later. I would offer that this is a risky proposition, as there are a number of fundamental legal and reputational risks which arise when using any type of outsourcer. These risks become even more immediate and obvious when using cloud services. Outsourcing business processes to the “cloud” can create fiduciary risks for corporate boards that ignore their responsibility to properly oversee the outsourced operations. 

Cloud Services 

So, what is a “cloud service”? According to the official National Institute of Standards and Technology (NIST) definition, "cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." Unfortunately, this definition does not help us truly understand the idiosyncrasies of cloud computing. This is partially intentional: the definition is written to cover a number of different provisioning models. NIST itself lists four deployment models (public, private, community, and hybrid clouds); for the purposes of this discussion, the important distinction is between a public cloud, a private cloud, and a hybrid of the two. 

A public cloud is where the services are generally open to anyone who wishes to use them. The service provider does not impose any limitations on who can participate within the cloud infrastructure. This is also the most complex cloud space as it has the highest number of layers in the services “stack.” 

By the “cloud stack,” I am referring to the different layers of service which can be offered by different providers. More specifically, a user engages with a portal (layer one), which opens a piece of software (layer two), operating on a platform which has multiple applications and functions (layer three). Any of the above layers can leverage storage (layer four) from anywhere, which runs on top of an infrastructure base (layer five). This specific example includes five separate layers in the stack: portal, software, platform, storage, and infrastructure. This layering is illustrative; NIST describes the same idea more compactly as three service models, software, platform, and infrastructure as a service. The point is the same either way: at each of these layers there may be a different service provider, and the end user may be contracting with, and aware of, only the one at the top. 

In the event that the services are fungible, or provided in real time, the end user may not even know which service provider he or she is using, because the service providers change depending on which one has the most capacity available to provide the service. This leads to the additional challenge of the company not knowing where its data is at any given point in time. In fact, a company’s data may be mirrored across multiple sites in multiple geographies to take advantage of economies of scale and processing, a fact that matters both for laws restricting where data may be stored or transferred and for anyone who must later determine which copies of the data were affected by an incident. 

A private cloud is less complex, but can include the same number of participants in the stack. The primary difference between a public cloud and a private cloud is that the private cloud restricts the number of participating entities. The end users are limited, and the service providers are limited. As a consequence, there is a higher level of understanding with regard to all the participants in the ecosystem, and with increased understanding, increased control can be imposed. One sees private cloud infrastructures used where the data being managed is highly valuable or sensitive (e.g., government, banking, healthcare, and national security). 

One of the trade-offs between public and private cloud delivery models is cost. Public clouds require less time, energy, and effort for an end user to get up and running. Private clouds, however, require more planning and thoughtfulness. As a consequence, deployment is slower and deployment cost is higher. 

These are not the only two ways of deploying cloud services. Due to the flexibility of the ecosystem, one can mix and match deployment models depending on one’s needs. Not all data requires the same level of protection and control. This is true for any company, and it may therefore be more effective and efficient to match the service delivery model to the sensitivity of the data flowing through it. 

Because using “cloud services” is rather an ambiguous concept, I will be focusing on the legal risks which will arise regardless of the service delivery model deployed by the cloud services provider (i.e., public, private, or hybrid clouds). These are fundamental questions which need to be answered in determining what the risk profile is of a business using cloud services. 

Source of Director Liability 

While many approach the risks associated with using cloud services from a purely regulatory perspective, I would offer that there are more fundamental sources of liability in using cloud services beyond violating a particular regulation or statute. In California, for example, every officer or director has a statutory duty to exercise what is known as “due care.” Specifically, the California Corporations Code (Cal. Corp. Code § 309(a)) requires that a director perform his or her duties in good faith and in a manner that he or she believes to be in the best interests of the corporation and its shareholders. The director is also obligated to perform these duties with such care, including reasonable inquiry, as an ordinarily prudent person in a like position would use under similar circumstances. While seemingly broad and innocuous, this obligation of due care becomes much more real when a business is outsourcing many of its critical functions to cloud providers. 

The fiduciary duty of care requires a board of directors to make sure that management implements the systems and controls necessary to be aware of risks to the business, and to address those risks in a reasonable manner. Now, this does not require every single risk to a business to be overseen by the board. However, significant risks to a company’s operations or stock price do require at least board awareness, if not direct oversight. One of the more obvious examples of this requirement occurred in 1996. In In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), the court discussed this duty of care and described the circumstances in which liability can arise from an “. . . [u]nconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.” While the court recognized that the duty of care is usually fulfilled under the business judgment rule, that does not foreclose board or management decisions from judicial review in toto. Specifically, the court stated that “. . . while this is . . . [p]ossibly the most difficult theory in corporation law upon which the plaintiff might hope to win a judgment . . . a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that a failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.” In short, there is an affirmative obligation on the part of management and the board to make sure that adequate controls are in place to avoid significant risk to the business. 

A later case in Arizona, Baca v. Crown, 2010 U.S. Dist. LEXIS 84724 (D. Ariz. Jan. 8, 2010), applied this obligation beyond a mere failure to implement a reporting or information system or controls. The court in Baca also required management and the board to consciously and consistently monitor the operation of those controls. This second prong, conscious failure to monitor a control once it exists, is the formulation the Delaware Supreme Court adopted in Stone v. Ritter, 911 A.2d 362 (Del. 2006). Therefore, if a board or management has implemented such a system or control, as Caremark requires, and then consciously fails to monitor or oversee its operation, thus disabling itself from being informed of risks or problems requiring the board’s or management’s attention, liability may attach. Interestingly enough, this description of “duties” tracks very closely to best practices in the security domain: it is not enough to design and deploy controls, someone must also watch what they report and act on it. 

All of this, of course, raises the question of where the risk in using a cloud service provider arises. Quite simply, the fundamental source of risk in using any service provider (whether cloud or otherwise) is a business’s loss of control over its operations. In the information age, this is a much more prevalent risk because the nature of most businesses is the use and monetization of data. If a business is outsourcing its data management practices, it is effectively outsourcing its core critical business processes to a third party. Thus the business has ceded some level of control over all of its core business practices. Needless to say, this is a significant risk to the company. Such a risk should easily trigger a board’s fiduciary duty of care. 

Still, boards of directors and executive management are given wide leeway under the business judgment rule in how they manage daily operations. As was noted earlier, the courts are loath to impose liability, or to “step into the shoes of” management in determining whether or not sufficient care is exercised in managing the day-to-day operations of the business. Consequently, it becomes important to understand where the standard of care arises that might trigger the fiduciary duty to engage in activities supporting that standard. A good source for a given standard of care can be found in the rules and regulations governing a particular industry. Not all industries require the same standard of care. However, all businesses require some standard of care. The wholesale delegation of core business practices and assets to third parties with no oversight and no plan around security or business continuity could hardly be seen as a fulfillment of a fiduciary duty adhering to any standard of care. 

Additionally, businesses that outsource core practices may end up being vicariously liable to third parties based on the actions of their cloud service provider. Under agency law, a principal is liable for the acts of his or her agent where the agent is performing activities within the scope of the agency. Unlike the risk described above, which runs between the board of directors, management, and the company’s shareholders, this point of liability arises when a third party’s rights are violated. Again, we see the risk of ceding control of business operations to a third party. In the event a cloud services provider violates a third party’s rights (e.g., by misusing personal information, suffering a security breach, or directly violating an applicable statute), the cloud service provider’s “bad acts” may well impute liability to the business using that provider. Of course, such liability would also damage the value of the business, thus triggering the fiduciary duty of due care discussed above. 

Depending on which function the service provider is used for, a different regulatory requirement may apply. For example, employee background checks, address verification, storage of credit card data, shopping cart checkout services, warranty management on automobiles, payroll, employee training, off-line marketing, online marketing, telephone marketing, and tracking of online behavior all have statutes and regulations governing them. In California alone, there are over 40 privacy-related laws governing activities which businesses can outsource, but for which the businesses remain liable in the event of a violation of the statute. 

There are also federal laws and regulations depending on which regulated industry (e.g., telecommunications, banking, or healthcare) a business participates in. Further, if the business is publicly traded, Sarbanes-Oxley requirements will apply. That regulatory regime imposes particular obligations on any business that wants to outsource any component of its financial reporting. 

Obviously, the regulatory environment imposed upon businesses is far ranging and complicated. Add to the equation the variable of loss of control, and you end up with even more uncertainty. Compounding that uncertainty is the service delivery model. As noted above, in some instances the business does not even know the location or the processing center which is being used to manage its corporate function. Even if it did have this information, processing and storage locations change depending on which elements of the infrastructure have available resources. This is an intrinsic feature of any modern outsourcing service that uses the cloud, enabling reductions in expense, increases in efficiency, and faster scaling, all of which are excellent business reasons to use such outsourcing for core business processes. 

Conclusion: Overseeing Outsourcing to the Cloud 

Fortunately, most of the regulatory regimes under which businesses operate contemplate the concept of outsourcing. All businesses need to engage in due diligence with regard to any of their vendors. In the information age, this means an understanding of how your service providers are going to deal with data segregation, recoverability, and reliability. These are not new concepts. What can become more challenging are the requirements around auditability and the challenges around terminating a vendor. The very features that make the cloud attractive also make auditing challenging. Auditing an environment which is highly volatile and can change rapidly due to the needs of the network, or the needs of the business, does not lend itself to traditional modes of auditing: one is never quite sure where to go to perform the audit. In practice, this gap is usually filled by contractual audit rights and by third-party attestation reports on the provider’s controls, which a business should obtain and actually read rather than treat as a formality. Similarly, terminating the relationship with a vendor when you are not sure of the location or processing of your data could result in challenges in recovering that data from the vendor, and in confirming that the vendor has actually deleted it. Finally, the tactical logistics of dealing with multiple vendors, some of which you may not know (because they are processors within the cloud stack of your cloud service provider), require a skill set and technology tools that most businesses have neither thought about nor implemented. 

None of this is to say that cloud computing should not be used as a means of driving efficiencies and business. Rather, the use of cloud computing as an outsourcing platform requires a level of business discipline regarding due diligence and ongoing vendor management which historically has not been seen in many small to medium enterprises. Unfortunately, between a director’s duty of care and the myriad data protection laws at both the state and federal level, failure to engage in this kind of vendor management may subject not just the business to unwanted liability, but also individual directors and management. 

In conclusion, businesses that decide to use the cloud, regardless of the delivery platform, should engage the board in the decision-making process, allowing the board to establish systems for evaluating and addressing the risks that arise when business operations are outsourced to cloud vendors. Most of the risks identified above can be effectively mitigated, but only if the business and its counsel know that those risks are present. A board that fails to oversee the process and ensure that an appropriate risk assessment occurs in advance runs the risk of liability when problems subsequently arise. Soliciting input from attorneys who understand not only the business’s traditional operational risks, but also the unique risks associated with use of the cloud for outsourcing, will be an essential part of that process.

John P. Tomaszewski

John P. Tomaszewski is senior counsel at Seyfarth Shaw in San Francisco.