 |
| Image courtesy of lennysan |
Litigation issues are often not given the consideration they deserve when negotiating the terms of cloud service provider agreements. Perhaps this is because negotiation is often undertaken by commercial managers and technical staff to the exclusion of the legal team, or because no-one likes to think they'll end up in litigation. Even when the legal team is involved, the focus tends to be on regulatory compliance, privacy and data security issues, rather than dispute resolution or litigation.
The recent introduction of civil dispute legislation at the Federal level (the Civil Dispute Resolution Act 2011 (Cth)) and Victoria (Civil Procedure Act 2010 (Vic)) - with similar legislation expected to be introduced in other Australian jurisdictions - provides a timely reminder of the importance of considering the impact that storing data in a cloud might have on any litigation in which the owner of the data is involved.
The legislation aims to encourage the early resolution of disputes and, to that end, the early identification of the real issues in dispute.
At the Federal level, the Civil Dispute Resolution Act obliges an applicant to inform the Court (via the filing of a 'genuine steps statement' when proceedings are issued) of the steps taken to resolve the dispute. The Act provides, as an example of what might constitute a 'genuine step', the provision of documents to the other person to enable them to understand the issues involved and how the dispute might be resolved.
In Victoria, the Civil Procedure Act applies when proceedings are on foot, and obliges parties to a proceeding to comply with certain 'overarching obligations', including an obligation to disclose critical documents at the earliest reasonable time after the relevant party becomes aware of their existence.
What this means, on a practical level, is that a litigant needs to ensure that it has ready access to its documents, including those stored in the cloud: being able to access and retrieve data quickly and in an admissible form will best position a party to pursue, or defend, any claim, as well as meet any disclosure or discovery obligations it needs to meet should litigation ensue.
Of course, quick access to documents is generally desirable should a person be involved in litigation, irrespective of the application of the recent legislation. For example, notices to produce might be issued on short notice, or a party might be involved in litigation with an expedited timetable so that discovery might need to be completed within a short timeframe. If documents are stored in the cloud, the party's ability to comply at short notice might be impeded, absent any contractual 'safeguards' with the cloud service provider.
Cloud computing arrangements, while various in nature, typically involve the cloud service provider receiving, processing, holding and storing client data at a location separate from the client (and sometimes overseas). As the client generally does not have possession of the data or documents (but does have 'control' of the data or documents in the sense of a legally enforceable right to call for production), several key issues arise when litigation looms, including data access, retrieval and integrity. These issues need to be carefully considered at the time of negotiating a cloud service provider agreement.
Data access and retrieval
The timely retrieval of data will be pivotal in determining a client's ability to pursue or defend any litigation, or comply with any subpoenas to produce (failing which the client will be in contempt of court).
For this reason, provider agreements should expressly address service levels, data availability and turnaround times for requests for access to or the return of data. As soon as proceedings are issued, the client should think about what data might need to be reviewed (and retrieved), and make an early request from the cloud service provider for the retrieval of the data. Enquiries should also be made of the cloud service provider before agreeing to any discovery timetable as this will be relevant to the client's ability to comply with any timetable set by a court. If possible, a contractual indemnity should be obtained from the service provider, so that it is obliged to indemnify its client in respect of any loss occasioned as a result of delays (such as costs associated with a court hearing in relation to non-compliance with a discovery timetable).
Integrity
A client might wish to ensure that its data is stored separately from that of others (eg, if privacy or confidentiality issues are of concern), and that only designated people or groups have access to the data. The issue of ownership might be particularly important if the cloud service provider becomes insolvent.
Contractual protections should also include prohibitions against altering or modifying the data (other than as agreed), as this might raise questions about ownership (including of intellectual property rights) in relation to the modified version of data and, importantly, the integrity and therefore admissibility of the data should the client become involved in litigation and the data is required to be produced to the court or tendered in evidence.
In this regard, whilst the Uniform Evidence Acts contain provisions directed towards facilitating the admissibility of electronic data or documents, it might be prudent to impose a contractual obligation on the cloud service provider to provide all necessary assistance in relation to legal proceedings in which the client is involved, including an obligation to provide evidence as to the manner in which the data has been stored and retrieved should data integrity become an issue on a challenge to admissibility.
Other matters
Cloud service provider agreements should also address the client's rights and obligations in the event that the agreement is terminated by either party, where the agreement naturally comes to an end, or where the cloud provider becomes insolvent.
The location of the data and the cloud provider are also very important. A client should be mindful of the potential application of foreign laws, for example the application of foreign insolvency laws on the insolvency of the cloud service provider, or the application of general laws of the jurisdiction entitling a third party to access data within its jurisdiction (eg, the USA PATRIOT Act).
Other jurisdictional issues relate to the proper law of the service agreement; the service of proceedings should the client wish to issue proceedings against the cloud service provider for breach of the service agreement; and the enforcement of any judgment in the client's favour should it succeed in any proceedings.
Some more general issues relating to the use of the cloud are canvassed in AGIMO's paper, 'Negotiating the cloud - legal issues in cloud computing agreements', released earlier this month.
Partner: Paul Kallenbach
0 comments:
Post a Comment