Q&A: cloud computing law in USA

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognized and provided for in your legal system? If so, how?

In the United States, a cloud computing services contract is largely treated, from a legal perspective, like any other service or commercial contract. Accordingly, cloud computing services contracts are, in the main, governed by state (and not federal) law, with some federal overlay based on the subject matter of the specific contract.

The federal laws and statutes that are commonly implicated in cloud-based services contracts include data privacy and security laws specific to financial transaction information, healthcare information and the like. These include:

  • the Gramm-Leach-Bliley Act, which applies to financial services;
  • the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which apply to protected health information;
  • the Family Educational Rights and Privacy Act (FERPA), which applies to educational institutions and their vendors; and
  • federal and state laws and regulations that apply generally to third-party service providers in given industries, such as:
    • third-party risk guidance for the financial services industry from the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Financial Industry Regulatory Authority (FINRA), the New York State Department of Financial Services (NYDFS), and other regulatory agencies; and
    • FERPA, which in addition to governing data privacy, also governs the scope of permitted outsourcing in higher education.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Not specifically, no.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

There are numerous federal and state laws and regulations that may indirectly impact the use of cloud computing applications and use cases. For example, there is a patchwork of federal and state privacy laws that may impact the application of cloud computing. At the federal level, the Gramm-Leach-Bliley Act, which applies to financial services, HIPAA and the HITECH Act, which apply to protected health information, and FERPA, which applies to educational institutions and their vendors, along with their implementing regulations, are the most frequently implicated.

Data security and protection requirements at the state level vary significantly, with breach notification laws in all 50 states and some of the more protective privacy regimes existing under the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, the New York SHIELD Act, the Colorado Privacy Act and the NYDFS cybersecurity regulations.

Finally, US customers with international operations remain subject to international privacy laws like the European Union’s General Data Protection Regulation (GDPR).

In addition to the data privacy regulations, there is third-party risk guidance (from the Federal Reserve, OCC, FINRA, the NYDFS and other regulatory agencies) that may apply to the use of cloud computing in the financial services industry. The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which permits federal authorities to compel US-based companies to provide access to data that may be stored on servers in the United States and in other jurisdictions, will also indirectly impact cloud computing, including the offshore storage of data.

In the public sector, the Department of Defense, General Services Administration and NASA jointly issued the Federal Acquisition Regulation (FAR) for use by executive agencies in acquiring goods and services, part 39 of which describes the terms of acquisition of IT, including cloud computing.

The procurement of goods and services by state and local governmental bodies is governed by the procurement laws of the state in question, and, for some municipalities, by applicable municipal codes, some of which may indirectly impact the use and acquisition of cloud computing, especially as the code relates to offshore services.

Breach of laws

What are the consequences for breaching the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

There are generally no laws directly applicable to cloud computing. With regard to those laws that may indirectly impact the use of cloud computing, a breach of such laws can result in a variety of consequences. In many cases, violations of these laws result in fines and penalties, and some entities may be subject to enforcement actions resulting in consent orders or other settlements. In a few instances, there may be private rights of action related to breaches of these laws.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

There are generally not any consumer laws that are directly applicable to cloud computing. Instead, consumer protection measures are directed at the uses and applications of cloud computing services. For example, in the sales of goods and services to consumers, certain implied warranties will apply and restrictions on exclusions of liability, jurisdiction requirements and other measures may apply.

The sale of goods and services is typically governed by state law, and different states will apply additional consumer protections. At the federal level, there are a number of laws that offer consumer protection measures, including:

  • the Magnuson-Moss Warranty Act;
  • the Federal Trade Act;
  • the Fair Credit Reporting Act;
  • the Gramm-Leach-Bliley Act;
  • the Children’s Online Privacy Protection Act;
  • the Telephone Consumer Protection Act; and
  • the Fair Debt Collection Practices Act.

At the federal level, these laws are typically enforced by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau, but many of these laws also permit private rights of action, enabling consumers to bring direct claims and, in some cases, class actions.

In addition, the data privacy laws and regulations serve as consumer protection measures related to the use and disclosure of personally identifiable information, with enforcement by the FTC at the federal level and by various state entities at the state level.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

Generally, the laws and regulations that impact cloud computing are sector-specific. For example:

  • in the financial services industry, the Gramm-Leach-Bliley Act, third-party risk guidance from the Federal Reserve, OCC, FINRA, and the NYDFS and other regulatory agencies may apply;
  • in the higher education industry, FERPA will govern the scope of permitted outsourcing; and
  • in the healthcare sector, HIPAA and the HITECH Act along with their implementing regulations will be applicable to the protection of health information.

The type of services also may implicate additional laws.

In addition to sector-specific federal laws related to data protection, data security and protection requirements at the state level may apply and vary significantly. Finally, US customers with international operations remain subject to international privacy laws such as the EU’s GDPR.

In the public sector, the DoD, GSA and NASA jointly issue the Federal Acquisition Regulation (FAR) for use by executive agencies in acquiring goods and services, part 39 of which describes the terms of acquisition of IT, including cloud computing.

The procurement of goods and services by state and local governmental bodies is governed by the procurement laws of the state in question, and, for some municipalities, by applicable municipal codes, some of which may indirectly impact the use and acquisition of cloud computing, especially offshore services.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

While we are not aware of any US insolvency laws that apply specifically to cloud computing, there are relevant considerations of general US insolvency law in the cloud computing context.

The enforceability of a license to intellectual property may be impacted by US bankruptcy laws. However, there are provisions in the bankruptcy code (section 365(n)) that can be leveraged to permit a licensee to continue using the services or other IP in the event of licensor/service provider bankruptcy. The provisions in the service arrangement must be specifically drafted to take advantage of these bankruptcy provisions (including a present grant of a license to the service or other IP, including any access to source code pursuant to a source code escrow provision).

Termination clauses that permit a party to terminate a cloud contract for the insolvency of the other party may be frustrated by section 365(e) of the US bankruptcy code.

The ability for a customer to retrieve or remove their data from a cloud provider’s system may be limited or require leave from the bankruptcy trustee if the cloud provider files for bankruptcy. The reverse would also be true if a cloud provider were to try to remove the data of a customer who had filed for bankruptcy from its systems.

If insolvency of either or both parties is a foreseeable concern, these matters can and should be dealt with proactively in the drafting of the contract.
