Presented at the 2013 Pennsylvania Bar Institute as an edition in an annual series on legal concerns around cloud computing. This one covers how technology overlaps and where the risk needs to be managed in between systems.
Managing the Legal Concerns of Cloud Computing
1. Amy Larrimore, The Empire Builders Group
Kathryn Legge, Esq., Griesing Law, LLC
2. Kathryn Legge, Esq.
Kate Legge was part of the founding team of Griesing Law, LLC. Prior to working at Griesing Law, Kate worked at two AmLaw 100 law firms. She successfully represents both public and closely held companies, locally and nationwide, in complex commercial litigation, business counseling, intellectual property and new media matters, including trade secret, copyright, unfair competition and trademark-related disputes. Kate has represented multiple clients in high stakes litigation on a range of legal issues and helps both large and small companies protect their valuable intellectual property.
Amy Larrimore
Amy is the managing partner at The Empire Builders Group, which focuses on empowering business to excel in the strategic growth and operational areas. She specializes in putting the systems, technologies, and business processes in place to help companies succeed. These areas include information systems management, technology management related to compliance and data analysis, development and support of strategic marketing and sales objectives using technology (including CRM selection and deployment).
3. The Franklin Investment Group (FIG) owns and operates a group of companies that puts on conferences and trade shows.
The study highlights the complexities added to the management of cloud computing in a complex technology architecture.
Case Study
4. You are negotiating the wrong things at contract close – SaaS doesn’t negotiate
• Location
• Protections
• Notifications
The cloud represents less RISK even without preferred terms.
Choose Your Battles
5. SaaS forces the user to agree to terms as a point of user experience, not as a construct of contract negotiation.
How could this possibly be an agreement in good faith?
The Myth of Opt In
6. The risk management challenge is centered in the fact that many different terms of service comprise one workable technology “system”.
If it was only one…
8. Where exactly is our website?
• There are no international rules governing cloud-related concerns.
• The EU Data Protection Directive provides that transfer of personal data may be made only to member states and to jurisdictions with adequate data security standards.
• The US is NOT currently deemed to have adequate data security standards.
9. Jurisdiction
• Courts are willing to recognize personal jurisdiction based on location of cloud computing services.
Forward Foods LLC v Next Proteins, Inc., 2008 BL 238516 (N.Y. Sup. 2008)
• In some jurisdictions when weighing convenience of a forum, physical recordkeeping takes precedence.
Gemalto S.A. v. HTC Corp., 2011 U.S. Dist. LEXIS 133612 (E.D. Tex. Nov. 18, 2011)
• Compliance department requires instruction on these issues.
Which applies to the FIG Architecture?
10. A well done user experience (UI or UX) should seamlessly hide the transfer between systems.
How could a user possibly know which terms of service apply?
The Myth of Opt In
13. A well done user experience (UI or UX) could simultaneously show content from many systems.
How could a user possibly know which terms of service apply?
The Myth of Opt In
15. Privacy, 4th Amendment and Stored Communications Act
• Courts are moving in a more protective direction when it comes to the Fourth Amendment and electronically-stored information.
• Privacy rights in electronically-stored information are not lost solely because that data is stored in a medium owned by another.
• The SCA provides a potential loophole in most jurisdictions that may allow the government to issue a subpoena not just for past emails in the possession of the service provider but also future emails.
17. Data Breach
• Most courts find that a data breach without subsequent identity theft resulting in pecuniary loss is not sufficient to confer standing.
In re Sony Gaming Networks and Customer Data Sec. Breach Litig., No. 11md2258, 2012 U.S. Dist. LEXIS 14691 (S.D. Cal. Oct. 11, 2012); Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011); Resnick v. AvMed Inc., 693 F.3d 1317 (11th Cir. 2012)
• Where there is actual evidence of identity theft or use of any compromised information, the case is more likely to survive dismissal.
18. Protection of Trade Secrets
• CFAA: Computer Fraud and Abuse Act
• What is unauthorized access?
• Employees, Third Party Providers, Social Media
• Importance of policy vs. hardware controls
U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012)
• Social media
• Use or Excessive Use
• Social Media Policy
19. Issues in E-Discovery
• Parties that store third party data should not expect to be shielded from discovery rules
Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 2007)
• FRCP require production based on “possession, custody or control”
• If responding party has the ability to obtain data, it may be compelled to do so
• Discoverable information is still protected by privilege, wherever it exists
Tomlinson v. El Paso Corp., 245 F.R.D. 474 (D. Colo. 2007)
20. Best Practice Recommendations
• Use experts to help put in good practices – we are finding that most exposures are easily preventable
• Legal should request a technology architecture, data flow and labor access points from the technology group
• Technologists should request executive summaries on legal risk around the project
• Legal should choose their battles, knowing that lack of action is critically risky