The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

The Cloud Computing Act of 2012 is Introduced

Leave a comment

Senator Amy Klobuchar [D-MN] introduced on September 19 a bill, S.3569, the “Cloud Computing Act of 2012”, which is “[a]bill to improve the enforcement of criminal and civil law with respect to cloud computing, and for other purposes.” Senator John Hoeven [R-ND] co-sponsored the bill, which has been referred to the Committee on Commerce, Science, and Transportation.
The Act would amend the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, which incriminates access to computers without authorization or by exceeding authorized access, to obtain information considered to be protected data, or anything of value. It also incriminates transmitting a program, information, code, or command, which, as result causes damage to a protected computer.
Defining Cloud Computing
The Cloud Computing Act would make each instance of unauthorized access a separate offense when the protected computer is part of a cloud computing service.  The Act defines ‘cloud computing service’ as:
a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by he provider.”
Isn’t the life of a cloud computing service customer great? The service is “convenient”, the access “on-demand” and all of this service involves “minimal management effort.” Where do I sign? I am writing this only half in jest, but if I would ever represent a cloud computing service company sued under the Cloud Computing Act of 2012, I would make sure that the judge is convinced that my client runs an inconvenient service, whose access is spotty at best, and involves great management effort.
Defining what is cloud computing in a somewhat more neutral way is apparently a difficult exercise, and the author of the bill probably took inspiration from the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, which defined cloud computing in a paper published last May as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
How the Act Would Calculate Damages
Violating the CFAA is punishable under 18 USC § 1030(c)(2) (B) (iii) by a fine or imprisonment for not more than 5 years, or both, if the value of the information obtained exceeds $5,000. Under the Cloud Computing Act, the value of the loss of the use of a protected computer that is part of a cloud computing service, the value of the information obtained, and the value of the aggregated loss would be the greater of either the value of the loss of use, information, or aggregated loss to one or more persons, or the product of multiplying the number of cloud computing accounts accessed by $500.
Therefore, if the number of cloud computing accounts is at least 11, plaintiffs could prove the value of their losses met the threshold for punishment under the CFAA. This is welcome, as plaintiffs often fail to prove that they have suffered more than $5,000 in damages.
For instance, in In re Doubleclick Inc. Privacy Litigation (S.D.N.Y. 2001) plaintiffs claimed, inter alia, that by placing cookies on their computers, DoubleClick had violated the CFAA. Defendant did not contend that plaintiffs’ computers were not “protected" under the CFAA, nor that their  access was unauthorized, but rather argued that their losses did not meet the $5,000 threshold set by the CFAA. Plaintiffs had claimed invasion of privacy, trespass to their personal property, and misappropriation of confidential data, but failed to prove that this represented a loss of more than $5,000.
Promoting Interoperability with Foreign Laws
The Act would also suggests that there should be work at the international level, including consultations between the United States and the European Union, in order to ensure that the Act is interoperability with foreign laws. This is certainly welcome, as data in the cloud often resides on servers located in foreign jurisdictions.
It would also direct the Secretary of State to conduct each year, for four years, a study on international cooperation regarding data privacy, retention, and security. The study would include recommendations for best practices.
Advertisements

Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual English-French, and writes articles regularly in these two languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked several years in the fashion retail industry, as a buyer then a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s