Look at almost anyone’s workstation these days and you’re sure to see their computer connected to a battery backup, or UPS (uninterruptible power supply).  The concept is simple: maintaining continuity directly after an unexpected and unavoidable event.  With a UPS, the idea is that in the event of a power outage, the user would have enough time to save their work and safely power down their system, so once power is restored, they can resume from right where they left off, without having to redo or recreate lost work.  Think of how a similar concept could play out in the context of disaster planning in connection with a Florida condo association’s official records, with these two hypothetical examples:

Example 1: The property manager for our hypothetical association works out of a small room in the security guardhouse on the property.  A hurricane hits and completely destroys the guardhouse, along with all of the documents stored there.  Among the lost documents are all of the association’s official records required by statute.  Among the damaged property is the single computer system that the property manager worked from, along with all of the association’s data.  All of the association’s official records are lost, along with financial information needed to see which homeowners have delinquent assessment balances, vendor contracts, invoices, and much more.  The effects are both devastating and embarrassing.  To the extent possible, the association tries to obtain records from third parties (such as bank statements, etc.) to begin rebuilding what it lost, but it is unlikely that many of the association’s internal records will be recoverable.  Essentially, the association has to start from scratch; something that would severely impair the operations of an established association with outstanding receivables, open contracts, and the like.

Example 2: Same association.  Same property manager.  Same office.  Same hurricane.  This time, however, the association’s records were scanned into electronic files and were backed up in the ‘cloud’ (more on that term later).  Once the hurricane passes and normal association operations resume, the property manager downloads all of the lost records from the association’s online document repository, gets them printed out, and the association is back in business.  All of the data on the property manager’s computer is likewise restored from the online backup, and the association is up and running again, as if nothing had ever happened, in a matter of days.  Sound impossible?  Read on.

What is cloud computing?

Generally, ‘cloud computing’ (sometimes used in conjunction with the term ‘hosting’) is a service where one party entrusts the storage and provision of its data to a third-party provider. In some instances, the data resides on servers controlled, operated and maintained by the third-party provider. In others, the provider itself may outsource some or all of those functions. The core concept with a cloud-based or hosted service is that the end user can simply access its data without having to worry about maintaining the underlying infrastructure.  Hosting comes in several forms, such as storage hosting (like an online disk where users can upload and access their data), and application hosting (where an application is delivered online via a web browser, and the application and the data is stored with the provider).  This latter form of hosting is commonly referred to as Software-as-a-Service (SaaS). There are other forms of hosting as well, including platform and infrastructure hosting, both of which are beyond the scope of this post.  Consumer end user are primarily focused on storage hosting (online disks) and SaaS.

Selecting a hosting provider.

There are many factors to consider in selecting a hosting provider.  Selecting a provider is in many ways like selecting a bank (except you don’t get the added protection of the FDIC). Usually you are trusting critical business assets with the provider, and it is important to select a provider that is financially stable, reliable, and able to deliver the service and support that you need. Service providers should be willing to answer questions about their company’s strength, and provide information about their storage and security practices. Providers should also be willing to allow customers (and potential customers) to tour their facilities, so end users can see exactly where their data will be housed. If you get a bad vibe about a specific provider, ask questions until you are satisfied. If you don’t feel comfortable with a specific candidate, move along.

The hosting agreement.

A hosting agreement (or the terms of service) is the written contract that governs your relationship with the provider. Much like any other agreement, this is where the terms of the relationship are set out. Since many providers offer online sign-up, the hosting agreement may be presented to you online, and the provider may ask you to agree to them before setting up your account. In almost all instances I have seen where sign-up is online, the provider will not process your order unless you acknowledge your agreement to their terms and conditions. Don’t just click “Accept.” Read the terms of service thoroughly and familiarize yourself with them completely. If you don’t agree to something (or something isn’t clear), call or email the provider and see if the terms are negotiable. If not, you may have to go elsewhere. As when entering into any other agreement, consultation with an attorney is strongly encouraged.

Service level agreements.

A service level agreement (SLA) is an agreement pertaining to how often the service will be available to the end user. An SLA is sometimes referred to as an uptime agreement. It may be either a standalone agreement, or incorporated into the hosting agreement. It is important to make sure that the SLA is consistent with the provider’s marketing. For example, make sure that if a provider markets itself as providing 99.99%, 99.999%, or even 100% uptime, those terms are clearly outlined in the SLA. Check to see how downtime is measured, if there is a cure period that would allow a provider to repeatedly violate the SLA over the course of small periods of downtime, and what end users are entitled to if downtime exceeds agreed-upon thresholds. This language is one of the most important areas to review. Review it closely and carefully.  This is especially important if an association plans to provide online access to its data, as when fulfilling certain requests under, for example, Section 718.111 of the Florida Statutes.  Again, consultation with an attorney is strongly encouraged.  Keep in mind that there will always be planned service interruptions (a.k.a. planned maintenance), which are intentional periods of downtime which are necessary to provide periodic maintenance to the provider’s infrastructure. It may include anything from an operating system or application upgrade, to physical plant maintenance which requires that systems be brought offline. Check with the provider to see if planned service interruptions are included in the SLA, or if those are separate. If separate, your SLA might not reflect true system availability.

Where is my data stored?

The hosting agreement should outline where your data will be stored. If the provider is going to outsource this function, it should clearly be disclosed in the hosting agreement, and your provider’s provider should be clearly identified. Keep in mind that if your provider outsources this function, it likely has a separate hosting agreement with its provider, and those terms may ultimately affect you. Also keep in mind that where your data is stored may implicate data, privacy, and other laws of both yours and different jurisdictions.  This post only applies to official record backups — not to the online storage of official records in lieu of keeping paper records altogether.

Data protection and confidentiality.

The hosting agreement should outline how your data will be protected (in some detail, but not enough as to compromise security), and should place on the provider certain responsibilities with respect to data security, access control, and antivirus measures.  The hosting agreement should also outline confidentiality of your data. Some agreements might simply restrict the provider’s ability to disclose your data to third-parties (except in cases where necessary to provide the service or as required by law). However, consider looking or asking for an agreement which restricts the provider’s right to view the data itself (while the provider will likely except from this technical support requests, this is a reasonable request). Overall, look for the language which best protects your data from being viewed and disclosed.

Unattended access to data at any time.  Proprietary formats.

Having unattended access to your data is very important. It will allow you to keep an updated copy of the data in-house, should it ever be needed and unavailable from the provider. Being allowed access to your data only upon request to the provider is very different from having unfettered FTP or web-based download access (e.g., imagine having a bank account without ATM access; see the difference?).  Mainly an issue with application hosting (but may also be implicated with traditional data hosting and online backup providers), consider that many applications store data in proprietary formats, which render the data inaccessible unless being read by that specific application. Make sure that not only is your data accessible, but that it is in a readable format even without the application. If the raw data is proprietary, make sure that it can be exported and made available in a non-proprietary, readable format, such as CSV or XML. After all, having access to your data is meaningless if you can’t do anything with it.

Data escrow.

Data escrow is relatively simple, and works essentially the way you would expect any other escrow arrangement to work. With data escrow, the hosting provider is typically required to mirror the data you store with it (at an agreed-upon frequency) with yet another third party, the data escrow agent. The data escrow agent then holds a copy of the data, should access to it ever be necessary. Both the agreement with your hosting provider and the escrow agreement with the data escrow agent should address in detail who can access the data, when, and under what terms. It is important to make sure that the agreements allow you immediate access to your data upon request to the data escrow agent. Language that requires both parties to agree before the data is released may seem fair, but when disputes arise, it may also mean a long delay before you are actually able to get your data. Be careful with data escrow companies that are affiliated with or are operated by the same company as the hosting provider, as this does not offer a true escrow.  If your provider will not cooperate or work with an escrow provider, be careful.

Service cancellations.

Make sure that the hosting agreement expressly covers this, and clearly addresses who can terminate, when, under what conditions, at what cost, and how the data is returned to you. Make sure you are comfortable with the language, and always make sure the agreement provides that your data is returned to you in a timely fashion, and in a readable format.  Some providers may actually facilitate a move to another provider in the event you discontinue your service. Check with them in advance if this is something that is important to you. Make sure whatever you are told is ultimately incorporated into the hosting agreement.  As with anything else that is agreed to, get it in writing by someone who is authorized to act on behalf of the provider.

Used properly, cloud computing can be an important tool in the association disaster planning and preparedness toolkit — and can have a profound impact on business continuity after a catastrophic data loss (whether by hurricane, fire, theft, or otherwise).

I originally wrote the following post as a FAQ for Legal OnRamp.  As hosted computing, cloud computing, and online storage become more and more popular, it is important to take a few moments to discuss something that many people may overlook: the hosting agreement.  Hosting agreements take many forms, and may come to you as a benign-looking “terms and conditions” page on a website, that you are asked to click through in order to proceed.  This post examines several (but not all) issues that pertain to hosting agreements.

1. What is hosting?

Generally, ‘hosting’ (sometimes used in conjunction with ‘cloud computing’) is a service where one party entrusts the storage and provision of its data to a third-party provider. I some instances, the data resides on servers controlled, operated and maintained by the third-party hosting provider. In others, the hosting provider itself may outsource some or all of those functions. The core concept with a hosted service is that the end user can simply access application data (and possibly even the application itself) without having to worry about the underlying infrastructure.

2. What different types of hosting services are there?

Providers may offer different types of hosting. Some providers offer only storage hosting, such as an online disk where users can upload and access their data. Other providers offer application hosting, a service where an application is delivered online via a web browser, and the application and the data is stored with the provider. This latter form of hosting is commonly referred to as Software-as-a-Service (SaaS). There are other forms of hosting as well, such as platform and infrastructure hosting. End users though are primarily focused directly on SaaS.

3. How do I select a hosting provider?

This is a very difficult question to answer, and there are many factors to consider. Selecting a hosting provider is in many ways like selecting a bank (except you don’t get the added protection of the FDIC). Usually you are trusting critical business assets with the hosting provider, and it is important to select a hosting provider that is financially stable, reliable, and able to deliver the service and support that you need. Service providers should be willing to answer questions about their company’s strength, and provide information about their storage and security practices. Providers should also be willing to allow customers (and potential customers) to tour their facilities, so end users can see exactly where their data will be housed. If you get a bad vibe about a specific provider, ask questions until you are satisfied. If you don’t feel comfortable with a specific candidate, move along.

4. What is a hosting agreement?

A hosting agreement (or the terms of service) is the written contract that governs your relationship with the hosting provider. Much like any other agreement, this is where the terms of the relationship are set out. Since many service providers offer online sign-up, the hosting agreement may presented to you online, and the provider may ask you to agree to them before setting up your account. In almost all instances I have seen where sign-up is online, the provider will not process your order unless you acknowledge your agreement to their terms and conditions. Don’t just click “Accept.” Read the terms of service thoroughly and familiarize yourself with them completely. If you don’t agree to something (or something isn’t clear), call or email the provider and see if the terms are negotiable. If not, you may have to go elsewhere. As when entering into any other agreement, consultation with an attorney is strongly encouraged.

5. What is a service level agreement?

A service level agreement (SLA) is an agreement pertaining to how often the service will be available to the end user. An SLA is sometimes referred to as an uptime agreement. It may be either a standalone agreement, or incorporated into the hosting agreement. It is important to make sure that the SLA is consistent with the provider’s marketing. For example, make sure that if a provider markets itself as providing 99.99%, 99.999%, or even 100% uptime, those terms are clearly outlined in the SLA. Check to see how downtime is measured, if there is a cure period that would allow a provider to repeatedly violate the SLA over the course of small periods of downtime, and what end users are entitled to if downtime exceeds agreed-upon thresholds. This language is one of the most important areas to review. Review it closely and carefully.

6. What are planned service interruptions?

Planned service interruptions (a.k.a. planned maintenance) are intentional periods of downtime which are necessary to provide periodic maintenance to the provider’s infrastructure. It may include anything from an operating system or application upgrade, to physical plant maintenance which requires that systems be brought offline. Check with the provider to see if planned service interruptions are included in the SLA, or if those are separate. If separate, your SLA might not reflect true system availability.

7. Where is my data stored?

The hosting agreement should outline where your data will be stored. If the provider is going to outsource this function, it should clearly be disclosed in the hosting agreement, and your provider’s provider should be clearly identified. Keep in mind that if your provider outsources this function, it likely has a separate hosting agreement with its provider, and those terms may ultimately affect you. Also keep in mind that where your data is stored may implicate data, privacy, and other laws of different jurisdictions.

8. How is my data protected?

The hosting agreement should outline how your data will be protected (in some detail, but not enough as to compromise security), and should place on the provider certain responsibilities with respect to data security, access control, and antivirus measures.

9. What about confidentiality?

The hosting agreement should outline confidentiality of your data. Some agreements might simply restrict the provider’s ability to disclose your data to third-parties (except in cases where necessary to provide the service or as required by law). However, consider looking or asking for an agreement which restricts the provider’s right to view the data itself (while the provider will likely except from this technical support requests, this is a reasonable request). Overall, look for the language which best protects your data from being viewed and disclosed.

10. Will I have unattended access to my data at any time?

Having unattended access to your data is very important. It will allow you to keep an updated copy of the data in-house, should it ever be needed and unavailable from the provider. Being allowed access to your data only upon request to the provider is very different from having unfettered FTP or web-based download access (e.g., imagine having a bank account without ATM access; see the difference?).

11. How is my data stored? Is it kept in a proprietary format?

This issue mainly comes into play with application hosting, but may also be implicated with traditional data hosting and online backup providers. Many applications store data in proprietary formats, which render the data inaccessible unless being read by that specific application. Make sure that not only is your data accessible, but that it is in a readable format even without the application. If the raw data is proprietary, make sure that it can be exported and made available in a non-proprietary, readable format, such as CSV or XML. After all, having access to your data is meaningless if you can’t do anything with it.

12. What is data-escrow?

Data escrow is relatively simple, and works essentially the way you would expect any other escrow arrangement to work. With data escrow, the hosting provider is typically required to mirror the data you store with it (at an agreed-upon frequency) with yet another third party, the data escrow agent. The data escrow agent then holds a copy of the data, should access to it ever be necessary. Both the agreement with your hosting provider and the escrow agreement with the data escrow agent should address in detail who can access the data, when, and under what terms. It is important to make sure that the agreements allow you immediate access to your data upon request to the data escrow agent. Language that requires both parties to agree before the data is released may seem fair, but when disputes arise, it may also mean a long delay before you are actually able to get your data. Be careful with data escrow companies that are affiliated with or are operated by the same company as the hosting provider, as this does not offer a true escrow.

13. Will my provider cooperate with a data-escrow provider?

Ask. If the answer is no, be careful.

14. What if I want to cancel my hosting service?

Make sure that the hosting agreement expressly covers this, and clearly addresses who can terminate, when, under what conditions, at what cost, and how the data is returned to you. Make sure you are comfortable with the language, and always make sure the agreement provides that your data is returned to you in a timely fashion, and in a readable format.

15. What if I want to switch to another provider?

Some providers may actually facilitate a move to another provider in the event you discontinue your service. Check with them in advance if this is something that is important to you. Make sure whatever you are told is ultimately incorporated into the hosting agreement.

16. Are these types of agreements with the provider even negotiable?

That depends. It probably comes down to the size of the provider and the size of the account you represent. If you are interested in negotiating the terms of the hosting agreement, ask to speak to someone in the provider’s legal department. And whatever is agreed to, get it in writing by someone who is authorized to act on behalf of the provider.

In recent years, social media sites, as they are known, have become increasingly popular. Facebook (www.facebook.com) is a prime example of a ‘social media’ site. Others are Twitter (www.twitter.com), LinkedIn (www.linkedin.com), and MySpace (www.myspace.com). The concept of most of these sites is rather simple: a user registers for a profile on the site, and inputs certain information about themselves. Sites like LinkedIn are geared more towards professional networking, so the information focus is more along the lines of education, positions held, speaking engagements and published works, and the like. Sites such as Facebook and MySpace seem to be more personal in nature, focusing more on friendship and family. On Facebook, after registering for a profile, a user can then locate people that he or she knows who may also have a profile on the site. Depending on that person’s privacy settings, the user most likely has to “invite” the other person into their network, or ask to become their “friend.” If the recipient accepts the request, the two become connected. Typically, from that point forward, each of them can then view whatever has been posted to each other’s profile, which may include text, pictures, videos, or comments from that person’s other “friends.” On Twitter, however, “following” someone doesn’t automatically mean that the other person is “following” you. That person would have to specifically follow you in return in order to view your “Tweets,” because the connection is not automatically reciprocal.

Although these sites are only viewable online via an internet-connected computer or device, what some people (at least in my opinion based on my participation on such sites) don’t seem to understand (or care about) is that posting content on these sites, without the proper precautions and common sense, is no different that standing on the 50 yard line at halftime around a packed crowd, broadcast cameras running, and saying the same things. In other words, everyone’s watching. What’s more? The internet never forgets. Once you post it, consider it irrevocably out there for everyone to see. Even if your posts are restricted to only those with whom you are “friends” (a very loosely used term, since on some profiles I’ve seen people amass thousands of “friends”) they can still see it, print it, or “retweet” (on Twitter) it to others. For sites crawled and indexed by Google, once it’s indexed, it may even be available online even after the original post is gone, depending on when and how often Google indexes and caches that specific site.

At a recent industry group seminar that I gave, I outlined several examples of social media use gone awry. Here is a small sampling, all from a brief search on Google:

• In September 2004 a Delta Airlines flight attendant was fired just weeks after she posted allegedly inappropriate pictures of herself (in uniform) to her blog site.

• In February 2009 a juror in Arkansas posted comments about one of the parties, a building materials supplier, to Twitter using his cell phone. The Court was asked to overturn the $12+ million judgment against the company due to the juror’s posts. The Court denied to overturn the verdict, but the case is now up on appeal because of the juror’s “Tweets.”

• In March 2009, a defendant was acquitted on a weapons possession charge after the police officer who chased him down (and who the defendant accused of planting the weapon on him) posted certain comments on Facebook.

• In June 2009 an Indiana State Police Trooper resigned after being investigated for using Facebook to publicly brag about heavy drinking, and after posting photographs of not only a banged-up police car, but also a fellow officer holding a gun to his head.

I’m sure if you scour the internet you can find more and more examples of these types of situations. What people need to consider, and be keenly aware of, is the medium being used and the widespread reach of the content. On blog sites in particular, content is usually available online immediately after posting, totally unrestricted, and quickly indexed by the search engines.

As a general rule, Florida companies and organizations should implement acceptable use and online social media policies, and should closely monitor official company groups set up on social media sites.

Ultimately, individuals should be aware of time, place, and manner considerations in their posts, and think twice before pressing that submit button. After all, the use of common sense should go a long way.

« Please note: The foregoing is for informational and educational purposes only, and is not intended to apply to any specific legal situation. You should not rely on any information appearing herein to make any decisions pertaining to any particular legal matter. No legal advice is being given by this material, and no attorney-client relationship is created by this material. »

Welcome to our Florida Internet Technology Law section! This topic thread is intended to cover many issues pertaining to internet technology law in Florida, including the following:

• Data policies, procedures, and protocols, such as:
  • acceptable use policies
  • compliance protocols
  • data retention policies
  • electronic file policies and disclosures
  • privacy policies
  • terms of use

• Information technology agreements, such as agreements pertaining to:
  • acceptable use
  • confidentiality/non-disclosure
  • connectivity
  • consulting
  • hosting
  • storage
  • support & maintenance