The controversy over Prism and related revelations of the last few days regarding government access to cloud data serve to highlight the importance of addressing the question of “who has access to my cloud data?” in your cloud contracts.
Every cloud agreement should include a provision requiring the vendor to place the customer on notice when it receives any legal request for production or access to the customer’s data (unless the legal request expressly precludes that notice). While this seems a fundamental concept and a reasonable one, many cloud contracts lack this protection. Customers should insist on its inclusion. By requiring notice, the customer may elect to intervene in the legal action to limit production of its data, better ensure its confidentiality, etc.
Since some legal requests specifically prevent the cloud provider from providing notice to the customer, customers must take this possibility into account in deciding whether to place certain data in the cloud. Doing so may mean the customer’s data could be made available to a governmental entity without any notice or opportunity to object.