Heads in the cloud

Heads in the cloud

Cloud computing is exciting for CIOs who manage huge amounts of data on a restrictive budget. But what are the legal ramifications?

Cloud computing is all about the data. The essential issues are who owns it, who holds it and who has access to it?

As I understand it, cloud computing is still nascent. Data management

by way of the internet means taking information off data storage

devices owned by your business (such as PCs or laptops) and placing it

into giant data-retention centres owned by entities like Google. As an

evolving concept it will grow in profile for both private and

commercial uses (and users) of computers.

At a quick glance it looks like the perfect data-storage solution.

Another business will store your data on its hardware in

purpose-built, physically secure "server farms". Those server farms

will be backed up and provide a comprehensive data-protection

solution, at least in theory.

The prospective business benefits of cloud computing are massive.

Large and complex IT management systems can be dispensed with. Costs

of continuing development, refinement and acquisition of hardware and

software may drop significantly. Someone else will be taking care of

one of the less attractive parts of information management - data

storage and retrieval.

There will be immediate and massive portability of data. As long as a

registered and verified user can log onto the relevant host program,

all of the company's data for which the user has clearance can be

accessed, from anywhere in the world, at any time. In a globalised

economy, this has potentially huge practical benefits.

However, there are a number of significant risks in relation to cloud

computing that need to be considered. These revolve primarily around

data security issues. Is it practically possible for data to be lost

by the service provider? Who also has access? Who owns the data? What

are the catastrophic circumstance disaster-recovery strategies?

These are all unanswered questions that need to be considered and

addressed comprehensibly in any service contract between your business

and the service provider. In particular, the warranties and

indemnities offered by the data-storage provider would need to be

wide-reaching to cover your business risk, without crippling the

data-service provider generally.

Sensitive information

If cloud computing has one vice from a business perspective, it

appears to be dependence. All your data storage is reposing in another

entity. This requires requisite levels of trust and confidence, along

with skill and foresight, to secure your data so that it will always

be available. Another concern is privacy. In a competitive business

context, much of the data being stored by the service provider would

be commercially in confidence. You definitely would not want your

competitors to have access to this information and use it as a

springboard. It would be unacceptable for them to use your information

to compete with you and, in the worst-case scenario, steal competitive

business ideas.

A hack-proof computer system is a challenge no one can yet meet. This

raises the question of industrial espionage and the extent to which

competitors, through a cloud platform, could misappropriate

confidential business information.

Legally, there are two main categories of liability. First, is your

liability to customers or those for whom you hold data as part of

providing your goods or services. Consideration of your prospective

liability catches within the net are wide and diffuse a range of

potential legal risks. The most sensible way to manage this would be

for your contracts to contain acknowledgements that customer data will

be stored on a cloud platform.

The downside is that this is commercially unpalatable. An astute

client may be spooked by the potential risks to which their personal

data is exposed. Where the information is sensitive, your clients may

prefer one of your competitors who do not use this platform.

Again, this gets back to the overarching question of dependence - can

your competitor provide greater security not using cloud computing?

This issue needs to be closely risk managed in the context of the

nature of your business, the nature and sensitivity of information you

hold about your customers and the likely commercial damage your

customers would suffer if, for some reason, that information came into

the public domain.

The second category of liability is for the cloud computing service

provider, with primarily four matters of high significance in your

negotiations: indemnities, warranties, guarantees and termination. The

indemnities would generally cover any loss you suffer as a result of

the service provider not fulfilling their obligations under the

contract. Warranties would relate to the security of the data-storage

management system and other factual matters. Guarantees would come

from other parties so as to secure the obligations of the service

provider in the event of insolvency. Termination would address grounds

on which the contract could be ended, consequences for return of data

and destruction of copies or images by the service provider so no

permanent record was held.

In addition to required orthodox contractual considerations, this

would be the best way to manage liability. Likely to be a contentious

and lengthy negotiation given the range of direct and indirect issues

and questions on potential problems and liabilities, ownership of

information is also a critical component. The contract must be

transparently clear so you retain ownership of the data; the service

provider simply provides a storage facility. As set out above, stored

data is likely to have commercial value, so it is important to be

clear about that value remaining in your hands.

The legal questions in relation to managing risk under cloud computing

are complex and numerous, with no easy solution.

You must have a tight contract and be sure the data service provider

is able to meet any claim you have if there is catastrophic failure.

For instance, if the provider suffers a failure that disables the

whole network and causes data loss, it would be reasonable to expect

alleged claims for damages.

Should these claims be high, there is a real possibility of insolvency

for the service provider, which may mean no recovery of damages for

breach of contract. This is where the guarantees become important.

Ultimately, I suspect, it will be a cost-benefit analysis. How do the

benefits of external data storage, immediacy of access and portability

weigh against the potential risks of data loss, breach of privacy and

legal liability, to customers and third parties?

This question is likely to have a different answer for each business.



Damian Ward is a partner with HWL Ebsworth Lawyers and

specialises in technology law and intellectual property. He is author

of the Contract Negotiation Handbook. Questions can be sent to:

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!

Error: Please check your email address.

Tags Utility Computingstoragesecuritycloud computingSoftware as a service

Show Comments