Cloud computing is all about the data. The essential issues are who owns it, who holds it and who has access to it?
As I understand it, cloud computing is still nascent. Data management
by way of the internet means taking information off data storage
devices owned by your business (such as PCs or laptops) and placing it
into giant data-retention centres owned by entities like Google. As an
evolving concept it will grow in profile for both private and
commercial uses (and users) of computers.
At a quick glance it looks like the perfect data-storage solution.
Another business will store your data on its hardware in
purpose-built, physically secure "server farms". Those server farms
will be backed up and provide a comprehensive data-protection
solution, at least in theory.
The prospective business benefits of cloud computing are massive.
Large and complex IT management systems can be dispensed with. Costs
of continuing development, refinement and acquisition of hardware and
software may drop significantly. Someone else will be taking care of
one of the less attractive parts of information management - data
storage and retrieval.
There will be immediate and massive portability of data. As long as a
registered and verified user can log onto the relevant host program,
all of the company's data for which the user has clearance can be
accessed, from anywhere in the world, at any time. In a globalised
economy, this has potentially huge practical benefits.
However, there are a number of significant risks in relation to cloud
computing that need to be considered. These revolve primarily around
data security issues. Is it practically possible for data to be lost
by the service provider? Who also has access? Who owns the data? What
are the catastrophic circumstance disaster-recovery strategies?
These are all unanswered questions that need to be considered and
addressed comprehensibly in any service contract between your business
and the service provider. In particular, the warranties and
indemnities offered by the data-storage provider would need to be
wide-reaching to cover your business risk, without crippling the
data-service provider generally.
If cloud computing has one vice from a business perspective, it
appears to be dependence. All your data storage is reposing in another
entity. This requires requisite levels of trust and confidence, along
with skill and foresight, to secure your data so that it will always
be available. Another concern is privacy. In a competitive business
context, much of the data being stored by the service provider would
be commercially in confidence. You definitely would not want your
competitors to have access to this information and use it as a
springboard. It would be unacceptable for them to use your information
to compete with you and, in the worst-case scenario, steal competitive
A hack-proof computer system is a challenge no one can yet meet. This
raises the question of industrial espionage and the extent to which
competitors, through a cloud platform, could misappropriate
confidential business information.
Legally, there are two main categories of liability. First, is your
liability to customers or those for whom you hold data as part of
providing your goods or services. Consideration of your prospective
liability catches within the net are wide and diffuse a range of
potential legal risks. The most sensible way to manage this would be
for your contracts to contain acknowledgements that customer data will
be stored on a cloud platform.
The downside is that this is commercially unpalatable. An astute
client may be spooked by the potential risks to which their personal
data is exposed. Where the information is sensitive, your clients may
prefer one of your competitors who do not use this platform.
Again, this gets back to the overarching question of dependence - can
your competitor provide greater security not using cloud computing?
This issue needs to be closely risk managed in the context of the
nature of your business, the nature and sensitivity of information you
hold about your customers and the likely commercial damage your
customers would suffer if, for some reason, that information came into
the public domain.
The second category of liability is for the cloud computing service
provider, with primarily four matters of high significance in your
negotiations: indemnities, warranties, guarantees and termination. The
indemnities would generally cover any loss you suffer as a result of
the service provider not fulfilling their obligations under the
contract. Warranties would relate to the security of the data-storage
management system and other factual matters. Guarantees would come
from other parties so as to secure the obligations of the service
provider in the event of insolvency. Termination would address grounds
on which the contract could be ended, consequences for return of data
and destruction of copies or images by the service provider so no
permanent record was held.
In addition to required orthodox contractual considerations, this
would be the best way to manage liability. Likely to be a contentious
and lengthy negotiation given the range of direct and indirect issues
and questions on potential problems and liabilities, ownership of
information is also a critical component. The contract must be
transparently clear so you retain ownership of the data; the service
provider simply provides a storage facility. As set out above, stored
data is likely to have commercial value, so it is important to be
clear about that value remaining in your hands.
The legal questions in relation to managing risk under cloud computing
are complex and numerous, with no easy solution.
You must have a tight contract and be sure the data service provider
is able to meet any claim you have if there is catastrophic failure.
For instance, if the provider suffers a failure that disables the
whole network and causes data loss, it would be reasonable to expect
alleged claims for damages.
Should these claims be high, there is a real possibility of insolvency
for the service provider, which may mean no recovery of damages for
breach of contract. This is where the guarantees become important.
Ultimately, I suspect, it will be a cost-benefit analysis. How do the
benefits of external data storage, immediacy of access and portability
weigh against the potential risks of data loss, breach of privacy and
legal liability, to customers and third parties?
This question is likely to have a different answer for each business.
DISCLAIMER: THE INFORMATION IN THIS ARTICLE SHOULD NOT BE RELIED UPON
AS A SUBSTITUTE FOR DETAILED ADVICE AS A BASIS FOR MAKING DECISIONS.
Damian Ward is a partner with HWL Ebsworth Lawyers and
specialises in technology law and intellectual property. He is author
of the Contract Negotiation Handbook. Questions can be sent to: firstname.lastname@example.org
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.