Cloud Computing - Legal Issues Lost in the Mist?
PRACTICE AREA GROUP: Technology and Innovation
Cloud computing is generating much hype. IDC recently reported that worldwide IT spending on cloud services will reach €42 billion by 2012. There is little that is genuinely new in the legal issues presented by cloud computing, and it is unlikely to trigger a raft of reactive legislation. But legal issues do lurk in the clouds.
Two reasons often given for the failure of IT projects are over-expectation and under-delivery. Although cloud computing is in its infancy, expectation of it is certainly high. Customers considering a move to the cloud should therefore apply the same degree of diligence as they would to any other IT procurement. Suppliers, in terms of long-term reputational investment, would do well to adopt a considered approach to customers' concerns. This article sets out a few practical steps worth considering.
Large scale processing power, storage capacity and sophisticated SaaS models capable of competing with current market standard technology are, by their nature, currently available only from a small number of bigger players. As a result, contract terms available to customers can, on the face of it, appear to be standard offerings; not really negotiable.
By contrast, companies have very specific requirements and obligations in relation to how they control and manage their most valuable asset, their information, and CTOs often have direct responsibility for data risk. It is reasonable for customers to expect some degree of bespoke contract discussion and the sophisticated customer would look for the following:
Audit: provisions should be included to counter the lack of transparency and control that is an inevitable feature of cloud computing. Despite often being perceived as a little used tool, audit provisions can give customers significant leverage in the relationship and at a minimum they should enable the cloud computing customer to:
(a) get information on the location of its data at any time and any risks to it, actual or perceived;
There is a well established body of law at European and local level setting out the obligations of companies in relation to personal information they control and process. Where the cloud computing model involves entrusting this information to a third party, the Data Protection Acts 1988 and 2003 prohibit companies from doing so unless there are adequate measures in place to protect that personal data. One of the obvious issues for the cloud computing customer is that many of the data centres that are being used to host the services are located outside the European Economic Area. It is illegal to transfer personal data to those providers in those locations unless certain strict conditions are met. This is one reason why some providers are now publicising their moves to establish data centres within Europe as this would ease the data protection compliance burden for customers.
Data protection regulators have up to now identified cloud computing as, to borrow a phrase from the UK Information Commissioner’s Office, an “over the horizon” topic. If industry trends are anything to go by, those regulators will find themselves over the horizon imminently so we can expect a greater level of scrutiny in the short to medium term.
(b) get information on the personnel with privileged user access to information and how that access is secured, monitored and controlled;
Availing of the benefits of shared infrastructure and storage capacity carries with it the inevitable risk of unauthorised access to data and of cross-contamination between one customer's data and another's. Specific, ongoing assurances regarding encryption, separation of customers' data and the other practical measures in place are essential, not simply a one-off statement at signing. It is worth noting that failure to obtain and act on such assurances could leave the customer in breach of its legal obligation to have appropriate technical and organisational measures in place to safeguard the personal data it controls. A regulator will ask the cloud computing customer, not necessarily the provider, what steps it took to satisfy itself about the data processing arrangements. It is incumbent on the cloud computing customer to have the answers.
Bespoke Service Levels: if there is no service level agreement, customers should insist on one. If a service level agreement is available but not negotiable, customers should consider another provider. If a service level agreement promises 99.7 per cent uptime, consider carefully how absolute the contractual obligation to meet that level of uptime actually is. On its own, 99.7 per cent permits roughly two hours of downtime in a 30-day month, but the contract will rarely leave it at that. As anyone familiar with negotiating 'conventional' IT contracts will know, there are many ways to skin the service level cat! In addition to qualified definitions of uptime, mechanisms such as allowable downtime, no-fault downtime, eligibility for service credits subject to conditions, minimum threshold blocks of qualifying downtime, realisation of credit only at the end of a lengthy period and onerous notification terms are not uncommon. Perhaps more crucially, there are contractual ways to ensure that the provider will only ever be exposed up to a relatively low limit. The words "sole and exclusive remedy" should also raise a flag for customers: they can mean that, apart from a limited service credit at some point in the future, the customer has little or no other recourse against the supplier where the service level breach causes real damage. So, while on the face of it there is not much 'bespoke tailoring' to be done to a 99.7 per cent uptime assurance, there may be plenty of bespoke tailoring to be done to the language that determines exactly what that assurance means.
Crisis management and mitigation: no supplier is immune from unplanned downtime. It is important, however, that steps are taken to mitigate the downtime risk and to manage the impact if the risk materialises, and that these are, where appropriate, built into the contract. There is also a risk that, once data is deployed to a particular provider, it will be difficult for contractual or technical reasons to move it to another provider or, more significantly, to recover it at all without additional cost and delay to the customer. The industry is tuned into the issue of data portability, and it is encouraging to see industry bodies such as the Cloud Computing Interoperability Forum being established to try to set common standards for information exchange across cloud platforms. A useful starting point for customers is to check that their provider plays a part in such not-for-profit industry networks and that this is reflected in its terms of business. Availing of these optional extras will require due diligence (and no doubt some added cost) but could prove a useful addition to standard contract terms. Building in a back-up or clear exit option, and including terms that assist with investigative support and do not inadvertently obstruct the customer in dealing with a crisis, is essential.
This article was first published in Computerscope, May 2009