peshkova - Fotolia

CW500: The legal risks of migrating to the cloud

Experts from the public and private sectors discuss the legal challenges of moving to the cloud

The past 12 months have seen an acceleration in the take-up of cloud computing.

A year ago 45% of senior executives had no interest in the topic, according to research by analyst group IDC.

Today half say their companies are actively using or implementing cloud computing.

Initiatives such as the government's G-Cloud are helping government buy cloud services cheaply and easily, saving millions in procurement costs.

And in the private sector, businesses are turning to the cloud to upgrade their IT systems without incurring high upfront capital costs.

But as with any new technology, cloud computing is posing new challenges to businesses and the public sector.

In particular, migrating to the cloud poses legal challenges that can trap the unwary, leading experts told senior IT professionals at a meeting of Computer Weekly’s 500 Club.

“The technology moves much faster than the law makers and regulators can, so we are always playing catch-up and the laws are always behind,” Alistair Maughan, partner at law firm Morrison & Foerster, told the group.

He was speaking with Spencer Izard, research director of IDC and Mark Craddock, CloudStore lead for the G-Cloud programme.

The worst cloud terms and conditions

  • The service provider can suspend your right to use the service or terminate the agreement of any reason or for no reason within 60 days notice;
  • In the event of a suspension of service the service provider won’t intentionally ease your data but it won’t actually preserve it;
  • The service provider can change the terms of service at any time without notice;
  • Access to services may be suspended without notice. The service provider has no liability for the downtime;
  • The customer bears sole responsibility for adequate security and back-up of data, even though it had been hosted by the service provider.

Source: Mofo

Cloud contracts

One of the problems faced by organisations is that it is almost too easy to sign up to a cloud-based service – all it requires is a corporate credit card.

“In the old days, if you were signing up with a service provider, you got your fountain pen out and someone was authorised to sign the contract. There was a sort of process about it,” said Maughan.

There is a danger now that anyone in the organisations clicking the boxes to accept all sorts of terms and conditions, he said. And some of them can leave the business in a very exposed position, (see panel, right).

For example, Izard told the group he discovered that one department in a company he worked with had bypassed IT to buy in its own cloud service.

What they hadn’t realised was they had signed a contract that exonerated the supplier for any service failure, unless they could prove the supplier’s software had been at fault.

Evaluate terms and conditions

It may sound obvious, but Maughan advises businesses to set up formal processes to evaluate contracts before they sign up to cloud contracts.

“Know what you are signing up to. Pay attention to service level agreements and data storage provisions. Use a Request for Proposals (RFP) or some kind of evaluation tool to compare different alternatives,” he said.

Very often cloud contracts are spread over a host of different terms and conditions documents and acceptable use policies.

“Its important to understand all the terms and conditions, to know where they all are – not just look at one and ignore the hyperlinks to the other documents,” Maughan said.

For large organisations, it is often worth negotiating with cloud suppliers for better terms and conditions.

Although a small and medium sized company is unlikely to get very far with Amazon, for example, a company the size of Barclays Bank or Marks & Spencer’s is likely to have more success, Maughan told the meeting.

The City of Los Angeles, for example, successfully negotiated a better contract with Google after opting to buy Google’s services through a services company.

“If you can go in through a reseller or a big service provider as a interim to going into the cloud, they will either be able to negotiate for you, or put a wrapper around the service," he said.

“If backing up or encrypting data is something you need, that is something they are likely to do for you, even if the cloud service provider won’t do it for you.”

G-cloud imposes terms and conditions on suppliers

Alistair Maughan, partner at law firm Morrison & FoersterAlistair Maughan, partner at law firm Morrison & Foerster

G-Cloud – the government’s electronic market place for cloud services – aims to simplify some of these concerns for public sector organisations.

The service, now in its second year, is helping a wide range of government organisations save money on IT services contracts, securing over £2.6m of deals so far.

However to use the service, suppliers must agree to comply with standard terms and conditions that replace their own.

“We have insisted in the contract that suppliers must tell us the cost of getting into the service, how to exit the service and the cost of exiting the service," Mark Craddock told the meeting.

“They must tell us how to get the data back, in what format it comes back in. And they must tell us where the data is held, whether it is in the UK,” he said.

Geographical differences in privacy and compliance

The virtual nature of the cloud means cloud service providers can host customers' data anywhere.

The downside for businesses is that they need to be aware of the differences between data privacy regulations in different parts of the world.

“This is probably the biggest area where there is divergence between countries and different rules to comply with,” said Maughan.

For example, in South Korea, it is almost impossible to do anything with personal data without the specific consent of the person concerned.

In the USA there is no overarching data protection legislation, but there are separate regulations for sectors such as health and finance.

“It is important to understand what data you are going to have to put into the cloud, because different rules might apply to it,” said Maughan.

In the US, data laws can also vary from state to state. Most states now have data breach notifications, which require companies to notify customers if data is lost or compromised.

“You have to work out if you have US regulated data or data on US citizens in the cloud and whether you can comply with US data breach notifications if data goes missing,” said Maughan.

In Europe, companies may need to jump through regulatory hoops if they are transferring personally identifiable data from country to country.

It is important for organisations to know where their data is stored, if they are going to keep within the law.

One option is to negotiate an agreement with the service provider to keep data in the European Union.

This means that companies don’t have to go an extra step to show they have complied with regulations preventing data transfer.

Cloud data security issues

Concerns over security issues are one of the biggest deterrents to moving data out into the cloud.

However, most of the big cloud suppliers – such as Oracle and Microsoft – offer highly secure cloud services, Spencer Izard, analyst at IDC, told the meeting.

“They have better security solutions built into their cloud services products than most organisations can build for themselves,” he said. “Some of the big organisations are actually credible in this space.”

Maughan agrees, but nevertheless advises organisations to think carefully which data they want to store in the cloud.

“Work out what security you need according to the data you are going to put into the cloud. And make sure you have gone through a clear process and that the cloud solution is actually appropriate for the type of data you are going to put in,” he said.

Encryption, he suggests, should almost be a requirement if you are moving data into the cloud.

Patriot games

Data protection and privacy laws are not the only legal hurdles facing organisations as they move into the cloud.

The US Patriot Act is one consideration for any organisation hosting personal data in the US.

It gives the US government the right to subpoena data held by US companies.

The Patriot Act has raised legal issues for European companies considering doing business in the USA, said Maughan.

In one case, a German utility company had to decide whether it was willing to do business in the US, given the requirements of the act.

Some big suppliers have made it clear that, if the US government requests their data, they will have no choice but to hand it over.

“Microsoft has come out and said if there is an issue between the contract we have got with the customer and what the US government wants – no surprise – we are going to do what the US government wants," said Maughan.

Playing Soca

One potential concern for businesses in the UK is the risk of enforcement action by the Serious Organised Crime Agency (Soca), for example, if they believe that illegal material may be held in a cloud-based datacentre.

Soca has not given any clear guidance how much of a datacentre they would seize during a criminal investigation, for example if illegal pornography were discovered in the cloud.

Investigating such occurrences can be difficult, particularly when cloud service providers distribute data across multiple servers or even multiple datacentres.

Spencer Izard, research director for IDC, said Google spreads the data stored in an individuals email across all its datacentres, so that it is not possible to say where the email box, or even an individual email, is physically stored.

In practice there is very little companies can do to plan ahead for business disruption caused by a law enforcement investigation, said Maughan.

“You just have to try and be nimble at the time, and try and keep the flexibility with the service provider. Presumably there would be some negotiation with Soca for ringfencing what they are going to take,” he said.

If companies break the acceptable use policy of their cloud service provider, whether deliberate or not, they are going to face problems, Maughan warns.

“You can be in breach of the whole agreement, and then not only have you got a Soca problem, you have a problem that the service provider can terminate your whole arrangement or suspend your service on no notice,” he said.

European legislation

Video interviews

  • Alistair Maughan, partner Morrison and Foerster
  • Spencer Izard, research director of IDC

Europe is lagging behind the US when it comes to giving guidance to organisations about how to store data in the cloud.

For example, US financial services regulators have published guidance on how companies should approach the cloud, but there is no equivalent in Europe.

The Markets in Financial Instruments Directive (MiFiD), which is coming into force in the EU, is likely to deter European financial services companies from moving rapidly into the cloud, said Maughan.

It requires companies to have clear audit trails and clear knowledge of how data is being processed, which could prove difficult in a cloud service.

“I think financial services companies have been much slower to go to cloud than non-financial services companies, for that reason,” he said.

Getting data out of the cloud

Choosing what data to put into the cloud is one thing, but making sure you can get the data back out again is crucial.

“Some people say that when you put services into the cloud, it’s a bit like the Hotel California – you can check in but you can never leave,” Mark Craddock, told the meeting.

One solution is to duplicate the data in more than one cloud service. The savings that some public sector organisations are so great through cloud, Craddock told the meeting, that this is a feasible option.

“I very rarely speak to anyone who knows how they are going to get their data or their intellectual property out of the cloud service after they have put it in,” said Izard.

That’s all very well until something goes wrong and you need to pull out of the contract.

“You need to know how to get the stuff out that you put in, and how quickly you can do it, and that is essential,” he said.

Phased roll-outs

When it comes to rolling out a cloud project, Izard says it is crucial to work in phases rather than in a big bang.

It should be possible for to end the project after each phase and still add value to the organisation, said Izard.

“I have seen too many 5 and 10 year ERP solutions with scope creep,” he said.

In one company, it took so long to roll out a SAP project that the hardware had to be upgraded before the latest version of SAP would run.

As the cloud becomes more prominent, IT organisations need to adopt more of a service provider mind-set, he says.


Most IT departments have tried chargeback schemes in which they pass the cost for IT services back to the rest of the business.

It is often met with resistance from the CEO and the rest of the board.

But show-back, in which IT departments show the pattern of IT use to the business without actually charging for it, is becoming increasingly popular.

“You can start to show for the impact that a line of business function adds to an organisation, how much IT it is using and whether that is proportionate,” said Izard.

That in turn can change the dynamics of the conversation between the CIO, the CFO and the CEO, away from simply cutting the IT budget, to using IT to add value to the business.

“You are going to need to do quarterly service reviews and use tools and analytics for service management,” he said.

That way organisations can measure whether their IT provider is giving the performance they need – and if not, it will provide hard evidence to justify a change of supplier.

IT departments will ultimately become gate keepers between the business and the cloud, he says.

“Overtime that will bring more credibility to the IT department.”



Read more on Data protection, backup and archiving