Cloud hosting providers are gaining traction, but the trend has raised a new set of concerns over cloud computing legal issues. Many customers are reluctant to commit without knowing where they stand legally, but what's more alarming is that just as many businesses are unaware of cloud-related legal issues before they sign on to the service, according to Mark Weston, principal at law firm Matthew Arnold & Baldwin LLP. In this tip, Weston discusses how to avoid backing yourself into a legal corner when opting for a cloud provider to host your company's IT services.
There will, out of necessity, be changes to the risk profile and management of organisations using cloud services.
Surprisingly, cloud computing security is a practical concern rather than a legal one. It is true that the law already provides some options. There will be a contract with the usual stipulations. There is a plethora of rules on data, negligence, and more. Cloud computing legal issues also revolve more around practical concerns: Can you prove that something has gone wrong? Do you have the evidence? The chances are that you do not, and that you will not be able to prove your case.
In the physical world, a stolen laptop quickly comes to light. However, a rogue agent siphoning data from a cloud resource will not necessarily be apparent to the customer who owns that data. Accordingly, there is a heavier reliance on the service provider's due diligence than there has been in the past. There will, out of necessity, be changes to the risk profile and management of any organisation using cloud services as well as the audit and responsibility chains within an organisation.
It is this author's experience that, unfortunately, few who choose cloud services ask the full set of necessary questions before signing up.
A series of due diligence checks will need to be made. Ensure that you ask the following questions, among others not listed here.
- Where is the data stored?
- Is data replicated? (This may actually be desirable so there is backup within the service provider, although this adds to expense of the service and leads to data retention issues if the customer deletes data.)
- What happens to data when it is deleted?
- What happens to hardware used in the cloud (e.g., trailers of servers) when that hardware reaches its end of life and is replaced?
A cloud computing risk strategy
The law provides protection as long as you can prove your case. But, as has been set out above, proving any case and getting the evidence will be difficult. For this reason, and to manage the business risk without resorting to law, it is far better to adopt suitable risk management tools and avoid having 'a case' in the first place.
Step 1 should be risk analysis and due diligence. Only after that has been done should step 2, contractual legal protections (such as strong contracts, service-level agreements, robust remedies, etc.) be put in place.
It is worth noting that as cloud services become commoditised and provided by a few big players such as Microsoft and Google, the ability to dictate strong terms will be practically nonexistent (in the same way trying to negotiate a strong BT service level for your phone lines is well-nigh impossible). So step 2 may prove to be illusory, meaning even greater reliance must be placed on step 1.
There are numerous questions that should be asked and clarifications that should be requested. For more advice in this area, read our checklist that covers cloud computing legal issues.
Cloud computing legal concerns: Final thoughts
A customer of cloud services should go into the deal with its eyes open, aware of cloud computing legal issues. The law may provide a remedy, but it will be subject to the cloud computing contract terms, which the customer may have little freedom to negotiate -- assuming that a customer can rely on this by proving its case, which often it cannot.
The law is more than ready to cope with yet another contracted service -- cloud computing. However, the difference this time around is that proving something has gone wrong, so as to take advantage of the remedies the law provides, will be difficult. Due diligence will help by avoiding the problem in the first place.
Mark Weston is a Principal at Matthew Arnold & Baldwin LLP and a contributor to SearchVirtualDataCentre.co.uk