Everyone is talking about cloud computing as the present and future for information and communications services in a sustainable digital economy.
Cloud computing can help organisations cut their business costs, for example by removing the need to invest in hardware or other physical infrastructure, by storing your data in a secure place, and by giving you the option to pay only for the capacity you use.
There is no licensing fee associated with cloud computing.
So what exactly is cloud computing?
Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, instead of on a local server or a personal computer.
Cloud computing (sometimes known as 'the cloud') describes computation, software, data access, and storage services not requiring end-user knowledge of the physical location and configuration of the system that delivers the services. Cloud computing brings many opportunities for today's online business but knowing how to balance opportunity and risk associated with 'The Cloud' is challenging.
This article discusses some of the legal and regulatory issues organisations are facing when considering and implementing a cloud computing strategy.
Legal issues with cloud computing
But what are the cloud computing legal issues that business owners and top managers need to consider when implementing a cloud computing strategy?
1. Physical place of data
Your organisation must always stay in control of its own data and information. They are valuable to you, your competitors and cyber criminals. You're also liable if you 'lose' personal information! Under Data Protection law your organisation remains responsible for any personal data it processes, even if the data is held on a third-party server.
2. Data storage
Your organisation's data could be stored in a data centre in any country world-wide - you may not know where. The data centre's physical location raises a question about legal governance over data and data storage. Be clear about prevailing law and make sure that you write proper protections into the Service Level Agreement (“SLA”) with the vendor.
e-Discovery (electronic discovery) - having data available for any potential legal proceedings - may become more complicated if your cloud server is abroad. It most likely is!
This distinction becomes potentially blurred where you use public clouds, such as those provided by Yahoo, Google or Amazon. These providers offer public clouds globally to all sorts of people and organisations. They have servers located throughout the world. With public clouds there is a real risk of client data leaving the EU and not being subject to adequate protections. It is therefore essential that your cloud services provider is willing and able to give you the transparency you need to make correct decisions.
For these reasons it is best practice for law firms in the UK to check that their cloud hosting provider is storing their data within the UK or, at the very least, solely within the EU.
4. Conflict of laws
If a dispute arises between the customer and cloud vendor, you must know which country's courts and laws apply to bring about a quick settlement of any disputes. Smaller businesses should be warned that they may not necessarily have the legal, financial or management resources to fight a legal challenge in a foreign country. Be extra vigilant when setting out the terms of the contract.
5. Data responsibility
What happens if the data centre is hit by a natural disaster? What Business Continuity plans have you put in place? Systems and networks are vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm them. The question is not just whether you are indemnified by the insurance company for the loss of your business, but also whether you would be able to re-establish a business after the loss.
Business continuity includes physical provisions. These include a secure facility managed and monitored 24/7/365 with strict physical access controls to the data centre. Ensure the data centre is resilient, with fire suppression, environment monitoring, platform monitoring, backup power supplies or generator, dual independent network paths, dual independent Internet connections and two of everything to make sure that there is no single point of failure within the system. Backup data centres will give you peace of mind. If a total catastrophe occurs at the main data centre, does your cloud hosting provider have a backup data centre? How quickly is this available, allowing you to use your applications and data? Check what your cloud hosting provider offers in terms of resilience services.
6. Data Protection
EU Data Protection legislation (Data Principle Eight) requires you to make sure that any personal data transferred outside the European Economic Area has adequate protection. Where there is no international agreement on the transfer of personal data between the European Union and the country where the data centre is located, you will have to make your own agreement with the cloud vendor. Include 'an adequate security' clause.
If a privacy breach occurs due to a fault of the cloud vendor, has the vendor taken out any liability coverage policy? The scope of breach of privacy has widened considerably over the years in the field of cyber insurance. Some insurance carriers offer coverage even for breach of minor information and they compensate the customer on behalf of the cloud vendor.
7. Security breaches
Though all cloud vendors try their best to fend off hackers, don't assume that security settings are foolproof. If the data centre gets hacked, can you move against the vendor to claim lost profits?
8. Intellectual property rights
Is your or your organisation's data protected under the intellectual property laws of the country in which the provider has installed the data centre? What are your means for redress if someone infringes these IP rights?
How secure are your trade secrets? You must protect data stored in the ‘cloud’ which contains trade secrets or privileged information. This is especially true if the data falls under a lawyer-client relationship. How secure will such information be in the hands of the cloud vendor? Consider a reverse situation. If you leak out a trade secret of another organisation, how far will your cloud storage provider go to protect your data when a court orders them to hand over all your stored data, access logs, etc.?
9. Third party access
The vendor may grant some privileged third parties access to your stored data on the cloud. The provider must give customers details of third parties. Here, the third party could be a legal authority or even an internal employee. The customer should always be informed before the vendor allows third parties to get access to the stored data.
To protect your business interests, read the contractual terms and conditions meticulously before signing up for a cloud-based service. If the vendor provides a standard form of contract (which is a general practice), be fully aware of all the terms and conditions. It will save you from nasty surprises and you will be financially, mentally and legally ready to save your business from unfavourable consequences of cloud computing. You might even wish to engage the services of a professional law firm.
10. Security policy
Does your organisation use a defined security policy?
Secure your organisation's data from any threats of unauthorised access in every way possible. Pay particular attention to password management and tell workers not to write passwords down. Encourage use of strong passwords with:
- characters and numbers and other symbols (!"£$%^&*<>;:)
- at least 8 characters in length
- a mix of upper and lower case letters
- a change cycle of no more than 60 days
11. High-risk behaviour
Always watch for and try to avoid high-risk behaviours. These include: downloading unauthorised applications and documents; browsing potentially dangerous websites; using an unauthorised email service; responding to phishing e-mails with confidential information; or transferring confidential information via a USB memory stick or other storage device.
Update all anti-virus and malware protection products regularly on all devices in the office. These are now included in Microsoft Windows and you can buy others. Switch them on and configure them to automatically update themselves and scan your computer every day. If regular security updates are not installed as soon as they become available, you may compromise your business and customer data by making them vulnerable to security breaches.