Traditionally, expanding business IT solutions has required investment in servers and software. Now, an increasing number of suppliers are offering IT solutions as a service instead. Companies such as IBM, Amazon, Google, Microsoft and Yahoo!, as well as a host of smaller providers, are offering a variety of “cloud computing” services to tap into this developing market.
Cloud computing offers companies the ability to store and process their software and data on the supplier’s servers on a flexible basis. This removes the need to buy and maintain banks of servers and allows the information to be accessed from any computer with an internet connection.
Using the cloud (i.e. the internet) is intended to offer speed, efficiency and reduced cost and also allow businesses to flex their computing storage and processing requirements more easily as the demands of the business change. However, this technology raises a number of important legal and business issues that should be carefully considered before launching into the cloud.
Checking the terms and conditions
Currently cloud computing services are generally offered on the supplier’s standard terms and conditions with limited opportunity for negotiation. As would be expected, the terms and conditions tend to favour the supplier and, unless a better position can be negotiated, may expose customers to some significant risks.
If there is a major outage, there will obviously be a substantial impact on the customer’s productivity and ability to service its clients. Although the outage is unlikely to have been the customer’s fault, the contract may offer only limited recourse. Some questions that a customer should consider are:
- What type of service level agreement is provided? Does it set out the required level of service performance and availability with an associated service credit regime to compensate for any shortfall in service?
- If the supplier excludes liability for consequential losses or lost business/profits resulting from an inability to access systems or a loss of data stored in the cloud, what alternative precautions are in place?
- What form of business continuity plan will the supplier implement?
Before signing up, it is also important to clarify the exit strategy and avoid becoming locked into one supplier. How easy will it be to retrieve the customer’s software and data and take the service back in-house or move to another supplier?
Traditionally, large suppliers have been reluctant to amend their standard terms when licensing their software. It will be interesting to see whether the market will prompt cloud computing suppliers into adopting more performance commitments and risk-sharing as cloud computing services are rolled out more widely.
Protecting your software and data rights
Before placing any third party software in the cloud, businesses should ensure that their existing licences permit this; some licences may require the supplier’s consent or an additional fee for an extension.
It is also worth clarifying that the company’s rights in its data are preserved effectively when held in the cloud.
How secure is your data?
Security of information stored in the cloud, whether proprietary or personal information, will be one of the primary concerns for any potential customer. In some instances, however, customers may feel that large technology brand names such as Microsoft and Google may be in a better position to manage the security of their data than the customer itself.
Nonetheless, it is important to mitigate the data security risks by carrying out due diligence on the supplier as well as, where possible, securing a contractual right to audit the supplier’s security controls.
Some products offer the ability to encrypt the customer’s data, although this is not always possible. Indeed, where the “cloud” product includes a level of processing the data will be unencrypted during processing.
Ensuring data protection compliance
Where the information stored in the cloud contains personal data – employee lists, customer records etc - organisations established in the EU must consider the potential data protection implications.
Responsibility for data protection compliance typically rests with the customer as the “data controller”. The data controller cannot outsource this responsibility and must ensure that the use of personal data in the cloud is in accordance with data protection law.
The written contract with the supplier needs to include commitments to apply certain technical and organisational security measures as well as assurances that data will only be used in accordance with the customer’s instructions. These do not currently appear in many cloud computing standard terms and conditions, which often exclude liability for loss of data.
EU data protection legislation also places restrictions on international transfers of personal data. As many of the providers use data centres based in the US, customers will have to review whether the supplier has signed up to the US “safe harbor” scheme or whether one of the legal “gateways” permitting international transfers of data is applicable.
In some jurisdictions local legislation permits law enforcement agencies to access the information stored on databases and servers in the cloud. This is a particular issue under the US PATRIOT Act or the Regulation of Investigatory Powers Act (RIPA) in the UK and may equally be a concern under interception laws in other countries. These issues led to French civil servants being prevented from using BlackBerries with servers located in the US.
Cloud computing seems likely to grow as businesses take up the opportunities for operating more flexibly. As ever, customers should review the product terms and conditions carefully and consider how best to manage the key legal and business risks effectively.