One of the biggest developments in recent years has been the stratospheric rise of what has been termed “Cloud Computing,” sometimes also referred to as “software as a service” (SaaS). Enticed by the prospects of increasing accessibility while significantly lowering their IT hardware, software and infrastructure costs (among other things), numerous companies either have taken the leap into the clouds or are seriously considering doing so. Some organizations may be thinking of embracing Cloud Computing following recent industry developments such as the 2009 Health Information Technology for Economic and Clinical Health Act, which encourages health care providers to adopt electronic medical records.
To be sure, Cloud Computing offers significant economic benefits and competitive advantages to those who employ it. However, Cloud Computing is not for everyone or everything. While the benefits may seem compelling, there are certain risks that all would-be cloud dwellers potentially face which should be thoroughly assessed and addressed.
- Control: Residing among the clouds necessarily means relying on a third party to maintain and control your data. It is therefore critical to understand the implications of moving your data to the cloud. Once there, who has access to it and under what circumstances? Who can alter it? How will system outages and service disruptions be rectified? What if the provider fails or leaves the business?
- Security: The very idea of handing over important and potentially sensitive or proprietary data to another company understandably worries many people. Clients should ensure that cloud service providers have adequate encryption and other security controls in place that are regularly audited.
- Privacy: If someone can log in from anywhere to access data and applications, it is possible that your privacy could be compromised. That may pose a headache for highly regulated industries. In some cases, regulatory compliance may be impossible if your data is subject to any geographical storage restrictions, such as the European Union Data Protection Directive.
- Preservation: Parties have a duty to preserve evidence in their custody and control where it is foreseeable that the evidence may be relevant to threatened or pending litigation, as well as third-party subpoenas, investigations or regulatory requests for information. If your data is no longer in-house, will cloud computing providers be able to implement your company’s document retention policies as well as litigation holds?
- E-Discovery: Cloud computing business models challenge the assumption that a company possesses, or even controls, all of the electronically stored information that the law may require it to preserve and produce. Consequently, companies face substantial barriers to implementing cloud computing solutions if their compliance capabilities are compromised as a result. Conducting forensic examinations or establishing the authenticity and admissibility of “clouded data” can also pose unique problems.
Most of the challenges presented by moving to the cloud can and should be addressed in well-drafted service-level agreements with third parties that provide business processes, products and services. Just as importantly, due diligence should be performed on the service provider’s internal privacy and information protection controls, and assurances should be obtained that it does not process, store or transfer information through jurisdictions whose laws do not provide for adequate information protection. This may become a frequent exercise, as it is not uncommon for clients to move from one cloud service provider to another as contracts expire and more favorable terms become available.
A more in-depth discussion of the benefits and challenges of Cloud Computing can be found here, in our recent white paper on the subject, co-authored with UHY Advisors FLVS, Inc.