Increasingly businesses are outsourcing data storage and IT services to cloud computing hosts. Whilst the cost and flexibility benefits of cloud computing are attractive, the risks to companies and to their insurers are significant. This article will look at some of the potential risks and regulatory issues associated with cloud computing

What is cloud computing?

Cloud computing is the use of IT services such as data storage, software applications and IT processes provided by a host service accessed via the internet. Major IT companies provide 'cloud services' using servers located with the cloud host, frequently outside of the UK. The customer avoids the need to buy, maintain and update their own servers, plus the costs of software licensing and support services. Companies can access IT services and their data via PCs, laptops or mobile PDAs, such as iPhones or BlackBerrys from anywhere with an internet connection.  

Outages  

Like any service provided through the internet, cloud computing services are subject to interruption or outages, where the service is offline for an extended period of time. A database of outages is maintained by the Cloud Computing Community (an unofficial virtual community designed to promote the interests of cloud computing) which records that in 2008 there were 14 recorded outages, instances of lost data or security issues. This was up from only one outage recorded in 2007. Of the incidents marked 'critical', one outage resulted from an engineer accidentally deleting a cloud, leading to the service being offline for several days. Outages have occurred to services provided by the major cloud computing providers. One cloud computing host went out of business after experiencing outage problems that reportedly led to a significant amount of customer data being lost.  

A company choosing to use cloud computing may be in breach of obligations to their customers/clients where data held by the cloud host is not available during an outage or, in extreme cases, is lost. This provides a risk of claims against the company which could be passed on to insurers. Where services are interrupted or lost, the company or their insurer will look to the contract with the provider to see what remedies are available.  

Terms and conditions

Many cloud computing companies provide services subject to their standard terms and conditions which are, in principle, non-negotiable and heavily weighted in favour of the providers. It is usual for there to be an exclusion of liability for damages including direct, indirect, special and consequential damages. Some terms state that services may be suspended for the duration of any unanticipated downtime or unavailability and no warranties are provided that the system will be uninterrupted or error free. It is common for such terms to state that the system may contain bugs, defects, errors and that the system is provided "as is" and therefore at the customer's own risk. Further, some conditions expressly state that no warranties are provided that data stored will be secure and will not be lost or damaged.  

Such one-sided terms do not appear reasonable under the Unfair Contract Terms Act (UCTA). However, major cloud computing providers are usually based in the US and the terms and conditions are subject to US law and the jurisdiction of the US courts.  

Although these contracts may be subject to US law, it is possible that certain mandatory laws of other countries will remain applicable under principles of private international law. A mandatory rule is one that cannot be derogated from by contract. In England, UCTA is a mandatory rule which expressly applies if a party deals as a consumer or where a choice of law has been used to avoid the operation of UCTA. Effectively the choice of foreign law remains, but the operation of that law is subject to the effects of UCTA. However, a party seeking to rely on UCTA will also have to establish that aside from the choice of US law, all other elements relevant to the situation at the time of the choice are connected with another country. A company based in the UK accessing the cloud services from the UK will argue that all elements relevant to the service are in the UK, the exact location of the data not being a relevant element of the contract, particularly where the host has the right under their terms to store data in any country they choose. The absence of case law on this issue makes it difficult to predict how successful this argument would be.  

Further, arguments that UCTA will apply to the contract and exclusions of liability are unreasonable would need to take place before the US court. It is not known how the US courts would deal with reasonableness under UCTA. Accordingly, recourse against the cloud computing provider, by the company or their insurer, may only be available in very limited circumstances and could be expensive and difficult to pursue.  

Data Protection Act

Data held by companies that choose to store it with a cloud computing provider, raises issues under the Data Protection Act (DPA). The seventh principle of the DPA provides that a data controller must ensure a level of security appropriate to the harm that may result from accidental loss, destruction or damage of data. If the processing of data is delegated the data controller must use a processor who provides "sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out".  

If a company decides to store personal data with a cloud computing provider who will not guarantee that data is secure, it is likely that they are breaching their DPA requirements by not ensuring an appropriate level of security. The Information Commissioner has recently been given tougher powers to enforce the DPA. These increased powers follow high profile data loss cases in recent years with the number of data breaches reported to the Information Commissioner's Office soaring in the last year.  

In addition to the requirements under the DPA, companies regulated by the FSA are required to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems in place. The use of cloud computing services may breach this requirement. The FSA has considerable power to impose fines for breach of its principles.  

Comment  

Although the cost benefits and flexibility of cloud computing may be attractive to many companies, assessment of the risks will need to be considered carefully.  

Insurers may provide liability cover for documents and data owned or held by the insured. There is also a growing market in first party 'cyber risks' covers. Insurers in either case may want to establish whether an insured is using cloud computing services which increase the risk of loss, where recovery against the cloud computing supplier may not be straightforward.