October 2009

01 Oct 2009

Legal Issues in the Clouds

The cloud computing industry has been the subject of much debate recently, having experienced a rapid increase in popularity in a relatively short space of time. In this article, we discuss what cloud computing is and why it is currently popular, and examine the likely legal issues that businesses should consider before they place their valuable data in the clouds.

What is Cloud Computing?

Cloud computing services typically involve the supply of computer software, platforms or infrastructure by service providers to their customers over the internet, and generally have the following characteristics:

  • the customer's data is held by the service provider, and accessed by the customer, remotely;
  • resources are shared between customers, rather than each customer having its own dedicated resources (as is the case with a dedicated in-house resource, or where a customer uses a traditional outsourcing model); and
  • the services are charged to customers according to their usage.

Why is Cloud Computing Popular?

Cloud computing has become popular for a number of reasons, with perhaps the major ones being:

  • a customer only pays for the services that it requires during the period that it requires them (so it does not waste resources);
  • a customer can easily increase (or decrease) the amount of services that it requires;
  • a customer is not required to make any capital expenditure, and then pay maintenance or upgrading costs, for the IT infrastructure; and
  • some customers consider that their data is more secure, as service providers generally maintain copies of the data in multiple locations.

These can be very attractive and persuasive reasons in favour of signing up for cloud computing services. However, as with any arrangements involving the use, management and storage of business data, customers should ensure they are comfortable that key legal issues have been adequately addressed by their proposed service provider before they sign up.

Legal Issues

Security 

Data storage and email outsourcing are two of the most popular cloud computing services. Security in relation to the transfer, storage and access to customer data is critical and it should be one of the key issues a customer ensures is addressed in its arrangements with its cloud computing service provider.  

This is because, by transferring its data to a service provider, the customer hands over the control of its data to that service provider, and the result of any breach of security by the service provider could be potentially disastrous for the customer, leading (for example) to data loss, data corruption and data theft issues.

To mitigate this, the customer should take appropriate operational steps to reduce any risks (for example, by ensuring that any particularly sensitive data that should not leave a business does not do so). In addition, it should ensure that adequate safeguards are placed in any agreement with the service provider in relation to the storage, control and access of the customer's data. This includes the service provider committing to specified security measures and practices and giving appropriate undertakings and warranties to support those commitments. A customer may also want assurances regarding the service provider's disaster recovery procedures.

Privacy

Customers should be aware of the potential privacy issues that may arise in relation to the provision of the cloud computing services. 

In New Zealand, the transfer of personal information (ie information about an identifiable individual, such as an individual's name or address) is governed by privacy laws, including the Privacy Act 1993. Under these laws, a customer is required to comply with 12 information privacy principles relating to (amongst other matters) the disclosure and use of personal information. 

These principles prevent a customer from disclosing personal information to a third party unless an exception applies (for example, where the disclosure is authorised by the individual concerned). A customer will need to ensure that it complies with these principles (and other laws) in relation to disclosure of any personal data to a service provider.

Customers will also need to ensure that service providers do not use any personal information included in the customer's data (or in fact any of the customer's data) on the basis that the service provider's role is to store that data only. Under the Privacy Act, the customer remains responsible for the transfer of personal information to a service provider, and the service provider's subsequent use of that information. In addition, certain key privacy laws apply to information transferred outside New Zealand (where the vast majority of service providers will be based). So, for example, where a customer transfers data to a service provider based outside of New Zealand, the service provider must ensure that: "personal information is protected, by such safeguards as it is reasonable in the circumstances to take, against loss, access, use, modification, disclosure or other misuse". If it does not do so, then the customer (as well as the service provider) will be in breach of New Zealand's privacy laws.

Finally, customers should bear in mind that, in overseas jurisdictions, relevant legislation that service providers may be required to comply with could have implications for a customer's data. For example, the USA PATRIOT Act allows government agencies to access data within the United States (and the relevant agency is prohibited from stating whether the information has in fact been accessed).

Service Levels

Cloud computing providers have frequently been criticised for their reluctance to provide adequate service levels to customers, for example in relation to uptime (ie the time that the services are operational and available for use by customers). 

Clearly, any prospective cloud computing customer should review the service levels being offered by the service provider at as early a stage in the decision-making process as is possible, and compare these to the service levels that it already has in place or is considering putting in place via alternative arrangements.

Customer Capture

Cloud computing providers generally offer proprietary technology to their customers. Therefore one major practical issue for any customer, upon the expiry or termination of an agreement with its existing service provider, is migrating from that supplier's platform to one of its competitors' platforms. Accordingly, it is important that its agreement with the service provider contains adequate transitional provisions to enable this to be done easily and cost effectively.

Contract Enforcement

As mentioned above, the majority of cloud computing providers are based outside New Zealand. Therefore, if a customer does propose to enter into an agreement with an overseas service provider, it should consider (as one of a number of relevant factors), how difficult and expensive it may be for the customer to enforce a legal claim against the service provider, if the service provider were to breach the agreement between them.

Conclusion

While a prospective cloud computing customer may be tempted by the prospect of obtaining flexible, relatively low-cost and easily scalable cloud computing services, it should be aware of the legal and other issues involved in signing up for these services, and ensure that (as much as possible) it is comfortable that these issues have been adequately addressed and the potential risks effectively mitigated prior to entering into an agreement with a service provider.

Author

Karen Ngan

Partner - Corporate & Commercial
