
Dealing with the risks of cloud computing

By Ben Winslade, Senior Solicitor

There has already been a lot of talk about whether the devastation of the Christchurch earthquake will prompt a groundswell of businesses to move their IT systems into the cloud.

While the benefits of cloud services have become painfully apparent to businesses whose internal servers and IT infrastructure have been destroyed or are inaccessible, a lingering sense of unease at sending all your confidential business information into the cloud does seem to have remained. 

The contractual terms offered by many suppliers of “cloud offerings” have historically done little to alleviate these concerns. From a legal perspective, one of the crucial differences between a cloud service and its former incarnations has always been that, instead of a very detailed and often heavily negotiated contract, transactions are conducted and varied online in a matter of seconds via a clicked acceptance of the supplier’s standard terms.

While the flexibility to scale up or down on short notice is an important part of the cloud’s appeal, it is probably unrealistic for suppliers to expect large corporate or public sector customers to send their sensitive information into the cloud without thinking about the contractual obligations of the supplier with respect to that data. It is always possible to negotiate specific contractual safeguards to help address the data security and privacy issues associated with the cloud, and this is becoming increasingly common. Indeed, as large-scale customers such as central government begin entering the cloud, the nature of contractual terms being used for cloud offerings is beginning to evolve more generally.

Customers who do have concerns should not be afraid to ask specific questions about the supplier’s handling of their data. Will it be stored in NZ or spread around a global network of data centres? Will the supplier keep it on its own servers or send it to a third party (who may send it to a fourth, fifth, or sixth party)? What privacy and security standards does the supplier adhere to? Is it possible to conduct regular audits to check that the supplier does what it says it will with the data?

While national borders are increasingly irrelevant from a technological point of view, they remain influential from a legal perspective. The country where the physical servers are located will usually determine what laws apply to the parties handling the data, and which governments, law enforcement agencies and other companies can be granted access to the information, and in what circumstances. Likewise, the more entities involved in the storage and processing of your data, the more likely it is that one of them will go under, or be involved in a data breach.

Another important point to bear in mind is that when an organisation moves personal information (whether about its employees or customers) into the cloud, it does not necessarily mean that the organisation can forget about its Privacy Act 1993 responsibilities. If a cloud provider accidentally posts sensitive information about your customers on the internet, it may well be you that has to deal with the resulting Privacy Commissioner investigation. Asking a few questions of the supplier at the outset and putting in place some contractual safeguards will greatly assist you if there is a problem further down the line.

None of the above issues should be fatal when considering a cloud service. There are risks involved in every commercial transaction and cloud computing is no different. The contract is the vehicle which needs to manage those risks in a way which is acceptable to each side.

  • Ben Winslade is a senior solicitor at national and trans-Tasman lawyers Duncan Cotterill. B.winslade@DuncanCotterill.com
