The "fine print" of cloud computing

One of the more difficult areas for IT leaders to come to terms with is the legal implications of cloud computing. Patrick Gray talks to a legal expert on what you should know.

Cloud computing is growing increasingly prevalent, and IT leaders are rapidly learning the ins and outs of negotiating with cloud providers. From determining and enforcing service-level agreements, to planning disaster-recovery scenarios, cloud opens a raft of new challenges. One of the more difficult areas for IT leaders to come to terms with is the legal implications of cloud computing. What if sensitive customer data are stolen from your cloud provider? Who foots the bill if aliens abscond with your provider's servers? Who is liable when the lawsuits start flying?

I sat down with Marcus Lee, an attorney at Moore & Van Allen who specializes in IT law. Marcus has recently worked with several large companies to negotiate their contracts with cloud providers, and I asked him what advice he is giving his clients on dealing with some of the legal aspects of cloud computing.

Data security and ownership

One of the critical concerns of cloud computing is data security. While you may think you "own" the data that your provider uses and gathers on your behalf, detailing the ownership of data in the contract with your service provider is critical. Lee suggests that "Data encryption; a right to audit security procedures and data centers; a requirement to be notified immediately of any security breach; and a requirement to allow an outside auditor to assess controls and procedures for storing, handling and transmitting data" should all be detailed in the contract. He also suggests that ownership of data not be left to assumptions. "The contract should clearly state that all data is owned by the client, and contain a provision that at the termination of the contract, the provider should agree to deliver a copy of client data, and permanently destroy all copies of the data in its possession."

Protecting yourself

We have all seen the dreaded "limitation on liability" clause in everything from amusement parks to complex vendor contracts, and working in the cloud is no exception. The first iteration of a contract is always in the favor of the drafting party, and Lee notes that cloud vendor contracts are no exception, especially around limitation on liability clauses. The provider "typically includes a provision that limits its liability to a fixed amount, often based on fees paid to the provider," says Lee. If you are served with a high-dollar lawsuit related to a customer data breach or suffer damages to your business when the provider has a technical problem, this is unlikely to cover the damages if the breach or outage was a result of the cloud provider's negligence.

The "green men from Mars" clause

Force majeure clauses (sometimes called "Acts of God") are unforeseen circumstances that would prevent the cloud provider from delivering on their promised services (often services for which you have paid in advance). These could range from the relatively mundane, like a key communications link being severed by a wanton backhoe, to all manner of natural disasters, terrorist incidents, and, yes, even little green men from Mars shutting down your provider. While you cannot expect your cloud provider to stay up and running through every unforeseen disaster scenario, Lee encourages clients to protect themselves from paying for a service they cannot use.

"A contract should only allow a force majeure clause to apply if the provider is in compliance with its backup obligations," says Lee, "and the client should receive a credit for each day of interruption, and be allowed to terminate the contract should the force majeure event last more than an agreed-upon time." In short, your cloud provider should not be able to claim force majeure if that "state of the art backup data center" is really someone's dorm-room closet and cannot handle the demand if the primary data center fails due to an earthquake.

When bad things happen to good companies

While cloud can be cost effective and let you focus on more important activities or provide your organization with unique capabilities, it is obviously not without risk. On what seems like a regular basis, we hear about providers "losing" a batch of backup tapes with sensitive customer information or a security breach resulting in a similar loss. Lee recommends several protections, including provisions that "indemnify, defend and hold harmless" the company engaging the cloud provider should the company be sued as a result of the provider's negligence.

In addition to legal concerns, many players in the cloud space are relatively new and untried, and some are bound to fail as the market matures. For a particularly risky provider, or in a situation where you cannot easily recreate the data held by your cloud vendor, Lee recommends your data be escrowed with a third party and that contractual provisions require the vendor to return your data and destroy any copies before turning off the lights and skipping town.

Just as with any other critical vendor, be it an implementation partner or the supplier of a critical component for a new product, old-fashioned due diligence can save you many legal and technical headaches. When asked what single factor could prevent many of the legal hurdles to cloud computing, Lee notes: "Even if you have a great contract with the cloud provider with all the right protections, it is still very important for the company to do a thorough due diligence on the cloud provider to be sure it is adequately secured and has appropriate backup capabilities."

Patrick Gray is the founder and president of Prevoyance Group and author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. Prevoyance Group provides strategy consulting services to Fortune 500 and 1000 companies. Patrick can be reached at patrick.gray@prevoyancegroup.com, and you can follow his blog at www.itbswatch.com.

About

Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent ...

7 comments
Shaun PC

I'm located in Ontario, Canada. The storage of anybody's personal data is covered by several laws in Ontario. Basically, you have to guarantee that a person's information cannot be viewed by any person or organisation without their consent. Freedom of information also requires that they be able to see their data on request. One of the results of the legislation to which we are subordinate is that we can only store data in a location that guarantees it will not leave Canadian jurisdiction. Having our data end up on a server in the US is not allowable because Homeland Security has the authority to view anything on a server located in the US. We have had to decline any "cloud" solution that cannot guarantee data will not leave Canada. Many companies assume this issue only applies to governmental organisations. In fact this covers all personal data - health, financial, addresses, legal, etc - whether or not it is stored by a private company, NGO or government organisation. The potential for liability is large, however many organisations get carried away with the hype and go ahead with cloud deployments without being aware of laws. I foresee interesting times ahead for many organisations...

To have access to my data in the cloud, would I have to be on the internet only? So if I go offline, meaning disconnect from the internet, I cannot access my personal data?

mark.kunkel

A cloud vendor's protective clauses in a contract reveal how deeply they understand the implications of having your data in their cloud. While the consumer may be frustrated by some of the contract's limiting factors, there is at least some comfort in knowing that the vendor is aware of potentially risky issues and has thought them through.

rhmccool

At its heart, the cloud computing concept is little more than a return to the days of mainframes and dumb terminals. Sure, there are efficiencies to be had, but only if you're willing to take the risk of depending upon communication links and server farms you don't control, and of losing control of what happens with your data.

MeadowsPV

Cloud Computing .. sounds like the old pendulum swing of centralized and 'thin-net clients' vs. decentralized computing .. As for me thinking of the Amazon outages ...[ singing ] Hey! Hey! You You! Get off of My Cloud..... gotta love those oldies but true-ies..

PMBOK Advocate

If you have collaboration tools in place then your files will synch with online and offline and you will be able to use your files while 'off line'. Like anything else, a careful and thoughtful process needs to be completed as each company and individual's needs are different.

santeewelding

If you have been paying attention to all this stuff, which, probably you haven't.
