Cloud Based Computing Services – What are the risk management and legal issues for users?

Cloud services can be enablers for a company’s digital transformation. However, understanding the risks and legal issues associated with using cloud-based computing services is critical for risk management and protection of an organization’s data and related intellectual property and to minimize the risk of business disruption.

Companies are increasingly using software applications and tools, data storage and back up services that are provided as a cloud based solution utilizing computer servers located in data centers owned or controlled by third parties (“cloud services“). Gartner forecasts that worldwide spending on end-user cloud services will increase by about 20 percent during 2022 to about US$500 billion, with expenditure expected to reach US$600 billion in 2023[i].

Risky business

Companies using cloud services, without proper due diligence including the legal review of the terms and conditions of the cloud services agreements and risk management are potentially putting at risk their data and associated intellectual property (“IP”) and business operations. It is important that businesses understand the risks and benefits of cloud based services and have proper processes and systems to manage the potential risks.

In some cases, the cloud based solution suppliers use third party data centers to provide the cloud based facilities, which adds another level of complication. In this situation, the business may have a contract with the cloud solution supplier but has no contractual relationship with third party data centers who provide the servers and data storage facilities. If the contractual relationship between the cloud solution supplier and datacentre are terminated, the business may not be able to access its data from the datacentre, particularly where the cloud solution supplier is in breach of its agreement with the datacentre. It is important that all third party data center agreements are also reviewed so that the company has rights to access data stored at a third party data center. The due diligence and risk management process should extend to datacentres.

Legal and Risk Management Issues

The legal and risk management issues that companies need to consider when using cloud based software services are complex[ii] and must be considered on a case by case basis. Businesses looking at using cloud based services should seek legal advice which is specific to the cloud based solution that they wish to use and the agreement that they propose to enter.

Some of the legal and risk management issues that should be considered in relation to cloud based computing services include:

  1. Does the cloud service solutions become more efficient, physically operate its business in Australia or outside Australia? If the cloud service supplier is an overseas entity, businesses will have to consider how they can enforce their rights and access their data and content (including IP) where there has been a data breach or non-compliance with the cloud service agreement, the service provider becomes bankrupt or insolvent or they wish to transition to another supplier or use a different software application.
  2. Where is the location of the data center where the business’s data and content (including IP) is to be processed, stored and transferred? Terms and conditions generally do not specify the physical location of the data centers and back up storage facilities. However, data could be stored in a number of different countries, accessed and processed by multiple entities in different countries, without the users of the cloud service knowing where their data and content (including IP) is located. For example, the on-line Dropbox Services Agreement for the use of the Dropbox document sharing service that is used by many businesses and organizations which contains a term which states: Customer agrees that Dropbox and its subcontractors may transfer Customer Data to and access, use and store Customer Data in locations other than Customer’s country but does not specify the countries or the location of the data centers[iii].
  3. What are the legal, security and other risks associated with the data and content (including IP) being stored in datacentres outside Australia in countries whose data, IP and privacy protection and enforcement laws are not comparable to Australian laws?
  4. What security measures and controls have been implemented by the cloud solutions provider?
    • Does the cloud computer provider have information security accreditation such as ISO 27001?
    • Does the cloud service provider use encryption for transmission and storage of data and content (including IP)?
    • Does the cloud service provider use adequate authentication procedures for access to data and content (including IP) stored on the cloud?
    • Does the cloud service provider have adequate security and controls to protect against cyber or other incidents?
    • Does the cloud service provider segment the data so that the data is stored in different datacentres?
  5. Is the cloud service provider externally audited for security and data protection compliance on a regular basis? If so, a copy of the audit reports should be requested. This will assist the business in identifying the potential risks in using the service and managing the risks.
  6. Who owns the data and content (including IP) that is uploaded and/or generated using the cloud based solution? Terms of cloud solutions agreements can include terms which provide for ownership of material (including IP) generated by using the cloud based application to be owned in part or whole by the supplier of the cloud based service.
  7. What rights are given to the cloud solutions supplier to use the businesses’ data and content (including IP)? Cloud solution agreements can also include terms that give the cloud solutions suppliers extensive rights to use, disclose, copy, adapt, publish and transfer the businesses’ data and content (including IP).
  8. What arrangements do the cloud service supplier (including third party datacentre) and businesses intending to use the cloud service have to deal with network and services outages or interruptions? The cloud service suppliers including third party data centers should have alternative means for the cloud based solution and data to be accessed, in the case of such occurrence. Data should also be backed up and accessible from alternate locations. Some cloud based applications include functionality which allow for companies to back up their data on a daily or weekly basis onto their own internal servers which they control.
  9. What terms exist in the cloud service agreement dealing with disengagement and transitioning to a new service provider or alternatively moving facilities in house, upon termination of the agreement or service? Most agreements allow up to 30 days for companies to migrate their data to another system, however do not contain adequate provisions requiring the cloud service provider to assist with the process. The agreements also do not specify the costs involved in extraction or recovery of the data and its migration to a new system. This can be a costly process. There have been reported incidents of companies having to pay hefty fees to access their data.
  10. What happens where the business’s data (including IP) is stored at a data center which is shut down because of court order or government action? What happens in the case of bankruptcy or insolvency of the cloud solution provider? How is the business going to access its data and valuable IP? How are these risks going to be managed so that there is minimum disruption to the business?

It is important that companies have appropriate risk management and redundancy plans in place to access their valuable data and IP and minimize the risk of business disruption. If your business is totally reliant on cloud based solutions, how long can your business operate without access to the cloud based facilities. Too often individuals, business and organizations use cloud based software applications and tools, agreeing to online terms and conditions of use of cloud service without first reading the terms, thus exposing themselves to significant legal, business and data security risks.

.

Leave a Reply

%d bloggers like this: