Although many definitions exist, broadly speaking ‘cloud computing’ is the outsourcing of specified IT functions via the internet (the cloud) to provide or receive services that would otherwise only be available if the end user had installed the appropriate hardware and/or software on desktops, or on local networks controlled by that organisation itself. Such services may include the use of software over the internet or the remote storage of business data by a third-party provider. One benefit of this is that businesses can structure payment for these services differently (for example pay-as-you-go or on a subscription basis), rather than having to pay large up-front costs for long-term software licences and for the purchase and installation of the IT infrastructure needed to support the services locally.
Cloud computing is a growing industry and an increasing number of businesses are taking advantage of the potential cost savings it offers, with some estimates predicting that the industry will be worth over £30bn by 2012. Because of the reduced cost and increased flexibility it brings, a migration to cloud computing is compelling for many small and medium enterprises (SMEs). This article summarises some of the key legal issues associated with cloud computing that were identified recently in the European Network and Information Security Agency’s November 2009 report, ‘Cloud computing – benefits, risks and recommendations for information security’ (the report), which focused in particular on the effect on SMEs of the legal issues identified, since in most cases they will not have the bargaining power to negotiate the standard contracts offered by cloud providers. Clearly, the issues also impact larger organisations but may be easier to resolve where the organisation has the power to negotiate appropriate contractual provisions.
DATA PROTECTION
Most cloud services, for example e-mail, payroll, customer relationship management and sales management services, involve the processing of personal data. The report therefore considers data protection issues to be of particular importance. The customer will almost always be the data controller (with the cloud provider acting as a data processor on its behalf), making the customer responsible for compliance with applicable data protection legislation, for example any national legislation implementing the European Data Protection Directive, 95/46/EC (the Directive), such as the UK Data Protection Act 1998. The Directive applies where the data controller is established in the EU or where a controller established outside the EU makes use of equipment located in the EU to process personal data.
In addition to the general obligations imposed on data controllers regarding their own security arrangements and access, the Directive (Article 17) requires an organisation that uses a processor to:
- choose a cloud provider that gives sufficient guarantees in respect of its technical and organisational security measures;
- take reasonable steps to ensure compliance with those measures; and
- put the arrangement in a written contract under which the provider acts only on the customer’s instructions and is bound by equivalent security obligations.
To ensure that it complies with the Directive, an SME will therefore need to evaluate whether the provider’s security measures are adequate and whether the relevant contractual provisions give it sufficient protection. By its nature, cloud computing is multi-jurisdictional, both in terms of the movement of data and the location of customers, and this means that providers’ standard contracts will not generally commit the provider to a general obligation to comply with applicable data protection legislation. The customer must accordingly satisfy itself that the specific contractual obligations imposed on the provider (if any) are adequate to ensure compliance with the legislation that applies to the customer. If those obligations are not sufficient, the organisation may need to reconsider whether the provider’s cloud solution is appropriate for the purposes proposed.
Customers should establish whether personal data is to be transferred outside the European Economic Area. If it is, the task of ensuring compliance with the Directive’s restrictions on transfers to third countries (Articles 25 and 26) is likely to fall on the customer, since providers are unlikely to take on this responsibility. This may mean that the customer must obtain the data subjects’ consent to the transfer (one of the derogations in Article 26 of the Directive) or rely on another recognised basis, such as the Commission’s ‘safe harbour’ adequacy decision for transfers to certified organisations in the US, or standard contractual clauses approved under Article 26. In practice, this may not be feasible for many organisations and, again, a cloud solution may therefore not be viable.
CONFIDENTIALITY AND INTELLECTUAL PROPERTY (IP)
Depending on the services, an organisation’s confidential information, IP and know-how may be processed in the cloud, and any unauthorised disclosure (whether by an act of the cloud provider itself or as a result of a security breach) has the potential to harm that organisation’s business. In this context, ‘processing’ refers to using or altering the information or know-how in some way, rather than merely storing it. Since such processing will usually require the data to be in unencrypted form while it is being worked on, an organisation is potentially more exposed in the event of an unauthorised disclosure than it would be with pure storage. Similarly, if a cloud computing solution involves giving the provider any information that includes valuable IP, then the customer needs to ensure that the provider will protect that information appropriately.
Organisations should therefore carefully analyse the confidentiality and intellectual property provisions in the contract to ensure appropriate protection, including any statements setting out the security measures that the provider is required to have in place, such as encryption of data, and provisions governing the provider’s liability to the customer for any breach. Any stated encryption should also be verified from a practical perspective: the customer should ask what is encrypted (data in transit, data at rest, or both), who holds the keys and which of the provider’s staff can use them, because encryption under keys the provider controls protects against some third-party breaches but offers little protection against disclosure by the provider itself.
Ultimately, the customer needs to be comfortable that the provider will protect the customer’s confidentiality and IP as far as possible without compromising the quality of service offered, and they will need to ensure that the contract reflects this.
LIABILITY
Clearly, failures in a cloud service may in turn affect an organisation’s ability to comply with its obligations to its own customers. There is therefore a risk that the organisation may be liable to its customers or employees for negligence or breach of contract. Many cloud providers exclude or limit their liability for unauthorised access or use, corruption, deletion, destruction or loss of data. Customers must review such limitation or exclusion of liability clauses in light of the services they propose to contract out to the cloud provider and the customer’s own obligations (whether contractual or otherwise) to customers and employees who could be affected by any failure. Similar issues arise where the customer’s sole remedy is limited to service credits, which will rarely reflect the actual loss suffered.
OUTSOURCING AND CHANGE IN CONTROL
An SME may base its choice of a particular cloud computing provider on the unique qualities of that provider and/or its service offering. The outsourcing of a function by the provider, or a change in its control, may affect the way it provides those services. The SME should therefore determine whether the provider intends to outsource any services (including to sub-processors of personal data) and whether it gives any guarantees or warranties relating to those services. In addition, the SME should review the contract to determine how changes in control are dealt with, for example whether the customer must be notified and whether it has the right to terminate in the event of a change in control.
What emerges from an analysis of each of the issues above is that all too often cloud providers’ standard contracts fail to provide adequate protection to customers. Any organisation considering a cloud computing service needs to consider carefully all relevant issues and risks associated with cloud computing solutions, particularly where personal data, valuable intellectual property or confidential information is involved. We recommend that organisations read the full report, which identifies and assesses a wide range of technical, security, organisational and policy risks to consider, in addition to the legal issues summarised above.