Read the fine print before you fly into the cloud

The benefits of cloud computing must be considered in light of some of the potential risks writes e.law founder Allison Stanfield.

Cloud computing has become all the rage amongst businesses, and with good reason.  Cloud computing provides a cost effective way to store data.  
 
No more re-leasing equipment every three years, no more spending money on version upgrades to software and less spent on IT professionals.  However, Cloud vendors can provide space on servers so cheaply because they are able load balance clients’ data across their various server farms. 
 
However, what many users do not realise is that cloud vendors may store data in other countries, thereby creating jurisdictional issues for those needing access to the information.  
 
Another issue is that users may unwittingly sign away their right to even own their data; by clicking “I agree” without reading the fine print in the cloud vendor’s contract may sign away ownership to the vendor.  Indeed, the vendor may not even be obliged to provide stringent security around the data.
 
If a user no longer “owns” their data and if data is stored in another country, then there may be problems with discovery, since arguably the data is no longer in the user’s custody, possession or control.  Further, if data is in another country, it may be subject to seizure by that country’s regulatory authorities or the police, and if you do not own the data, you may not have a right to be informed of the data’s seizure.  
 
The best way for image and data managers to protect against these risks is to carefully read the contract provided by the cloud vendor before entering into it.  Some points to negotiate would include:
- ensure data stays local, this way if the organisation is involved in litigation, it will not be faced with jurisdictional issues; 
- having ownership continue to remain with the organisation; the cloud vendor is hosting the data but should never actually “own” it;
- being able to recover your data whenever you ask for it; if “ownership” of the data remains with the user, then by rights you should be able to get it back whenever you need it and the cloud vendor should be obliged to delete the information from its servers after it is handed back;
- ensuring the right to your data should apply to the cloud vendor; and
- having a clause in the contract covering the event of the cloud vendor’s insolvency ie that such an event triggers a right for you to terminate the contract and get have your data returned immediately.
 
At present, cloud vending appears to be somewhat unregulated, in that there are yet to be standards developed for the way in which cloud  vendors should be obliged to provide security and privacy around data stored on their servers.  No doubt this is due to the fact that cloud computing has taken off at a vast rate and has left little time for regulators to catch their breath, let alone keep up.  Having said that, some entities are starting to address the issue and APRA (Australian Prudential Regulator Authority) requires notification of any transfer of data offshore by financial services institutions.  
 
Some government departments have a blanket prohibition on the transfer of data offshore and in the recently released Exposure Draft on the Privacy Act (Cth), if enacted, will introduce vicarious liability so that if a business holding personal information discloses information to a cloud provider, it may be vicariously liable for any misuse of that personal information by the offshore entity. 
 
Therefore, until standards and policies are in place to protect data, it pays to be vigilant about where data is kept.  
 
Unfortunately, offshore storage of data remains outside of our legal system and any recourse would need to occur in the country where the data is kept, where the laws may be completely different to ours and enforcement rights we might expect in Australia simply will not be available. The enormous benefits of storing information in the cloud do not need to be outweighed by the risks, if those risks are addressed up front.  There may be a little more time and cost involved in covering these bases, but it will be worth it in the long run.
 
Allison Stanfield is the founder of e.law International, a niche legal technology company that
specialises in providing computer forensics, electronic discovery and electronic court services, as well as
hosting legal documents in the cloud (locally and securely)