Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Legal issues in the Cloud - Part 3

There are no laws unique to the Cloud, but you must undertake due diligence

Due diligence

Proper due diligence focuses on identifying the players in the Cloud relationship. That is, who is actually involved in providing the services and are they the same entity (or entities) that are processing or storing data? In the case of aggregators, for example, a Cloud user could be dealing with a single entity which itself is provided services by various third parties.

From a contractual and liability perspective, it’s important for the user to know whether it has a directly enforceable contract with the key players or whether it is relying on those with whom it does have a contract to enforce relevant provisions itself. For example, what happens if the services are unavailable or there is a breach of security and data is exposed? Has adequate due diligence been carried out along the chain of responsibility?

Terms of use should be reviewed in detail — and this should be done with all stakeholders, not just the legal and compliance teams. For example, a review of terms should seek to assess issues such as:

  • The parties in the Cloud stack — not just the contracting parties — and their roles, rights and obligations, especially regarding data;
  • Whether each party has the rights required from other parties in the Cloud stack;
  • The capabilities and liability of other parties in the Cloud stack;
  • Backup/restoring data and disaster recovery;
  • Service levels and what happens if the internet is unavailable;
  • Continuous availability of services for business continuity;
  • Treatment of data on termination/insolvency;
  • What happens in the event of a security breach?; and
  • Issues such as change of control, service levels, service credits, audit rights, compliance with security standards, procedures in the event of a breach, force majeure.

Of course, in terms of risk management, users of Cloud services are to an extent letting go of control. If there is an outage or a security breach, a user of Cloud services could be in breach of its own contract with its own customers or of applicable laws, even if this is caused by the provider of services. This element of risk is brought into sharp focus when you consider that providers of IT services often tend to offer their services “as is”, without assuming any risk — and with an exclusion for all liability where permitted by law. This is reinforced by a reading of some standard disclaimers on Cloud computing sites.

Read 12 questions to ask when considering the Cloud.

As of September 2010, Google Apps Premier Edition’s online disclaimer for example noted that “... Google and its licensors make no warranty of any kind, whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and/or non-infringement. Google assumes no responsibility for the use of the service(s). Google and its licensors make no representations about any content or information made accessible by or through the service. Google makes no representation that Google (or any third party) will issue updates or enhancements to the service. Google does not warrant that the functions contained in the service will be uninterrupted or error-free.”

Small and medium enterprises using such services will have little opportunity to negotiate around those terms and conditions.

Larger enterprises might, however. The City of Los Angeles, for example, has reportedly negotiated a Cloud deal with Google which includes unlimited damages for a data breach, guarantees as to where the data will remain and penalties if the services are not available for longer than five minutes a month.

Read Part 1 of Legal issues in the Cloud.

Read Part 2 - Data sovereignty.

Read Part 4 - Data exit from the Cloud.

Mark Vincent is the lead technology and intellectual property partner and Nick Hart is a senior lawyer with Sydney based new economy law firm, Truman Hoyle.

Follow CIO Australia on Twitter: @CIO_Australia

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Google
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: cloud computing, data sovereignty, due dilligence, legal, privacy, Truman Hoyle
Latest Blog Posts
Whitepapers
  • Virtualise, Manage, Backup, Consolidate
    Datacenter sprawl is one of the larger challenges that datacenter managers are facing today. Over time, applications, servers, and storage can create many unique architectures across the IT infrastructure. This can introduce complexity, increase costs, and compromise business-critical application performance and availability. Read on.
    Learn more »
  • Virtualisation and Cloud Computing: Optimised Power, Cooling, and Management Maximises Benefits
    While the benefits of this technology and service delivery model are well known, understood, and increasingly being taken advantage of, their effects on the data center physical infrastructure (DCPI) are less understood. The purpose of this paper is to describe these effects while offering possible solutions or methods for dealing with them. Read this whitepaper.
    Learn more »
  • Why Two Thirds of Enterprise Architecture Projects Fail
    This is the conclusion of a study for the R otterdam U niversity carried out by J onathan B roer in the summer of 2008, ordered by BPM and E A software vendor IDS S cheer. B roer questioned 161 respondents from 89 organizations representing a range of industries about their vision and implementation of the enterprise architecture concept.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments