Proper due diligence focuses on identifying the players in the Cloud relationship. That is, who is actually involved in providing the services and are they the same entity (or entities) that are processing or storing data? In the case of aggregators, for example, a Cloud user could be dealing with a single entity which itself is provided services by various third parties.
From a contractual and liability perspective, it’s important for the user to know whether it has a directly enforceable contract with the key players or whether it is relying on those with whom it does have a contract to enforce relevant provisions itself. For example, what happens if the services are unavailable or there is a breach of security and data is exposed? Has adequate due diligence been carried out along the chain of responsibility?
- The parties in the Cloud stack — not just the contracting parties — and their roles, rights and obligations, especially regarding data;
- Whether each party has the rights required from other parties in the Cloud stack;
- The capabilities and liability of other parties in the Cloud stack;
- Backup/restoring data and disaster recovery;
- Service levels and what happens if the internet is unavailable;
- Continuous availability of services for business continuity;
- Treatment of data on termination/insolvency;
- What happens in the event of a security breach; and
- Issues such as change of control, service levels, service credits, audit rights, compliance with security standards, procedures in the event of a breach, force majeure.
Of course, in terms of risk management, users of Cloud services are to an extent letting go of control. If there is an outage or a security breach, a user of Cloud services could be in breach of its own contract with its own customers or of applicable laws, even if this is caused by the provider of services. This element of risk is brought into sharp focus when you consider that providers of IT services often tend to offer their services “as is”, without assuming any risk — and with an exclusion for all liability where permitted by law. This is reinforced by a reading of some standard disclaimers on Cloud computing sites.
As of September 2010, Google Apps Premier Edition’s online disclaimer for example noted that “... Google and its licensors make no warranty of any kind, whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and/or non-infringement. Google assumes no responsibility for the use of the service(s). Google and its licensors make no representations about any content or information made accessible by or through the service. Google makes no representation that Google (or any third party) will issue updates or enhancements to the service. Google does not warrant that the functions contained in the service will be uninterrupted or error-free.”
Small and medium enterprises using such services will have little opportunity to negotiate around those terms and conditions.
Larger enterprises might, however. The City of Los Angeles, for example, has reportedly negotiated a Cloud deal with Google which includes unlimited damages for a data breach, guarantees as to where the data will remain and penalties if the services are not available for longer than five minutes a month.
Mark Vincent is the lead technology and intellectual property partner and Nick Hart is a senior lawyer with Sydney based new economy law firm, Truman Hoyle.