Most companies are moving applications and systems to the cloud. But despite the attractions of this ever growing infrastructure model, the legal risks are neither widely nor well understood.
Your business needs to be as prepared as possible for the cloud and the officers who may be held responsible if things go wrong, or need to fix the problem, need to be properly briefed. They need to understand not just the potential benefits, but the downsides and risks, and what courses of action are available when they eventuate.
Take the following high profile example as a warning of what can go wrong. Many of us will recall German internet entrepreneur, Kim Dotcom (Kim Schmitz), and his adventures with New Zealand authorities.
What you may not be aware of is what took place in 2012 in the United States prior to his arrival in New Zealand.
Mr Dotcom and his company, Megaupload, were indicted on a variety of criminal offences related to copyright infringement. As part of this case, the FBI seized a number of domain names and over 1,000 servers operated by an affiliate company of Megaupload called Carpathia, intending that they be used in evidence against Megaupload.
The servers operated by Carpathia not only contained the data of Megaupload, but also that of many innocent and unrelated parties. Once the servers became evidence in a criminal case, the innocent parties who had data legitimately stored on those servers were not allowed to recover it, despite some showing their business relied on that data.
Consider how this incident would affect your business if you were one of those unlucky customers. Criminals and even terrorists are using the digital realm to aid their activities, meaning that the likelihood of a Megaupload-style incident being repeated is quite feasible, if not likely.
It would be an understatement to say there was a growing global focus on the security and integrity of IT systems, particularly relating to personal information.
Breaches of security can cause significant direct loss, but in the minds of senior executives, the biggest loss may well be indirect – loss of reputation is a good example so clearly there is a lot at stake.
So what does it do to your corporate IT risk profile if you take part or all of your IT operations out from behind your security facilities, and place them under someone else’s control? I am confident the answer is obvious.
What are the increased risks and how can you contain them? Does a solution lie in negotiating a comprehensive and balanced cloud supply agreement with the provider? Who should be responsible within your organisation for managing these issues?
In no particular order, the principal areas of concern for a purchaser of cloud services are: Privacy, security, data access, location and movement of data, sub-contracting/third party involvement, liability and responsibility, confidentiality, statutory or industry specific requirements, audit, performance accountability, security, business continuity, insurance, disputes, termination and changing suppliers. This is not an exhaustive list, but covers the key areas.
Before tackling these questions, there is a fundamental concept that must be accepted: understanding, implementing and using third party cloud facilities is a ‘team’ effort and not that of one or two people.
Yes, it is highly desirable to have one person manage the responsibility. However, that one person will need to understand the nature and breadth of the diverse range of personnel and roles he or she will need to oversee and draw information from. They will also need to maintain clear communication lines with, and support from, all those people.
There are clearly many IT related issues in setting up and operating a cloud connection, requiring the IT manager and support team to extensively investigate, including connectivity, storage locations, access, security and backup.
However, there are other areas requiring attention. Depending on the industry you are involved in, you may have industry-specific legislation or other requirements to identify and comply with regarding data handling and storage.
The Privacy Act is very likely to apply to data you collect or are supplied with, and retain. Your insurance may need to be reviewed (and possibly expanded and upgraded) to provide liability cover for the new data-handling circumstances.
If data is your core business, product liability cover may be an issue. It is essential that you put in place updated disaster recovery procedures and policies to take into account using the cloud.
Your executive management needs to be regularly briefed on all these issues and provided with status updates. Directors need to be advised that management of these issues likely goes to whether or not they properly discharge their legal duties as directors/executive managers.
Your HR department will need to look carefully at levels of access into the cloud facilities and whether additional terms are needed in your employment agreements. Internal staff guidelines and policies will also need to be expanded to cover what information can be put into the cloud and who is authorised to upload and download data.
It’s a lot of work to do but preparing thoroughly and understanding the breadth of the risk you are taking is vital if you are to avoid major problems, and in the worst case, losing access and control of your critical business data.
In the second part of this series, I will explore some of the detail behind the key issues and questions posed.
Guy Betar is a corporate/IT lawyer with more than 20 years’ experience. He is currently special counsel at Salvos Legal and can be contacted by email at firstname.lastname@example.org.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.