Last week, I highlighted the Megaupload case as an example of how seriously things can go wrong in the cloud. In the second and final article in this series, I’m going to look more closely at some of the key issues to address when investigating cloud solutions.
The first question to consider is: what are the increased risks? Some key obligations under Australian privacy law will almost certainly become more challenging.
For example, you must not to disclose personal information outside Australia unless reasonable steps are taken to prevent the offshore recipient from breaching Australian Privacy Law – specifically Australian Privacy Principle 8 relating to the cross-border disclosure of personal information. This is relevant when your cloud supplier stores data outside Australia.
You must also protect personal information you hold from misuse, interference and other security related issues (APP11). This will be very challenging if you are not holding the data.
Finally, you must give a person access to their personal information that you hold, if they request it. Ask yourself: What will this entail if a third party holds the data?
The bottom line is that control over your data and its security are both impaired when you pass it into the hands of a cloud provider. As you can see from the three privacy elements noted above, impairment of control and protection of your data goes directly to your compliance with Australian privacy law.
This highlights the direct practical link between reduced control over your data, and increased legal exposure. It is not difficult to extrapolate this connection to other areas of possible exposure.
Using cloud services and facilities is not about eliminating risk – it’s about understanding the risks, minimising them where possible, and making informed decisions about what risks to accept. To do this, there are a number of critical tasks that need to be undertaken.
Firstly, you should review your internal disaster recovery plans. Consider them in the light of a Megaupload scenario and what that would mean to your business. Next, look at your backup procedures, and particularly whether you have access to all your data (including the data in the cloud) to ensure full backup.
If you are relying on the cloud provider to back up your data, you may have no access to it if the cloud supplier gets into difficulties, legally or technically. The IT technical staff on your team will also tell you that you need to understand how the cloud provider stores its data, and its backups, and to what extent it is co-mingled with everyone else’s data.
Insurance should be next on the list. You need to thoroughly review your policies to understand what exposures they cover, and whether placing your data with a cloud supplier comes within the ambit of the policies.
These and other related issues and tasks clearly need to be co-ordinated by management and your professional advisors, and brought together in a cohesive and informed way. One essential ingredient is the contract for supply of cloud services.
Even though there are a range of steps to be taken, both investigative and preventative, the majority of them will also need to be addressed in the contract.Read more: Why does IT exist?
This is a key document for several reasons. Firstly, there must be a comprehensive statement of the rights and obligations of both parties, otherwise the supplier will not be accountable for failures.
Secondly, even though there are a number of essential practical steps and precautions to be taken to move into the cloud, it is critical that cloud users protect themselves legally.
Without a thorough and enforceable contract, not only might you not be able to take protective action against the supplier, your insurance may be prejudiced and possibly the senior executives may have breached their duties by failing to ensure an adequate contract was put in place.
The contract must address a range of important issues. The items touched on above – privacy, disaster recovery, backup, day to day access –must all be covered in your contract.
Apart from standard items that should be dealt with in a supply of services type agreement, there are very specific elements that must also be included, which are unique to cloud-related situations. I will touch on some of them here.
There are two critical geographical issues that must covered. Firstly, where is your cloud supplier – is it an Australian corporation or is it an offshore entity? Even if it is a local entity, is it using sub-contractors who may or may not be on-shore?
Non-Australian entities are for the most part not subject to Australian law, and therefore you may not be able to say with certainty what rights you might be able to enforce against a foreign provider, no matter how comprehensive your contract is.
Secondly, in what country/location are the cloud supplier’s data repositories? Where the data is stored offshore, it is essential to know the locations. Foreign laws vary enormously in terms of your rights, if any, to access your data.
The answers to these two questions will govern a number of different clauses that will need to be included in your contract to provide you with appropriate protection. One provision in particular that becomes very important will be a prohibition against moving the data, and/or sub-contracting to other parties to handle and manage the data.
An absolute no-no in using commercial cloud facilities is a standard form, non-negotiable contract. The interests of supplier and customer are so diametrically opposed in this particular sub-industry, a standard form contract would almost invariably be totally inadequate to protect a commercial user of cloud facilities.
Data is one of the most valuable commodities in the commercial world – protect yours properly.
Guy Betar is a corporate/IT lawyer with more than 20 years’ experience. He is currently special counsel at Salvos Legal and can be contacted at firstname.lastname@example.org.