Take care to ensure both your own and your customers' data is properly protected when embarking on a cloud services contract. That’s the message from Dudley Kneller, a partner at Madgwicks, who specialises in technology law and shared some of his insights into good governance around cloud computing contracts.
Dudley raised seven broad legal issues of which CIOs must be aware if they have deployed, or plan to deploy, cloud solutions.
- Personal Information Protection and Privacy.
In March 2014 Australia will introduce updated privacy laws which replace the National Privacy Principles (NPPs) with the Australian Privacy Principles (the APPs). With a push towards greater regulation and compliance across the board, cross border data flows are particularly impacted.
CIOs should take the time, or seek advice, to understand how to effectively store and transfer personal information overseas whilst at the same time ensuring current contracts are not in breach of these new regulations.
- Access By Foreign Governments
Governments in many countries around the world have provisions to compel cloud vendors to provide access to personal data in certain circumstances. Best known of these is the US Government's Patriot Act, but many other jurisdictions also grant their government agencies power to require access to personal information. Whilst some vendors push back, many feel compelled to provide government access to your customers' data, should the request be made.
- Security of data
Under the current NPP 4, vendors have to be able to demonstrate their ability to secure their customers' personal data. CIOs should ensure their provider is compliant.
- Service Level Agreements (SLAs)
Many cloud vendors offer off-the-shelf SLAs and are unable or unwilling to customise these agreements to suit each customer’s specific environment. With the exception of larger government agencies and corporates with big budgets, your organisation’s ability to negotiate contractual terms that suit your needs is often reduced.
At the same time, it should be noted, levels of service availability are usually very high and in many cases are greater than your organisation would be able to achieve on its own. The commercial implications of a (usually very public) failure by the cloud provider create an additional incentive to maintain high levels of availability.
- Retrieving data when a contract finishes
So-called “transition out clauses” are one area where CIOs should be particularly cautious. The terms of contract termination are often not handled well and there is little express contractual detail around the effective migration of your data sitting on your cloud provider’s servers.
If they offer the service at all, cloud vendors will charge a fee to export your data, either to another provider or for you to take in-house. CIOs should understand the financial implications of such clauses and ensure they properly deal with transition out obligations. Equally, some vendors have clauses that give them the right to delete your data from their servers following termination or expiry, often after a relatively short time period, such as 10 working days. Ensure your contract terms provide sufficient time to retrieve all your data.
- Unilateral changes to contract terms and conditions
Many cloud vendors require you to sign up to their standard contracts, which often provide them with the right to unilaterally alter the terms and conditions of the contract. This is a powerful right for the vendor and can lead to increased risk for you, their customer.
- Contract jurisdiction and governing law
Many cloud service providers are based overseas, especially the low-cost, high-volume providers of applications. In many cases, customers are signing contracts based on, say, Californian law. In this situation it is prohibitively expensive to enforce your contract rights overseas. Many of the larger cloud service providers are starting to provide contracts adapted to local Australian law.
Dudley concludes that cloud computing can undoubtedly provide tremendous economic and performance benefits to organisations. With some careful planning and accurate advice, most contractual risks can be managed.