You Can't Have Clouds Without a Little Bit of Lightning: Cloud Computing in 2012
You’ve likely heard the term “cloud computing.” But what is it? And how do you avoid legal lightning strikes? Cloud computing is a service model that enables ubiquitous access to on-demand software services, typically through a shared pool of configurable servers. The service model allows users of the “cloud” to gain access to software solutions and services from any location with internet access through mobile devices, tablets, laptops, and workstations - and can efficiently bring additional resources on-stream as needed.
The “cloud” phenomenon is not entirely new: the IT industry has been moving in this direction for a decade. However, there has been a recent surge in consumer interest and technological capacity to provide such services. Of course, the legal issues that are engaged when using the “cloud” depend on a number of variables, such as the industry, the type of service, the service model, and whether it is a “public” or “private” cloud. If you are considering cloud computing for your organization, here are a few general issues to consider, from a legal perspective:
- Data & Privacy: Confidentiality and privacy issues are front and centre for many organizations. When handling confidential data – for example, transaction logs, customer data, or financial information – an organization must assess the sensitivity of the information and ensure that the cloud security features are proportionate to that sensitivity. Here are a few things to determine: whether Canadian privacy laws apply, where your data is being hosted and what laws apply in that region, and whether your service provider can be bound to Canadian laws. Remember: Canadian laws may not apply to a server located offshore. Cloud computing does not necessarily carry more risk than non-cloud solutions. I note that many of the privacy breaches reported in Alberta last year were from simple human error and relatively low-tech slip-ups (for example, fax machines and garbage bags full of confidential documents). The risks associated with a privacy breach must be assessed.
- Intellectual Property (IP): Cloud computing carries certain risks associated with patents, copyright, trade-marks, and trade secrets. You should consider the question of ownership of IP and improvements, including ownership of content and data uploaded to a cloud-based service. A well-drafted cloud-computing service agreement should also address issues surrounding IP infringement claims, including infringement of patents, copyright and trade-marks.
- Service Failures: What are the consequences to your business when your cloud service is inaccessible due to a failure? There may be a cloud service provider failure, due to a failure of software, hardware, or host-servers. However, remember that other factors can impact your use of the cloud, such as internet failures, power outages, and slowdowns or blackouts in wireless or cell access. Consider what disaster-recovery or backup services are available from the service provider in the event of a catastrophic outage, and the business consequences of being unable to access data or services for hours, or days.
- Vendor Lock-In: The ability to terminate your cloud computing agreement and take your business elsewhere can be complicated by the problem of vendor lock-in. When your data and business processes are deeply enmeshed with the cloud service vendor, there are significant disincentives to move to a different vendor, even when your current vendor is falling down on service or reliability. To address this risk, consider what happens when the relationship ends and, most importantly, what happens to your data. Can it be accessed by the end-user in a useable format? All of these issues should be considered in your cloud computing contracts.
- Mitigating Risks: Business is all about risk and reward, and legal advisors can help you understand and mitigate the risks. When negotiating cloud-based IT service agreements, risk can be allocated in the “fine print” through representations, warranties and indemnities. Risk can also be allocated by other means, including: specialized insurance, testing and verification procedures, data back-up protocols, and data escrow plans. Remember: the negotiations about risk allocation are very unlikely to change the underlying architecture of the cloud-based service. The “fine print” is a way of allocating financial penalties, but (typically) these financial negotiations do not change or improve things such as functionality, uptime, technical capacity, availability, or security protocols. Therefore, it is critical to consider, in advance, both the legal and technical standards to which your service provider is bound.
Cloud computing carries tremendous promise, and, when handled carefully, the legal risks can be addressed in a well-drafted cloud computing service agreement. To learn more about cloud computing, the National Institute of Standards and Technology’s paper may be useful. If you wish to discuss the risks and benefits of cloud computing for your particular business, please contact Field Law's Intellectual Property + Technology Group for advice, and follow ipblog.ca for updates on this emerging area of technology.