Cloud Computing Legal Issues

Stephen Mathias Technology Law Practice Kochhar & Co, Bangalore

Even though cloud computing presents significant advantages for businesses, it means increased loss of control which results in higher risks that must be mitigated either in the contract or through practical means

Unlike regular outsourcing contracts where terms are fairly standardised, it is still unclear what are acceptable terms in the cloud computing environment. Legal concepts in the traditional world such as absence of warranties and limitation of liability may not work in cloud computing because of increased risks.

Choosing a service provider carefully is more important in the cloud context because if the service provider ceases operations, you may lose access to the software and/or your data whereas in the traditional software environment, you would mostly lose access to maintenance and updates.

Due diligence on the vendor must include a review of his financial position and possibly, checking references with existing customers on the quality of service provided as well as understanding the IT infrastructure he has in place.

A customer must put in place a cloud computing policy which sets out when it intends to use the cloud and under what terms and what it would do to mitigate the risks if it cannot obtain its desired terms.

Business continuity is far more important in cloud computing because the business cannot function if it cannot access the application or the data. An effective SLA arrangement would seem to be the solution that the customer would desire in the absence of warranties

It is important to understand carve outs to uptime commitments - customer related downtime should be fair and balanced and scheduled maintenance provisions should not be unreasonable.

While a service provider will commit to reasonable security, a customer will want at least a commitment to a specified security standard and certification or a right to audit. The security policy must cover issues such as data backup, strength of data encryption, restricted access by staff, etc.

The customer must consider whether certain types of data should be stored in the public cloud, private cloud or be separately backed up. How the vendor stores the data is important. Will there be inter mingling of data? What kind of customers does the vendor have?

Where the servers are located is also important in terms of your data being stored in less risky countries and the effects of regulation of data there. Stability of internet access is also important.

Storing your data in the cloud makes it easier for governments to access it or for governments and courts to pull the plug due to the fact that the vendor may be hosting content of a rogue customer

An understanding of which parties provide the overall offering is also important particularly if the vendor uses unreliable third parties or tries to disclaim liability for third party actions.

Inter-operability and open standards is a bigger issue in the cloud in the context of migration you dont want to be locked in to the cloud provider and need commitments that secures your ability to migrate to another vendor

Be mindful of regulatory restrictions on sharing data with third parties or requiring vendors to meet regulatory requirements, e.g., HIPPAA compliance in the US or RBI & DoT regulations in India.

Many countries have privacy laws that require that personal data cannot be transferred except to a country with a similar level of legal protection. This may prevent the customer from using the cloud and impose additional requirements on the vendor.

While the modern connected and flat world makes the remote provision of services easier, be minding of tax laws in the customer country that may require the vendor to be taxed or for payments to be withheld.

A customer should be mindful of requiring the provider to meet standards the customer would not have set for itself. At the same time, the ability of the service provider to meet a higher standard is a key reason for moving to the cloud.

Thank You
__________________________________ Stephen Mathias Technology Law Practice Kochhar & Co 201 Prestige Sigma, 3 Vittal Mallya Road Bangalore 560001 stephen.mathias@bgl.kochhar.com _________________________________