Cloud computing services – what are the risk management and legal issues for users?

Cloud services can be enablers for a company’s digital transformation. However, understanding the risks and legal issues associated with the use of cloud computing services is critical to managing risks, protecting enterprise data and related intellectual property, and reducing the risk of business disruption.

Companies are increasingly using software applications, tools, data storage, and backup services that are provided as a cloud-based solution using computer servers located in data centers owned or controlled by third parties (“cloud services”). Gartner predicts that global spending on end-user cloud services will rise about 20 percent through 2022 to about $500 billion, and expenditures are expected to reach $600 billion in 2023.[i]

Dangerous work

Companies that use cloud services without due diligence, including legal review of the terms and conditions of cloud services agreements and risk management, are potentially endangering their data and associated intellectual property (“IP”) and business processes. It is important that companies understand the risks and benefits of cloud services and have appropriate processes and systems in place to manage potential risks.

In some cases, vendors of cloud-based solutions use third-party data centers to provide cloud-based facilities, which adds another level of complexity. In this case, the company may have a contract with the cloud solutions supplier but no contractual relationship with the third-party data centers that provide servers and data storage facilities. If the contractual relationship between the cloud solutions supplier and the data center is terminated, the company may not be able to access its data from the data center, particularly when the cloud solutions supplier is in breach of its agreement with the data center. It is important that all third-party data center agreements are also reviewed, so that the company has rights to access data stored in a third-party data center. Due diligence and risk management should extend to data centers.

Legal issues and risk management

The legal and risk management issues that businesses have to consider when using cloud-based software services are complex[ii] and must be considered on a case-by-case basis. Companies looking to use cloud-based services should seek legal advice specific to the cloud-based solution they wish to use and the agreement they are proposing to enter into.

Some of the legal and risk management issues to consider regarding cloud computing services include:

  1. Does the cloud service solution provider physically operate its business in Australia or outside of Australia? If the cloud service provider is an external entity, companies will have to consider how they can enforce their rights and access their data and content (including IP) in the event of a data breach or non-compliance with the cloud service agreement, or if the service provider becomes bankrupt or insolvent, or if the company wants to transition to another supplier or use a different software application.
  2. Where is the location of the data center where business data and content (including IP) is processed, stored, and transmitted? Terms and conditions generally do not specify the physical location of data centers and backup storage facilities. Data can be stored in a number of different countries, and accessed and processed by multiple entities in different countries, without cloud service users knowing where their data and content (including IP) are located. For example, Dropbox’s online services agreement for the use of the Dropbox document sharing service, which is used by many companies and organizations, has a term that states: “Customer agrees that Dropbox and its subcontractors may transfer Customer Data to, access, use and store Customer Data in locations other than Customer’s country”, but does not specify countries or data center locations[iii].
  3. What are the legal, security and other risks associated with data and content (including IP) stored in data centers outside Australia, in countries whose data, intellectual property and privacy protection laws are not comparable to Australian laws?
  4. What security measures and controls have been implemented by the cloud solution provider?
    • Does the cloud computing provider have an information security certification such as ISO 27001?
    • Does the cloud service provider use encryption to transmit and store data and content (including IP)?
    • Does the cloud service provider use appropriate authentication procedures to access data and content (including IP) stored in the cloud?
    • Does the cloud service provider have adequate security and controls to protect against cyber or other incidents?
    • Does the cloud service provider segment the data so that the data is stored in different data centers?
  5. Is the cloud provider audited externally for security and data protection compliance on a regular basis? If so, a copy of the audit reports should be requested. This will help identify potential risks in the use of the service and manage those risks.
  6. Who owns the data and content (including IP) that is uploaded and/or generated using the cloud-based solution? Cloud solution agreements can include terms providing that materials (including IP) created using the cloud-based application are wholly or partly owned by the cloud-based service provider.
  7. What rights does the cloud solutions provider have to use corporate data and content (including IP)? Cloud solutions agreements can also include terms that give cloud vendors broad rights to use, disclose, copy, adapt, publish, and transmit corporate data and content (including IP).
  8. What arrangements do the cloud service provider (including a third-party data center) and the companies that intend to use the cloud make to deal with network and service outages? Cloud service providers, including third-party data centers, must have alternative means for the cloud solution and data to be accessed, should such an event occur. Data should also be backed up and accessible from alternate locations. Some cloud-based applications include functionality that allows companies to back up their data on a daily or weekly basis on their own internal servers that they control.
  9. What are the terms in the cloud service agreement addressing disengagement and moving to a new service provider, or alternatively moving facilities in-house, upon termination of the agreement or service? Most agreements allow up to 30 days for companies to migrate their data to another system; however, they do not have proper provisions that require the cloud service provider to assist with the process. The agreements also do not specify the costs involved in extracting or retrieving data and migrating it to a new system. This can be an expensive process. Incidents have been reported where companies have had to pay exorbitant fees to access their data.
  10. What happens when company data (including IP) is stored in a data center that is closed due to a court order or government action? What happens in the event of the bankruptcy or insolvency of a cloud solutions provider? How will the business access its data and IP? How will these risks be managed so that there is minimal disruption to the business?

It is important that companies have adequate risk and redundancy management plans, to gain access to their valuable data and intellectual property and to reduce the risk of business disruption. If your business depends entirely on cloud-based solutions, how long can your business operate without access to cloud-based facilities? Oftentimes, individuals, companies, and organizations use cloud-based software applications and tools, and agree to the terms and conditions of using the online cloud service without first reading the terms, thus exposing themselves to significant legal, commercial and data security risks.
