Understanding and Managing the Risks
By Katarina Klaric, Principal, Stephens Lawyers & Consultants
Companies are increasingly using software applications and tools, data storage and backup services which are provided as cloud-based solutions (“cloud services”). The internet is used to access cloud-based applications or tools and to upload, download, execute, process and share data and content, all of which is processed and stored on external servers in datacentres under the control of third parties, rather than on the business’s own internal computers. IT companies offer their software applications or tools either as a cloud-based service accessible via the internet, or as licensed applications or tools which can be installed and used on the organisation’s own internal computers. Some applications or tools are supplied exclusively as a cloud-based solution. Xero, an on-line bookkeeping and accounting software application, is only available as a cloud-based solution. MYOB is available both as a cloud-based service and as a licensed application which is installed on the business’s own internal computers. Dropbox, a document sharing application, is only available as a cloud service. AutoCAD and a range of software tools used in 2D and 3D design supplied by Autodesk are available both as a cloud service and as licensed solutions.
Companies using cloud services without proper due diligence, including a legal review of the terms and conditions of the cloud services agreements and risk management, are potentially putting their intellectual property (“IP”) at risk and also risk losing control of their data and content. It is important that businesses understand the risks and benefits of cloud-based services and have proper processes and systems to manage the potential risks.
In some cases, cloud-based solution suppliers use third party datacentres to provide the cloud-based facilities, which adds another level of complication. In this situation, the business may have a contract with the cloud solution supplier but has no contractual relationship with the third party datacentre which provides the servers and data storage facilities. If the contractual relationship between the cloud solution supplier and the datacentre is terminated, the business may not be able to access its data from the datacentre, particularly where the cloud solution supplier is in breach of its agreement with the datacentre. It is important that all third party datacentre agreements are also reviewed, so that the company has rights to access data stored at a third party datacentre. The due diligence and risk management process should extend to datacentres.
Legal and Risk Management Issues
The legal and risk management issues that companies need to consider when using cloud-based solutions are complex[i] and must be considered on a case-by-case basis. This information sheet provides an overview of some of the issues and is not intended to be a comprehensive list. Businesses looking at using cloud-based services should seek legal advice which is specific to the cloud-based solution that they wish to use and the agreement that they propose to enter.
The legal and risk management issues that should be considered in relation to cloud-based solutions include:
- Does the cloud service solutions supplier physically operate its business in Australia or outside Australia? If the cloud service supplier is an overseas entity, businesses will have to consider how they can enforce their rights and access their data and content (including IP) where there has been a data breach or non-compliance with the cloud service agreement, where the service provider becomes bankrupt or insolvent, or where they wish to transition to another supplier or use a different software application.
- What is the location of the datacentre where the business’s data and content (including IP) is to be processed, stored and transferred? Terms and conditions generally do not specify the physical location of the datacentres and backup storage facilities. Data could be stored in a number of different countries, and accessed and processed by multiple entities in different countries, without the users of the cloud service knowing where their data and content (including IP) is located. For example, the on-line Dropbox Business Agreement for the use of the Dropbox document sharing service, which is used by many businesses and organisations, contains a term which states:
“Customer agrees that Dropbox and its sub-processors may transfer, store and process the Customer Data in locations other than the Customer’s country.”
but does not specify the countries or the location of the datacentres[ii].
- What are the legal, security and other risks associated with the data and content (including IP) being stored in datacentres outside Australia in countries whose data, IP and privacy protection and enforcement laws are not comparable to Australian laws?
- What security measures and controls have been implemented by the cloud solutions provider?
- Does the cloud computing provider have information security accreditation such as ISO 27001?
- Does the cloud service provider use encryption for transmission and storage of data and content (including IP)?
- Does the cloud service provider use adequate authentication procedures for access to data and content (including IP) stored on the cloud?
- Is the cloud service provider externally audited for security and data protection compliance on a regular basis? If so, a copy of the audit reports should be requested. This will assist the business in identifying the potential risks in using the service and managing the risks.
- Who owns the data and content (including IP) that is uploaded and/or generated using the cloud-based solution? Cloud solutions agreements can include terms which provide for material (including IP) generated by using the cloud-based application to be owned in part or in whole by the supplier of the cloud-based service.
- What rights are given to the cloud solutions supplier to use the business’s data and content (including IP)? Cloud solution agreements can also include terms that give the cloud solutions supplier extensive rights to use, disclose, copy, adapt, publish and transfer the business’s data and content (including IP).
- What arrangements do the cloud service supplier (including any third party datacentre) and the business intending to use the cloud service have in place to deal with network and service outages or interruptions? The cloud service supplier, including any third party datacentre, should have alternative means for the cloud-based solution and data to be accessed in the event of such an occurrence. Data should also be backed up and accessible from alternate locations. Some cloud-based applications include functionality which allows companies to back up their data on a daily or weekly basis onto their own internal servers which they control.
- What terms exist in the cloud service agreement dealing with disengagement and transitioning to a new service provider, or alternatively moving facilities in-house, upon termination of the agreement or service? Most agreements allow up to 30 days for companies to migrate their data to another system, but do not contain adequate provisions requiring the cloud service provider to assist with the process. The agreements also do not specify the costs involved in extraction or recovery of the data and its migration to a new system. This can be a costly process. There have been reported incidents of companies having to pay hefty fees to access their data.
- What happens where the business’s data (including IP) is stored at a datacentre which is shut down because of a court order or government action? What happens in the case of bankruptcy or insolvency of the cloud solution provider? How is the business going to access its data and valuable IP? How are these risks going to be managed so that there is minimum disruption to the business?
It is important that companies have appropriate risk management and redundancy plans in place to access their valuable data and IP and minimise the risk of business disruption. If your business is totally reliant on cloud-based solutions, how long can your business operate without access to the cloud-based facilities? Too often individuals, businesses and organisations use cloud-based software applications and tools, agreeing to the on-line terms and conditions of use of the cloud service without first reading the terms, thus exposing themselves to significant legal, business and data security risks.
Authored by Katarina Klaric
This article is not intended to be a substitute for obtaining legal advice.
© Stephens Lawyers & Consultants. March 2019.
For further information contact:
Katarina Klaric
Principal
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected]
Website: www.stephens.com.au
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] Cesare BARTOLINI, Donia El KATEB, Yves Le TRAON & David HAGEN, “Cloud Providers Viability: How to Address it from an IT and Legal Perspective?”, Springer International Publishing Switzerland, 2016; Australian Government Department of Communications, “Cloud Computing Regulatory Stock Take – Report – Version 1”, Commonwealth of Australia, 2014; Silverton Consulting, Inc., “Lessons from the Rapid Closure of Nirvanix”, Silverton Consulting, Inc., 2014; Mark VINCENT, Nick HART & Kate MORTON, “Cloud Computing Contracts White Paper: A Survey of Terms and Conditions”, Truman Hoyle Lawyers, 5 April 2011; David S CAPLAN, “Bankruptcy in the Cloud: Effects of Bankruptcy by a Cloud Service Provider”, Law Offices of David S Caplan, 2010.
[ii] Clause 1.3(a), Dropbox Business Agreement posted 17 April 2018, https://www.dropbox.com/terms#business_agreement