by Katarina Klaric, Principal, Stephens Lawyers & Consultants
Cloud services can be enablers for a company’s digital transformation.
However, understanding the risks and legal issues associated with using cloud-based computing services is critical for risk management, for protecting an organisation’s data and related intellectual property, and for minimising the risk of business disruption.
Companies are increasingly using software applications and tools, data storage and backup services that are provided as cloud-based solutions utilising computer servers located in datacentres owned or controlled by third parties (“cloud services”). Gartner forecasts that worldwide spending on end-user cloud services will increase by about 20 percent during 2022 to about US$500 billion, with expenditure expected to reach US$600 billion in 2023[i].
Risky business
Companies that use cloud services without proper due diligence, including legal review of the terms and conditions of the cloud services agreements and risk management, are potentially putting at risk their data, their associated intellectual property (“IP”) and their business operations. It is important that businesses understand the risks and benefits of cloud-based services and have proper processes and systems in place to manage the potential risks.
In some cases, the cloud-based solution suppliers use third party datacentres to provide the cloud-based facilities, which adds another level of complication. In this situation, the business has a contract with the cloud solution supplier but no contractual relationship with the third party datacentre that provides the servers and data storage facilities. If the contractual relationship between the cloud solution supplier and the datacentre is terminated, the business may not be able to access its data from the datacentre, particularly where the cloud solution supplier is in breach of its agreement with the datacentre. It is important that all third party datacentre agreements are also reviewed, so that the company has rights to access data stored at a third party datacentre. The due diligence and risk management process should extend to datacentres.
Data Security – Legal and Risk Management Issues
The legal and risk management issues that companies need to consider when using cloud-based software services are complex[ii] and must be considered on a case-by-case basis. Businesses looking at using cloud-based services should seek legal advice which is specific to the cloud-based solution that they wish to use and the agreement that they propose to enter into.
Some of the legal and risk management issues that should be considered in relation to cloud-based computing services include:
- Does the cloud service solutions supplier physically operate its business in Australia or outside Australia? If the cloud service supplier is an overseas entity, businesses will have to consider how they can enforce their rights and access their data and content (including IP) where there has been a data breach or non-compliance with the cloud service agreement, where the service provider becomes bankrupt or insolvent, or where they wish to transition to another supplier or use a different software application.
- Where is the datacentre in which the business’s data and content (including IP) is to be processed, stored and transferred? Terms and conditions generally do not specify the physical location of the datacentres and backup storage facilities. Data could be stored in a number of different countries, and accessed and processed by multiple entities in different countries, without the users of the cloud service knowing where their data and content (including IP) is located. For example, the on-line Dropbox Services Agreement for the Dropbox document sharing service, which is used by many businesses and organisations, contains a term which states:
“Customer agrees that Dropbox and its Subcontractors may transfer Customer Data to and access, use and store Customer Data in locations other than Customer’s country.”
but does not specify the countries or the location of the datacentres[iii].
- What are the legal, security and other risks associated with the data and content (including IP) being stored in datacentres outside Australia in countries whose data, IP and privacy protection and enforcement laws are not comparable to Australian laws?
- What security measures and controls have been implemented by the cloud solutions provider?
- Does the cloud computing provider have information security accreditation such as ISO 27001?
- Does the cloud service provider use encryption for transmission and storage of data and content (including IP)?
- Does the cloud service provider use adequate authentication procedures for access to data and content (including IP) stored on the cloud?
- Does the cloud service provider have adequate security and controls to protect against cyber or other incidents?
- Does the cloud service provider segment the data so that it is stored in different datacentres?
- Is the cloud service provider externally audited for security and data protection compliance on a regular basis? If so, a copy of the audit reports should be requested. This will assist the business in identifying the potential risks in using the service and managing the risks.
- Who owns the data and content (including IP) that is uploaded and/or generated using the cloud-based solution? Cloud solutions agreements can include terms which provide that material (including IP) generated by using the cloud-based application is owned in part or in whole by the supplier of the cloud-based service.
- What rights are given to the cloud solutions supplier to use the business’s data and content (including IP)? Cloud solution agreements can also include terms that give the cloud solutions supplier extensive rights to use, disclose, copy, adapt, publish and transfer the business’s data and content (including IP).
- What arrangements have the cloud service supplier (including any third party datacentre) and the business intending to use the cloud service made to deal with network and service outages or interruptions? The cloud service supplier, including any third party datacentre, should have alternative means by which the cloud-based solution and data can be accessed should such an outage occur. Data should also be backed up and accessible from alternate locations. Some cloud-based applications include functionality which allows companies to back up their data on a daily or weekly basis onto their own internal servers which they control.
- What terms exist in the cloud service agreement dealing with disengagement and transitioning to a new service provider, or alternatively moving facilities in house, upon termination of the agreement or service? Most agreements allow up to 30 days for companies to migrate their data to another system, but do not contain adequate provisions requiring the cloud service provider to assist with the process. The agreements also do not specify the costs involved in extracting or recovering the data and migrating it to a new system. This can be a costly process. There have been reported incidents of companies having to pay hefty fees to access their data.
- What happens where the business’s data (including IP) is stored at a datacentre which is shut down because of court order or government action? What happens in the case of bankruptcy or insolvency of the cloud solution provider? How is the business going to access its data and valuable IP? How are these risks going to be managed so that there is minimum disruption to the business?
It is important that companies have appropriate risk management and redundancy plans in place so that they can access their valuable data and IP and minimise the risk of business disruption. If your business is totally reliant on cloud-based solutions, how long can your business operate without access to the cloud-based facilities? Too often individuals, businesses and organisations use cloud-based software applications and tools, agreeing to on-line terms and conditions of use of cloud services without first reading the terms, thus exposing themselves to significant legal, business and data security risks.
Authored by Katarina Klaric, Principal, Stephens Lawyers & Consultants. The contribution of Rochina Iannella, Lawyer, in researching this 2022 article is acknowledged.
This article is not intended to be a substitute for obtaining legal advice.
© Stephens Lawyers & Consultants. March 2019; 25 August 2022; 28 September 2022.
For further information contact:
Katarina Klaric
Principal
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected]
Website: www.stephens.com.au
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] https://www.gartner.com/en/newsroom/press-releases/2022-04-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-reach-nearly-500-billion-in-2022
[ii] Andrew D. MITCHELL & Theodore SAMLIDIS, “Cloud services and government digital sovereignty in Australia and beyond”, International Journal of Law and Information Technology, Volume 29, Issue 4, Winter 2021, Pages 364–394; Cesare BARTOLINI, Donia El KATEB, Yves Le TRAON & David HAGEN, “Cloud Providers Viability: How to Address it from an IT and Legal Perspective?”, Springer International Publishing Switzerland, 2016; Australian Government Department of Communications, “Cloud Computing Regulatory Stock Take – Report – Version 1”, Commonwealth of Australia, 2014; Silverton Consulting, Inc., “Lessons from the Rapid Closure of Nirvanix”, Silverton Consulting, Inc., 2014; Mark VINCENT, Nick HART & Kate MORTON, “Cloud Computing Contracts White Paper: A Survey of Terms and Conditions”, Truman Hoyle Lawyers, 5 April 2011; David S. CAPLAN, “Bankruptcy in the Cloud: Effects of Bankruptcy by a Cloud Service Provider”, Law Offices of David S. Caplan, 2010.
[iii] Clause 4.6, Dropbox Services Agreement posted 29 October 2021 (effective 14 January 2022), https://www.dropbox.com/business_agreement; “Subcontractor” is defined in Clause 15 of the Dropbox Services Agreement as “an entity to whom Dropbox subcontracts any of its obligations under the Agreement”.