IT services are all about the cloud these days, but what’s the attraction and what are the legal risks?
Do you think EU data protection legislation has slowed the uptake of cloud computing among businesses?
Gail Crawford, partner, Latham & Watkins: Not significantly. Worryingly, privacy and security are often overlooked when there are significant cost savings to be made, particularly in small and medium-sized enterprises (SMEs) where there is less likely to be an understanding of the legal and operational risks of using the cloud.
Conversely, smart cloud vendors have generated business by building models that address privacy concerns, while clouds operated by EU providers can market the fact that they are not subject to the US Patriot Act, allaying fears that data could be accessed by US authorities.
Richard Graham, partner, Edwards Wildman: It is important to distinguish between information security and data protection when we look at cloud computing. Information security is wider in nature than data protection as it seeks to secure all the intangible assets of a business in the cloud, including its IP, confidential information and other customer, employee and financial data.
For any chief information officer (CIO), the protection of all of the organisation’s intangible assets is of paramount importance and must be impact-assessed and understood before the organisation is able to outsource. For some businesses, including those in regulated sectors, it is concern around information security and the location of the cloud service that is hindering uptake.
Compliance with EU data protection legislation is part of this concern and the existing framework is arguably not flexible enough to adapt to these emerging solutions.
However, data protection on its own is not necessarily a barrier to the uptake of cloud services, as compliance with the rules in most jurisdictions can be achieved. In the EU, there are issues with data protection, including a perceived conflict with US legislation such as the Patriot Act or German concerns around the legality of non-EU cloud computing, but these can be resolved and their significance has been blown out of proportion. As lawyers, we have a responsibility to stop this. Unnecessary scepticism stifles innovation and growth.
Toby Crick, partner, Bristows: Not in the UK, but the view from some other EU jurisdictions is that the local interpretation of EU data protection is slowing the take-up of cloud-based solutions. Absent a prohibition on a solution by a regulator, the EU legislation does not stop cloud computing, but the contracting process has to take account of it.
That said, arguably the greatest perceived legal risk of putting data in the cloud is the possibility of regulatory access overseas – whether under the Patriot Act, the UK Regulation of Investigatory Powers Act 2000 or some other equivalent – and how such national legislation might work with requirements under EU data protection law.
This has a chilling effect with regard to data centres in certain jurisdictions or data centres owned by companies domiciled in certain jurisdictions. In fact, there is a lot of misinformation on this issue, but it can be a real inhibitor to EU companies using the cloud.
Mat Sutton, head of IT, Howard Kennedy: I did not think so until I read a consultation document from the Information Society and Media Directorate-General which concluded: “The EU legal framework within which cloud computing must be implemented confuses and creates uncertainty in the respondents to the consultation.”
The European Commissioner for Digital Agenda has since announced a proposed reform to EU data protection rules.
There are a number of considerations when investigating the feasibility of moving to the cloud, and EU data protection legislation is just one. Much hype surrounds the cloud and I don’t subscribe to all the touted benefits. Cost of ownership is one of the cloud vendors’ strongest selling points, but I am not convinced this is true in all instances. Cost should not be the sole factor when planning your strategy. What you are moving to the cloud and how critical it is to your business should rank highly.
I am not anti-cloud computing, just of the opinion that one needs to see through the hype and understand that different solutions will be viable for different organisations at different times.
Simon Briskman, partner, Field Fisher Waterhouse (FFW): Yes, but perhaps not as people might first think. It is true that there are barriers to moving personal data out of the European Economic Area (EEA) and many major cloud vendors can move data between global data centres to balance the load on their servers, but these issues can usually be resolved if the vendor provides guarantees of privacy and security.
There are, however, more general concerns about cloud resilience and security.
Companies that do not get sufficient guarantees from their vendors on these issues are resorting to bespoke private clouds and internal virtualisation projects. The public cloud is not yet robust enough for many businesses or some sensitive applications.
From a business perspective, what are the major advantages of switching to a cloud system?
Crawford: In addition to the headline advantage of cost savings, cloud services provide the ability to scale up and down, removing the need to procure and manage capital-intensive infrastructure. This, in turn, provides flexibility to facilitate the rapid delivery of new applications.
The model also gives smaller organisations cost-effective access to best-in-class server infrastructure and support that is likely to mean improved security and reliability.
Crick: Cost reduction is usually first on most lists but there are other advantages. These typically depend on where the client is starting from, but moving to a cloud provider can enable a customer to get a more secure and robust service, and one that is updated to meet security threats much faster than that client could manage if it was running its own service. Other advantages include scalability and access to the latest technology more quickly and cheaply.
Graham: Cloud services, whether they are provided as infrastructure-, platform- or software-as-a-service (IaaS, PaaS or SaaS), allow businesses to benefit from one of the most important revolutions in technology. The cloud allows businesses to gain the economies of scale associated with outsourcing and the customer is able to move its technology requirement from a capital expenditure item to an operating expenditure one.
Cloud computing also has an inbuilt flexibility allowing for expansion or contraction depending on demand. This is helping to fuel the boom in IT start-ups as capacity becomes a rented commodity and there is no longer the requirement to invest millions in server farms before a business can write a line of software source code.
Economies of scale extend beyond financial benefits as hardware utilisation becomes increasingly efficient in the cloud, saving energy and power consumption.
However, perhaps the most fundamental benefit of cloud computing is access to best-in-breed applications. There will be an increasing focus on ‘Big Data’ solutions as businesses migrate to the cloud and benefit from applications and services targeted at analysing or mining data. This will allow data to be interpreted and analysed in innovative ways. We are already seeing these solutions being used in social media, where the value of this data supports the $500bn (£310bn) advertising industry.
Sutton: Implementation can be quick, allowing an organisation to respond quickly to external influences. Scalability – in terms of additional users or increased storage requirements – can be easily achieved.
Cloud providers make a significant investment in infrastructure and the IT team can be redirected from systems maintenance tasks to more business-focused projects.
Cloud systems and data may be accessed from wherever there is an internet connection and, due to the ubiquity of access, collaboration on data becomes simplified.
Mabel Evans, head of IT services, FFW: To start with, cloud solutions promise much cheaper IT infrastructure. Imagine how many computers in your firm are not used at any one time, or how much additional capacity is built into your web servers to cope with peak demand. By aggregating all these applications on one set of machines and then sharing those machines with multiple users, much redundancy can be eliminated.
But more than that, the cloud opens up the possibility of more efficient development and management of applications, and easier global access to and use of data.
What legal issues should businesses be aware of when making the switch?
Crawford: Issues such as liability for data loss or breach and downtime will be difficult to negotiate. Vendors will generally refuse to accept liability on the basis that assuming such risks would destroy the cost-effectiveness of their services.
Companies need to understand that it is difficult to comply to the letter with privacy laws as the provisions are not easy to apply in the cloud. Organisations should focus on ensuring data will be secure, will be properly deleted on demand and will not be accessible by third parties.
Graham: There are numerous legal intricacies to consider when moving to the cloud. Many arise because of the multijurisdictional nature of cloud services. Other issues concern the technical nature of cloud services and the perceived loss of control over the technology or data. This brings into play questions of applicable law, intermediary liability, enforcement of IP rights and the protection of confidential information.
Further data protection and privacy issues around transparency and the justification for processing arise where personal data is involved. There are also more practical legal issues around breach notification and general regulatory compliance.
There are some concerns around liability for an event or breach in the cloud and whether risks are insurable. In disputes and litigation, discovery in the cloud gives rise to a minefield of issues.
Finally, the unique nature of the cloud throws up issues around audit rights, step-in, shared data, warranties, indemnities and retrieving the data on termination, expiry or insolvency. These are similar in nature to those that arise in standard outsourcing, but drafting should be adapted depending on the cloud service or application provided.
Crick: A cloud vendor’s terms are often scattered around its website or have elements that can be updated on notice. So while it sounds obvious, the key legal issue can often be to make sure you know the terms on which you are contracting.
Having done that, you must ensure that from a regulatory point of view you can move to the solution being offered. Typical regulatory concerns include data protection, but also how the risk and costs arising from a regulatory change would be allocated together with any sector or local regulatory rules.
Beyond these, the usual contractual issues of identifying with certainty what you are getting, how much it costs and the level of service you can expect must be set out clearly and the range of classic legal issues around warranties, indemnities and liability caps reviewed.
Often, cloud vendors take a restrictive view of which terms can be negotiated – their argument is that their price is based on a standardised service. This can be a risk for users who must include certain terms due to regulatory requirements.
Sutton: You need to understand what is being stored, where it is being stored, who will have access to it and where those accessing it are located, as well as the processes supporting the full life cycle of the data for when it is at rest, in transit and being displayed and accessed. These will all influence which legislation and jurisdictions you need to consider.
Briskman: An impact assessment should be carried out at an early stage. Obvious points to consider are regulatory requirements. Data law can demand suitable standards of security, data integrity and auditability, for example. This is not an area to take lightly, but these issues all have their solutions.
What sort of risks should potential cloud users be thinking about, and how can these be mitigated?
Crawford: Use of the cloud raises the classic triad of information security concerns: confidentiality, integrity and availability. These give rise to both legal and operational risks. Contractual terms and vendor diligence only get you so far.
It is crucial to control cloud use within your organisation. Stakeholders should be involved in each decision to put data in the cloud so the advantages can be weighed against the risks, taking into account the sensitivity of the data and/or criticality of the application.
Graham: Information security will always be the main risk with cloud technology. One of the biggest security risks for any business in the cloud is the risk presented by the employee.
A headache for any CIO is the trend towards allowing employees to ‘bring-your-own-device’ and interact remotely with the corporate network through the cloud. This raises information security concerns around the confidentiality, accessibility and integrity of data. These risks, coupled with internal and external cyber attacks on corporate organisations, must be understood and addressed.
In terms of proactive risk management, businesses need to do their due diligence, understand the legal and regulatory framework, develop procedures and explore insurable risk. We are seeing rapid growth in companies developing breach response plans. Businesses will need to assemble breach response teams, work with regulators and insurers, protect their intangible assets by legal means, undertake forensic analysis and develop and implement effective remedial plans.
Crick: The risks people always mention are security and regulatory issues but these can be mitigated by some basic diligence and a decent contract. A far bigger risk is the ease with which cloud users can sign up to terms that expose them to harm of that sort. The key mitigation is – read the contract. Part of any due diligence on a cloud vendor should include looking at its supply chain.
Another risk is the ability of the user to exit and transfer its data/service to another provider. For users switching from an ‘on-premises’ solution to a cloud solution this concern is often overlooked, as is the danger that the vendor may end up finding its operations uneconomic. In such a case the customer may be stranded with a failing supplier. Again, the mitigation is a robust contract.
Sutton: Issues you should look at include the Data Protection Act. Although you have carefully selected a UK/EU-based data centre, does the provider have staff located outside the UK/EU who may have access to the data?
Ubiquity of access has created a reliance on communications, a risk in the event of loss of connectivity. Ensure your provider has multiple connectivity providers and that you also have multiple routes to their services. What would happen to your business if your cloud provider ceased to exist or their systems were impounded?
Not all relationships last forever. Should you choose to move away from your provider, what assistance do they offer in transferring your data to you, for how long, and in what format? Can the data as supplied by your former provider be easily re-used in another system? How strong are the access controls? Do you need additional access security and is your data secured at rest and on the wire (for example, encrypted)?
Briskman: The cloud is maturing quickly and providers are getting better at both service and contractual commitments. Early problems have included major outages and security breaches. Users need to be aware that they are seeking access to their vendor’s standard infrastructure and will not be negotiating their own service levels and operational requirements.
However, most vendors will show flexibility in protective contractual provisions should things go wrong. Choose a vendor of a suitable size for your organisation and consider what your critical applications and data are. The cloud may be more suitable for a firm’s web-based applications rather than business email.
Do you think cloud computing will be widely taken up by law firms?
Crawford: Yes, for public-facing services such as hosting websites and marketing materials. Firms are increasingly using richer media to communicate with clients and need solutions that enable rapid deployment of new content.
However, law firms are unlikely to use the cloud for client-confidential information until they have total comfort on all three legs of information security – particularly confidentiality – as law firms are increasingly a target for hackers trying to obtain market information.
Graham: As law firms grow, a number of technological opportunities and challenges arise. The relationship between technology and the legal profession is evolving and the cloud provides law firms with the opportunity to embrace this. The cloud can help firms build collaborative knowledge-sharing platforms, integrate practice areas and offices, aggregate data from legacy firms and systems, grow business and generate new opportunities.
Cloud-based applications and services can help us understand and use the underlying data in a law firm. However, some of this extends beyond the traditional financial metrics of law firms to information on client relationships, fee-earner calendars, geographical profitability, predictive analysis of sector growth areas and business intelligence obtained through social media.
The legal market is certainly not alone in the quest to exploit ‘Big Data’, but law firms are not immune to the risks associated with cloud computing. In our regulated sector client confidentiality remains at the heart of our responsibilities and the cyber risks associated with the cloud remain a concern.
Crick: Of course, most law firms already have a presence on LinkedIn and so on, and arguably know-how resources are cloud-based. Some of the largest global professional services firms – outside the law – have already moved platforms such as customer relationship management to the cloud. As the technology matures, firms will start to use cloud computing more.
Sutton: The cloud has many forms. If you operate a tightly-integrated IT environment you are unlikely to achieve the same level of integration through multiple SaaS providers as you can with in-house systems, so I see discrete processes not requiring data maintenance moving to the cloud first.
Several law firms are using cloud-based business continuity services to replicate their servers off-site. Off-site transcription services and deal rooms are further examples of cloud services, as are remote working solutions. Law firm adoption of the cloud has begun, and the rate of adoption will increase.
Evans: Yes. We are at an early stage. If you take a utility like electricity as a parallel, the first phase is private provision on-site and the second a move to the utility company providing basic needs, with some provision on-site for important operations.
Over time, provision of IT will become a utility and people will keep on-site provision for the most critical applications. When the cloud is proven, law firms will be more confident in trusting their ‘crown jewels’ to it.
We are moving fairly quickly in that direction.
Cloud computing – the provision of IT services remotely from a business – is slowly taking off, but its use has been limited by users’ concerns over the risks involved.
This week’s panel debates whether the attractions of cost reduction and scalability can ever win over business concerns about data security and access.