Trust issues

Despite its advantages cloud computing has been slow to catch on, due mainly to the legal risks to users, suggests Adam Mitton

Cloud computing has been ’the next big thing’ for some time now. It comes in many forms and means different things to different people, but in all its forms the term cloud computing expresses the idea that computer resources such as infrastructure, software and platforms are provided as services rather than assets to be purchased and managed by users.

The benefits for a business are plain to see. The cloud computing provider takes on the capital cost and risk of procuring and maintaining the applicable resources and is incentivised to ensure that its resources are state-of-the-art and always available. Meanwhile, the customer avoids having to manage technology refreshes, ­software upgrades or systems failures, and all at a predictable monthly cost that is cheaper than it would be to maintain
in-house systems.

The customer also enjoys flexibility as to the duration of the contract, the number of users and level of service provided. The European Commission is even of the view that cloud computing can lead to energy efficiencies.

What’s the catch?

So why isn’t everyone doing it? While uptake is increasing, on the whole cloud computing has not taken off in the way that its advocates might have expected.

Use of cloud services requires the ­customer to trust the cloud provider to ­protect the customer’s data and systems. From the customer’s perspective this means a loss of control with regard to the security of its data while retaining legal responsibility for any security breach. Bearing in mind the potential legal, financial and reputational risks associated with a data security breach, a customer’s inability to control security directly can be troubling.

The legal risk can be illustrated by ­reference to EU data protection legislation, which places the burden of compliance, including obligations to maintain adequate security measures, squarely on the shoulders of customers, even where some of those obligations are subcontracted to third ­parties. The implication of this is that the customer will be responsible for any failure by the cloud provider to implement appropriate technological and organisational security measures to protect personal data.

However, a cloud provider’s operations are likely to be distributed around the world and, somewhat ironically, in the interests of minimising security risk access to those operations is jealously guarded – even from paying customers – thereby reducing the customer’s ability to satisfy its data ­protection obligations.

Legal risk

One obvious solution would be to have independent accreditation for cloud providers and their security measures, but as yet no standard has been universally adopted.

Practically, this may be as much a ­problem of perception as of any real risk. The likelihood is that a cloud provider will have better physical and technological ­security – and better disaster recovery – than the customer would have itself. Once the fear of practical risk has been overcome the legal risk can, in theory, be protected by adequate provisions in the service contract.

Part of the attraction of cloud services is that data can be housed in more than one place and be moved around to maintain network efficiencies. But EU data protection legislation restricts the export of personal data outside the European Economic Area unless the receiving country guarantees ­certain protections for data subjects or ­specific contractual clauses stipulated by the European Commission are used.

As these clauses require non-EU-based providers to agree to comply with EU data protection law, a reluctance to accept them has hindered the availability and take-up of cloud services. However, models are now evolving that guarantee data will be kept within the EU, so this problem is perhaps receding.

What is more, data housed in a different jurisdiction could become subject to the laws of that jurisdiction. There are obvious regulatory and compliance implications for the customer, but there are also ­implications for the privacy of data subjects whose data and private communications may be more susceptible to interception or governmental scrutiny.

Although cloud providers may have ­different service level tiers, essentially cloud computing offers a one-size-fits-all ­solution. From a service perspective there is little scope for bespoke development or ­customisation, so cloud computing may not be appropriate for customers looking to their IT systems and processes as unique selling points or value-adds for their ­business. A related problem is that integration with legacy systems or other non-cloud non-standard systems may be difficult.

There is a similar problem from a legal perspective in that cloud services are ­usually made available on the provider’s standard terms and conditions. Inevitably, these include provider-favoured disclaimers and limits of liability for lack of availability, loss of data or security breaches. It may also be ­difficult for customers to build in ­contractual service management procedures and strategies to enable them to wrest back some of the control they have given away.

Finally, a customer must bear in mind what will happen at the end of the cloud computing contract. How easy is it to get back whatever data is in the cloud, or switch to a competing provider’s applications or infrastructure?

Sticking points

If any of this is difficult, a ­customer may find themselves tied into a relationship and thus lose the very flexibility that cloud services are meant to provide.

These problems are made worse if a contract comes to an end abruptly as a result of the insolvency of a provider.

Cloud computing has clear benefits for customers and will become more prevalent, but there are also limitations and risks that customers need to be aware of when ­deciding which provider to engage and when reviewing the service contract.

Adam Mitton is a partner at Harbottle & Lewis