Cloud Based Computing Services – What are the risk management and legal issues for users?


Cloud services can be catalysts for a company’s digital transformation. However, understanding the risks and legal issues associated with using cloud-based IT services is critical to managing risk and protecting an organization’s data and associated intellectual property and minimizing the risk of interruption of activities.

Companies are increasingly using software applications and tools, data storage and backup services that are delivered as a cloud-based solution using computer servers located in data centers owned or controlled by third parties (“cloud service”). Gartner predicts that global spending on cloud services for end users will increase by approximately 20% in 2022 to approximately US$500 billion, with spending expected to reach US$600 billion in 2023[i].

Risky business

Businesses using cloud services, without proper due diligence, including legal review of the terms and conditions of cloud service agreements and risk management, potentially put their data and associated intellectual property at risk (“IP”) and commercial exploitation. It is important that businesses understand the risks and benefits of cloud-based services and have appropriate processes and systems in place to manage potential risks.

In some cases, cloud-based solution providers use third-party data centers to provide the cloud-based facilities, which adds another level of complication. In this situation, the company may have a contract with the cloud solution provider but has no contractual relationship with the third-party data centers that provide the servers and data storage facilities. In the event of a breach of the contractual relationship between the cloud solution provider and the datacenter, the company may not be able to access its data from the datacenter, in particular when the cloud solution provider does not respect its agreement with the data center. It is important that any third-party data center agreements are also reviewed, so that the business has the right to access data stored in a third-party data center. The due diligence and risk management process should extend to data centers.

Legal and risk management issues

The legal and risk management issues that companies need to consider when using cloud-based software services are complex[ii] and must be considered on a case-by-case basis. Businesses considering using cloud-based services should seek legal advice specific to the cloud-based solution they wish to use and the agreement they are proposing to enter into.

Some of the legal and risk management issues that need to be considered with respect to cloud-based IT services include:

  1. Does the cloud service solution provider physically operate in Australia or outside of Australia? If the cloud service provider is a foreign entity, companies will need to consider how they can enforce their rights and access their data and content (including intellectual property) in the event of a data breach or non-compliance with the cloud service agreement, the service provider goes bankrupt or becomes insolvent or wants to switch to another provider or use a different software application.
  2. Where is the data center where corporate data and content (including intellectual property) must be processed, stored and transferred? Terms and conditions generally do not specify the physical location of data centers and backup storage facilities. However, data could be stored in a number of different countries, accessed and processed by multiple entities in different countries, without users of the cloud service knowing where their data and content (including IP) is located. For instance, the Dropbox Online Services Agreement for use of the Dropbox document sharing service used by many businesses and organizations which contains a term that states: Customer agrees that Dropbox and its contractors may transfer Customer Data and access, use, and store Customer Data in locations other than Customer’s country. but does not specify the countries or the location of the datacenters[iii].
  3. What are the legal, security and other risks associated with data and content (including intellectual property) stored in data centers outside Australia in countries with data protection and enforcement laws , intellectual property and privacy are not comparable to Australian laws?
  4. What security measures and controls have the cloud solution provider put in place?
    • Does the cloud computing provider have information security accreditation such as ISO 27001?
    • Does the cloud service provider use encryption for the transmission and storage of data and content (including IP)?
    • Does the cloud service provider use adequate authentication procedures to access data and content (including IP) stored in the cloud?
    • Does the cloud service provider have adequate security and controls to protect against cyber or other incidents?
    • Does the cloud service provider segment the data so that the data is stored in different data centers?
  5. Is the cloud service provider regularly audited externally for security and data protection compliance? If so, a copy of the audit reports should be requested. This will help the company identify potential risks associated with using the service and manage the risks.
  6. Who owns the data and content (including intellectual property) uploaded and/or generated using the cloud-based solution? The terms of cloud solution agreements may include terms that provide that ownership of the materials (including intellectual property) generated from the use of the cloud-based application shall be owned in part or in whole by the provider of the cloud-based service.
  7. What rights are given to the cloud solution provider to use company data and content (including IP)? Cloud solution agreements may also include terms that grant cloud solution providers broad rights to use, disclose, copy, adapt, publish, and transfer companies’ data and content (including intellectual property).
  8. What arrangements do the cloud service provider (including third-party data center) and businesses wishing to use the cloud service have in place to deal with network and service outages or disruptions? Cloud service providers, including third-party data centers, must have alternate means of accessing the cloud-based solution and data, in the event of such an event. Data must also be backed up and accessible from other locations. Some cloud-based applications include features that allow businesses to back up their data daily or weekly to their own internal servers that they control.
  9. What terms exist in the cloud service agreement dealing with opting out and transitioning to a new service provider or moving facilities in-house, upon termination of the agreement or service? Most agreements give companies up to 30 days to migrate their data to another system, but lack adequate provisions requiring the cloud service provider to assist in the process. The agreements also do not specify the costs associated with extracting or recovering the data and migrating it to a new system. It can be an expensive process. Incidents have been reported where companies have to pay high fees to access their data.
  10. What happens when company data (including intellectual property) is stored in a data center that is shut down due to a court order or government action? What happens if the cloud solution provider goes bankrupt or insolvent? How will the company access its data and valuable intellectual property? How are these risks going to be managed so that there is minimal disruption to the business?

It is important that companies have appropriate risk management and redundancy plans in place, to access their valuable data and IP and minimize the risk of business disruption. If your business is totally dependent on cloud-based solutions, how long can your business operate without access to cloud-based facilities. Too often, individuals, businesses and organizations use cloud-based software applications and tools, agreeing to the cloud service’s online terms of service without reading them first, exposing themselves to significant legal risks. , business and data security.


About Author

Comments are closed.