You've likely heard the term "cloud computing." But what is it? And how do you avoid legal lightning strikes? Cloud computing is a service model that enables ubiquitous access to ondemand software services, typically through a shared pool of configurable servers. The service model allows users of the "cloud" to gain access to software solutions and services from any location with internet access through mobile devices, tablets, laptops, and workstations - and can efficiently bring additional resources on-stream as needed.
The "cloud" phenomenon is not entirely new: the IT industry has been moving in this direction for a decade. However, there has been a recent surge in consumer interest and technological capacity to provide such services. Of course, the legal issues that are engaged when using the "cloud" depend on a number of variables, such as the industry, the type of service, the service model, and whether it is a "public" or "private" cloud. If you are considering cloud computing for your organization, here are a few general issues to consider, from a legal perspective:
- Data & Privacy: Confidentiality and privacy issues are front and centre for many organizations. When handling confi dential data – for example, transaction logs, customer data, or fi nancial information – an organization must assess the sensitivity of the information and ensure that the cloud security features are proportionate to that sensitivity. Here are a few things to determine: whether Canadian privacy laws apply, where your data is being hosted and what laws apply in that region, and whether your service provider can be bound to Canadian laws. Remember: Canadian laws may not apply to a server located offshore. Cloud computing does not necessarily carry more risk than non-cloud solutions. I note that many of the privacy breaches reported in Alberta last year were from simple human error and relatively low-tech slip-ups (for example, fax machines and garbage bags full of confi dential documents). The risks associated with a privacy breach must be assessed.
- Intellectual Property (IP): Cloud computing carries certain risks associated with patents, copyright, trade-marks, and trade secrets. You should consider the question of ownership of IP and improvements, including ownership of content and data uploaded to a cloud-based service. A well-drafted cloud-computing service agreement should also address issues surrounding IP infringement claims, including infringement of patents, copyright and trade-marks.
- Service Failures: What are the consequences to your business when your cloud service is inaccessible due to a failure? There may be a cloud service provider failure, due to a failure of software, hardware, or host-servers. However, remember that other factors can impact your use of the cloud: such as, internet failures, power outages, slowdowns or blackouts in wireless or cell access. Consider what disaster-recovery or backup services are available from the service provider in the event of a catastrophic outage, and the business consequences of being unable to access data or services for hours, or days.
- Vendor Lock-In: The ability to terminate your cloud computing agreement and take your business elsewhere can be complicated by the problem of vendor lockin. When your data and business processes are so deeply enmeshed with the cloud service vendor, then there are signifi cant disincentives to move to a different vendor, even when your current vendor is falling down on service or reliability. To address this risk, consider what happens when the relationship ends, and most importantly, what happens to your data? Can it be accessed by the end-user in a useable format? All of these issues should be considered in your cloud computing contracts.
- Mitigating Risks: Business is all about risk and reward, and legal advisors can help you understand and mitigate the risks. When negotiating cloudbased IT service agreements, risk can be allocated in the "fi ne print" through representations, warranties and indemnities. Risk can also be allocated by other means, including: specialized insurance, testing and verifi cation procedures, data back-up protocols, and data escrow plans. Remember: the negotiations about risk allocation are very unlikely to change the underlying architecture of the cloud-based service. The "fi ne print" is a way of allocating fi nancial penalties, but (typically) these fi nancial negotiations do not change or improve things such as functionality, uptime, technical capacity, availability, or security protocols. Therefore, it is critical to consider, in advance, both the legal and technical standards to which your service provider is bound.
Cloud computing carries tremendous promise, and, when handled carefully, the legal risks can be addressed in a well-drafted cloud computing service agreement. To learn more about cloud computing, the National Institute of Standards and Technology's paper may be useful. If you wish to discuss the risks and benefi ts of cloud computing for your particular business, please contact our Intellectual Property Law Group for advice, and follow ipblog.ca for updates on this emerging area of technology.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.