One of the biggest developments in recent years has been the
stratospheric rise of what has been termed "Cloud
Computing," sometimes also referred to as "software as a
service" (SaaS). Enticed by the prospects of increasing
accessibility while significantly lowering their IT hardware,
software and infrastructure costs (among other things), numerous
companies either have taken the leap into the clouds or are
seriously considering doing so. Some organizations may be thinking
of embracing Cloud Computing following recent industry developments
such as the 2009 Health Information Technology for Economic and
Clinical Health Act, which encourages health care providers to
adopt electronic medical records.
To be sure, Cloud Computing offers significant economic benefits
and competitive advantages to those who employ it. However, Cloud
Computing is not for everyone or everything. While the benefits may
seem compelling, there are certain risks that all would-be cloud
dwellers potentially face which should be thoroughly assessed and
addressed.
- Control: Residing among the clouds necessarily means relying on a third party to maintain and control your data. It is therefore critical to understand the implications of moving your data to the cloud. Once there, who has access to it and under what circumstances? Who can alter it? How will system outages and service disruptions be rectified? What if the provider fails or departs the business?
- Security: The very idea of handing over important and potentially sensitive or proprietary data to another company understandably worries many people. Clients should ensure that cloud service providers have adequate encryption and other security controls in place that are regularly audited.
- Privacy: If someone can log in from anywhere to access data and applications, it is possible that your privacy could be compromised. That may pose a headache for highly regulated industries. In some cases, regulatory compliance may be impossible if your data is subject to any geographical storage restrictions, such as the European Union Data Protection Directive.
- Preservation: Parties have a duty to preserve evidence in their custody and control where it is foreseeable that the evidence may be relevant to threatened or pending litigation, as well as third-party subpoenas, investigations or regulatory requests for information. If your data is no longer in house, will cloud computing providers be able to implement your company's document retention policies as well as litigation holds?
- E-Discovery: Cloud computing business models challenge the assumption that a company possesses, or even controls, all of the electronically stored information the law may impose duties to preserve and produce. Consequently, companies face substantial barriers to implementing cloud computing solutions if their compliance capabilities are compromised as a result. Conducting forensic examinations or establishing the authenticity and admissibility of "clouded data" can also pose unique problems.
Most of the challenges presented by moving to the cloud can and
should be addressed in well-drafted service-level agreements with
third parties that provide business processes, products and
services. As importantly, due diligence should be performed on the
service provider's internal privacy and information protection
controls, as well as assurances that it does not process, store or
transfer information through jurisdictions whose laws do not
provide for adequate information protection. This may become a
frequent exercise, as it is not uncommon for clients to move from
one cloud service provider to another as contracts expire and more
favorable terms become available.
A more in-depth discussion of the benefits and challenges of Cloud
Computing can be found
here, in our recent white paper on the subject, co-authored
with UHY Advisors FLVS, Inc.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.