Legal issues in the Cloud - Part 3

There are no laws unique to the Cloud, but you must undertake due diligence

Due diligence

Proper due diligence focuses on identifying the players in the Cloud relationship. That is, who is actually involved in providing the services and are they the same entity (or entities) that are processing or storing data? In the case of aggregators, for example, a Cloud user could be dealing with a single entity which itself is provided services by various third parties.

From a contractual and liability perspective, it’s important for the user to know whether it has a directly enforceable contract with the key players or whether it is relying on those with whom it does have a contract to enforce relevant provisions itself. For example, what happens if the services are unavailable or there is a breach of security and data is exposed? Has adequate due diligence been carried out along the chain of responsibility?

Terms of use should be reviewed in detail — and this should be done with all stakeholders, not just the legal and compliance teams. For example, a review of terms should seek to assess issues such as:

  • The parties in the Cloud stack — not just the contracting parties — and their roles, rights and obligations, especially regarding data;
  • Whether each party has the rights required from other parties in the Cloud stack;
  • The capabilities and liability of other parties in the Cloud stack;
  • Backup/restoring data and disaster recovery;
  • Service levels and what happens if the internet is unavailable;
  • Continuous availability of services for business continuity;
  • Treatment of data on termination/insolvency;
  • What happens in the event of a security breach; and
  • Issues such as change of control, service levels, service credits, audit rights, compliance with security standards, procedures in the event of a breach, force majeure.

Of course, in terms of risk management, users of Cloud services are to an extent letting go of control. If there is an outage or a security breach, a user of Cloud services could be in breach of its own contract with its own customers or of applicable laws, even if this is caused by the provider of services. This element of risk is brought into sharp focus when you consider that providers of IT services often tend to offer their services “as is”, without assuming any risk — and with an exclusion for all liability where permitted by law. This is reinforced by a reading of some standard disclaimers on Cloud computing sites.


As of September 2010, Google Apps Premier Edition’s online disclaimer, for example, noted that “... Google and its licensors make no warranty of any kind, whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and/or non-infringement. Google assumes no responsibility for the use of the service(s). Google and its licensors make no representations about any content or information made accessible by or through the service. Google makes no representation that Google (or any third party) will issue updates or enhancements to the service. Google does not warrant that the functions contained in the service will be uninterrupted or error-free.”

Small and medium enterprises using such services will have little opportunity to negotiate around those terms and conditions.

Larger enterprises might, however. The City of Los Angeles, for example, has reportedly negotiated a Cloud deal with Google which includes unlimited damages for a data breach, guarantees as to where the data will remain and penalties if the services are not available for longer than five minutes a month.

Read Part 1 of Legal issues in the Cloud.

Read Part 2 - Data sovereignty.

Read Part 4 - Data exit from the Cloud.

Mark Vincent is the lead technology and intellectual property partner and Nick Hart is a senior lawyer with Sydney-based new economy law firm, Truman Hoyle.
