Thursday, December 1, 2011

Cloud computing

I came across a post about cloud computing where a supplier was unwilling to agree where the data will be held. All they wanted to provide was a statement that they abide by the Safe Harbors Program. As purchasing of cloud computing services may be something many companies may be considering, I wanted to share a few thoughts. As with anything new my first advise is talk with your lawyer and then carefully consider what information you may want to have in the “Cloud”.

The simple fact is if you take in personal data or receive another party’s confidential information, no mater where you store information your company or institution would still be liable for any disclosure. Highly confidential company data is something you need to protect to prevent unauthorized disclosures. This means that it’s important to have control over where any of that information will be held. I recently read a good article that talks about that issue:

Aside from location, another important aspect of any type of cloud agreement is whether the service provider will indemnify you against claims from third parties if there is a disclosure. Do they also have the assets to stand behind those commitments?

A supplier may want to say that they abide by the Safe Harbors program, but what does that mean? It means that the country where they are storing the data meets the EEU privacy standards for personal data. It doesn’t limit where the data can be stored to only EEU countries. That would be a restraint of trade. The supplier could hold the information anywhere as long as the country they hold it in meets those same standards for personal data protection. It wouldn't protect you against government orders to access that data. The Safe Harbors program also does not protect confidential business data. It only protects personal data.

From a contracts perspective I would want to specify where the data will be held. If you must go with a safe harbors commitment in the agreement it shouldn’t be a simple statement, it should be a warranty. With a warranty, if you have a breach you can claim damages and terminate the agreement. If you included a warranty you would also need to look at what your limitation of liability says in the agreement. Most limitations of liability limit damages to only direct damages. You would need to carve third party claims for breach of that warranty out of the limitation of liability. You would also need to carve any indemnities the supplier gives for third party claims for breach of that warranty out of the limitation of liability.

Cloud computing is an exciting new technology with lots of potential and many companies rushing in to sell cloud hosting services. As with anything new its important to do your homework and understand the potential risks.

If you learned from this post, think about how much more you could learn from the book.
The book is only US$24.95 plus shipping. The hot-link to is above the date.