Legally cloudy

Pro

1 November 2012

Cloud computing has one key characteristic that consumers and business have grasped from the earliest days-your data could be anywhere. You don’t know and you don’t need to know where exactly. Once it’s ‘there’ on screen when you look for it, what does it matter? On the other hand, in business and other organisations, there is often data for which you have greater responsibility than simple ownership or custody. That is typically either the personal information of individuals or the intellectual property of clients. All in all, for any organisation or CIO looking at the many cost savings and the flexibility offered by cloud computing, the first potentially negative issue in most cases is data security.

All organisations will need to be satisfied about any threat to personal data privacy, which if it happened would leave them open to sanctions for breach of data protection law. But in non-consumer business, the odds are that their data security concerns relate more to commercial information that might either assist competitors or in some way damage market reputation. Clearly a breach of confidential client data held by a service provider, including professional firms, could well be a terminal event.

Nothing new
Experts from top Irish legal firms, Matheson Ormsby Prentice, just re-branded as Matheson, and A&L Goodbody point out that cloud computing presents nothing much new in general legal terms. The considerations and security checklists for appraising a proposed cloud computing solution differ very little from the due diligence that should be conducted before engaging in any ICT managed service or major supplier choice.

"Cloud services are like any other form of managed or outsourced services really," says John O’Connor, partner and co-head of the Technology and Commercial Contract Group in Matheson. "So whether it is being considered by an SME or a major public sector organisation, management will have to draw up the questions to which it requires satisfactory answers. The main headings will certainly include security and confidentiality, followed by data privacy and protection. Explicit information will be needed on exactly how these elements are to be delivered."

Then the potential client will look at the aspects of contract law that apply and what protection it can expect. "That, as with many other elements of the relationship, is in the end about managing risk. Prudent management will conduct some form of ‘due diligence’ examination of the proposed service provider or short list," O’Connor says. "That certainly includes what is known about the company and its record, for example. Can you look to existing clients or referees?"

Service promise
A close look at the service promise as it is represented to you is well advised, he added. Some of that will be technical, like whether your data is to be encrypted or whether it is to be segregated from other clients’ data technically or physically or just logically. "Where is the data to be held? That is a basic question that may then raise others in terms of the service provider’s own disaster recovery plans or partnerships."

Service Level Agreements are basic but O’Connor advises going through what is proposed or ‘standard’ in detail, bearing in mind that as with most relationships and activity in business there will be changes over time. "You certainly want to be fully reassured about the business continuity and disaster recovery provisions and their testing or third party. It is equally important to be absolutely sure of your exit strategy when you wish to terminate the relationship, at end of contract or for some other reason including dissatisfaction.

Mark Rasdale, partner in the IP and Technology Group at A&L Goodbody, agrees that the purely legal issues are not fundamentally different from any other business critical services. In regard to data security, the principles that have governed more traditional IT procurement for many years have now been extended into SaaS and cloud services. "The technology has changed and evolved but the top areas of potential risk are largely the same. A large scale traditional managed service contract would always have had five or six pages specifically focussed on data protection. There are new technical elements and nuances, but a cloud or SaaS contract will cover essentially the same ground."

More mature
Like other areas of ICT in the past, the legal aspects of cloud and SaaS are less speculative and more mature today as the markets have evolved rapidly, Rasdale believes. "There has been a lot of debate and a fair amount of scaremongering about cloud computing. In the end, it is not the cloud that delivers security-or not. It is your service providers." He acknowledges that clear description of the services and definition of the SLAs is fundamental but suggests that not all too often not enough attention is focussed on that clarity.

"Everything to be delivered and expected from the service should be documented. You should know exactly what your remedies are in the event of a service level or other failure. Most essentially, you should know your precise exit strategy in the event of contract termination. At the same time, ICT and business today are of their nature in a constant process of change and service contracts need to be flexible accordingly-but not so flexible that they become vague and so all in favour of the supplier. It’s a fine balance."

Rasdale is keen to emphasise that in the move to cloud computing for data processing or storage, the service provider may be acting as your agent but you, the client, remain legally responsible as the data controller for compliance with data privacy and other regulatory requirements. "The economic attraction of cloud is largely based on high volume and multi-client services. They are probably as secure as any other such services, but it is a commodity market and there is little room for bespoke security. If ‘standard’ security from a cloud service is too much of a risk then cloud computing is not for your organisation."

Supply chain
Both of our legal experts point out that cloud and SaaS are very often service supply chain solutions, in the sense that the primary service provider may have key back-to-back relationships with, for example, data centre operators and telcos. So when considering a service offering, this is an aspect that should be thoroughly explored. It could have implications for where the data is actually held or temporarily migrated. It could also, they both emphasise, raise awkward questions of where you stand if your primary or nominal supplier goes out of business.

Our legal interviewees also emphasised that all of the cloud and SaaS service providers, national and international, are even more aware than their potential clients of the issues and the growing sophistication of market requirements. "Where is the service provided from, where is the data and what kind of data is it? These are questions that European and US cloud service providers are keenly examining because they and their clients are multi-domicile and their service offerings have to match," explains Vincent in’t Veld, Interxion director of Marketing, Cloud Segment. As a specifically EU data centre operator, Interxion is particularly aware of the differing regulatory and other market characteristics that both their direct transnational and service provider clients need to conform to. "As the operator of the data centres, we are the airport, as it were, or the shopping centre. But in turn we must have the infrastructure and facilities that will enable our tenant-clients to manage their service offerings according to the different markets and legal environments."

Trusted data centres
Today that new range of more sophisticated data centre services, driven by cloud computing and SaaS, sits on top of the traditional data centre guarantee of optimum reliability, connectivity and physical security. "We can see the way the market is going. In Europe generally about 80% of server capability is still on-premise. But in the USA that is now down to 60% with the balance in trusted third party data centres," Vincent in’t Veld points out.

"Every CIO, CTO or equivalent in every organisation from SME to government is looking at some sort of roadmap to the sheer cost-efficiency of the new utility computing models. Service providers and systems integrators are moving higher up the computing supply chain. In that context, our pedigree is part of their market proposal, including our certifications such as ISO or PCI." That inevitably means flexibility of all kinds as the markets shift and clients change suppliers. Interestingly, he described the development in data centres of what he calls ‘meet me rooms’ where different telcos can physically interconnect and add or change partners to support the digital flexibility of the services and their clients.

The Irish government cloud strategy,* published in June, recognises both the promise of cloud computing and the many legal, security and privacy constraints that have to be overcome along the way to more comprehensive adoption. They include all of the considerations that any organisation or business enterprise will have to weigh up in terms of the value/risk balance. Government bodies everywhere have to add another layer for reasons that range from national security to statutory requirements for the safety and separation of different classes and kinds of citizen data and a trustee relationship with that information.

Heart of public sector ICT
At the same time the Strategy is unequivocal in placing Cloud Computing at the heart of the public sector ICT strategy, despite some market criticism, and in embracing the concept of trusted third party service providers and competition in providing the various services that will be required. "The key point is that this is not an event, a ribbon-cutting affair. We are in the early stages of a multi-year process that will evolve and mature over time," explains Tim Duggan, assistant secretary of the Department of Public Expenditure and Reform for e-Government and Head of the Centre for Management and Organisation Development (CMOD).

Most public cloud services and many other models in the evolving market landscape are just not mature or reliable enough yet for general government use, he says, pointing to the fact that all major cloud service providers have been off the air for varying periods at some time. "Occasional outages that deny accessibility are not a huge problem for consumers or even SMEs, but there are many core state services where that would be totally unacceptable. Issues of security and privacy still pose similar challenges. I represent Ireland at the EU forum for national CIOs and their equivalents, and it is abundantly clear that no national government in Europe consider public cloud suitable for key government functions and services.

"On the other hand, it is more than likely that in say 10 years’ time we will not even be having these sorts of discussion," Duggan acknowledges. "Anyone who has been in IT since the advent of personal computing and the LAN and then the Internet knows how technology and its adoption matures and the initial-and legitimate-concerns are overcome."

Cloud options
Public sector organisations are now mandated to look at cloud computing as an option in all ICT procurement, subject to the appropriate evaluation and safeguards. In regard to the legal and privacy issues, Duggan suggests that a great deal of the potential obstacles can be overcome in large measure as each public body assesses and carefully categorises its data. That will always range from public information through confidential and sensitive data all the way to national security. He points to government policy development, on the one hand, or the CSO Census and other information that is sacrosanct because people and organisations have cooperated on that trust basis. Matters of national security are self-explanatory.

"Other data may be rightly confidential, perhaps for a period, such as commercial and contract information where general knowledge might destroy value for the state or the supplier. The public is entitled to know what is spent but not necessarily the detailed nature of the expenditure. Statutory audit and scrutiny is the guarantee of correct standards." Duggan adds that most public concern centres around personal data and of course there are huge volumes of that across the public sector. But there are many other types of data in the sector which are at least as sensitive and evaluating the risks of unauthorised access or disclosure is fundamental to any cloud project or activity.

That whole question of the risks to data permeates every decision about cloud computing adoption, usually with the presumption that the risk is either increased or changed in nature, says Jared Carstensen, Accenture’s manager of Enterprise Risk Services. "Organisations are now very conscious that you cannot outsource your legal and regulatory obligations, so due diligence is fundamental in choosing a cloud service and its provider. On the one hand, it generally introduces new and additional risk. But that may not be the obvious security concerns-in fact that may sometimes be a bit of a cop-out because unless you have a validated assessment of your own security you cannot assume the provider’s service will be less secure."

Looking beyond
Carstensen says we should be looking well beyond the basic SLAs and technical variations, citing the example of potential vendor lock-in. "Is your cloud service genuinely interoperable to industry standards-and what exactly are they? Will your service provider be obliged to cooperate in your migration and what guarantees do you have? What sanctions might be possible? What if your service provider just fails-how do you find and migrate to another provider? If it is taken over by some larger entity, have you any options?"

There are already lots of variants in cloud services, he adds, and what suits your business and operations today may not do so in a year or two years’ time. "Cloud services are already a complex environment, not just technologically. For example your direct service provider may actually be dependent on a supply chain of fourth and fifth parties with which you have no legal relationship. We are in a virtual world of multi-supplier, multi-jurisdiction business services which in turn demand a strategy of multiple resilience-in contract as in technical terms. It is all maturing rapidly and the solutions are available or coming. But it is nonetheless a complex and challenging area of business risk management," says Carstensen.

 

*Supporting Public Service Reform: Cloud Computing Strategy, Department of Public Expenditure and Reform (www.PER.gov.ie)

 

 

The threat of the Patriot Act

The somewhat notorious USA Patriot Act, a clunky acronym from the full title "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism", dates back to 2001. A post 9/11 measure, it gives US government agencies extensive powers to intercept and access data held by or under the control of US and other organisations. One of the most troubling elements, at least in many European eyes, is that an organisation that cooperates with such an investigation is forbidden from ever disclosing the fact.

That provision is believed by many in the Irish IT industry to have been the final sticking point when our government looked some years ago at the possibilities of contracting data centre services from the likes of HP and IBM to replace or complement our ageing data centre resources in the public services.

The Patriot Act has been hyped to some degree as a significant obstacle to European organisations entrusting data to US-owned service providers, especially in relation to public cloud computing. Depending on the nature of the business or the types of data that an organisation may control, this is certainly to be considered. The Safe Harbor agreement between the USA and the EU helps US organisations to comply with European data privacy regulations, but it only applies to personal data. So it does not cover, for example, commercial data or client IP held by professional firms, service providers or others.

Many European lawyers and reputable IT consultants, however, will point out that individual countries within the EU have given their security agencies even more Draconian powers than the USA. That would include the France, Germany and, it may surprise some liberals, the Scandinavians, not to mention the Eastern EU states. In Ireland a court warrant (as in most other countries) is required but then non-cooperation or data destruction enters into the criminal realm. The UK Regulation of Investigatory Powers Act 2000 in fact extended the existing powers. Encryption keys can be demanded (refusal is a crime) and can even prevent the existence of interception warrants and any data collected with them from being revealed in court. It can be invoked "….in the interests of the economic well-being of the UK" which is remarkably broad, even for a national counter-espionage mandate. .

 

Read More:


Back to Top ↑

TechCentral.ie