The legal issues and risks around Cloud computing

01.08.2011

I was recently discussing some of my concerns about Cloud computing being viewed as a blanket answer to all IT issues with a legal friend (Geoffrey Sturgess from Warner Goodman Commercial) and he had some very useful and interesting views on the matter. I’m delighted to say he put his thoughts in writing. Here’s what he had to say:

“Whatever ‘cloud computing’ is, it is definitely here, or at least the numbers of references to it in the legal press or even in ordinary conversation would suggest it is.

In fact it has been here for a number of years.

Wikipedia says:
Cloud computing refers to the use and access of multiple server-based computational resources via a digital network (WAN, Internet connection using the World Wide Web, etc.). Cloud users may access the server resources using a computer, netbook, pad computer, smart phone, or other device. In cloud computing, applications are provided and managed by the cloud server and data is also stored remotely in the cloud configuration. Users do not download and install applications on their own device or computer; all processing and storage is maintained by the cloud server.

Certain email service providers have been doing this for years (as have their customers, who had to go online to view their emails), and with the advent of “Software as a Service”, where users rent the use of online software applications rather than buying the application to install on their own systems, it became fully commercial. The current excitement over cloud computing may in part be down to marketing and in part because off-site storage of data is being taken up by consumers.

The logical conclusion of all of this is that no one will have any need for storage-heavy servers, PCs, laptops or tablets and all our applications and data stores will be hosted remotely. There will of course be many different payment models.

As with each new technological development in whatever field, the law and contracts take a while to catch up.

I am seeing two distinct trends in contracting for the provision of cloud services.

The first comes from the “big boys” and involves contracts which reflect the nature of the service they are selling but, because they are big boys, exclude their liability for everything and can have rather odd, one might even say unreasonable, provisions. For example, the right to amend the service without notice or withdraw it on very short notice without any obligation to assist the customer to transfer his data. Where these terms are used for consumer sales they probably fall short of the OFT’s requirements for consumer contracts.

The second is to be seen in the contracts of SME providers of cloud services which, unless they have “borrowed” big boy terms, in many cases do not appear to have been drafted to reflect the fact that the providers are no longer attending at their customers’ premises to install software on their systems but are possibly just selling them the use of a password to access and use the software and store their data.

In the former case the SME or consumer user of the cloud service is disadvantaged by the terms they sign up to, in some cases with a check box to signify their acceptance of those terms which they will not have read. The large user will not be so disadvantaged as it will negotiate a bespoke deal.

In the latter case the SME cloud provider is disadvantaged. First because their contract looks amateurish, second because if they come across a customer who wants terms that actually cover the service they will incur costs in legal argument over something they should not have proffered in the first place and third, because if there ever is a dispute over the service they provide they will start from the rather difficult position of having to admit that their contract does not really cover that which they sell. In particular they are most unlikely to have limited their liabilities effectively.

Users of the services (unless they have negotiated a bespoke deal) are likely to face one big problem which, if they were sensible and had set up robust disaster recovery systems, they would not have suffered before moving off to the cloud—disaster.

Where a cloud provider goes bust or ceases to provide the service or suffers the destruction or failure of its “server farm”, how is the service user to ensure continuity of its IT usage? Ideally it should have servers somewhere (not in the same location nor owned or operated by the same provider) on to which all traffic from the primary servers is replicated. That of course could add substantially to the cost of moving to the cloud.

Whilst it is possible for the customer to get the cloud provider to host the customer’s existing software applications (subject to consent from any third party licensors of that software) it is more usual for the provider to also provide the software applications which are “rented” to the user. This allows the user to only pay for the software for as long as it wants to use it and can provide substantial cash flow advantages.

This works well for standard off the shelf software. Often however, the customer wants the provider to build or customise new applications to be hosted remotely and is prepared to pay for that development. Here the customer needs to realise that when the rental contract comes to an end they will, unless the contract provides otherwise, lose all the benefit of that development.

This is a similar situation to that faced by those buying website development and hosting services who, unless the contract provides for portability, can find that if they want to change host, they also lose the website.

SME providers without their own data hosting facilities also have a habit of not using customer contracts which are “back to back” with the hosting contracts they have accepted. Thus when the host falls down on service but is not in breach of its contract or service levels agreed with the provider, the provider can find itself stuck in the middle—liable to its customer and with no right of recovery against the host.

These contracts will settle down. The OFT and/or the Information Commissioner will criticise the big providers for their consumer terms and they will change them for consumers and SMEs. The legal precedent writers will come up with contracts suitable for different kinds of cloud computing. SME customers and their lawyers with access to precedents following best practice will start to insist on sensible contract terms when buying cloud services. Currently contracts are of variable quality.”