Companies must take heed of the legal pitfalls they face when outsourcing to the cloud, said Francis Cronjé, CEO at InfoSeal, speaking during the Data Centres: The Next Frontier 2015 conference, at The Forum in Bryanston yesterday.
Cronje warned companies to carefully understand the consequences of outsourcing so all risks are diminished before starting what could be a costly endeavour for an organisation.
He noted that when selecting a service provider, businesses need to consider the data privacy laws of the country where their data will be hosted.
Businesses need to understand the regulatory, contractual and other jurisdictional constraints about the physical locations of data, said Cronjé.
Cloud security and privacy have become critical in the wake of the Prism scandal, said Cronjé.
Prism is a clandestine surveillance program under which the US National Security Agency (NSA) collects Internet communications from major US Internet companies.
According to Cronje, despite companies' strong reaction to the Prism scandal, many say that they don't fully understand current data laws - 60% admitted they don't know as much as they should about data privacy laws.
On the other hand, 70% of key decision makers stated the NSA revelations made them sceptical of cloud providers across the globe.
According to Cronjé, service providers should reveal to companies their intention to transfer the information to a third-party country or international organisation, and the level of protection afforded to the information by that third country or international organisation.
Also, the onus is on an organisation to find out if it will have continued access to its information or data (backup and disaster recovery measures) irrespective of the information or data's location, he added.
"I still believe cloud holds best value and brings about a shift from capital expenditure to operating expense, but companies must make sure they understand the disaster recovery plan and exit processes."
Companies need to seek assurance from the cloud service provider that unauthorised access to their information or data is prevented, covering both protection against external "hacking" attacks and access by the cloud provider's personnel or by other users of the data centre, said Cronjé.
In addition, they should make sure they have adequate oversight of any sub-processors (irrespective of their location) service providers use or might use, he added.
Subsequent to that, the company must make sure it has the necessary agreements and contracts in place to ensure the security of the organisation's information or data.