Moving to the Cloud: risks and strategies to protect your data
Although there is no generally accepted definition, the term "cloud computing" is commonly used to refer to the provision of computing services (such as processing and storage of data) over a network of remote servers hosted on the Internet rather than on a physical local server or a personal computer.
Enterprises (medium to large) across the globe are embracing cloud computing, no doubt as a result of the cost benefits gained on technology infrastructure spend and the reduced support and maintenance costs. In addition, there are other benefits available to businesses, such as storage capacity and faster deployment of business systems. However, the use of cloud services equally presents challenges to users, such as data loss, lack of customisation offered by service providers and severe limitations of liability by service providers.
Data protection remains one of the major concerns relating to the use of cloud services, often creating a stumbling block for those enterprises that wish to move to the cloud. With the advent of the Protection of Personal Information Act, 2013 ("POPI"), there are added legal risks to companies that process personal information either by themselves or through third parties.
Historically, service providers for ICT services have sought to exclude liability for consequential/indirect damages with exceptions for losses arising from intellectual property infringements and breaches of confidentiality. These exceptions were generally negotiated between the service provider and the consumer of services. However, as service providers now generally insist on the use of their standard service provider contracts in which they have to back-off the obligations imposed on them down the cloud supply stream, there is little room for consumers to negotiate the terms of these contracts.
An assessment of the advantages and disadvantages of cloud computing services is important. However, before making the decision to move to the cloud, enterprises should consider the following legal aspects:
1. Identify data processed by the company: A comprehensive data assessment is an important first step as it enables companies to determine their level of exposure to risk and the potential losses that are likely to be suffered due to unauthorised access, loss or damage to the company's data. Cloud service providers generally limit their liability for direct damages to the fees paid or payable under the contract. In practice, the losses suffered by companies for breaches of data protection obligations exceed such capped amounts and often result in indirect damages. An evaluation of the limitations and exclusions of liability will be pivotal.
2. Assess the service provider's obligations under the agreement: Although no IT system is one hundred percent fail-proof, any enterprise that intends to move to the cloud needs to ensure that there are adequate protection measures in place to protect against loss of its data. These include data back-up and restoration measures, industry standard organisational and technical measures, as well as having a comprehensive service level agreement in place.
3. Know your location: POPI prohibits cross-border transfer of personal information except under certain exceptions, including where the third party is subject to a law which provides adequate protection. Cloud-based services are commonly located in India, Japan and the US, which have different data protection regimes to POPI, which is modelled on European data protection legislation. Added to this, some enterprises may face regulatory restrictions where processing of data is concerned. This is particularly the case for those businesses that operate in the financial, pharmaceutical or other highly regulated industries.