Thursday, January 19, 2012

Big Legal Risks with Cloud Computing



Cloud computing has its benefits in terms of lower costs and greater reliability & flexibility. But storing data in the cloud has several disadvantages and risks. The obvious one is the risk of an unintended breach of security and loss of sensitive data to hackers (see the case of Sony and Honda), leading to severe losses of privacy and intellectual property.

Cloud computing will also increase legal risks. All data stored in a US location or stored with an American firm - such as Google, Amazon, Microsoft, RackSpace, SAP, Oracle, Salesforce.com, HP, IBM, etc. - is subject to American laws. Thus the US government can access your data, and you can do nothing about it but watch as a spectator.

Gordon Frazer, the managing director of Microsoft UK, said he could not guarantee that data stored on Microsoft servers, wherever located, would not end up in the hands of the US government, because Microsoft, a company based in the United States, is subject to US laws, including the Patriot Act. (Source: http://www.mayerbrown.com/publications/article.asp?id=12057 )

The US government can demand access to your company's data under the Patriot Act or other acts, and the cloud service provider is bound to provide that data without your consent!

According to the current rules: An entity that is subject to US jurisdiction and is served with a valid subpoena must produce any documents within its "possession, custody, or control."

That means that an entity that is subject to US jurisdiction must produce not only materials located within the United States, but any data or materials it maintains in its branches or offices anywhere in the world. The entity may even be required to produce data stored at a non-US subsidiary. This also implies that all companies that have a branch office in the US are subject to the US Patriot Act - thus the US government can get access to your data even if the data is hosted outside the US and by a non-US company - if that company has a branch office in the USA.

These provisions in US law are a big risk. The US Government has the means and ways to decrypt your data and then pursue legal action or even covertly pass that data to US competitors.

The risk increases further when you realize that other countries can also pass similar laws in the future.

Risk is Amplified with SOPA & PIPA

The Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) are currently being debated in the US Congress and Senate. If these bills pass, the legal risks of storing data in a cloud shoot up exponentially. To understand the legal risks, consider this example.

A global company XYZ has stored all its employee emails with Google. One of the employees has sent a pirated picture/MP3/eBook as an attachment - which is now stored with Google.

The company which owns the copyright or the IP for that object can issue a subpoena to Google, get access to the emails and then sue company XYZ for piracy in the US courts - if company XYZ has operations or a branch office in the US. The copyright holder can also prevent Google from providing services to company XYZ, and also prevent company XYZ from accessing/moving their data from Google servers. In other words, company XYZ is stuck with an expensive lawsuit and this is a HUGE legal risk.

Since it is impossible to screen all the data for copyright violations while storing data, non-US companies will have to be very careful in terms of choosing when and where to use cloud storage.

What can you do about it?

A simple answer is - Do not store any sensitive data in the cloud!

For other not-so-sensitive data, use a local cloud service provider - who is subject to the local laws only. Ideally the local cloud service provider must not have any international operation - and must operate in a safe haven - far away from all the US/EU/China government rules.

Opportunity for Indian Cloud Service Providers

European companies have not been using US companies for cloud services. Shell is using T-Systems in Germany.

Similarly, Indian companies must start using local cloud service providers - who do not have any operations outside India.

The legal risks associated with cloud computing are VERY VERY BIG. Companies and individuals must consider all the legal risks before storing data in or even using cloud computing services.

A few questions to ask before choosing the cloud service provider

In order to understand the risks and the protection offered by the service provider, one must ask the following questions:

1. Where is the cloud service providing company incorporated? Is the company subject to US/EU or other foreign laws?
The legal status of the cloud service provider is very important. Even if the company is registered in India, there is a legal risk if it has branches in other countries. If the company is a subsidiary of a foreign entity, then the legal risks are high.
Also ask the service provider for advance notice if it plans to expand abroad.

2. Where is the data stored?
The location of the data store also defines your legal rights. If the data is stored in India, then it is subject to Indian laws. You need to know the physical location of the data store, including all the backup locations. Knowing this information also lets you assess other risks involved - such as natural disasters, and how they could affect your company's operations.

3. Who owns the data? (including all the back-ups & logs)
If the answer is not the customer (you), then walk away from that vendor.
Oftentimes, the service provider creates log files on your data. Technically these log files belong to the service provider, but you can ask what they do with the log files, and whether they share these log files with others. Knowing what is done with the log files is very important - because log files can also reveal a lot about your operations.

For example, the service provider can use the log data - such as the volume of data stored and the bandwidth throughput used by you - in their marketing campaign. Any use of such data from the log files must have prior permission from the customer.

4. What is the data security policy?
Ask for the security compliance the service provider adheres to: the encryption standards, multi-tenancy system information, etc. It is important to know how your data is being stored in the cloud, who has access to it, and what protection systems are provided to safeguard your data.

5. How can I get my data back?
This is a very important question to ask, and to know the answer to, before signing the contract. If you choose to close your account and move your data back into your own data center or to another service provider, then how will the current service provider give your data back?
In many cases, the volume of data and the bandwidth constraints create a lock-in with the existing service provider. Also, if the service provider provides the data in a unique format, then you as a customer are limited in your options. Knowing how to get your data back - in all details - is vital before selecting a service provider.

Closing Thoughts

Today, all the media & IT companies are touting the great benefits of cloud computing. Cloud computing promises lower costs and greater operational flexibility. But cloud computing opens up huge risks as well. Apart from the well-known risks of data loss due to hacking, there are additional legal risks. The scale and limitations of these legal risks are as yet unknown, as the laws are changing and new regulations are being formulated.

It is therefore very important for companies to understand the legal implications before jumping onto the cloud bandwagon. Better still, any public cloud usage must be approved by the company's legal advisors. It is better to be safe than be sorry later.

2 comments:

Anthony said...

Hello Arun. My name is Anthony and I am the blogger for the Stratagems Blog for IT services firm Electronic Management Systems. We have been covering this same legal issue surrounding security of sensitive data stored in the cloud. We found your post to be right on the mark and we intend to link to it in our upcoming post. We'd be most appreciative if you'd reciprocate with a link to our discussion here - http://www.goems.com/blog/8-blog/31-blog-post-title-01 .

Keep up the excellent work at helping businesses to understand both the benefits and liabilities involved in leveraging cloud storage.

Cheers,
Anthony

Aldus Logan said...

Cloud computing is good technology, with its benefits in terms of lower costs and greater reliability & flexibility. But there is a lot of risk with cloud computing. Nice to come across this post. Thanks.
