Data Protection in the Cloud. Could your business be attacked?
Authors: Tal Williams, Partner and Joann Yap, Paralegal
31 October 2011
There has been a significant rise in the use of Cloud computing services and many in the IT industry believe it is the way of the future. We are told that the benefits of Cloud computing are that it reduces business costs by allowing businesses to avoid investment in staff, hardware and other physical infrastructure, and that it provides for the storage of data in a secure location. Businesses may choose not only to store data that is available across the network for easy recovery and continuity, but also to set up fully operational applications offsite.
However, a number of recent crashes across major cloud computing services such as Amazon’s Elastic Compute Cloud (affecting the thousands of business websites which rely on this service) are a reminder of the data protection risks. In the unprecedented outage of Amazon’s service in April this year, websites that built their businesses on the assumption that the cloud was the only reliable platform required in the running of their day-to-day operations were either brought down, slowed down or stopped in their tracks.
How do you protect your business?
We highly recommend that all businesses back up their data across different platforms and, as a safeguard, have available all that is required to keep the business website running. As shown above, data can be hacked, stolen, altered or deleted, even where cloud services are utilized. Though their services are billed as a reliable one-stop platform, providers of IT services offer them with an exclusion of all liability (to the extent permitted by law). Amazon’s Service Level Agreement, for example, specifies that its Service Commitment does not apply to any unavailability, suspension or termination of its service or other issues: “….caused by factors outside of our reasonable control, including any force majeure event or Internet access or related problems beyond the demarcation point of Amazon EC2….
(iv) that result from your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control);
(v) that result from failures of individual instances not attributable to Region Unavailability”.
Business users of cloud services will need to bear in mind the terms of service as well as associated commercial issues. It is also essential to consider whether the business is indemnified by its insurance company for loss of business. Furthermore, users of cloud services may be in breach of their own contracts with their own customers if affected by disruption to cloud services, even if this is beyond the control of the business.
What these lessons should illustrate is that you must be aware of the terms and conditions that your web designers and hosts have in place. You must ensure that adequate backups are available and that you have express agreement about where, and with whom, the obligation to back up your website or data generally lies. You must not assume that someone else will do it, because they are probably also assuming that you will.
Several important questions should be asked of Cloud providers when considering your cloud data security strategy:
- Where will the data be stored or processed? Can a commitment be obtained?
- Are there multiple Cloud platforms/parties involved?
- Who is liable for the data or any security breaches including interruption from computer denial of service attacks, computer viruses, power loss, telecommunication failures, and natural disasters; and what are the legal, commercial and reputational risks? Can you move against the cloud vendor to claim loss of profits?
- Do the relevant contract clauses offer any protection – such as by referring to standards of equivalent legislation or model clauses?
Once your Cloud provider has answered your questions, you must ensure that you actually read and understand the terms and conditions that apply to you. Our experienced Corporate and Commercial team can assist you in this area. Please contact us today with any questions.