Legal Issues In Cloud Computing
Cloud computing is the delivery of on-demand computing services, from applications to storage and processing power, over the internet on a pay-as-you-go basis.
Organizations have moved to cloud platforms for better scalability, mobility, and security. One benefit of using cloud computing services is that organizations can avoid the upfront cost and complexity of owning and maintaining their own IT infrastructure, and instead simply pay for what they use when they use it. However, there are a number of key legal issues that should be agreed upon by the organization/cloud service consumer and the service provider. We have listed those for you:
Governing law and jurisdiction: The contract is often governed by the law of the service provider's country. In the same vein, disputes arising from any legal contract are always under the jurisdiction of the courts of the service provider's country. This can be amended if the cloud service consumer wishes to move legal jurisdiction to their home country, and in some cases, when the service provider is a large multinational, this may be possible. Alternatively, such a provision can be removed from the contract, leaving the question to legal debate when or if such a situation arises.
Data location: The cloud service provider and the customer must address data storage locations directly within the contract. Although maintaining data across multiple geographical locations provides a greater level of security, concerns about export controls usually grow over time, leading to legislation against extraterritorial storage.
Privacy and confidentiality: Most often, data are used for the specific purpose for which they were collected. However, contracts governing data outsourcing need to ensure that data is used only for the required service and that the third party does not disclose data without authorization. This needs to be expressed explicitly within the contract so that enforcement is not compromised.
Data security: To realize a greater level of security, specific, independent security standards should replace the relative "reasonable" or "industry-standard" security provisions that cloud service providers envision in the contract. The meaning of "reasonable" or "industry standard" is relative and can lead to serious arguments and misinterpretation over time between the cloud provider and the cloud consumer. However, the independent security standards adopted must be updated and audited from time to time. Also, any contract must contain a requirement on the service provider to inform the customer of data or security breaches.
Data access for e-discovery: The contract is expected to describe the architecture of the service being provided. It must also specify the format used for data storage and the tools available for data access if any e-discovery requirements arise. Some services fail to provide such tools, turning e-discovery into a complex and time-consuming task.
End-user responsibility: Where the cloud subscriber requires end-users of the service to abide by the terms agreed between the cloud service provider and the customer, liability for third-party usage of the system is placed with the cloud consumer. An alternative would be to enforce an agreement between the third parties and the service provider for compliance with the service provider's terms and conditions.
Inappropriate and unauthorized usage: Service providers may attempt to place the responsibility for monitoring and preventing inappropriate and unauthorized usage of the provided service on the customer. In that case, the customer should ensure that the service contract limits the customer's liability to not authorizing or knowingly allowing prohibited usage of the service, since the service resides in the cloud and outside the control of the customer. These contracts should also include a requirement for the customer to inform the service provider of all material breaches and other unauthorized or inappropriate usages of the service. The customer must take care to report material breaches rather than unauthorized usage.
End-user account suspension: Service providers can suspend the customer's end-user accounts at will for violation of some terms and conditions. It is preferable for the customer to restrict the service provider's right of suspension to material or significant violations that compromise the security of the vendor's system.
Emergency security issues: Service providers may insert provisions allowing them to suspend a provisioned service without notice in the event that unethical use of the service causes an emergency issue. In the consumer's best interest, what constitutes an emergency issue should be clearly defined with the service provider, so as to limit the service provider's flexibility and discretion if an emergency occurs.
Service suspension and termination: Service providers reserve the right to suspend or even terminate service when specified events occur. While such conditions are practical and legitimate from the service provider's point of view, the service consumer must ensure that the service contract offers a time window in which to rectify the situation, rather than an immediate denial of service (except for extreme emergencies), and gives the consumer a reasonable period of time to make alternative arrangements for service provision. The service provider must ensure that if such an event occurs, the customer's data is made available in a usable format for a specified amount of time after service termination. Finally, the contract must oblige the service provider to return or destroy any customer data once the service termination is complete.
Data ownership: The service contract between the service provider and the consumer is expected to state explicitly that all data is the property of the customer and that the service provider does not acquire any licenses or rights to the customer's data as a result of the transaction. The contract should also note that the service provider is restricted from taking any security interest in the customer's data.
Publicity: The service provider may request to use the customer's name, logos, or trademarks for its own advertising. While this can occasionally be granted, cloud service consumers must require that approval be sought for any use of their brand, or limit the use to the customer name without implying an endorsement.
Service Level Agreements (SLAs): The service provider's guarantees need to be detailed, covering the minimum amount of uptime and the process and timescale for correcting downtime. Consequences for falling outside the agreed SLAs need to be precise and detailed.
Disclaimer of warranty: As a basic minimum requirement, the service contract is expected to guarantee that the provided service operates according to its specifications without breaching the rights of any third party. If these kinds of warranties are absent from a service contract, there is no enforceable assurance that the service functions as specified, or even that the service provider has the authority to provide the service. Without such warranties, if a service failure occurs or legal action is taken against the cloud consumer, the consumer will not have any legal recourse against the service provider.
Customer indemnification: Some service provider contracts require the customer to indemnify the service provider for illicit third-party actions as well as for the consumer's own actions. The cloud service consumer must ensure that this liability is not voluntarily accepted, although accepting it does not constitute adopting an extra liability, as the customer is liable to face legal action over the third-party content.
Vendor indemnification: Service provider contracts rarely outline any indemnification that benefits the customer, despite legal protection being essential in at least two scenarios: third-party intellectual property rights infringement, and a breach or unauthorized disclosure of sensitive customer data. In both scenarios, the responsibility lies solely with the service provider, and defending or remedying the situation can prove extremely costly. The cloud service consumer must take care to ensure that the prospective service provider is ready to accept liability in either scenario before a decision is made.
Contract modifications: Even if service providers reserve the right to modify their services as they see fit, the cloud service consumer must ensure that this right is limited to modifications that would not expose the consumer to service deterioration.
URL terms incorporation: Rather than relying on contract terms advertised on the service provider's website and other related avenues, legal information should be maintained within the confines of the service contract. Where service providers cannot provide this, advance and individual notice of any change should be incorporated, with the option for the customer to terminate the service without penalty if such amendments are materially detrimental to the customer's requirements.
Automatic renewal: A service contract that renews automatically is expected to provide advance notice of any changes to terms and conditions in the renewal, and to give the option of termination on short notice within a specified period of time after the automatic renewal.
Hope this was helpful.