Cloud networks are on-demand networks. A Cloud “account” gives the end user access to a dynamic, shared pool of configurable resources (private, public, hybrid or community) that can be scaled up or down on demand, without undue effort on the part of management and with very little impact on capital investment accounts. Data is transmitted offline instantly and disaster recovery is automatically ensured.
Since the Cloud is not “static” and often exists “beyond national boundaries”, a number of legal issues arise. These include liability, security, risk allocation, retention, contractual limitations of third parties, regulatory compliance, issues surrounding the physical location of data, data protection, intellectual property protection, cybercrime jurisdictions, etc.
Let us take the example of third-party involvement in Cloud services. Third parties to the Cloud service may be residents of another country, subject to the jurisdiction of the courts in that country. What can the liability of these parties be? Will the liability and responsibility of the sub-contractors be limited to the extent defined in the acts of that country? If there is a lack of contractual privity between the parties, will it cause difficulties for the customer in binding the provider for the breach? Should agreements include the liability of the provider for the acts of a sub-contractor? Will the customer have the right to carry out due diligence on the third party to fully understand and appreciate the legal implications of the contract with the Cloud service provider?
Remember, all legalese emerges from the Service Level Agreement (SLA) that is signed between the end user and the service provider. These agreements are generally non-negotiable. Here are a few recommendations:
- End users signing the agreement should hold out for a higher degree of reporting
- End users should ask for additional options for the termination of the contract (planned or unplanned)
- Since the data can be moved anywhere in the Cloud by the service provider, the end user should demand the right to know where the data is stored, by whom it is accessed and when it is transferred
- Audit trails should be insisted upon
- A non-disclosure agreement should be signed with the vendor to ensure that IPRs are not transferred to third parties
- The roles and responsibilities of both parties in e-discovery should be clearly spelled out
- The information security systems put in place by the Cloud service should be inspected and guarantees obtained