Fine print in Cloud computing

Being unable to retrieve data hosted overseas, computer downtime that stretched for days and absurdly high recovery costs are some of the problems small businesses are now facing having moved from their own IT systems to cloud computing. Beware of these potential traps.

There is a balance between potential disasters and sppeding growth; and much of which side you end up on is due to your planning and attention to detail in contracts. So maybe seek legal advice especially as you could end up being locked into a contract that doesn't fit your needs or is unresponsive to your requests. Big businesses can use their muscle to get attention, smaller busineses like ours need to plan in advance to avert possible disaster.

Recent IT disasters such as the Lush, Distribute.IT and Amazon computer outages have proven just how crucial forward planning when considering using the computing cloud is. A good example is the recent Amazon outage which took offline a host of sites including FourSquare and Yelp.

Reviews of a range of legal experts working in the IT industry say many small businesses are completely unaware of where their data is located, how much it is costing them, and many don't even know if they'll get their data back if they ask for it. While cloud computing has its benefits, these experts say, many SMEs don't bother reading the fine print – and it comes back to bite them when something goes wrong. There are legal and regulatory minefields if you are unwary.

An example from Australia, earlier this year Dropbox found that its data was accessible without passwords due to a computing-glitch, and Distribute.IT was unable to retrieve four servers' worth of data after a cyber-attack. Another company saw its data service provider bought out by an Amercian company, and have the data moved without their knowledge off short and the data now subject to US law.

Here are the legal issues you need to keep in mind.

Where is the data hosted?

By far the biggest warning cloud experts give small businesses is to read over contracts closely and determine where your data is being stored, and figure out whether you have any say in where that happens. These experts say that most third-party providers will be hosting data or applications in separate countries. The issue can sometimes be finding out where these are located, and what kind of control you have over these.

"Anyone running applications such as Google Apps, Amazon, Microsoft and so on, is going to have data sitting in a second or third country. They just don't have local centres, so most of the global cloud offerings will have data elsewhere," says Mark Vincent, partner at Shelston IP, Sydney. 

While many businesses might not care about having their data hosted in another country, the ramifications can be hefty. For one thing, if your data crashes and is lost, this can have jurisdictional problems depending on where the data is located. If the jurisdiction of hosted data changes, laws regarding access, encryption, protection and payment can change. Businesses need to ensure they are aware of not only where their data is located, but the relevant laws for each jurisdiction and that they don't fall foul of the law inadvertently.

Businesses need to ask where that data is located and if located outside of home country, then figure out a plan of action for every jurisdiction and subsequent liabilities that which you may be held. When contracting ensuring companies specifiy where data will be stored, and ensure you are able to change the contract should this hosting arrangement change, at no cost to yourself.

Can you get your data back?

Most of the time, the answer is yes. But these experts say that might not come without significant cost or burden.

When you contract , you want to know that as soon as you need your data you can get it. You need to understand if you have access to your data, the cost of that, and how that will impact on you when you need it.

If your business loses a local back-up and needs to get another copy of their hosted files, any delay can be potentially threatening to profits. These experts say ensuring you know how quickly you can receive another copy of your files is crucial in choosing your hosting provider.

In you contract specifiy the mechanisms for getting data back, the agreed timeframes of return, and extend this from data to transaction logs and system metadata that you need to get back in order to replicate your service.

Encryption

When you retrieve their files, you'll need to specifiy that they will be easy to access.

But there's another issue here as well. The past few months has highlighted issues that have arisen from a failure to encrypt data in the Sony and Lush-online store hackings.

When you contract to a cloud supplier, you need to know that you can not only retrieve data that is encrypted, but also making sure it is encrypted while stored on third party severs.

Experts also say you should make sure that your data is distributed across several different providers, so if a hacker manages to access one piece of the puzzle, they won't be able to attack your entire infrastructure.

Are you still backing up anyway?

When Aussie company Distribute.IT was hacked earlier this year, many of its customers complained they were losing business because the hack had totally wiped out their clients' websites. Others, who had a separate back-up were no so concerned.

Backing up your data is crucial, not only for your own state of mind but for your customers'. If you aren't able to keep multiple copies of databases and customer information, then one hack is all it will take to wipe everything out. And these hackers are indiscriminately targeting SMEs across a wide range of countries, so don't think you're immune.

Again, the moral of this story is to have a comprehensive service agreement in place, because when cloud computing goes wrong it's not just you who's affected – it affects your entire set of customers.

Always ask for legal advice

And while the advice did come from lawyers, advice is to ensure appropriate and informed legal counsel before you sign an agreement in order to ensure you're getting the best deal possible. Going over an agreement yourself may result in you missing some elements of your contact that could wind you up in trouble. Be warned that you may not have recourse against a particular third party if your data goes down, so it's crucial that you go through your agreement beforehand and identify any liabilities, or areas where your provider is claiming some particular freedom or avoidance of responsibility.

Think of a cloud service like a utility, when your electricity goes out you don't immediately run to the company and accuse them of non-compliance, you have to accept that there will be breaks in service.  Things fail, and you need to have practical strategies to deal with that upfront, identified in the contract. And you need to make sure that your contacts and service agreements account for that.