Is your head in the clouds?

Legal Posted 18/03/15
On-site data hosting may soon be as rare as having a shrink-wrapped CD-ROM arrive in the post, writes Caroline Young, a solicitor and technology specialist at law firm Cripps, as she examines the future of what has become known as the cloud.

Most businesses already use software or applications based online, but cloud-based data storage is becoming more and more popular. However, while private usage is almost unavoidable in modern life (services from Siri and Google Now to Instagram and Facebook all involve cloud hosting), companies are often reluctant to entrust their data storage to the cloud. With hacking stories in the news, especially following the release of celebrities’ private photos – allegedly obtained from their iCloud accounts – it’s not difficult to see why there is a lack of trust.

Despite this, by staying with traditional hosting options, businesses are missing out. Cloud hosting has considerable benefits including cost reduction, simpler maintenance, and greater flexibility, scalability and reliability. As it relies on sharing resources, the cloud can deliver better economies of scale, especially for small and medium-sized companies.

Since cloud-hosted data is available through the internet, workers can access information from home through their own devices, and cloud-hosted applications can be updated centrally without the need to run installations on each user’s device. Because many cloud hosts have significant infrastructure at their disposal, they can accommodate unexpected increases in requirements. As the data can be hosted across multiple locations and time zones, it can be backed up and available at consistent speeds even at peak times. Advances in infrastructure, software and technology are likely to make these benefits more and more tempting.

So, how do companies address those concerns over lack of security? Businesses want to know where their data is, and sending it off into the cloud can be a scary prospect. National and EU laws regarding data protection and privacy aren’t moving at the same pace as technology and common practice, so customers looking to hold cloud service providers to account will have to rely on the terms of their contracts. Since most businesses don’t have the time, legal spend, or expertise to negotiate the required standards, until now the trend has very much been for minimal provider obligations.

The International Organisation for Standardisation (ISO) has been attempting to rectify this. Its family of ISO 27000 information security standards is intended to provide security for customers and in some cases help them demonstrate their compliance with data protection laws (which require certain levels of security when dealing with personal data).

While these ISO standards may currently only be realistic for bigger cloud providers, the addition of further standards and the rapid growth in the cloud industry will provide more incentives for all providers to improve their security and strive towards common standards.

As well as insisting on the appropriate ISO standard, businesses should ensure providers are complying with the terms of any service level agreement and be wary of any unfavourable terms in their contracts (particularly concerning remedies if data is irretrievable, ownership of data, and provisions for the return of data on termination).
