Cloud computing can help organizations save money and increase flexibility and adaptability. However, moving to the cloud adds several new risks, including security and legal concerns.
The disadvantages of cloud computing don’t mean that cloud services won’t help businesses. But organizations must be prepared to deal with them, or they could be in big trouble.
Here are seven of the biggest legal dangers of cloud computing — and what businesses can do to avoid them:
1. Other countries’ laws
Under U.S. law, companies must allow the government certain access to the data they own and store, and it’s important for IT to know and understand those complex laws so they can comply. But things are even more complicated with cloud computing, because vendors may store a company’s data in a foreign country — and sometimes, multiple countries — so the data is subject to the laws of those jurisdictions as well.
When signing up for a cloud service, it’s important to know where your company’s data may be stored so the organization can research applicable laws and, if necessary, argue for a clause in the contract that limits where information can be held.
2. Electronic discovery
Under electronic discovery regulations, organizations must have policies and procedures in place to retain all relevant data when the company becomes involved in a lawsuit. That’s tough enough when all data is stored in-house, but it’s even more complex when it’s held by a cloud computing vendor.
When storing data in the cloud, it’s important to know where all information is kept, what file format is used and what tools are available to search through the data. Knowing those details will make things easier when it’s time to comply with an electronic discovery order.
3. Data security and privacy
One of the biggest disadvantages of cloud computing is the potential for data to be breached while it’s held by the cloud vendor. And beyond just the security problems, that has legal implications as well. Businesses in many industries are required by law to protect information — for example, the Health Insurance Portability and Accountability Act (HIPAA) requires organizations to take certain steps to secure health data.
When data is held in the cloud, organizations must make sure the vendor is also meeting the standards set by any applicable law. It’s the company’s responsibility to make sure its data is protected, and in the event of a violation, the company, not the vendor, will likely be held liable. Cloud computing contracts should include those requirements, and companies should never move data into the cloud unless they know the service is compliant.
4. Cloud computing vendors’ subcontractors
When organizations contract with cloud vendors, third parties may sometimes be involved, and those third parties might have access to the organization’s data.
Therefore, companies must not only make sure that their cloud computing vendors are compliant with all applicable laws and regulations, but that those vendors’ subcontractors are as well.
5. Data breach responsibility
Under several state laws, as well as industry-specific regulations, organizations might have certain responsibilities they must undertake after a data breach. Often, that means affected individuals and/or law enforcement agencies must be notified within a certain length of time.
And that includes when information is compromised because a cloud computing service is breached. That means cloud contracts must require the vendor to notify the company in a timely manner if there’s a data breach, so the company can begin to fulfill its obligations.
6. License agreements and terms of service
One of the disadvantages of cloud computing is that it gives IT less control over how the company uses IT services. And that could get the organization in trouble for violating cloud contract terms. For example, in a recent survey, 42% of users admitted they shared cloud service log-in information with other people, which may violate cloud software licenses.
Users may also violate terms of service in other ways, for example, by storing prohibited types of data in a cloud storage service. It’s important that users are trained on the restrictions and that their use of the service is monitored.
7. Violation of the cloud computing contract
Organizations can also get themselves in trouble for violating the terms of a cloud computing contract. That’s one reason why it’s important to negotiate a more favorable cloud contract, study contracts thoroughly before signing them, and avoid traps such as automatic renewal and clauses that prevent the company from retrieving its data when it changes providers.