Cloud computing relates to IT services and resources – including infrastructure, platforms and software – which can be provided to customers via the internet, rather than by on-site installations of IT hardware and software (for a technical definition of cloud computing see National Institute of Standards and Technology).
Cloud computing allow companies to benefit of financial savings, share of costs with the other customers on the same cloud, and efficiency while their IT infrastructure is constantly upgraded and updated by the cloud computing provider.
Notwithstanding such benefits, cloud computing shall be duly considered in light of the risks involved in it such as – among others – security, performance, service availability, contractual remedies and supplier stability.
From an International Law perspective the key difference between traditional IT outsourcing and cloud computing is “where” the data resides or is processed as data may be dispersed across and stored in multiple data centers all over the world. Moreover, the use of a cloud platform can result in multiple copies of such data being stored in different locations. This is true even for a “private cloud” that is run by a single customer.
In fact, corporate customers shall consider that cloud computing is vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm the relevant systems. Data centers may be located in areas with a high risk of major earthquakes or may be subject to break-ins, sabotage, and intentional acts of vandalism, and to potential disruptions if the operators of these facilities have financial difficulties.
Above all, systems are not fully redundant, and disaster recovery planning cannot account for all eventualities.
In addition, cloud computing products and services are highly technical and complex and may contain errors or vulnerabilities. Any errors or vulnerabilities in such products or services, or damage to or failure of such systems, could result in interruptions in the services, which could reduce revenues and profits, or damage the corporate brand. Finally, internet, technology, and media companies own large numbers of patents, copyrights, trademarks, and trade secrets and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights related to the cloud.
In light of the above, as corporate customer explore cloud computing as IT outsourcing strategy, there are several legal issues that shall be carefully considered. Implications of outsourced data handling, contract terms and conditions, intellectual property rights and proper insurance coverage are among others the key elements to be addressed from an International Law perspective. Therefore, the carry out of a due diligence of the proposed cloud vendor is a crucial risk mitigation step.
Among others, the following key issues shall be addressed: