The Law Society of Scotland recently issued guidance on cloud computing services following consultation with law firms, in-house counsel and cloud providers.
While some of the guidance inevitably reflects the particular duties that law firms owe to clients and regulators, the advice is clear and legible, there are no rubbish cloud puns, and overall it’s a valid read for any individual or organisation considering the acquisition of cloud computing services.
There are however a few extra tips which it won’t hurt to mention.
Surprisingly, the guidance doesn’t mention applicable law and/or jurisdiction. Even a largely favourable contract may not be worth the paper it’s written on if you have to travel to a foreign country to enforce it, and the vast majority of cloud providers will typically offer the law of a particular US state as the choice of law in their standard terms.
Choice of law is usually more significant for UK SMEs or corporate customers because, unlike consumers, they won’t necessarily be protected from terms imposing a foreign legal system. (A further disadvantage of contracting on terms governed by US law is that they usually contain very broad disclaimers of warranty and/or limitations of liability.)
The Law Society guidance refers to backup of data, noting that “you should carefully examine the SLA for the frequency the cloud provider will back up your data to a separate site”. I would go slightly further and say that you should check whether there is an obligation on the provider to back up data at all!
Some providers state that data integrity will only be guaranteed where the customer has paid for additional backup services, while others expressly disclaim the fitness of their services for backup purposes! It’s therefore important that you understand who is responsible for maintaining back-ups, and if the provider’s offering is not sufficient what alternative steps can be taken.
Under the heading “responsibility for security” the Law Society guidance encourages firms to understand “the measures you can take to protect the security of your data “. Again, it may be necessary to go even further, and make sure that there are no express statements in provider terms which either disclaim any duty of confidentiality, or oblige the customer to use encryption.
If I have piqued your interest in the cloud, the Law Society is holding a Cloud Computing Glasgow event next Tuesday. I may see you there.
On March 8, 2012