Sam Bailey: Hello, I'm joined by Principal Associate Jocelyn Paulley and Partner Patrick Arben, both members of Wragge Lawrence Graham & Co's Tech Team. Today we're going to be looking at data in the cloud and how to protect it. So Patrick, how are cloud services different to the traditional data centre hosted IT environment?
Patrick Arben: Well I think when we're talking about data it is important to look at what the difference is between the way data is hosted in a cloud, why we're more interested in the way that data is hosted in the cloud as opposed to on the servers in the basement of your offices and it's important to note that there is no specific law of the cloud, key legal principles remain the same with cloud computing, issues of contract, confidentiality and data protection, the law is the same. For us, as lawyers and as commercial practitioners really the key issue is one of control and it's the level of control that you give up as a customer, the level of control over your data that you give up.
Now in circumstances where you are giving your data to a third party provider conceptually you ought to be gaining some benefit from that loss of control through for example improved data security, greater scalability, and cost savings as well. But with the relinquishment of control does come potential and increased risk and that is something which you need to be mindful of as a customer you need to consider how much control you want to relinquish and whether it's really worth it for you as a business.
Sam Bailey: So Jocelyn could you take us through the benefits that Patrick touched on?
Jocelyn Paulley: I think, as with any service provider that you're engaged with, you are looking to that provider to ultimately give you a much better level of service than you could do if you were to try to provide that internally. You are relying on them being experts in your field and when we think about cloud, we're thinking about experts in the security that is applied to the data, we're thinking about the efficiency of their structure and their software, we're thinking about anti-virus protection and the constant updating of all of those things, of everything within their control and reacting to outside threats, which we know as IT practitioners regularly appear on various different levels of scale and risk. So you are expecting them to be able to provide a much quicker response to those kinds of things than you would do if you were providing it yourself.
Certainly in terms of security whilst there is obviously the nervousness around relying on someone else to provide it for you and not being in control of the level that's provided because obviously with any service provider part of their service may be security but in a cloud environment you don't get to dictate and set the levels but in the cloud the advantage should be that that provider is competing with others in its field and security is one area where they can distinguish themselves. So they should be able to provide you with something that is world class and suitable to your business provided that you have selected the right provider in the first place.
Sam Bailey: OK, so we've covered some of the benefits associated with using a cloud solution but what are the risks and most importantly how can these be mitigated?
Patrick Arben: Well if we're looking at risks perhaps it's worth starting with this concept of accessibility. What do I mean by accessibility? It's this concept as to whether or not you can exercise control over your data by having exclusive access to it either during the life of the contract or on termination on exit. In terms of the life of the contract one way of mitigating the risk around giving up control of data is to build into your contract a requirement that the cloud provider gives you regular cuts or back-ups of data periodically throughout the life of the contract. How regular and in what format will very much depend upon your business and the type of data that is being hosted. So for example, if you are a hedge fund trading in high volume stocks and shares you may want a back-up of your data at the end of every trading day.
On the other hand if you've got a more static customer database for example it may not be necessary to have that backed-up quite so frequently. However, the issue is again one of risk and benefit because if you're going to have to maintain quite a substantial IT infrastructure to store and retain those regular back-ups, that's going to start to erode some of the financial advantages of doing business in the cloud. On exit or termination, accessibility becomes very important because you are looking to recover what may well be business critical data so that you can ensure continuity in your business as you transition to a new provider or you bring that cloud service back in house perhaps. What's key here is you must have a fully formed and developed exit plan. It's no good trying to negotiate the terms of your exit plan after you’ve served your notice of termination, that's generally a recipe for disputes so the key of course is to try and negotiate and agree a flexible and enforceable exit plan before you ever need to rely upon it as that sets the expectations and it allows you to have some confidence and comfort that when termination comes the supplier will be able to transition and transfer your data either back to you or to a third party provider hopefully seamlessly and without any interruption to your business.
Jocelyn Paulley: I think there are other risks as well around appreciating how many providers and who they are that when you add up the sum of all their services, give you your cloud service. There are various types of cloud, we've got SaaS, PaaS, IaaS and then data centres providing co-location services down at the bottom, so it's important to appreciate at what level of cloud service you are actually buying into and therefore how extensive the stack of contractors behind that might be. It's important to get to grips with that entire chain so you can understand and weigh up the risks of any one of those providers in that chain becoming insolvent or unable to provide their service and what would that actually mean for you as the customer? What effect would it have on the chain? Could anyone else pick up that element of the service? But also if anything ever went wrong, would you know who to turn to and how to get information from that party to help you resolve your issue? There's a big piece here around doing your due diligence, not just on the party you're going to contract with but on the whole contract stack and chain of people that you have behind that. One way you might want to think about that as well is in terms of your business continuity and how likely it might be you have to bring that in to play.
If different people in that stack fall out, and again the impact of that for you is possibly losing the cost benefits if you also still need to have a business continuity solution that is ready to go in case that cloud service disappears in the same way that you would if your more traditional IT service provider was no longer able to provide, so again the cost benefit you would expect to get from a cloud service might be limited. And another one I wanted to flag because I think it's less obvious is potentially big data implications. If I'm a cloud service provider and I've got all these different customers hosting lots and lots of their data with me, that's a massive pool of data that I might feel I could anonymise, extract information so it's no longer confidential to anyone and then run analytics and algorithms across it to try to extrapolate correlations or patterns or insights that I could then potentially monetise and sell back into the industry.
So if your business is sensitive to that and you wouldn't want data being used in that way regardless of whether it still contained personal data or was in fact actually confidential to you, you might want to include some restrictions in your contract to prevent providers from doing that and given this is still very much a growing area no one knows quite where it's going to go, big data is being used in all areas in life to make decisions and find things and information that we can now process, it's something that you might want to think about even though it's not immediately apparent that the provider at the moment might want to do that or that your type of data is particularly suited to that because we do not know where we are going to go with this in the future.
Patrick Arben: So one other risk I'd like to just pick up on is the question of location. What do I mean by location? It's the physical location in which your data is stored and hosted and that becomes particularly important in circumstances where you need to recover that data for example in the event that your supplier becomes insolvent or in a termination event perhaps in the context of a disputed termination where your provider is withholding data and you're seeking to recover it.
You need to ask yourself in which locations is that data being held and how easy is it going to be for me to recover it if I need for example to get an injunction for delivery up. If you've got an English Law contract it is possible to obtain an injunction but an injunction is only really ever as good as your ability to enforce it so for example if your data is being hosted in somewhere like the Philippines we have no bilateral treaty arrangements with the Philippines to enable you to enforce your English Law injunction for delivery up. So I think it's important not only to look at what remedies are available in the English Courts but also to look at what local law remedies might be available to you in the jurisdiction in which your data is being hosted and as a further risk mitigation consider having a non-exclusive jurisdiction clause in your contract so you can enforce your rights in the location where your data is being stored in order to hopefully recover it more quickly.
Sam Bailey: OK, thank you. So what happens if despite best efforts to identify and mitigate risks everything has gone wrong, where does an organisation stand?
Patrick Arben: So I think the first question to ask is in a situation where you are in a dispute and the key objective I think if you are a customer, is to recover your data and let's hypothesise for a moment, let us assume you are in a situation where your service provider is withholding provision of that data perhaps as commercial leverage in order to get paid. That's possible in circumstances where the provider has an express contractual right to withhold the data however quite a lot of cloud services contracts are silent on the question as to whether or not the provider can retain data pending full payment and in those situations one looks to the common law and law of liens to see whether it's lawful for a service provider to withhold data essentially to exercise a common law or possessory lien over the data in question.
The answer to that issue was determined last year by the Court of Appeal. In the case of Your Response v Datateam, in that case the Court found that the law of liens does not extend to intangible property, data being an intangible property rather than physical property that you can touch and feel, and whilst it had some sympathy because the law of liens is an ancient remedy that pre-dates intangible property, with the concept of modernising the law they were bound by precedent. So if a cloud services provider were to retain your data unlawfully it would be liable for damages for things such as business interruption and loss of profit, subject of course to any exclusions and limitations of liability in your contract. So in those circumstances damages may well be an adequate remedy but actually what is probably more important is getting hold of your data and recovering your data and in those circumstances could you obtain an emergency injunction? We have already discussed that in some detail; the answer to that question is yes but really any injunction is only ever as good as your ability to enforce it.
Sam Bailey: OK, so finally what are your top practical tips for managing risk around data in the cloud?
Jocelyn Paulley: So key to understanding what is going on is to ask all the questions before any procurement so you understand what data is being put in, how important it is and what kind of cloud service we are dealing with so you can carry out that balancing act to make sure that the risks and the benefits you are getting are in the right proportion. So do your due diligence, understand the contract stack you are entering into and make sure that your business is comfortable with the potential impact that might have if anything went wrong.
Deal with issues like re-use of the data even if it's been anonymised or made non-confidential so you don't run a 'big data' risk with your data being used in a way that you never intended it to be by someone else. Understand where it is going to be stored in the world and if you can contractually restrict it, do that, but if not, ask the questions to understand local law implications of governments having mandatory access rights and enforcing your contract if you ever needed to do that. You could require notification of breaches or losses of data or notifications of any of those kinds of mandatory access rights if they ever happened. Do not leave exit planning until exit. Well in advance make sure you have a clear exit plan that says who needs to do what and in what format your data needs to come back to you.
Consider self-help type issues, think about insurance potentially for loss of data, think about business continuity. You can have a non-exclusive jurisdiction clause in the contract to assist with some of the enforcement issues so you do not always have to go through the English Courts first, presuming you are in an English Law contract and you could also consider having unlimited liability for unlawful data retention if a provider did try to exercise a common law lien over your data when they have no right to do so.
Sam Bailey: Thank you Jocelyn and Patrick, and thank you for listening. I hope that you found that interesting and useful. If you have any further questions please do not hesitate to get in contact with any one of the Tech Team here at Wragge Lawrence Graham & Co.