Conor Ward, Partner at Hogan Lovells International LLP and chair of the Cloud Industry Legal Forum, clears up some of the legal issues concerning the Cloud.
Notwithstanding the fact that cloud computing is well established in the business environment, there are still commentators who state that, from a legal perspective, the Cloud is too risky and should be avoided.
Whilst it is undoubtedly true that Cloud computing is not suitable for every circumstance and potential customers would be well advised to undertake a detailed risk analysis before committing new applications to the Cloud, the legal issues relating to the use of the Cloud are well established and indeed have been so for some time.
Are there new legal or regulatory issues?
Businesses are familiar with the legal and regulatory issues surrounding the outsourcing of IT functions and business processes. They also now make extensive use of web-based services.
In both cases, the legal and regulatory environments were undoubtedly uncertain and on shaky ground in the early days, but that no longer is the case. In many key respects, the very same issues arise in connection with cloud-based services as outsourcing and/or web-based services and the same legal and regulatory solutions generally also apply. Often the Cloud may merely magnify pre-existing issues, which the user will need to understand and address.
Security is typically cited as a key obstacle to the deployment of a Cloud solution. However, security, knowing where your data is and how it is protected are not new issues and need to be considered in any outsourced service. Cloud computing service providers will often have more robust and up-to-date security than their customers, in particular SMEs, who perhaps have limited full-time IT resources and who struggle to keep up to date with security issues and fixes.
Data protection is also flagged up as an obstacle to cloud computing, but businesses are also familiar with outsourced data and business processing. Legal concerns can generally be addressed by technical and legal means. Whilst this may mean that the supplier does not have total flexibility on where it can process and store data, in the majority of cases the supplier is subject to restrictions imposed by its technical infrastructure in any event, and with full transparency and suitable contractual terms, data protection as an issue will disappear.
The use of cloud computing services is more problematic in some industry sectors than others. In heavily regulated sectors, such as the financial services sector, the deployment of a cloud computing solution is likely to come under a greater degree of scrutiny than in other sectors.
To date the FSA has not provided any cloud computing specific regulation or guidelines, but it is widely accepted that services that have been transferred to a cloud computing services provider will fall within the definition of an outsourced service, in which event regulations applicable to outsourcing will apply. Again, this is an area where tried and tested solutions to legal and regulatory issues are available.
What are the risks?
Of course there are risks in transferring services to the Cloud, but what the risks are, and how they should be mitigated, will depend on the services in question. Cloud service providers are likely to have better business continuity and disaster recovery plans than a typical SME, so in some cases transferring services to the Cloud will actually reduce the risk to the business.
Ensuring an adequate level of service will of course be important and the temporary loss of Internet connectivity could have dramatic consequences to a business. Agreed service levels with limited service credits will generally not provide an adequate remedy and where the loss of service is due to a force majeure event, the supplier may have no liability at all. A careful review of the contract and SLAs should highlight the extent to which the customer has any meaningful remedy if the service levels are not met.
How to mitigate risk
A properly thought-through contract will help mitigate the majority of risks associated with cloud computing services. There are a few things, however, that are important to note. CSPs, like all external suppliers, will not act as insurers of a customer's business. Remedies under a contract may form part of, but should not be considered to be, an entire risk mitigation strategy.
It is important to acknowledge that not all services are suitable for the Cloud. For example, you may not want to put patient records, certain government business or time critical applications into the public cloud. That is not to say that in some cases a solution based on a form of private cloud may not work with the right contractual framework in place. In other cases, something other than a cloud-based solution should apply.