Do you upload your company data, proprietary information, trade secrets and intellectual property into the cloud? It often makes sense from a business efficiency and cost-saving point of view.
Whether you use a software-based service (accessed via Internet/VPN), have outsourced this storage/computing functionality so that your company uses a “virtual machine” component of the service provider’s outsourced hardware, or physically host your company’s server in a service provider’s physical location, you need to scrutinise the outsourced cloud service provider’s service agreements carefully.
A legal scoping ensures heightened legal scrutiny on terms of engagement, data safety and on so-called “evading laws”. When leveraging the cloud, the following legal terms and/or clauses merit scrutiny in the perusal and negotiation of cloud documentation:
1. Check the “Content in the Cloud Services” clause very carefully and contract out of clauses that give the cloud service provider a worldwide licence over your content. While this is generally a term in “free to use” cloud services, it may crop up in a “pay to use” service agreement. Do not give away ownership of your data.
2. Pay careful attention to “Data Privacy and Security” clauses and ensure that all possible security safeguards and confidentiality measures are in place. The “how and where” aspects of data storage and processing are significant from a legal compliance perspective. Be wary of clauses that limit and/or exclude liability for data security and security breaches. Pay particular attention to compliance with the Protection of Personal Information Act, signed into law on 27 Nov 13.
3. Incorporate a “Warranty and Security Intelligence” clause against cyber security breaches and insist on security prevention and detection intelligence systems. This may just be a salve when you hear of governmental intrusions (like the recent NSA PRISM disclosure) or other large-scale hack attacks, and you could potentially hold your cloud service provider accountable for not taking sufficient measures against advanced and/or persistent security breaches.
4. “Audit” clauses will ensure that you have a sense of security about the cloud service provider’s systems and security. This is important in ensuring data security and privacy obligations as well as accounting and anti-corruption compliance preventive measures.
5. The “Up time/Availability” of the service clause has practical value to your daily operations and access. Ensure that it meets your company’s operational needs and, where applicable, those of your outsourced vendors and/or customers.
6. “Response Time” becomes critical when dealing with real-time currency transactions and banking and/or commercial data. In health care sectors it may just be life-saving, and time delays in data access can also become potential liability suits. Government entities may also have critical access needs for international relations/foreign affairs engagements, law enforcement and ICT bandwidths, and long delays can be detrimental to a country’s trade, economic and safety needs as well as its growth.
7. There are also the ever-important “Disaster Recovery and Business Continuity” clause considerations that have pretty much the same implications as “Response Time”. You may want to inquire as to what backup procedures exist and consequently scope any potential legal issues arising therefrom.
8. “Scheduled Downtime and Maintenance” becomes significant if your service provider is based in a different time zone geographically. Negotiate so that all mandatory maintenance is conducted during your country-specific time zone and out of office hours.
9. “Data Return” clauses are not to be missed. You would need to consider the return of the data at the end of the contract.
10. It is generally a clause in the “Liability for Services” section that is troublesome when it comes to the so-called “evading laws” quagmire:
a. Do not contract out of a compliance responsibility that is the service provider’s by agreeing to be responsible for compliance issues.
b. Read the jurisdiction clause very carefully, as it may sometimes contain a multiplicity of jurisdictions for various service providers who are contracted to the cloud service provider and/or may contain a specific international jurisdiction.
There are no specific cloud computing laws, and compliance with existing laws is required. As prudent lawyers do, always ensure that local laws and regulations are compatible with cloud computing agreements.
While there is a need for amendments inter alia to existing legislation in terms of company records and access, make sure that you are familiar with the Companies Act No. 71 of 2008, Tax Administration Act No 28 of 2011, the Electronic Communications Act No 36 of 2005, Independent Communications Authority of South Africa Act No 13 of 2000, and the Electronic Communications and Transactions Act No 25 of 2002.
Published in Business Day, Business Law and Tax Review 14 October 2013. Edited online for legal updates.