
The legal traps of cloud computing

Patrick Stafford

Being unable to retrieve data hosted overseas, downtime stretching for days and recovery costs that reach into the tens of thousands – these are just some of the problems small businesses are now facing when moving into the cloud.

Legal experts say while this relatively new market is providing many businesses with prospects to grow faster than they thought possible, many are being caught up in data disasters that leave them crippled and in debt.

“I think the transformation with cloud computing is not necessarily technical but rather contractual,” says Logica Australia chief information security officer Ajoy Ghosh.

“There are many companies now being locked into contracts. Of course, larger buyers, such as governments and banks, are able to exert market influence, but for the vast majority of buyers they have to accept the contracts as they are.”

Recent disasters such as the Lush, Distribute.IT and Amazon outages have proven just how crucial planning for the cloud is, especially after the recent Amazon outage, which took offline a host of sites including FourSquare and Yelp.

A range of legal experts working in the IT industry say many small businesses are completely unaware of where their data is located, how much it is costing them, and many don’t even know if they’ll get their data back if they ask for it.

While cloud computing has its benefits, they say, many SMEs don’t bother reading the fine print – and it comes back to bite them.

“There is a significant case I’m aware of, when an Australian company bought a hosted application which was then sold to an American organisation. All of the data was moved across,” says Ghosh.

“But the customer wanted to pull out, and wanted a statement assuring them that all their data had been wiped. But the American provider responded by saying they weren’t actually allowed to do that under their own local data retention laws.”

The fine print

There are plenty of cloud-based products for SMEs to choose from now – apps, desktop virtualisation and data storage are only a few. But too many businesses are focusing on the product and aren’t considering the difficult legal nature of these contracts, these experts say.

“This is becoming an issue that a lot of people need to become aware of,” says Cooper Mills director Erhan Karabardak. “Most of us in the tech space have been used to this for a while but now there are a lot of small businesses using these types of service.”

“One of the problems we encounter is that ‘ignorance is bliss’. A lot of small business owners think they’ll enter the cloud and all will be fine, but they do so without fully comprehending the risks and regulatory requirements.”

These experts say ignoring legal fine print for something as simple as hosted data can wreak havoc, especially if you find that your information has been hosted in a different country and is thus subject to different regulations.

This also has ramifications if your data becomes accessible to the outside world, or even hacked. Earlier this year Dropbox found that its data was accessible without passwords due to a computing glitch, and in Australia, Distribute.IT was unable to retrieve four servers’ worth of data after an attack.

While these problems are monsters to deal with on their own, Mark Vincent, partner at Shelston IP, says businesses are only bringing more pain on themselves if they don’t do enough work beforehand.

“There is a degree of due diligence that needs to take place. And right now I’m seeing a lot more third-party brokering tools and assessment solutions to determine the products these businesses should be using.”

“I think over time, the industry is going to play an important role in selection, and emerging standards of the cloud both here and internationally. Those solutions will be sure to mature over time.”

Here are the legal issues you need to keep in mind.

Where is the data hosted?

By far the biggest warning cloud experts give small businesses is to read over contracts closely and determine where your data is being stored, and figure out whether you have any say in where that happens.

Experts say that most third-party providers will be hosting data or applications in separate countries. The issue can sometimes be finding out where these are located, and what kind of control you have over these.

“Anyone running applications such as Google Apps, Amazon, Microsoft and so on, is going to have data sitting in a second or third country. They just don’t have local centres, so most of the global cloud offerings will have data elsewhere,” says Vincent.

While many businesses might not care about having their data hosted in another country, the ramifications here can be astounding. For one thing, if your data crashes and is lost, this can have jurisdictional problems depending on where the data is located.

If the jurisdiction of hosted data changes, laws regarding access, encryption, protection and payment can change. Businesses need to ensure they are aware of not only where their data is located, but the relevant laws for each jurisdiction.

“There are plenty of ramifications about where data is located,” says Erhan. “Particularly around accessibility, server levels, and so on.”

Ghosh says businesses need to clearly understand where data is being located, how they can be notified if their data is being moved around, and “figure out if they even have a right of refusal” if their provider wants to change the jurisdiction in which it’s held.

Symantec SMB security expert Chris Russell says it is crucial that businesses start requesting from their providers a list of locations where their data is stored.

“We give our clients options around where their data is stored. We have data centres in the United States, and various locations in Europe, South Africa and so on, so we give them the option of where the data goes.”

“Sometimes organisations raise this as a concern; as we go through the security that is behind these centres, it does a good job to allay those concerns. There is a lot of curiosity around location.”

Businesses need to ask where that data is located, and then figure out a plan of action for every jurisdiction and subsequent liabilities.

Can you get your data back?

Once you’ve figured out just exactly where your data is located, then you have to solve another problem – figuring out if you can get it back or not.

Most of the time, the answer is yes. But these experts say that might not come without significant cost or burden.

Ghosh says the company that wasn’t able to get a certificate confirming data had been deleted had another problem in that the provider wanted to charge them for retrieving that data as well.

“The flipside of knowing where your data is and how it is being run there is making sure they can provide the service in the most flexible way.”

“As a buyer, you want to know that as soon as you need your data you can get it. You need to understand if you have access to your data, the cost of that, and how that will impact on you when you need it.”