Where in the world is your data?
Once data is in the cloud, it can live on servers anywhere across the globe. This brings up real sticking points related to jurisdiction, should litigation become necessary. What if your data lives on the same server as company ABC and that company's data is seized by legal authorities for some reason? How can you recover your data?
Even the U.S. Department of Justice has an eye toward these types of issues related to cloud computing, particularly with rising pressure from foreign governments with respect to data security in the cloud and the unrestricted access to information provided to the US via the Patriot Act.
U.S. Ambassador Philip Verveer from the Department of Justice points out the "...the benefit of cloud computing is that is allows companies to convert capital expenditures to operating expenditures." And the government recognizes the push for companies to take advantage of the savings cloud computing offers. But because cloud is still fairly new on the scene, there has been some concern that the U.S. lacks the necessary case law to handle potential cloud disputes.
But Deputy Assistant Attorney General Bruce Swart, who is currently working with EU and other countries to develop increased cooperation in sharing data, says that the Budapest Cybercrime Convention sets a framework for access stored within a particular country and it is robust enough to cover most legal issues related to data. The treaty, passed in 2006, brings international laws into parity for increased international cooperation ferreting out criminals and accessing data. But is a loose legal framework enough?
Buyer beware
Duncan C. Card, a Toronto-based attorney with Bennett Jones, L.L.P., who specializes in cloud data ownership, takes more of a buyer beware approach. He says regardless of the technology, the cloud computing contract must consider all governance, legal, regulatory and compliance issues. This means involving general counsel, risk management and compliance teams in addition to IT to ensure cloud computing services are a viable solution.
For instance, in October, the U.S. Securities and Exchange Commission released specific guidance related to cybersecurity breaches for publicly traded companies that calls for increased disclosure. So any company that uses a cloud computing service provider needs to ask the necessary questions to make it possible to adhere to cybersecurity disclosure requirements.
"So, is there a mechanism for reporting if a server gets hacked in Turkey?" Card asks.
But regulation doesn't stop with security. He adds that in Canada, federal regulators prohibit financial institutions from processing data outside the country, so any cloud computing model adopted by Canadian banks would need to meet that criteria, for example.
