Cloud computing allows a business customer to outsource its information technology (IT) needs to a service provider, who can in turn provide the required services in a more efficient, reliable and cost-effective manner.
Despite the obvious benefits of choosing this business technology model, Bradley Freedman, partner at Borden Ladner Gervais (BLG) in Vancouver, believes there can be very significant business and legal risk associated with using cloud computing.
Freedman, who leads the intellectual property and technology law practice at BLG, attributes these risks to two major factors associated with cloud computing.
First, when a business engages a cloud-computing service, it is essentially giving up control over its data.
“I may contract with Company X, but they don’t own the servers so they sub-contract to someone else, and then who the hell knows where all the information is,” said Freedman.
The customer gives up its data – and that data may be comprised of the business’ own confidential information as well as data it has collected from other people, including customer information.
“They are giving up custody and control of that data – which presents a serious business risk if the relationship ends in a bad way or it’s mission critical and the service isn’t there,” said Freedman.
He noted that the second risk factor associated with cloud computing is that, in Canada, when a business collects personal information from customers it has a legal obligation to those customers.
It is irrelevant if the business gets help from a third-party service provider to process that information, the business still has those legal obligations to the customer in terms of making disclosures about what it is collecting and how it does it and ensuring that the personal information is properly secured.
“While a business uses a cloud-computing service, it can effectively outsource to the service provider all of its IT needs; however, it can’t outsource its legal responsibilities and liabilities,” said Freedman.
He says the cloud-service relationship gives rise to a lot of dependency and vulnerability.
Stewart Irvine, CEO of cloud-service provider IMOGO Mobile Technologies Corp., said his company was “purpose built, engineered and designed on security first and foremost.”
In developing Burnaby-based IMOGO over the last five years, one of the underpinnings of the company was making sure that information is always safe and within a closed-loop environment, where it can never be lost and no one can ever get their hands on it.
Irvine said, “People don’t recognize that when you are dealing with people’s information, you have a duty to properly secure that information.”
IMOGO says its IBM RackForce data centre, located in Kelowna, boasts a higher security level than banks.
The company uses 4,096-bit encryption, compared with the 10-, 24- and up to 2,000-bit encryption that most banks use today.
The recent Internet security breach at U.S.-based Epsilon, a third-party email marketing and service provider, dealt a serious blow to the cloud-based managed services industry and the trend toward outsourcing.
Epsilon, which contracts with some of largest retail and financial companies in the U.S. and Canada, reported that its systems experienced an unauthorized access event that had exposed the names and email addresses of the customers the company’s clients serve.
In Canada, the breach affected customers of Best Buy Canada and Air Miles along with various smaller companies.
The large companies were likely prepared to deal with such a crisis, whereas the smaller businesses stand to be greatly affected by the breach.
And it is also small businesses that stand to be the most vulnerable when dealing with cloud services from a value proposition standpoint.
Freedman said, “This arises from the fact that in the relationship the value proposition is very asymmetrical. For small or medium-sized businesses thinking of ways to maximize efficiency and using cloud-computing services, the costs they will be incurring on a monthly basis are fairly small.
“On the other side of the equation, you have the service provider, many of which are looking at a low-value, high-volume business model. They aren’t making a lot of money on each customer, but they want lots and lots of customers and that is how it is profitable to them. And they are aware if there are service problems for their customers, the customers are going to suffer potentially significant losses.”
And many providers do not want to accept that risk.
According to Freedman what they are doing is coming up with standard form contracts that are one-sided, unfair to the customer, do not address at all or properly the business risks associated with this kind of relationship and provide very little – if any – protection to the customer.
Freedman concluded, “Businesses have to be aware of this and balance the competing considerations of a compelling IT business case and all of this risk management and business continuity concern.”