The ability to store software and processing services in the internet cloud has led to a new generation of 'software as a service' providers. Kevin Calder and Peter Wainman report.

The IT climate is changing, with most experts forecasting a greater reliance on 'cloud computing'. Consumers and, more notably, businesses are increasingly accessing and using computing resources located somewhere in the internet 'cloud', including software, storage and processing services, replacing tools previously stored on individuals' hard drives or businesses' servers.

This change is fuelled in part by faster and more reliable internet connections, cheaper components and the advent of 'football pitch-sized' data centres. Cloud computing as a business model gives rise to new opportunities and unfamiliar risks for both IT suppliers and customers. This article considers some of the key legal issues they face.

A new licensing model

Suppliers typically make software hosted within the cloud available as a service. This gives the suppliers control over the way the software is accessed – and signals a movement away from conventional software licensing models, where customers would typically receive a CD and install the software on their own systems.

In terms of legal contracts, in the 'software as a service' model, the traditional software licences and associated support and maintenance contracts are commonly replaced by terms of use and service agreements. The vast majority of cloud services are purchased over the internet on standard 'click to agree' terms, with a customer perception that there is little opportunity to negotiate the terms offered.

While a cloud computing customer will require a licence to access and use the software forming part of the service, the strict controls over scope of use imposed in a traditional software licence are less relevant for cloud computing – in the cloud, control is exercised by the provider, which restricts users' ability to log on to the service. In addition, many cloud services charge on a per-use basis.

However, cloud agreements are likely to include new restrictions covering: the care of, and liability for misuse of, log-in details; attempts to access or extract the underlying service software code; and any misuse of the service which may disrupt access for third-party users.

Service levels

The functionality and performance offered by a cloud service are often not documented in detail, and cloud service providers are generally reluctant to make any service commitments.

The Gmail service offered by Google was launched in 2004, but the standard Gmail service remains in 'beta' – and the terms of use reflect this, stating that the service is provided 'as is'. While users are encouraged to use Gmail to store all their messages, the content remains at risk if Google exercises any of its stated rights to unilaterally terminate the service. Comfort comes from the size and stature of Google, rather than any technical or contractual commitment to continue to provide the service.

Google also offers Google Apps, including word processing, spreadsheet and presentation services. Users who pay for the 'premier edition' of Google Apps receive the benefit of a service level agreement (SLA), under which Google commits that the web interface will be operational and available 99.9% of each month. If this level is not met and the customer requests a credit, the customer is entitled to receive extra days of service at no charge, which is stated to be the sole and exclusive remedy for any failure by Google to provide the service.

As businesses using cloud computing become increasingly reliant on the provider for business-critical systems, the SLA and availability of remedies become more relevant. Businesses using services hosted in the cloud will need to look to the service provider for all necessary support – it is unlikely that the customer's in-house IT personnel will be able to resolve any material service issues. Given that the charges for cloud computing services are often relatively low, the maximum remedies offered by providers for any failures, whether as service credits or otherwise, are likely to be small. However, it is worth bearing in mind that even in the more traditional model, software suppliers are typically risk averse and often impose low limits of liability and give limited or no SLAs.

In general, as for a standard software contract, a cloud SLA should not be seen to provide meaningful compensation for the damage to a business in the event of a failure – any service credits merely provide, at best, some incentive for the supplier to deliver the contracted service.

Where the cloud provider is delivering a critical service, customers will need to look outside the contract terms at other practical means of managing their risk.

Loss of control

In April 2009, following an FBI raid at a data centre in Texas, equipment containing data relating to various customers was seized, which reportedly left at least one of the companies unable to operate. One of the benefits of the cloud is that it commonly makes use of 'virtualisation' – allowing the data of multiple organisations to be stored on a single server. This means that when a legal action freezes the data of one entity, it may have implications for others.

This illustrates one of the key issues around use of the cloud – the need to have a contingency plan in place covering not just loss of the functionality offered by a software package, but also the loss of access to the business data processed by that software. An effective backup process is crucial, and it is worth exploring whether the cloud service facilitates this. In many cases, the method used to store data online makes it difficult to 'export' the data to a useful backup.

Organisations need to ensure that a plan is in place for transition to an alternative cloud provider. Customers will need to consider how and when the service can be terminated. Do any notice periods give the customer sufficient time to transition to an alternative service provider? Do customers retain ownership of all data processed by the service?

Where a service is critical to the functions of a business, multi-sourcing may be an option, although currently it can be technically difficult to swap seamlessly between cloud providers in the event of failure.

Data protection and security

The last year has seen an increasing focus on the importance of data security, following a number of high-profile instances of data security breach. Customers using service providers in the cloud need to carry out appropriate due diligence on their chosen provider and evaluate whether appropriate data security measures are in place.

In the UK, businesses have obligations under the Data Protection Act in relation to the security of personal data and must put in place a data processing contract with any third-party supplier which is appointed to collect, store or destroy such data on their behalf. Do the service provider terms include appropriate provisions? Businesses also need to consider where the data held by the provider will be stored – transfers to servers based outside the European Economic Area would need to be appropriately justified under the Data Protection Act.

Data security is a rapidly developing area – the recent launch of the Cloud Security Alliance, a not-for-profit organisation promoting best practice for security assurance within cloud computing, is intended to give security experts confidence that cloud providers are taking these issues seriously.

Content of the customer data

While a customer may be relaxed about the content stored on the networked storage facility in their own server room, where data is to be transferred onto a server within the cloud, providers will typically seek warranties and indemnities from customers about the data, such as the absence of infringing and/or defamatory content, and often reserve the right to remove the data and/or suspend service if any data is found to breach these requirements.

Customers need to review their intended use of a cloud service carefully and potentially tighten corporate policies to ensure that any materials which could be unlawful are not transmitted to a provider.

Where sensitive business data is to be stored in the cloud, customers will want to review the confidentiality provisions of any service agreement carefully. Will any cloud provider personnel have access to the data, and if so, for what purpose?

The future

Cloud computing customers need to become adept at understanding exactly what service they are paying for and how they can manage any risk caused by the loss of control over their data and IT systems.

The silver lining to this cloud is the new business opportunities for suppliers, with customers more prepared to outsource data storage and processing functions that would previously have been carried out in-house. Customers can access flexible, efficient, cutting-edge tools, potentially at a reduced cost. For smaller businesses, this may help to level the playing field with larger rivals, avoiding the need to incur the significant acquisition costs of sophisticated IT systems.

The legal and commercial risks associated with cloud computing can be managed – but customers wanting to avoid stormy weather in future will need to get used to reading the service description and the terms of use before they sign up.

Kevin Calder is a partner and Peter Wainman a senior solicitor in the technology and commerce team at Mills & Reeve.