Jun 27,2011 / News / Legal Brief

As more organisations seek to cut costs and improve efficiencies, the use of cloud services is growing amongst South African businesses. But director at Werksmans Attorneys, Tammy Bortz, advises companies to undertake a comprehensive technical and legal due diligence of cloud service providers before using cloud services.
“A lack of guidelines, codes of conduct or standards for cloud service providers in South Africa could leave businesses open to risk,” says Bortz. “While internationally there are a number of organisations which have issued guidelines and codes of conduct, there are no such frameworks locally.”
Cloud computing is not new technology but rather a new way of delivering computing services “on demand”, whereby users can turn the services on and off and scale up or down, depending on need. Examples include Gmail and Google Apps. This ability to switch services on and off or scale them up or down as needed has many benefits for companies, including cost-effectiveness and flexibility. But concerns remain around security, data privacy, loss of control over critical business functions and data, as well as service interruption.
Bortz says the selection of a cloud provider, and the conclusion of a cloud computing contract, should be approached in the same way that other technology-related decisions are – with a thorough audit of the provider undertaken first.
“With most public cloud offerings, contracts are not negotiable and so the focus should be on contract/provider evaluation,” says Bortz. “Companies should assess the various cloud providers, including their security, privacy and redundancy policies as well as service level agreements, carefully.”
Bortz says security remains a critical issue in cloud computing, especially for companies using the cloud for business-critical services or where sensitive or personal data may be placed in the cloud. Therefore, conducting an audit of the provider’s security policies and processes, and considering its security certifications, is key to ensuring the integrity of personal data.
“Always check whether the provider has experienced any security breaches and if so, ask how they were handled and what planning has been done to prevent future problems,” she adds.
Probably the biggest risk to companies placing sensitive and personal data in the cloud is data protection and privacy. Certain provisions of the Protection of Personal Information (PPI) Bill are relevant for both local cloud providers and organisations who are considering using cloud services, whether locally or offshore.
Any person or business which processes personal information of third parties is bound by the PPI Bill, which covers the collection, storage, use and dissemination of personal information.
“Companies who process personal information will need to ensure that they identify any threats to the personal information under their control, ensure that proper safeguards are in place and regularly verify and update those safeguards,” says Bortz. “They’re also responsible for ensuring that the cloud provider establishes and maintains these security measures.”
She adds that agreements with the cloud provider regarding confidentiality and security measures must be concluded.
In addition, the PPI Bill will impact cross-border data flows, especially where South African companies use offshore cloud providers. The PPI Bill prohibits the transfer of personal information to a foreign entity unless the recipient of the information is subject to a law or agreement which upholds similar information protection principles, or the data subject consents to the transfer. As a result, Bortz advises companies to establish what laws apply to protect personal information in the jurisdiction in which the cloud provider is situated. Companies should also consider any restrictions on the transfer of such data back into South Africa.
She says companies should also find out what happens when an arrangement with a cloud provider terminates. “Ask whether the cloud provider offers any termination assistance around the return of data. There are currently no standard data formats or procedures for data portability, so the format in which data will be returned must be understood and agreed upfront.”
It’s also important to consider what happens if there is an interruption to service, and what service levels are in place to guarantee availability, response and resolution times.
“Cloud computing presents many benefits for companies. However, it’s important to mitigate the associated risks by conducting a thorough technical and legal due diligence of cloud providers and their offerings,” concludes Bortz.