In mid-2017, the Australian Bureau of Statistics revealed that almost a third of sampled businesses are using commercial cloud computing services. This year, Gartner reported Australian businesses will spend $4.6 billion on cloud services (an 18.5% increase from last year).
Below we highlight some of the risks for businesses associated with the use of cloud services and provide tips to mitigate some of those risks.
Some cloud service providers can make it difficult for their clients to transition to a new cloud service provider, in what is known as “vendor lock-in”. This can occur where transition-out services are not included, or are inadequately defined, in a service contract. In these cases, businesses are unlikely to receive meaningful support and cannot be certain of the secure and complete transfer of their data to another provider. Where support is provided, any compromises or corner-cutting by the outgoing service provider could also expose data to additional security and privacy risks.
A further issue is there can be fundamental differences in the configuration of the cloud systems offered by competing cloud service providers. The difficulty and costs involved in migrating from one provider to another can be exploited by certain cloud service providers. This can be particularly problematic where the service provider can unilaterally update the terms of the service without consultation upon giving a specified amount of notice. Usually, these new terms are agreed to by continued use of the service and the only alternative is terminating the contract and risking the migration of the data.
Businesses should carefully scrutinise a prospective cloud service provider’s template contract and plan for the possibility of changing cloud service providers. This means ensuring the contract includes adequate transition-out services and designing the business’ system architecture so that it is not tied to one particular provider, which maximises data portability.
Tip: Review the template service contracts of your current/prospective cloud service provider to ensure it will provide adequate transition-out services.
Data loss can happen for a variety of reasons including malicious attacks, human error, corruption and physical damage to hosting servers. While these events can happen without the involvement of cloud computing services, the responsibility for monitoring the data and protecting against these events is placed with the service provider and out of the direct control of affected businesses.
The outsourcing of this responsibility can impact the business’ ability to respond to data loss incidents and mitigate their impact, as the business is dependent on diligent reporting by the cloud service provider. This means that the continuity of business operations may be reliant on the efficacy of the cloud service provider’s data backup mechanisms and disaster recovery procedures, which may be inadequate or improper.
The reliance on cloud service providers can increase a business’ exposure to ransomware and other data loss events. To mitigate this risk, businesses should request a detailed framework from their cloud service provider about its data loss mitigation policies, data backup mechanisms and disaster recovery procedures. Further, a business may choose to maintain local storage of its critical business information to lessen its vulnerability to data loss events.
Tip: Enquire about your cloud service provider’s data loss mitigation policies, data backup mechanisms and disaster recovery procedures.
Where a business chooses to store the personal information of its customers or employees with a cloud service provider, it still retains its obligations under the applicable privacy laws. One of these obligations is compliance with the notifiable data breaches scheme (NDB Scheme) introduced under the Privacy Act 1988 (Cth) (Privacy Act) in February 2018.
The operation of the NDB Scheme was demonstrated in June when PageUp, a provider of cloud-based human resources systems, revealed it had experienced a data breach a month earlier that compromised the personal information of employees and former employees of its clients, including major Australian and international companies. Following this data breach, the affected businesses were informed by PageUp that their customers’ personal information could be in the hands of hackers.
The key message from the PageUp incident is that companies who collect personal information about their customers will be responsible for data breaches, even if the data incident occurs at a vendor or cloud service provider.
Businesses should also be conscious of cloud service providers that host data on overseas servers. Where subject to the Privacy Act, businesses must take reasonable steps to ensure overseas recipients of personal information do not breach the Australian Privacy Principles (APPs), which govern the collection and management of that information. In certain circumstances, if an overseas recipient breaches the APPs, its acts or omissions can be taken to be those of the disclosing business. Therefore, businesses should ensure they are covered, through contractual provisions and appropriate insurance, for any regulatory penalties or sanctions arising from the conduct of their service providers.
Tip: Ask your cloud service provider about where they hold your data and consider contractual provisions that deal with reporting and cooperation by the cloud service provider in an instance of a data breach or breach of the Privacy Act.
Downtime is a reality of internet-based services such as cloud computing, and it can occur for any number of reasons. What is alarming is that a majority of Australian businesses have not assessed the financial impact of cloud downtime when deciding to move their data onto the cloud. Research sponsored by Veritas Technologies revealed that 62% of respondents across Australia and New Zealand have not adequately evaluated the cost of an outage to their business.
On this basis, these businesses may not be prepared to deal with the impact of downtime when it occurs. For example, in 2017, Amazon Web Services experienced an outage caused by human error which reportedly cost publicly traded companies up to US$150 million. This incident indicates that no cloud service provider and no business is immune from downtime.
For this reason, businesses should pay close attention to the service levels for accessibility and availability of their cloud service to ensure the level meets their business requirements. Commonly, cloud service providers offer a 99.9% or higher level of availability and provide service credits if the service level drops below this. This metric is usually reported by cloud service providers after measuring the service level over a 365-day period. The problem for businesses is that if they are subject to service levels below 99.9% during parts of the year, they may incur business costs without compensation until the end of the 365-day period.
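To make the measurement-window point concrete, the following is an added Python example (not code from the article, and not any provider’s SLA tooling) that evaluates a constructed outage log against a 99.9% availability target both over the 365-day contract year and month by month. The outage dates and durations are assumed sample data; the script shows how a provider measuring over a full year can report the target as met even though individual months fell well below it.

```python
from datetime import datetime, timedelta

TARGET = 0.999  # the 99.9% availability level commonly offered, per the article

# Constructed sample outage log for one contract year (ISO-8601 timestamps, UTC).
# These values are assumed for illustration, not taken from any real provider.
OUTAGES = [
    ("2017-01-10T02:00:00", "2017-01-10T05:30:00"),  # 3.5 h in January
    ("2017-01-22T09:00:00", "2017-01-22T10:00:00"),  # 1.0 h in January
    ("2017-06-03T00:00:00", "2017-06-03T02:00:00"),  # 2.0 h in June
]


def _parse(outages):
    """Convert (start, end) ISO strings into datetime pairs."""
    return [(datetime.fromisoformat(s), datetime.fromisoformat(e)) for s, e in outages]


def downtime_minutes(outages, window_start, window_end):
    """Minutes of outage falling inside [window_start, window_end).

    Outages straddling the window boundary are clipped so that only the
    portion inside the window is counted.
    """
    total = timedelta()
    for start, end in _parse(outages):
        overlap = min(end, window_end) - max(start, window_start)
        if overlap > timedelta():
            total += overlap
    return total.total_seconds() / 60


def availability(outages, window_start, window_end):
    """Fraction of the window during which the service was up."""
    window_minutes = (window_end - window_start).total_seconds() / 60
    return 1 - downtime_minutes(outages, window_start, window_end) / window_minutes


def allowed_downtime_minutes(window_start, window_end, target=TARGET):
    """Downtime budget implied by the target, e.g. 525.6 min per 365-day year at 99.9%."""
    return (window_end - window_start).total_seconds() / 60 * (1 - target)


def annual_availability(outages, year):
    """Availability measured over the whole calendar year, as providers commonly report it."""
    return availability(outages, datetime(year, 1, 1), datetime(year + 1, 1, 1))


def monthly_availability(outages, year):
    """Availability measured month by month for the same outage log."""
    result = {}
    for month in range(1, 13):
        start = datetime(year, month, 1)
        end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
        result[month] = availability(outages, start, end)
    return result


def months_below_target(outages, year, target=TARGET):
    """Months in which the service level fell below the target."""
    return [m for m, a in monthly_availability(outages, year).items() if a < target]


if __name__ == "__main__":
    year = 2017
    print(f"Annual availability: {annual_availability(OUTAGES, year):.4%}")
    print(f"Annual downtime budget at {TARGET:.1%}: "
          f"{allowed_downtime_minutes(datetime(year, 1, 1), datetime(year + 1, 1, 1)):.1f} min")
    for month, avail in monthly_availability(OUTAGES, year).items():
        flag = "BELOW TARGET" if avail < TARGET else "ok"
        print(f"{year}-{month:02d}: {avail:.4%} {flag}")
    print("Months below target:", months_below_target(OUTAGES, year))
```

With the sample log, the year as a whole comes out at about 99.93% (390 minutes of downtime against a budget of 525.6), so an annually measured SLA would pay no service credits, while January (about 99.40%) and June (about 99.72%) each breach the target on their own. Running the same check against the measurement window written into a proposed contract is a quick way to see how much uncompensated downtime a business could absorb before the provider owes anything.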
Given this known risk to cloud services, businesses should consider whether they have appropriate coverage in the event of extended or consistent downtime. Business interruption insurance may be essential to cover costs incurred by a business as a result of substandard service levels.
Tip: Assess whether your business has adequate recourse against the cloud service provider in respect of an extended or consistent downtime.
The use of cloud computing services by businesses is rapidly growing and is very likely to continue doing so for the foreseeable future. While this growth can lead to increased efficiencies and reduced costs for businesses, it carries with it the risks associated with handing over control of what can be a critical part of a business’ infrastructure to a service provider, all while the business remains responsible for ensuring compliance with privacy regulations and other legal obligations.
Given the risks associated with the use of cloud computing services, obtaining a policy of cyber insurance is a critical part of a business’ overall network security strategy. Cyber insurance can provide cover in the event of data loss or a breach of privacy regulations arising from the use of cloud services.
Tip: Businesses that use cloud computing services should purchase cyber insurance.
If your organisation is currently using or considering using cloud computing services, it may be worthwhile to seek legal advice in relation to the cloud computing service contract.