Cloud computing: Is it worth the legal risks?

The cloud throws up a raft of legal and security concerns - but that doesn't mean you shouldn't embrace it, says lawyer Mark O'Conor.

The drive for cost savings and added pressure of ensuring resources are used in a way that is environmentally sound has seen technological developments take on even greater significance for businesses.

Finding economies of scale through amalgamating an organisation's IT portfolio, combined with ways to use redundant processing power, is vital.

Cloud computing helps facilitate these goals but also presents several factors and risks that should be considered by any business using the technology.

First, cloud computing challenges current methods of licensing and payment. The traditional model is the standard ROI model: the developer spends time and money creating new software, protects the source code (human-readable and easily copyable) and then licenses the object code of the new offering.

From there, the software is sold in the normal way, whereby restrictions are imposed relating to number of users, scope of use and geographical usage. These models do not fit the virtualised services, such as SaaS, so will need to be re-examined, and in some instances, discarded.

The manner in which technological knowledge is provided has and will continue to dramatically shift. While the cloud exists because of a complex scheme of interconnected networks, these complexities are hidden from the end user. From their perspective, the applications and data are stored in servers on the internet and then cached on a temporary basis on the user's desktop (or other device) when needed.

But this means there are additional security and legal issues to address, as the licensing model is quite different and information is no longer contained within one server.

Security is the main concern. The very fact that data and applications are hosted away from the user means that additional controls are required (both technically and contractually) to ensure security remains adequately protected. And this shouldn't be done simply out of goodwill to protecting customer data - the Data Protection Act's seventh and eight principles include enforceable rules for personal information that is hosted remotely.

With regards to licensing, instead of a perpetual licence linked to limited warranty, IT services from the cloud have a rolling support and maintenance agreement. In a virtualised licence agreement, 'term' is irrelevant, as use is instead provided on a real-time basis.

This impacts the payment profile, as the user merely wants to pay for their use, not a longer-term licence fee. Systems need to be in place, similar to a virtual water meter, to total up usage and create the right invoice.

Although there are many issues to address around the growing use of cloud computing, none of them are insurmountable. With some foresight, all can be adequately mitigated by both technical and contractual means.

As such, if organisations are not already looking at virtual models as part of their technology roadmap, it is likely that they will be shortly.

Mark O'Conor is a partner in the intellectual property and technology group at law firm DLA Piper.