5 Questions to Ask Before You Move to the Cloud

Before you give the green light to the cloud, here’s what you need to know
November 10, 2011

If you own a business, your IT staff is likely one of many across the globe who are slowly convincing business owners and managers that storing data in the cloud is the future. He or she probably pointed out that hiring a third party to store your company’s data will allow you and your employees to access it from anywhere via the internet, cut costs, and may help you avoid a great deal of hassle should something happen to the company’s on-site data storage facilities.

 

But before you give your resident tech geek the green light to start outsourcing your company’s data storage to the cloud, there are several legal considerations that you should be aware of. Here are the five major questions that you as a business owner or manager need to know the answers to before signing a contract with a cloud service provider:


1. Who will have access to your business’ data?

The first piece of information that you need to obtain from potential cloud service providers is whether a third party will be processing, storing, or transmitting your company’s data. In some cases, a cloud service provider may not actually own the servers where your data will be stored. The cloud service provider may subcontract out the storage of data, and that subcontractor may in turn be subcontracting out storage services, and so on. Other cloud service providers may offer bundles of cloud software services that seem to all be part of one application to the user, but are actually made up of several subcontractors that operate the different services and the associated data storage. The more subcontractors that are involved, the more legal risk your company will likely be subject to because it can never know where the data is physically located and how well it is protected at any one time.

 

Any contract your business signs with a cloud service provider should address who will actually be handling your company’s data, whether any subcontractors will be allowed to further subcontract out the storage of your company’s data, whether you will receive notice when your cloud service provider switches subcontractors, and what data security standards any subcontractors should be able to satisfy.

 

It is also important to spell out that although your company is providing the cloud service provider with its data, that does not automatically mean that they own it or are allowed to exploit it or use it for any purpose other than to provide services to your company. The contract should make clear that any intellectual property contained in the stored data belongs to your company, and it should address whether the cloud service provider may allow third parties to access or use your company’s data.

 

2. Where will your business’ data be stored?

Where the servers containing your company’s data are physically located is very important when it comes to complying with various laws protecting the privacy of your customers and regulating how security breaches must be handled.  The jurisdiction where the servers with your company’s data are kept controls how that data may be stored and accessed.  In the U.S., most states have their own data protection and breach laws for personal or sensitive information. It is your company’s responsibility to make sure that these laws are complied with—not the cloud storage service provider’s.  

 

Where your data is stored also affects whether the government in that jurisdiction can access that information and how. A potential problem with storing information in the United States is the USA Patriot Act, which allows the U.S. government to seize information stored in the U.S. or accessible from the U.S. without giving the affected parties notice, reason, or an opportunity to contest the intrusion. This ability may conflict with privacy laws governing the private data of your customers who live outside of the U.S.

 

It is also important to ask whether your company’s data can be transferred elsewhere, to where, and whether your company will be notified beforehand. Businesses that have customers located in the European Union need to be aware of the EU Data Protection Directive, which prohibits transferring the personal information of EU residents out of the EU to many countries, including the U.S., without complying with the applicable provisions of the Directive. Switzerland and Russia have similar data protection laws based on the Directive, and the Canadian province of Alberta’s Personal Information Protection Act requires that notice be given to a resident whose personal information is transferred outside of Canada.

 

Your company’s data might also be subject to U.S. export control regulations, such as the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR), if it is “exported” to a server outside of the U.S.

 

Author Information:

Lauren Mack is a law clerk and Kaiser Wahab is a business, venture, and tech/IP attorney at the NY firm of Wahab & Medenica.

 
 
