Data ownership in the cloud could prove to be a thorny legal issue
Cloud resource use needs to be managed if employees and employers are to avoid data ownership and legal liability issues
Data ownership is easy right? You own something or you don't. But it's not quite so straightforward when it comes to the cloud. In this case, the cloud makes it easy for individuals and organisations to access technology resources, but this can create challenges as well as opportunities – particularly in areas such as data ownership and financial control.
“Be sure to keep the legal title to all of your data hosted on cloud services,” says Stephen Bowman, a solicitor in the corporate and commercial team at Brachers LLP. But this can be easier said than done. Who owns the data if an individual employee subscribes to a cloud service? What happens if their employment ceases? How can you monitor, control or consolidate cloud spending when individual employees or departments can so easily expense it using personal and corporate credit cards? Who has a contract with the service provider – the employer or the employee?
“We’ve faced the data ownership issue a few times,” says Duane Jackson, founder and CEO of Kashflow, a software as a service (SaaS) provider. “Rather than having any strict rules we always judge this on a case-by-case basis.”
Kashflow tends to be guided by the email address used to register the account and the details held at Companies House on the directors of the company. Jackson says: “It gets more difficult when there isn’t a separate distinct and documented legal entity, such as when a business is a sole trader not a limited company. Then it comes down to IP logs of who historically has used the account and their knowledge of the data that’s in there,” he explains, adding: “But it nearly always comes down to a judgment call.”
Different cloud service providers take different approaches. Amazon Web Services (AWS) focuses on the individual account owner. “Each AWS account has a unique 12-digit AWS ID and this is the primary identifier for all AWS accounts,” says AWS spokesman Matt Lambert. Data ownership is linked to this, so if an employee has paid for a cloud service using their personal credit card ‘corporate’ data may ‘belong’ to the individual not the organisation employing them. “Our responsibility is to the account owner,” he says. “Any agreement they may have entered into with an employer is between them and does not imply any right to the account. If two parties agree they wish to hand over the account, we can provide advice on how.”
The individual account owner also has responsibilities. If they were to use AWS to spin-up a couple of virtual servers and then forget to turn them off over a long weekend or when leaving the company the bill could follow them, as financial liability seems to rest with each individual AWS account holder, not with their employer.
“Ultimately, the account holder is responsible for any payment of any bills on their account,” says Lambert – regardless of who the card-holder is. “If another party has supplied their card details to be used on the account, that is an agreement between them and does not infer any rights to the account or any services on the account,” he explains.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
Issues may also arise because of non-payment for services. If an account becomes overdue providers will notify the user and then (variously) charge interest, suspend services, and take legal action against the individual or organisation the service provider has a contract with.
Rackspace, for example, suspends services and charges interest on overdue amounts at 1.5 percent per month if an amount is overdue by more than 30 days. It also charges fees if its services are reinstated after a suspension for non-payment, and if it does bring legal action against a customer to collect on the late payment of a valid invoice, that customer will also be liable for Rackspace’s costs of collection, including reasonable legal fees, expenses and court costs.
All of which gives employers and employees some very good reasons to clarify matters relating to data ownership and financial liability for all types of cloud service.
Just in case you need more reasons to take a proactive approach to corporate use of cloud resources, this can deliver real benefits, by helping those in IT and finance to ensure that the business gets the biggest possible bang for every buck it spends on technology – particularly when employees can access the same resources through both cloud and traditional means.
Specialist ‘spend optimisation’ tools are available to monitor, analyse and report on usage, as CloudPro outlined here and here, and software access management (SAM) tools are adding related functionality too.
Snow Licence Manager, for example, offers visibility by deploying an ‘agent’ on each device in an organisation. “It runs an audit review each day of everything on each device,” explains Mark Flynn, UK MD of Snow Software, so if a new sales team has been using credit cards to buy software they chose independently the company would know about it before it gets recharged via company expenses.
"The IT department has the ability to differentiate between users of cloud apps [delivered via a browser internally or externally] and traditional applications,” he explains, so IT can look at usage times and patterns and then optimise its licence use. “It’s possible to make an accurate judgement on whether a user needs a particular application," he adds.
Providers of cloud IT resources are also making it easier for users to analyse and manage the associated costs, with features such as consolidated billing. But if you want a service provider to search its records for account holders (using corporate email addresses) and then tell you which employees are doing this you may be disappointed.
"We are vigilant about our customer’s security and privacy so do not disclose account details to anyone other than the account holder,” says AWS's Lambert, adding. “We do, however, have teams of solutions architects and account managers that work very closely with our larger customers around the world to help them consolidate their billing. It is through this ‘hands-on’ interaction that our teams help customers to identify all of the AWS accounts they have.”
Lesley Meall is a freelance journalist and editor. She has been writing about accountancy, business and technology for more years than she cares to remember, and before this, at some point in the dim and distant past, she used to be a software engineer.