There’s an insightful article in today’s National Post about the legal implications of offshore cloud storage. This article should be mandatory reading for any organization thinking about implementing cloud storage. It also provides a remedial lesson for any Canadian-based organization that embraced cloud storage without first determining where its data would be stored and assessing the risks inherent in any out-of-country storage.
Cloud storage provides many benefits including reduced storage costs, disaster recovery protection, and allowing 24/7 access to information (by authorized users, of course). But how many organizations thoroughly assess the tradeoffs in achieving those benefits before signing a contract with a cloud storage provider?
One of the biggest risks of cloud computing concerns the location of the stored data. By virtue of being located in another country, a Canadian-based organization risks that the goverment of that country will be able to access the information or be able to use the information in ways not allowed under Canadian law. This is of concern particularly where personal information is concerned as we’ve seen from the anxiety many experienced when the expanded search and seizure powers came into effect under the US Patriot Act.
As the article makes clear, any organization signing a cloud storage contract should first ask the vendor to specify where the data will be stored so the organization can assess the jurisdictional implications of any out-of-country storage. I also recommend asking the vendor about backups since its possible that the back up server(s) may be located in yet another country.