SMEs and Cloud storage – will my confidential information be safe “in the Cloud”? Helpline / Sample Case


Case:

We are an SME involved in an FP7 project which is to start soon. For environmental as well as cost-saving reasons, we would like to document our research using Electronic Laboratory Notebooks (ELN). All the data storage providers we have contacted so far have informed us that the data pertaining to such ELN will be stored via “Clouds”.

We are not fully comfortable with the idea of our research data being stored in the Cloud, especially as this data will for the most part include confidential information and know-how, or might be subject to intellectual property protection in the course of our project. Many of our research colleagues use Cloud storage, but we are not confident as to whether this is advisable. Would you recommend that we resort to Cloud storage? Are such storage tools reliable, or can they be risky or have a negative impact upon our intellectual property?

Because of these concerns, we are currently negotiating the setting up of our own Cloud with a storage provider. Do you have any recommendations as to what we should consider during these negotiations?

Answer:

The Cloud can be a very convenient data storage solution for SMEs, being flexible, easily adaptable to small businesses’ size and needs, and cost-effective at the same time. This tool should however be used with caution as it is not necessarily suited to all types of data, especially data compiled by SMEs involved in R&D activities. Your enquiry revolves around laboratory notes, which are a typical example of sensitive or confidential information.

As you know, it is quite likely that all your laboratory notes will have to be kept confidential during the duration of the project and possibly beyond. This may be because the information they contain (know-how, for instance) is not protectable as such and therefore has to remain undisclosed; this may be because some of these notes can be the basis for a patent application, which will require novelty i.e. undisclosed information up until the moment it is filed. Either way, the main principle surrounding the management of this confidential information is that such information must be stored safely.

In the case of paper laboratory notes, this would involve, for instance, these notes being locked in a safe and being only accessible to a small number of people. The same principle applies to electronically stored information, which should be technologically protected – should you store this information on your own servers, it would be highly advisable to set up encryption mechanisms and/or passwords in order to prevent unauthorised access to this data, and to change them regularly. As you can see, storing your physical or electronic data, even within your own premises, would usually involve adopting a bundle of security measures aiming at ensuring data protection.

Based on the above, storing this data in the Cloud means that you will have very little ability to personally ensure that your storage is safe and that no leaks or unauthorised disclosures occur.

Cloud storage will by its nature involve several storage locations across the globe, without those locations always being clearly defined; it will also involve staff working for your storage provider and/or its contractors, who might at some point have to handle this data. Cloud storage for such sensitive data therefore involves a risk, especially as the legal framework surrounding cloud computing is still uncertain.

You were wondering whether Cloud storage providers offer a safe data storage service. As far as the technical aspects go, we would suggest that you consult online studies, reviews and comparisons between Cloud storage providers in order to see where each of them stands in terms of security, data loss, confidentiality and related issues. However, and as outlined above, given the current legal uncertainty surrounding this issue, we would like to stress that resorting to Cloud storage for your confidential data, even if provided by well-established companies with the promise of security, will always involve a risk.

Should you still wish to resort to a “ready-made” Cloud storage solution such as those offered by major storage providers, you are then strongly advised to conduct a proper due diligence and to carefully go through the provider’s terms and conditions before making your final decision – in particular, we would recommend that you always take a close look at the disclaimers and provisions surrounding confidentiality as well as the provider’s liability in the event of data loss or unauthorised disclosure.

The problem of such “click-through” standard terms is that there is usually no room for negotiation. Providers will often mention that reasonable care will be used in order to keep your data confidential, their staff being also bound by an obligation of confidentiality. Providers’ liability provisions would however usually be reduced to a minimum and therefore complete confidentiality of your data will never be fully guaranteed. Most providers will avoid giving any clear undertaking as to the protection of your data’s confidentiality, and will not accept any liability for it – there is often a lack of transparency and clarity concerning the extent to which data security is guaranteed.

If you go through these providers’ standard terms and conditions, you will often notice certain provisions according to which data disclosure can be requested in certain cases, particularly under the law of the United States. Furthermore, such standard terms will also often include provisions stating that only the customer can be responsible for securing its data.

As a result, should a leak or disclosure occur, the outcome in terms of provider liability is quite uncertain, based on the provisions and disclaimers mentioned above. Many contracts are silent on key terms; in many instances, uncertainty prevails as regards issues such as enforceability or applicability of EU laws to international data transfers. A technical answer to this could be to consult an IT expert in order to see whether it could be possible to add an extra level of encryption to the data uploaded into the Cloud, in order to secure it further and to, at least, prevent any access to it in the event of a leak.

To conclude on this point, as you see, storage providers will usually try and provide a secure storage space and will also impose confidentiality obligations upon their staff. We cannot confirm that such storage would be risk-free, however, as the legal provisions applicable to such contracts allow for certain types of disclosure and will often go towards a reduction or exclusion of the service provider’s liability.

Besides the issue of knowing whether Cloud storage providers can be trusted with your confidential data, you were enquiring as to the specific IP issues which could arise in relation to Cloud storage. As stated above, being a fairly recent issue, Cloud computing is still a grey area, with many legal aspects remaining quite uncertain or unresolved for the time being. At the European level for instance, the European Commission has recently launched the “European Cloud Computing Strategy”, which aims at setting certain basic standards and identifying safe and fair contract terms – which are lacking for the time being.

Most of this uncertainty revolves around the lack of geographical boundaries inherent to Cloud storage – your data being stored “in the Cloud” implies that it can be stored anywhere in the world, most probably across different locations, and can be moved swiftly from one country to the next, inside or outside the EU.

No legal framework specific to cloud computing exists so far, and therefore the rules applicable to your data will mostly depend on the contractual provisions regulating your relationship with the provider. As stated above, such contracts often suffer from a lack of transparency.

Uploading data into the Cloud will most probably mean exporting your data abroad, to locations which might not be precisely disclosed to you. Your Cloud provider may also resort to providers of its own and outsource some or all of the storage elsewhere. There will therefore always be a risk of uncertainty as to where your data is legally deemed to be located, i.e. the risk of not being aware of how many legal systems (and which ones) apply to it.

In terms of IP per se, the ownership of the data contained in your laboratory notes and of any IP rights over it should normally not be affected should you choose to upload them into the Cloud, as a storage contract would usually not grant storage providers any rights to their users’ content. This is of course subject to the existence of any overriding provisions in the national laws of the various storage places.

It is therefore our understanding that the main issue would most likely revolve around “soft IP” i.e. around the protection of trade secrets or confidential information not protectable as such by IP rights, and for which the only protection there is would be non-disclosure, or disclosure under strict confidentiality agreements. Disclosure of your confidential data might be allowed more or less widely (or requested more or less widely by national laws) depending on the place where the storage takes place. In other words, when uploading your lab notes into the Cloud, it will be very difficult for you to ensure that the provider’s (as well as its staff’s) contractual non-disclosure obligation is actually being complied with. What would constitute a breach of an obligation of confidentiality under the law of your home country might be allowed under certain circumstances in other jurisdictions – in other words, there is currently a lack of standards as to what providers may disclose or not.

For these reasons, and seeing as you are currently considering setting up your own Cloud, we would like to provide you with a few guidelines in order to reduce the risks inherent to Cloud storage.

As explained above, it is our understanding that laboratory notes should ideally be kept away from the Cloud. Should you nevertheless decide to resort to that means of storage, bear in mind that you should, when possible, try and negotiate reinforced security and confidentiality clauses with your provider in order to achieve a higher level of protection than what you would get on the basis of the standard terms described above. You have mentioned being currently in negotiations with an ELN provider – which means that you might be able to negotiate a custom-made level of protection better suited to your needs than what standard terms would provide.

During the negotiations, you should also require as much information as possible about the countries where your provider usually stores its clients’ data, the countries where your provider has partners likely to host some of your data, and so on. This will give you an overview as to the different jurisdictions which may become relevant to you. You may in certain cases be able to choose the location of data storage – for example, major Cloud providers often have an EU infrastructure and are therefore able to give their customers the option to choose between the United States or the European Union as a data location. This would usually only apply to permanent data storage (as opposed to temporary data storage, for which no choice is given) but could still be a good start – you may wish to ask for similar provisions to be added into your contract. You should, as far as possible, try to strengthen the confidentiality clauses in your contract while at the same time trying to narrow the geographical scope of storage, in order to retain better control over your data.

Finally, should you end up choosing cloud storage, we would also generally recommend that you set up digital protection measures and/or encryption mechanisms in order to lock the contents stored in your ELN away from third parties. Regardless of confidentiality issues, we would also recommend that you set up a backup system in order to protect yourself from any data loss which may occur.
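The answer twice recommends adding your own layer of encryption to notebook entries before they are uploaded, so that a leak at the provider or one of its subcontractors exposes only ciphertext, and recommends keeping a backup. The following Go program is an added example of what that looks like in practice; it is not code from the helpline, from any ELN vendor or from any storage provider. It uses only the Go standard library: a random 256-bit key is generated and kept on the SME's own systems (the provider never receives it), each entry is sealed with AES-256-GCM, the entry's identifier is bound as associated data so a blob that has been swapped or renamed on the provider's side fails to decrypt, and a SHA-256 fingerprint of the uploaded blob lets you check that a backup copy is byte-identical. The entry identifier and the notebook text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const keySize = 32 // AES-256

// GenerateKey creates the data-encryption key. It is generated and stored
// on the SME's own premises (e.g. in an offline key store); the cloud
// provider only ever sees ciphertext, never this key.
func GenerateKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM instance from the key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealEntry encrypts one notebook entry before upload. Output layout is
// nonce || ciphertext || GCM tag. The entry identifier (a hypothetical
// path inside the ELN) is authenticated as associated data, so the blob
// cannot be silently substituted for a different entry.
func SealEntry(key []byte, entryID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce.
	return aead.Seal(nonce, nonce, plaintext, []byte(entryID)), nil
}

// OpenEntry decrypts a blob fetched back from the cloud. Any change to the
// nonce, the ciphertext, the tag or the identifier makes Open return an error.
func OpenEntry(key []byte, entryID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(entryID))
}

// Fingerprint returns the hex SHA-256 of an uploaded blob, recorded locally
// so that a backup copy can later be checked for byte-for-byte equality.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample entry; not real research data.
	const entryID = "eln/project-x/2013/run-017"
	entry := []byte("run 17: catalyst batch C-3, yield 71%, conditions in appendix B")

	blob, err := SealEntry(key, entryID, entry)
	if err != nil {
		panic(err)
	}
	fmt.Println("uploaded blob fingerprint:", Fingerprint(blob))

	// What the provider (or a leak) sees is only the blob; what we recover locally:
	back, err := OpenEntry(key, entryID, blob)
	fmt.Printf("round trip ok: %v\n", err == nil && string(back) == string(entry))

	// A single flipped byte in the stored blob is detected, not decrypted to garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenEntry(key, entryID, tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// The same blob presented under another entry identifier is also rejected.
	_, err = OpenEntry(key, "eln/project-x/2013/run-018", blob)
	fmt.Println("swapped identifier rejected:", err != nil)
}
```

The point of the design is that the contractual uncertainty discussed above (where the data sits, who at the provider can read it, what a foreign court may compel) stops mattering for confidentiality once the provider only ever holds ciphertext and the key stays on premises. The residual risks are then loss of the key, which destroys the data, and loss of availability, which is why the key itself and the fingerprints belong in the backup the answer recommends.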