Legal tips for engaging datacentres

When signing on a new datacentre provider, businesses and government should get their lawyers to check over the three key areas of physical security, data security and copyright, according to Baker and McKenzie partner James Halliday.

Speaking at CommsDay’s Australian Data Centre Summit, Halliday said that while the three areas don’t represent all issues that should be examined by businesses and government when picking a datacentre provider, they are among the most important.

Halliday said that the process of signing on to a datacentre provider used to be simple, and that the only real consideration used to be whether the provider actually owned the title to the physical infrastructure.

However, he said that this is no longer the case.

“With increasing sophistication of cloud and datacentre services, what we’re seeing is an increase in the complexity.”

Physical security

In terms of physical security, Halliday said that it is imperative to understand a datacentre’s claims history, particularly insurance claims.

“A long-term history of recurring claims, particularly claims of insurance, tends to indicate systemic problems, and this can have a number of knock-on effects.”

These include larger premiums that the provider has to pay because of repeat claims, which would then be passed on to the customer.

“Unless the service contract is carefully drafted, then it’s typically the purchaser that’s left to meet this cost, and, as a result, there will be no recourse against the seller,” Halliday said.

He suggested that companies negotiate indemnity from the seller to cover all increases in insurance premiums, should the provider need to make a claim.

However, Halliday said that those looking for a datacentre and wanting the provider to carry all costs of an outage shouldn’t expect to be able to have such a clause written into the contract. Contracts generally exclude customers from being able to claim for consequential losses and limit the liability of the provider to only physical damage, he said.

Furthermore, he said that purchasers should expect providers to exclude liability for any matters outside of their control, such as acts of God or incidents where another customer in the same datacentre decides to “go rogue” and cause damage to others. He warned that purchasers should also consider whether their contracts go to the extent of limiting customers from suing each other.

Data security

Halliday indicated that the legal issues relating to data security are still very much up in the air, as Australia’s review of privacy laws is still to be decided.

“To date, there’s really been only limited legal activity or litigation in this country in relation to breaches of privacy or data integrity, and that’s because the law of Australia is quite limited in its [provisions] for individuals to make claims for breach of their own data security or their own personal privacy,” he said.

Despite this, he said that potential purchasers should carefully inspect their contracts to ensure that where a datacentre provider fails to protect or take reasonable steps to protect personal information from unauthorised access, modification or disclosure, it provides the purchaser with indemnity.

He also said that purchasers should review the operational history of the provider to check whether it has had any breaches in the past. Lastly, he said that purchasers should also look at the sales contract to ensure that they are protected during the period between signing the provider on and having the services delivered, whether it’s in terms of compensation and/or the ability to exit the contract.

Copyright

While not directly related to security, Halliday said that copyright issues are an important issue.

Paul Noonan, Herbert Geer’s partner, went into further detail on how it is not just the person copying copyrighted material that could be held accountable, but also anyone who assists them. In the case where one party enables another to copy or distribute copyrighted material, they are considered to have authorised the infringement, and are also liable.

Geer said that while there are safe harbour provisions that limit carriage service providers’ liability, these do not apply to datacentres. Although iiNet has so far not been found to have authorised infringements in the case brought against it by the Australian Federation against Copyright Theft (AFACT), three judges have found that if it were, safe harbour provisions would not apply. This is because, contrary to iiNet’s beliefs, it does not satisfy the condition to meet them. This means that a datacentre operator could be open to greater liability, a cost that may then be passed on to its customers.

“The question must arise as to whether a datacentre operator … could be liable for authorisation infringement,” Noonan said.

To guard against copyright issues, Halliway said that purchasers should ensure that the operator has strong intellectual property and indemnity protections in its contracts, passing liability back to customers. This is so that the operator is not held responsible for copyright issues that might stem from a single user, and can then pass the costs of the liability on to all customers.

“I’d have a pretty careful look at customer contracts. I’d want to see that the operator has shifted the legal risk of copyright infringement to users of the service. This is best achieved by having in place contractual indemnities from the user to the centre operator that basically cover or indemnify the operator for any infringement that is caused by a user of the service.”

Noonan agreed. “It’s worth considering the circumstances in which you would be able to terminate the customer contracts if you had a Megaupload that was potentially doing something wrong,” he said.

In addition, Halliday said that purchasers should ask what systems and processes the operator has in place that will allow it to respond to any claims of infringing activity, or, at the minimum, a plan of what it would do in the event that infringing activity is reported.

(Carousel image by Michael Lee/ZDNet Australia)

Views: 0

You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply

Powered by WordPress | Designed by: Premium WordPress Themes | Thanks to Themes Gallery, Bromoney and Wordpress Themes