legal tips for small businesses using cloud services
TRANSCRIPT
Legal tips for small
businesses using cloud
services
enter
IntroductionCloud computing can offer many benefits to small businesses, such as improved productivity and more innovative service. When using cloud in your small business, it is important that you have good information to maximise the benefits while managing any risks. Sometimes it can be difficult to get good information about the cloud—for example there are a number of misperceptions that may lead small businesses to believe cloud services are more risky than traditional ICT services. For more information see the Small Business Guide on Cloud Computing Myths.
This document aims to explore some of the legal implications of cloud under Australian Commonwealth laws, so that small business can better understand their protections and obligations under the law. This document covers:
• Contractual_terms_and_conditions
• Your rights as a consumer of cloud services
• Privacy protections
• Securing your data
• Law enforcement access to data stored in the cloud
In addition to Commonwealth law, there may be state and territory laws or industry specific laws that are relevant to you. If in doubt, you may wish to seek your own independent legal advice.
Legal tips for small businesses using cloud servicesDepartment of Communication2
What is cloud computing?Cloud computing is the consumption of information and communications technology (ICT) over the internet, as a service.
There are five essential characteristics that differentiate cloud services from traditional ICT services:
Capacity on demand—the service already exists and can be accessed when needed, usually through an automated process.
Device agnostic—users can access cloud services over a network through a broad range of devices, accessed over a standardised platform (such as a web browser).
Resource pooling—shared computing resources can provide significant economies of scale which help reduce costs and accelerate innovation.
Scalability—users can scale cloud services up or down quickly and cheaply to suit their individual needs.
Metering—users can measure their consumption of cloud services quickly and easily, and adjust it accordingly.
Examples of cloud services include data storage services such as Basecamp, Drop Box and Amazon Web Services, productivity tools such as Microsoft Office 365 and Adobe Creative Cloud or online book keeping service such as Xero or MYOB online accounting. There are thousands of different cloud services, so shop around to find the service that is right for your business.
Legal tips for small businesses using cloud servicesDepartment of Communication3
Before choosing a cloud service• Shop around—be prepared to compare services and to consider
what service may meet all your needs, not just price.
• Ask questions—if something about the service is unclear ask the cloud service provider to explain.
• Check the terms and conditions—read the contract carefully to ensure the service meets your needs. Check other relevant documents (such as privacy and security documents).
When using a cloud service• Know your legal obligations and how these may be affected by
using a cloud service. You may need to get legal advice on your specific circumstances.
• Be aware of how to make a complaint—raise concerns with the cloud service provider. If they are unable to resolve the issue, you may need to check which organisation can assist with your complaint. Information on where you can get more help is provided below. If your provider is based overseas, be aware that it may be more difficult to enforce Australian law.
Legal tips for small businesses using cloud servicesDepartment of Communication4
Contractual terms and conditionsBy using a cloud service, you will be entering into a contract. In most cases the contract will set out what your rights are as a customer and the obligations that the provider has committed to. As with most ICT services, a cloud computing contract may be ‘standard form’ and there may be little opportunity to negotiate specific terms and conditions.
The contract may not be the only document that provides information about the service. Information may be provided in the provider’s policy documents, service level agreements or in other information available on the provider’s website. You may wish to get legal advice to assist you in understanding these contractual terms and conditions.
Before choosing a service, consider whether the service will meet your needs as this can be more important than comparing price. To assist you in making a decision, there are a range of questions you may wish to ask about a cloud service. For an overview of potential questions see the Small Business Guide on Questions to ask your Cloud Provider.
What are your rights?
The Australian Consumer Law (ACL) sets out your rights as a consumer of services, such as cloud computing. Many of these protections apply to both business and individuals. The ACL is enforced jointly by the Australian Competition and Consumer Commission (ACCC) and fair trading associations in each state and territory.
Unconscionable conduct
The ACL prohibits unconscionable conduct when supplying services, such as cloud services. Unconscionable conduct may occur when a cloud service provider uses questionable tactics to pressure a customer to purchase a service that does not meet their needs. The factors surrounding the conduct are relevant, such as the terms and conditions of the contract, the relative bargaining strengths of the parties, whether the contract was negotiated by the parties and whether the customer could understand the documents used to sell the service.
Legal tips for small businesses using cloud servicesDepartment of Communication5
False or misleading representations
The ACL prohibits false or misleading representation about a service, including that the service meets certain standards or quality or is provided at a certain price. For example, if a cloud service provider’s marketing material indicated that the service was available for certain periods, but failed to meet that standard, this may be found to be false or misleading. These protections apply to all businesses and individuals.
Consumer guarantees
Consumer guarantees are provided under the ACL and cannot be excluded by a contract. They may be applicable where a cloud service does not meet the service availability or quality indicated by the provider. These guarantees include that the services:
• are delivered with an acceptable level of care and skill
• are fit for the purpose that the consumer made known to the provider before purchasing or the results agreed to with the service provider
• are delivered within the time agreed or, if none was agreed, within a reasonable time.
Consumers have the right to seek a refund or replacement for services that do not meet a guarantee. The consumer guarantees regime applies to purchases under $40,000 or where the services are usually for personal, domestic or household use.
Where can you get more information or make a complaint?
More information about the ACL is available from www.consumerlaw.gov.au. You can contact your state or territory fair trading association to find out more about your rights under the ACL or to make a complaint. More information about the ACCC is available from www.accc.gov.au. If you are in New South Wales, South Australia, Victoria or Western Australia assistance may also be available from the state small business commissioner.
You may also wish to seek independent legal advice on your rights as a consumer.
Legal tips for small businesses using cloud servicesDepartment of Communication6
Privacy protections
Privacy is an important consideration when storing data in the cloud. A particular issue for small businesses to consider is where their data will be stored. There are rules setting out how personal information can be disclosed to overseas recipients. Refer to the Cloud Computing & Privacy—A small business factsheet for more information about privacy protections.
Securing your data
Ensuring that your data is secure from unauthorised third party access is important in any ICT arrangement. Data loss can have an impact on your ability to run your business and on your business’ reputation.
As with any ICT service, there is the potential for a cloud service to be open to cybercrime threats. These are not necessarily new concerns. You should check whether your cloud service provider has security settings to deal with these threats. The size of cloud service providers often means that they have more resources to prevent security threats. Many users of cloud services find that the security of their data improves when using the cloud.
You can improve the security of data stored in the cloud by:
• Checking the security settings in the cloud service contract or other supporting documentation, such as a security policy, to make sure they are appropriate for the type of information you will be storing. You could also check with the cloud service provider whether they will let you know if a third party gets unauthorised access to your data stored in their service.
• Using good security practices when accessing your data, such as strong passwords and providing staff with security training.
• Notifying the cloud service provider if you become aware of any breaches in security, as they made need to audit their security practices to prevent any further security breaches.
Legal tips for small businesses using cloud servicesDepartment of Communication7
The Criminal Code Act 1995
Protections for victims of computer based crimes, including those involving a cloud service, are provided by the Criminal Code Act 1995 (Criminal Code Act). This includes offences that only apply in the digital world, such as hacking or distribution of malware, and existing offences being committed using a computer, such as online fraud. For example, it is a criminal offence to cause the unauthorised access, modification or impairment to data held in a computer with the intent to commit a serious offence (punishable by imprisonment for five years or longer) against a law of the Commonwealth, a state or territory. It is also a criminal offence to possess or control data, or to produce, supply or obtain data with the intent to commit a computer offence.
The Criminal Code Act applies to offences where the system or computer server where the content is hosted in Australia or the offender who has caused the intrusion, disruption or impairment is an Australian citizen.
Where can you get more information or make a complaint?
Cybercrime is dealt with by state and territory police. If you believe that there has been unauthorised access to your data, you can report it to your local state or territory police. There are also a range of simple steps you can take to protect your business online. More information on reporting cybercrime is available from the Australian Federal Police.
Law enforcement access to data in the cloud
In some circumstances, the Australian Government can access communications and data for law enforcement or national security purposes. Generally a warrant is required that has been issued by a court or tribunal. For example:
• Access to telecommunications information is covered by the Telecommunications (Interception and Access) Act 1979 (TIA Act) and Part 14 of the Telecommunications Act 1997. The TIA Act permits access to communications for law enforcement and national security purposes after obtaining a warrant from a court or tribunal. Applications for warrants must comply with the strict requirements of the TIA Act. Agencies can access communications without a warrant in certain limited circumstances, such as in an emergency.
• The Australian Security Intelligence Organisation Act 1979 enables the Australian Security Intelligence Organisation (ASIO), under warrant, to obtain data held in a particular computer where the information will substantially assist in the collection of intelligence in respect of a matter that is important in relation to security.
• The Cybercrime Act 2001, Crimes Act 1914 (Crimes Act) and Criminal Code Act 1995 also provide certain enforcement powers relating to computer-based offences. For example, under the Crimes Act, law enforcement agencies may request electronic documents from a cloud service provider without court approval where there are reasonable grounds to believe they will be relevant to the investigation of a serious terrorism offence.
Legal tips for small businesses using cloud servicesDepartment of Communication8
Disclaimer: This document provides factual information only and is not business or legal advice. You should seek professional advice before taking any action based on its contents.
back to start