Cloud computing generally refers to software and data accessed via the Internet. It derives its name from diagrams used by IT professionals to designate another network, usually the public network, with a cloud symbol. The term requires some precision because it is currently used to refer to several different types of data storage, application programs and even commercial arrangements. These include:
- Web-based email services like Hotmail, Yahoo or Gmail that are alternatives to MS Exchange servers run by your firm.
- Applications like Facebook, LinkedIn and GoodLawyers.com.au that are not owned directly by their users and have no traditional software licensing equivalent.
- Accounting and other applications like Saasu.com and Xero.com that are equivalent to MYOB or Quicken, but are hosted by their developers on a ‘Software as a Service’ model; that is, based on a monthly subscription rather than a software license. Sometimes these applications carry additional fees for additional storage.
- Third party hosted storage (disk space) like DropBox, iDrive or Amazon Web Services (AWS). Google Docs offers both on-line storage space and an on-line word processor in one product.
- Third party servers (or slices of a server) rented by your firm from iiNet, AWS, RackSpace et al. These are often called Virtual Private Servers and provide a web hosting space or application host that your IT staff can manage directly.
- Off-site servers owned or leased by your own company from your IT service provider and managed by them.
- Virtual desktops running MS Word, Outlook and various accounting applications offered by Matrix Solutions or Optus. The hosting provider licenses a set of applications from Microsoft and others (for example MYOB) and then rents the package, usually including some support, for a monthly subscription. The applications and data are hosted by the service provider at their premises or at those of a fourth party.
The terminology ‘cloud computing’ is confusing because it blurs several important distinctions, some of which are technical while others are commercial or legal:
- Whether the software is licensed by your firm or your firm pays a time/user-based subscription, or the software is ‘free’ or advertiser-supported, or a combination. This affects your rights to use the software, and while in theory your access to data you own may be guaranteed under law, in practice the data may be useless without the application software. For accounting data and business records, it is relevant that a company director is obliged to maintain proper records.
- Whether the equipment is owned by your firm, or leased, or your firm pays a time-based fee, usually a monthly subscription. Again, this might affect your ability to access data or to easily transfer to another provider.
- Whether the equipment is located at your premises or at a ‘server farm’.
- Whether the data is located in Australia or in another jurisdiction.
The number of permutations and variations on these themes is only going to increase, and with it the legal and commercial complexity of choosing between different options.
For lawyers, the decision of where to store data, whether made overtly or by default, may impact the ability of clients to access data even if a claim that data is privileged can be sustained. This may expose lawyers to claims of negligence if these factors are not considered when setting up personal or office systems.
While it is easy to argue that well-managed off-site data is probably more secure than poorly managed on-site data, you may have little control over who accesses data stored at a remote location.
Well-managed on-site data is probably the most secure, but it is also the most expensive to manage because the cost of data management and security cannot be amortized across a number of people or businesses.
The greatest risk comes from poorly managed off-site data, especially data held overseas, but many applications do not give you the option of local data storage, or even local backup. The recent Megaupload case in which Kim Dotcom was arrested by police in New Zealand on behalf of United States authorities, including the FBI, should be a reminder to all controllers of data that the security of data relies on those who have custody of data being ethically, technically and legally beyond reproach. It is worth noting that while the majority of data stored by Megaupload was located in Hong Kong, the fact that the company leased some servers in Virginia was deemed to be a sufficient connection with the USA that the FBI was able to take control of all the data managed by Megaupload.
As usual, caveat emptor!
Christopher Eddison-Cogan is a partner at Barringer Leather Lawyers, a director of BHL Software Pty Ltd and a founder of GoodLawyers.com.au. He is a member of the Law Society IT Committee for which this article was first prepared.