Is the ownership of data and intellectual property rights (e.g., custom-built applications or data) automatically vested in the cloud service user? Can the customer lose these rights to the cloud service provider?
The right to access and use the cloud service is usually granted through a licence arrangement between the cloud service provider and the customer. A customer would not automatically gain ownership of the intellectual property in the custom- built applications through accessing the cloud service. In fact, this would be extremely rare, unless the customer had engaged the cloud service provider to develop a private cloud infrastructure for it.
There may be instances where a customer gains rights over certain intellectual property in the cloud computing service, but this is often limited to the interface modules or access portals and where the customer is heavily involved in and pays for the customization of the cloud computing service.
Such rights need to be explicitly provided for in the cloud service contract. The usual default position is that the cloud service provider will own rights to all such intellectual property.
A customer will not lose ownership of data through the use of the cloud service. Cloud service providers are unlikely to require ownership of a customer's data. The scope of the cloud service provider’s access to and use of the customer’s data is usually limited to processing and storing on the customer’s behalf.
Do cloud service providers owe a duty of data protection to customers?
In general, a cloud service provider does not owe the customer a duty to protect the data of its customers unless such a duty is imposed through the cloud service contract – that is, the cloud service provider agrees to protect and keep secure the data of its customer. Service levels [agreements] do not create a duty of to protect data per se.
As a customer, it is strongly advisable to negotiate into a cloud service contract a general obligation of confidentiality on the part of the cloud service provider and undertakings from the cloud service provider that it will comply with all applicable data privacy laws.
What risks do cloud service providers face for sharing their customer data with third parties? How will they limit theirliability in a cloud service contract?
A cloud service provider can face regulatory censure and be in breach of its data security obligations and contractual obligations to its customers if the cloud service provider shares its customers' data with third parties, without the consent or authorization of the customers. This risk is accentuated when the data in question relates to sensitive personal data, such as financial or medical information.
In order to mitigate this risk, the cloud service provider can introduce provisions in the cloud service contract that limit its liability from any disclosure of the customer’s data. Whilst not related to the cloud service contract, the cloud service provider can seek back-to-back arrangements with its service providers (e.g. a data center) to allow the cloud service provider to recover any compensation it may have to pay out to a customer for disclosure of the customer's data.
In case of a data breach by a cloud vendor, what are the customer’s options in claiming for damage and funds to cover third-party liability?
If a default by a cloud service provider results in the loss or misuse of a customer's corporate information, the customer may recover damages (including losses from third party claims) from its cloud service provider (to the extent it is not limited from doing so by the cloud service contract). However, cloud service contracts are usually supplier-centric and will usually exclude or limit the customer's ability to claim damages.
In this event, or if it is difficult to prove that the loss was caused by the cloud service provider, it is prudent commercial practice for corporations to have in place insurance that would cover such losses. The ability of a customer to recover against such cyber insurance policies would depend on the scope of the policy and the facts and circumstances surrounding the loss.