When signing on a new datacentre provider, businesses and government should get their lawyers to check over the three key areas of physical security, data security and copyright, according to Baker and McKenzie partner James Halliday.
Speaking at CommsDay's Australian Data Centre Summit, Halliday said that while the three areas don't represent all issues that should be examined by businesses and government when picking a datacentre provider, they are among the most important.
Halliday said that the process of signing on to a datacentre provider used to be simple, and that the only real consideration used to be whether the provider actually owned the title to the physical infrastructure.
However, he said that this is no longer the case.
"With increasing sophistication of cloud and datacentre services, what we're seeing is an increase in the complexity."
In terms of physical security, Halliday said that it is imperative to understand a datacentre's claims history, particularly insurance claims.
"A long-term history of recurring claims, particularly claims of insurance, tends to indicate systemic problems, and this can have a number of knock-on effects."
These include larger premiums that the provider has to pay because of repeat claims, which would then be passed on to the customer.
"Unless the service contract is carefully drafted, then it's typically the purchaser that's left to meet this cost, and, as a result, there will be no recourse against the seller," Halliday said.
He suggested that companies negotiate indemnity from the seller to cover all increases in insurance premiums, should the provider need to make a claim.
However, Halliday said that those looking for a datacentre and wanting the provider to carry all costs of an outage shouldn't expect to be able to have such a clause written into the contract. Contracts generally exclude customers from being able to claim for consequential losses and limit the liability of the provider to only physical damage, he said.
Furthermore, he said that purchasers should expect providers to exclude liability for any matters outside of their control, such as acts of God or incidents where another customer in the same datacentre decides to "go rogue" and cause damage to others. He warned that purchasers should also consider whether their contracts go to the extent of limiting customers from suing each other.
Halliday indicated that the legal issues relating to data security are still very much up in the air, as Australia's review of privacy laws is still to be decided.
"To date, there's really been only limited legal activity or litigation in this country in relation to breaches of privacy or data integrity, and that's because the law of Australia is quite limited in its [provisions] for individuals to make claims for breach of their own data security or their own personal privacy," he said.
Despite this, he said that potential purchasers should carefully inspect their contracts to ensure that where a datacentre provider fails to protect or take reasonable steps to protect personal information from unauthorised access, modification or disclosure, it provides the purchaser with indemnity.
He also said that purchasers should review the operational history of the provider to check whether it has had any breaches in the past. Lastly, he said that purchasers should also look at the sales contract to ensure that they are protected during the period between signing the provider on and having the services delivered, whether it's in terms of compensation and/or the ability to exit the contract.
Halliday said that copyright, while not directly related to security, is an important issue.
Paul Noonan, a partner at law firm Herbert Geer, went into further detail on how it is not just the person copying the copyright material who could be held accountable. A person who enables another person to illegally copy or distribute copyrighted material may be considered to have authorised the infringement, and could also be liable for infringement.
Noonan said that while there are safe harbour provisions that limit the liability of carriage service providers for copyright infringement, these do not apply to datacentres. Carriage service providers have to comply with certain conditions to qualify for safe harbour protection. iiNet has been accused of authorising copyright infringements made by some of its subscribers in the case brought against it by the Australian Federation Against Copyright Theft (AFACT). The judgements to date have held that iiNet has not authorised the infringements, but three of the judges have found that if it had infringed, iiNet would not have been eligible for safe harbour protection, because, at the time of the subscribers' activities, the ISP did not satisfy all of the safe harbour conditions.
Noonan referred to recent reports that US datacentre provider Carpathia might be a target for claims that it has been party to copyright infringements allegedly made by its customer Megaupload. "The question must arise as to whether a datacentre operator ... could be liable for authorisation infringement in Australia," Noonan said. The absence of safe harbour protection in Australia for datacentres could result in them being exposed to greater liability for authorisation infringement than ISPs. The implication of Noonan's comments was that this could result in costs being passed on to datacentre customers.
To guard against copyright issues, Halliday said that purchasers should ensure that the operator has strong intellectual property and indemnity protections in its contracts, passing liability back to customers. This is so that the operator is not held responsible for copyright issues that might stem from a single user, and can then pass the costs of the liability on to all customers.
"I'd have a pretty careful look at customer contracts. I'd want to see that the operator has shifted the legal risk of copyright infringement to users of the service. This is best achieved by having in place contractual indemnities from the user to the centre operator that basically cover or indemnify the operator for any infringement that is caused by a user of the service."
Noonan agreed. "It's worth considering the circumstances in which you would be able to terminate the customer contracts if you had a Megaupload that was potentially doing something wrong," he said.
In addition, Halliday said that purchasers should ask what systems and processes the operator has in place that will allow it to respond to any claims of infringing activity, or, at the minimum, a plan of what it would do in the event that infringing activity is reported.
Updated at 5.39pm, 17 April 2012: Added additional information to paragraphs 18, 19 and 20, following additional information received from Herbert Geer.