Warren W. • Paul, you may find The Cloud Industry Forum a helpful resource at http://www.cloudindustryforum.org. They offer a series of white papers including Contracting Cloud Services: A best Practice Guide, also a review of adoption and trends. Amongst their goals is to sustain a credible and certifiable Code of Practice for the Cloud Industry. LawCloud undertook a rigorous due diligence process before selecting its Cloud provider, who are amongst one of the key members of this forum,

Paul M. • Thanks Warren

Warren W. • These are the research papers http://t.co/ileHt27T (Cloud UK: Contracting Cloud Services, a Guide to Best Practice)

Warren W. • Great to see that The Law Society of Scotland @lawscot are clearly leading the way forward with their research on developing procurement guidelines for the legal profession.

Rich B. • Interesting paper. How do multi-national companies decide where to house data? It sounds like many companies simply want have a CSP in their borders where there is a level of understanding legally. The US Patriot Act seems to allow some US Govt entities to enter facilities and remove computers of unsavory customers. I have heard different comments about EU customers housing data in US CSPs. What is the general feeling on that?

Gavin W. • Hi Rich, I think that EU customers - particularly clients of law firms in the EU - would prefer to see their data being housed within the EU. LawCloud have written about some of the data protection issues within the EU here http://www.lawcloud.co.uk/security . If a firm was to choose a US CSP, there may be additional risks to consider.

This article in the Register from July is pretty interesting on that front and, indeed, it mentions the US Patriot Act as you have already considered... http://www.theregister.co.uk/2011/07/04/eu_customer_cloud_data_may_be_handed_over_by_microsoft/

Harvey D. • I think it definitely depends on the nature of the data being held... For example, we are providing a full cloud infrastructure to a company which provides services to NHS trusts... and one of the key stipulations is that all the data is held/hosted within England (ie not the UK or the EU).

Also, just because the data is hosted within the EU, that does not mean that an organisation has discharged all its data protection duties - it still needs to ensure that the safeguards in place are appropriate given the sensitivity of the data (to paraphrase the Data Protection Act). And there is a lot of opinion which suggests that data being held even in Dublin or Amsterdam may still not be appropriate especially if the organisation has minimal control over the infrastructure.

We also know that other businesses including law firms are not too keen on the idea of their data being held outside the UK for other reasons - they like to know that they are dealing with a company based near them in, say, England and from whom they can get all the necessary additional services (eg. making sure the onsite printers/scanners/faxes are hooked up properly to their cloud infrastructure and that all the applications are integrated properly and backed up securely). This also gives them the comfort that they can get hold of their data very quickly if they need to (or move quickly to another CSP), and, in some cases, they may be obliged contractually to have this ability.

Frank J. • Yes, during the research we conducted with CIF it does seem that customers (law firms or not) prefer their data to be located within the EU and preferably the UK. The other issue is whether providers will compensate customers for lost / corrupted data or whether an SLA is all they will get. This will continue to be a concern for a while yet and law firms are not alone, but we are seeing cloud providers and customers warming to the best practice recommendations. I would be interested in seeing the @lawscot guidelines...