Australian IT managers should mandate where their data was stored in contracts negotiated with a cloud provider, a Melbourne high-technology lawyer said.
Freehills senior associate Julian Lincoln outlined risks that arise from cloud-computing environments.
Where data was stored was a key concern for those worried about security and privacy, he said.
"Putting data offshore can introduce distinct regulatory problems," Lincoln said.
"Consider mandating the location of data storage. I don't think we, as customers, should just accept where a cloud provider is going to put storage."
An alternative was to use cloud services hosted in the European Union, which were subject to "strong" protection and privacy rules, and have a backup hosted in Australia, he said.
Other risks related to contract law and service levels.
Lincoln said the cloud could prompt a rethink of "consequential loss" clauses in service contracts that reduced a service provider's liability for events such as data loss.
"It's too simplistic in the cloud to say ‘we're not going to be responsible' [for data loss]," Lincoln said. "That's pretty unsatisfactory".
Service level agreements were also risky in the cloud world.
"We think there will be a risk of cloud providers sticking with standardised service level offerings - for example, gold, silver or bronze," Lincoln said.
"You, as the customer, have to ask if that's appropriate. Is it appropriate to take a standardised service level if it's not quite right for the business?
"This is going to be an issue. I think negotiating custom service level agreements with providers is going to be a challenge."
Lincoln spoke at a cloud computing event in Sydney organised by analyst firm Springboard Research.
Its vice president of software and Asia Pacific research, Michael Barnes, revealed to delegates the results of primary research conducted by Springboard on cloud computing in the region.
It surveyed 479 organisations, of which 89 were in Australia and 20 in New Zealand.
Barnes said that only 27 percent of organisations in A/NZ believed that cloud was "overhyped".
"That's actually a bit lower than I thought it would be," he said.
"The more mature the market, the less they view cloud as overhyped. That's a very good sign."
Most organisations - some 64 percent in A/NZ - were focused on the "private cloud" - giving their internal data centre "cloud characteristics" such as a multi-tenancy architecture.
Only 15 percent identified their main interest as the public cloud. Eight percent said they were looking at both public and private clouds.
"The more mature the market, the more focus there is on leveraging existing IT assets," Barnes said, explaining the emphasis on private cloud.
Cloud use was being justified through hardware cost savings, simplified resource/server provisioning and reduced IT staff or administrative costs.